popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

66bb584acc7f2_stealc_default.vmp.exe

Client SW User Data Stealer Gen1 info stealer ftp Client Generic Malware .NET framework(MSIL) UPX Malicious Library Malicious Packer Http API PWS AntiDebug PE File OS Processor Check PE32 .NET EXE AntiVM DLL
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Aug. 21, 2024, 1:26 p.m. Aug. 21, 2024, 1:40 p.m.
Size 207.5KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 769696b4d235e0184c2c8099e39b2394
SHA256 e15d6cb16c10e5b195706f648749001c448ddb7d585576023c66e0aa5be319c0
CRC32 39456394
ssdeep 3072:khF/AxZMqR1akvFDXDKAxqrAwFLImCMgVdJiQE1zAUGSPfl5LH0oIWgp:oI461asjeSHwrsdJi1MQtmJWg
PDB Path G.pdb
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Is_DotNET_EXE - (no description)
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
siscorp.mx
A 162.241.63.30
162.241.63.30
IP Address Status Action
162.241.63.30 Active Moloch
164.124.101.2 Active Moloch
46.8.231.109 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49165 -> 46.8.231.109:80 2044243 ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 46.8.231.109:80 2044244 ET MALWARE Win32/Stealc Requesting browsers Config from C2 Malware Command and Control Activity Detected
TCP 46.8.231.109:80 -> 192.168.56.103:49165 2051828 ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1 Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 46.8.231.109:80 2044246 ET MALWARE Win32/Stealc Requesting plugins Config from C2 Malware Command and Control Activity Detected
TCP 46.8.231.109:80 -> 192.168.56.103:49165 2051831 ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 46.8.231.109:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.103:49166 -> 46.8.231.109:80 2044303 ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 192.168.56.103:49165 -> 46.8.231.109:80 2044248 ET MALWARE Win32/Stealc Submitting System Information to C2 Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 46.8.231.109:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 46.8.231.109:80 2044301 ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 46.8.231.109:80 -> 192.168.56.103:49166 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 46.8.231.109:80 -> 192.168.56.103:49166 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 46.8.231.109:80 -> 192.168.56.103:49165 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 46.8.231.109:80 -> 192.168.56.103:49165 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 162.241.63.30:443 -> 192.168.56.103:49170 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 162.241.63.30:443 -> 192.168.56.103:49177 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 162.241.63.30:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49175 -> 162.241.63.30:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49166 -> 46.8.231.109:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.103:49166 -> 46.8.231.109:80 2044302 ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 46.8.231.109:80 -> 192.168.56.103:49166 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 192.168.56.103:49168 -> 162.241.63.30:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49169 -> 162.241.63.30:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49166 -> 46.8.231.109:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.103:49166 -> 46.8.231.109:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.103:49166 -> 46.8.231.109:80 2044305 ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 192.168.56.103:49166 -> 46.8.231.109:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.103:49166 -> 46.8.231.109:80 2044306 ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 192.168.56.103:49166 -> 46.8.231.109:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.103:49166 -> 46.8.231.109:80 2044307 ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity A suspicious filename was detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: Access is denied.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: Access is denied.
console_handle: 0x0000000b
1 1 0
pdb_path G.pdb
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayVersion
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://46.8.231.109/
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://46.8.231.109/c4754d4f680ead72.php
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://46.8.231.109/1309cdeb8f4c8736/nss3.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://46.8.231.109/1309cdeb8f4c8736/vcruntime140.dll
request GET http://46.8.231.109/
request POST http://46.8.231.109/c4754d4f680ead72.php
request GET http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll
request GET http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll
request GET http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll
request GET http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll
request GET http://46.8.231.109/1309cdeb8f4c8736/nss3.dll
request GET http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll
request GET http://46.8.231.109/1309cdeb8f4c8736/vcruntime140.dll
request POST http://46.8.231.109/c4754d4f680ead72.php
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 1932
region_size: 458752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00420000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00450000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1932
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f31000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1932
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f32000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1932
region_size: 983040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ab0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b60000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005a2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005bc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00af0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005d5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005db000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005d7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005aa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1932
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02342000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2148
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76971000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2148
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74fc1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2148
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00650000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2148
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74471000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2148
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74451000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2148
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x743e1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2148
region_size: 995328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x61e00000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2148
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74031000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2148
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7355c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2148
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7336b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2148
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x732ca000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2148
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73c42000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2148
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73253000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2148
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72ee1000
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Local Extension Settings\djclckkglechooblngghdinmeemkbgci\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\apenkfbbpmhihehmihndmmcdanacolnh\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fil\messages.json\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\ciojocpkclfflombbcfigcijjcbkmhaf\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opfgelmcmbiajamepnmloijbpoleiama\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\sv\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\fiikommddbeccaoicoejoniammnalkfa\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\oboonakemofpalcgghocfoadofidjkkk\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbb\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOCK\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\8620.824.0.0_0\_locales\fa\messages.json\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\bfogiafebfohielmmehodmfbbebbbpei\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000001\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\naepdomgkenhinolocfifgehidddafch\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\omaabbefbmiijedngplfjmnooppbclkk\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\bmikpgodpkclnkgmnpphehdgcimmided\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\fdjamakpfbbddfjaooikfcpapjohcfmg\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch\CURRENT
file C:\ProgramData\vcruntime140.dll
file C:\ProgramData\msvcp140.dll
file C:\ProgramData\nss3.dll
file C:\ProgramData\freebl3.dll
file C:\ProgramData\mozglue.dll
file C:\ProgramData\softokn3.dll
cmdline "C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\JKJECBAAAF.exe"
cmdline C:\Windows\System32\cmd.exe /c start "" "C:\ProgramData\JKJECBAAAF.exe"
cmdline "C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\FBFCFIEBKE.exe"
cmdline C:\Windows\System32\cmd.exe /c start "" "C:\ProgramData\FBFCFIEBKE.exe"
Time & API Arguments Status Return Repeated

ShellExecuteExW

 show_type: 0
filepath_r: C:\Windows\system32\cmd.exe
parameters: /c start "" "C:\ProgramData\JKJECBAAAF.exe"
filepath: C:\Windows\System32\cmd.exe
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: C:\Windows\system32\cmd.exe
parameters: /c start "" "C:\ProgramData\FBFCFIEBKE.exe"
filepath: C:\Windows\System32\cmd.exe
1 1 0
Time & API Arguments Status Return Repeated

Process32NextW

 snapshot_handle: 0x00000330
process_name: smss.exe
process_identifier: 232
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: csrss.exe
process_identifier: 308
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: wininit.exe
process_identifier: 344
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: csrss.exe
process_identifier: 356
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: winlogon.exe
process_identifier: 392
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: services.exe
process_identifier: 436
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: lsass.exe
process_identifier: 452
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: svchost.exe
process_identifier: 560
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: svchost.exe
process_identifier: 636
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: svchost.exe
process_identifier: 716
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: svchost.exe
process_identifier: 780
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: svchost.exe
process_identifier: 824
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: audiodg.exe
process_identifier: 896
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: svchost.exe
process_identifier: 984
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: svchost.exe
process_identifier: 340
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: spoolsv.exe
process_identifier: 1060
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: taskhost.exe
process_identifier: 1112
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: svchost.exe
process_identifier: 1120
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: dwm.exe
process_identifier: 1192
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: explorer.exe
process_identifier: 1236
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: svchost.exe
process_identifier: 1744
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: pw.exe
process_identifier: 1888
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: SearchIndexer.exe
process_identifier: 1652
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: mobsync.exe
process_identifier: 1668
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: pw.exe
process_identifier: 760
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: taskhost.exe
process_identifier: 1000
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: SearchProtocolHost.exe
process_identifier: 940
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: cmd.exe
process_identifier: 1020
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: conhost.exe
process_identifier: 508
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: SearchFilterHost.exe
process_identifier: 1836
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: pw.exe
process_identifier: 1280
1 1 0

Process32NextW

 snapshot_handle: 0x00000330
process_name: RegAsm.exe
process_identifier: 2148
1 1 0

Process32NextW

 snapshot_handle: 0x000004e0
process_name: svchost.exe
process_identifier: 2404
1 1 0

Process32NextW

 snapshot_handle: 0x000004e0
process_name: mscorsvw.exe
process_identifier: 2432
1 1 0

Process32NextW

 snapshot_handle: 0x000004e0
process_name: mscorsvw.exe
process_identifier: 2476
1 1 0

Process32NextW

 snapshot_handle: 0x000004e0
process_name: sppsvc.exe
process_identifier: 2524
1 1 0
Time & API Arguments Status Return Repeated

InternetReadFile

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL×Ýc’¿à! &  @ àa0: Ð ˆ* Ð 0 ¨@ <   Ð.text„% & `P`.data|'@ (, @`À.rdatapDp FT @`@.bss(À €`À.edataˆ*Ð ,š @0@.idataÐ Æ @0À.CRT, Ô @0À.tls Ö @0À.rsrc¨0 Ø @0À.reloc<@ >Þ @0B/48€  @@B/19RȐ Ê" @B/31]'`(ì @B/45š-.@B/57\ À B@0B/70#ÐN@B/81
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"! 4pÐ Ëý @AH S› Ȑ xF P/  ð#”   ¤ @.text•  `.rdataÄ @@.data<F0  @À.00cfg€  @@.rsrcx  @@.relocð#  $" @B
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL¤4cà"! ¶^À¹€ jª @A`ãWä·, ° P/0 ØAS¼øhРì¼ÜäZ.textaµ¶ `.rdata” Ð º@@.dataDàÄ@À.00cfg È@@.tls Ê@À.rsrc° Ì@@.relocØA0 BÖ@B
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ٓ1Cò_ò_ò_)n°Ÿò_”ŠÌ‹ò_ò^"ò_Ϛ^žò_Ϛ\•ò_Ϛ[Óò_ϚZÑò_Ϛ_œò_Ϛ œò_Ϛ]œò_Richò_PEL‚ê0]à"! (‚`Ù@ ð,à@Ag‚Ïèr ðœèA°¬=`x8¸w@päÀc@.text’&( `.dataH)@,@À.idata¬pD@@.didat4X@À.rsrcð Z@@.reloc¬=°>^@B
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELÐ4cà"! Ø.`£pl- @Aä&úÞÄ@Px P/`\°ð |Ê\€&@.text‰×Ø `.rdatalïððÜ@@.dataDRà.Ì@À.00cfg@ú@@.rsrcxPü@@.reloc\` @B
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"! ÌðPÏSg@ADvS—wð°€ÀP/ÀÈ58qà {Œ.text&ËÌ `.rdataÔ«à¬Ð@@.data˜ |@À.00cfg „@@.rsrc€°†@@.relocÈ5À6Š@B
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZÿÿ¸@躴 Í!¸LÍ!This program cannot be run in DOS mode. $ÀÅäՄ¤Š†„¤Š†„¤Š†08e††¤Š†Ü†¤Š†„¤‹†¬¤Š†Ö̉‡—¤Š†Ö̎‡¤Š†Ö̏‡Ÿ¤Š†Ö̊‡…¤Š†ÖÌu†…¤Š†Ö̈‡…¤Š†Rich„¤Š†PEL|ê0]à"! ސÙð 0Ôm@Aàã ¸ŒúðA  € 8¸ @´.textôÜÞ `.dataôðâ@À.idata„ä@@.rsrcê@@.reloc  î@B
request_handle: 0x00cc000c
1 1 0
section {u'size_of_data': u'0x00033400', u'virtual_address': u'0x00002000', u'entropy': 7.951738498511874, u'name': u'.text', u'virtual_size': u'0x00033204'} entropy 7.95173849851 description A section with a high entropy has been found
entropy 0.990338164251 description Overall entropy of this PE file is high
description Client_SW_User_Data_Stealer rule Client_SW_User_Data_Stealer
description ftp clients info stealer rule infoStealer_ftpClients_Zero
description Match Windows Http API call rule Str_Win32_Http_API
description PWS Memory rule Generic_PWS_Memory_Zero
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
host 46.8.231.109
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2148
region_size: 2371584
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000220
1 0 0
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

 information_class: 8 (SystemProcessorPerformanceInformation)
1 0 0
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
file C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@躴 Í!¸LÍ!This program cannot be run in DOS mode. $¢b›åæõ¶æõ¶æõ¶‰u^¶þõ¶‰uk¶ëõ¶‰u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶‰uZ¶ôõ¶‰uh¶çõ¶Richæõ¶PEL„7»fà  ÈB"dà@0$@È©<à#|$àô.textJÆÈ à.rdataÞÎàÐÌ@@.data”+!° œ@À.reloc*Dà#F¨@B
base_address: 0x00400000
process_identifier: 2148
process_handle: 0x00000220
1 1 0

WriteProcessMemory

 buffer: LáA.?AVtype_info@@Næ@»±¿D        ! 5A CPR S WY l m pr €  ‚ ƒ„ ‘)ž ¡¤ § ·Î×   “ÿÿÿÿÿÿÿÿŽÈAŽÈAŽÈAŽÈAŽÈAŽÈAŽÈAŽÈAŽÈAŽÈAC$÷A ÷A÷A÷A÷A÷A ÷A÷AüöAôöAèöAÜöAÔöAÈöAÄöAÀöA¼öA¸öA´öA°öA¬öA¨öA¤öA öAœöA˜öAöA„öA|öAtöA´öAlöAdöA\öAPöAHöA<öA0öA,öA(öAöAöAüõA ôõAìõAäõAÜõAÔõAÌõAÄõA´õA¤õA”õA€õAlõA\õAHõA@õA8õA0õA(õA õAõAõAõAõAøôAðôAèôAØôAÄôA¸ôA¬ôA õA ôA”ôA„ôApôA`ôALôA8ôA0ôA(ôAôAìóAØóA³B³B³B³B³BȺB¨øA0ýA°þA³Bx´B abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZXµB¤`‚y‚!¦ß¡¥Ÿàü@~€ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þÿÿÿÿ€ þÿÿÿ¬úA..ÀºBŒÈBŒÈBŒÈBŒÈBŒÈBŒÈBŒÈBŒÈBŒÈBĺBÈBÈBÈBÈBÈBÈBÈBȺB¨øAªúA.LáA.?AVlogic_error@std@@LáA.?AVlength_error@std@@LáA.?AVout_of_range@std@@LáA.?AVexception@std@@LáA.?AVbad_alloc@std@@
base_address: 0x0042b000
process_identifier: 2148
process_handle: 0x00000220
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2148
process_handle: 0x00000220
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@躴 Í!¸LÍ!This program cannot be run in DOS mode. $¢b›åæõ¶æõ¶æõ¶‰u^¶þõ¶‰uk¶ëõ¶‰u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶‰uZ¶ôõ¶‰uh¶çõ¶Richæõ¶PEL„7»fà  ÈB"dà@0$@È©<à#|$àô.textJÆÈ à.rdataÞÎàÐÌ@@.data”+!° œ@À.reloc*Dà#F¨@B
base_address: 0x00400000
process_identifier: 2148
process_handle: 0x00000220
1 1 0
Time & API Arguments Status Return Repeated

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 7-Zip 20.02 alpha
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe AIR
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: ????? ?? 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Mozilla Thunderbird 78.4.0 (x86 ko)
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Professional Plus 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe AIR
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: HttpWatch Professional 9.3.39
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: ????? ?? 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Java 8 Update 131
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Java Auto Updater
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Google Update Helper
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Access MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Excel MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft PowerPoint MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Publisher MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Outlook MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Word MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing Tools 2013 - English
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Outils de vérification linguistique 2013 de Microsoft Office - Français
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing Tools 2013 - Español
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft InfoPath MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft DCF MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft OneNote MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Groove MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office OSM MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office OSM UX MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared Setup Metadata MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Access Setup Metadata MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Lync MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Professional Plus 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 ActiveX
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 NPAPI
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Acrobat Reader DC MUI
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName
1 0 0
file C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
Process injection Process 1932 called NtSetContextThread to modify thread in remote process 2148
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2005598660
registers.esp: 1900292
registers.edi: 0
registers.eax: 4285584
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000021c
process_identifier: 2148
1 0 0
Process injection Process 1932 resumed a thread in remote process 2148
Process injection Process 2148 resumed a thread in remote process 2612
Process injection Process 2148 resumed a thread in remote process 2756
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x0000021c
suspend_count: 1
process_identifier: 2148
1 0 0

NtResumeThread

 thread_handle: 0x00000514
suspend_count: 1
process_identifier: 2612
1 0 0

NtResumeThread

 thread_handle: 0x000005fc
suspend_count: 1
process_identifier: 2756
1 0 0
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 1932
1 0 0

NtResumeThread

 thread_handle: 0x0000014c
suspend_count: 1
process_identifier: 1932
1 0 0

NtResumeThread

 thread_handle: 0x00000188
suspend_count: 1
process_identifier: 1932
1 0 0

NtResumeThread

 thread_handle: 0x00000200
suspend_count: 1
process_identifier: 1932
1 0 0

NtResumeThread

 thread_handle: 0x00000214
suspend_count: 1
process_identifier: 1932
1 0 0

CreateProcessInternalW

 thread_identifier: 2152
thread_handle: 0x0000021c
process_identifier: 2148
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
track: 1
command_line:
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000220
1 1 0

NtGetContextThread

 thread_handle: 0x0000021c
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2148
region_size: 2371584
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000220
1 0 0

WriteProcessMemory

 buffer: MZÿÿ¸@躴 Í!¸LÍ!This program cannot be run in DOS mode. $¢b›åæõ¶æõ¶æõ¶‰u^¶þõ¶‰uk¶ëõ¶‰u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶‰uZ¶ôõ¶‰uh¶çõ¶Richæõ¶PEL„7»fà  ÈB"dà@0$@È©<à#|$àô.textJÆÈ à.rdataÞÎàÐÌ@@.data”+!° œ@À.reloc*Dà#F¨@B
base_address: 0x00400000
process_identifier: 2148
process_handle: 0x00000220
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00401000
process_identifier: 2148
process_handle: 0x00000220
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x0041e000
process_identifier: 2148
process_handle: 0x00000220
1 1 0

WriteProcessMemory

 buffer: LáA.?AVtype_info@@Næ@»±¿D        ! 5A CPR S WY l m pr €  ‚ ƒ„ ‘)ž ¡¤ § ·Î×   “ÿÿÿÿÿÿÿÿŽÈAŽÈAŽÈAŽÈAŽÈAŽÈAŽÈAŽÈAŽÈAŽÈAC$÷A ÷A÷A÷A÷A÷A ÷A÷AüöAôöAèöAÜöAÔöAÈöAÄöAÀöA¼öA¸öA´öA°öA¬öA¨öA¤öA öAœöA˜öAöA„öA|öAtöA´öAlöAdöA\öAPöAHöA<öA0öA,öA(öAöAöAüõA ôõAìõAäõAÜõAÔõAÌõAÄõA´õA¤õA”õA€õAlõA\õAHõA@õA8õA0õA(õA õAõAõAõAõAøôAðôAèôAØôAÄôA¸ôA¬ôA õA ôA”ôA„ôApôA`ôALôA8ôA0ôA(ôAôAìóAØóA³B³B³B³B³BȺB¨øA0ýA°þA³Bx´B abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZXµB¤`‚y‚!¦ß¡¥Ÿàü@~€ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þÿÿÿÿ€ þÿÿÿ¬úA..ÀºBŒÈBŒÈBŒÈBŒÈBŒÈBŒÈBŒÈBŒÈBŒÈBĺBÈBÈBÈBÈBÈBÈBÈBȺB¨øAªúA.LáA.?AVlogic_error@std@@LáA.?AVlength_error@std@@LáA.?AVout_of_range@std@@LáA.?AVexception@std@@LáA.?AVbad_alloc@std@@
base_address: 0x0042b000
process_identifier: 2148
process_handle: 0x00000220
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x0063e000
process_identifier: 2148
process_handle: 0x00000220
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2148
process_handle: 0x00000220
1 1 0

NtSetContextThread

 registers.eip: 2005598660
registers.esp: 1900292
registers.edi: 0
registers.eax: 4285584
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000021c
process_identifier: 2148
1 0 0

NtResumeThread

 thread_handle: 0x0000021c
suspend_count: 1
process_identifier: 2148
1 0 0

CreateProcessInternalW

 thread_identifier: 2616
thread_handle: 0x00000514
process_identifier: 2612
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\JKJECBAAAF.exe"
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000308
1 1 0

NtResumeThread

 thread_handle: 0x00000514
suspend_count: 1
process_identifier: 2612
1 0 0

CreateProcessInternalW

 thread_identifier: 2760
thread_handle: 0x000005fc
process_identifier: 2756
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\FBFCFIEBKE.exe"
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000600
1 1 0

NtResumeThread

 thread_handle: 0x000005fc
suspend_count: 1
process_identifier: 2756
1 0 0

CreateProcessInternalW

 thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath: C:\ProgramData\JKJECBAAAF.exe
track: 0
command_line: "C:\ProgramData\JKJECBAAAF.exe"
filepath_r: C:\ProgramData\JKJECBAAAF.exe
stack_pivoted: 0
creation_flags: 525328 (CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000000
0 0

CreateProcessInternalW

 thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\ProgramData\JKJECBAAAF.exe
track: 0
command_line: "C:\ProgramData\JKJECBAAAF.exe"
filepath_r: C:\ProgramData\JKJECBAAAF.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000000
0 0

CreateProcessInternalW

 thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath: C:\ProgramData\FBFCFIEBKE.exe
track: 0
command_line: "C:\ProgramData\FBFCFIEBKE.exe"
filepath_r: C:\ProgramData\FBFCFIEBKE.exe
stack_pivoted: 0
creation_flags: 525328 (CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000000
0 0

CreateProcessInternalW

 thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\ProgramData\FBFCFIEBKE.exe
track: 0
command_line: "C:\ProgramData\FBFCFIEBKE.exe"
filepath_r: C:\ProgramData\FBFCFIEBKE.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000000
0 0
Bkav W32.AIDetectMalware.CS
Lionic Trojan.Win32.NanoBot.m!c
Elastic malicious (high confidence)
CAT-QuickHeal Trojan.Stealc
Skyhigh Artemis!Trojan
ALYac Trojan.Generic.36717352
Cylance Unsafe
VIPRE Trojan.Generic.36717352
Sangfor Backdoor.Msil.Kryptik.Vjoh
K7AntiVirus Trojan ( 005b95bf1 )
BitDefender Trojan.Generic.36717352
K7GW Trojan ( 005b95bf1 )
Cybereason malicious.4d235e
Arcabit Trojan.Generic.D2304328
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of MSIL/GenKryptik.HAOD
APEX Malicious
McAfee Artemis!769696B4D235
Avast Win32:PWSX-gen [Trj]
ClamAV Win.Packed.Stelpak-10034590-0
Kaspersky HEUR:Backdoor.MSIL.NanoBot.gen
Alibaba Backdoor:MSIL/Stealerc.c15aabb1
NANO-Antivirus Trojan.Win32.Stealer.kqwvcf
SUPERAntiSpyware Trojan.Agent/Gen-Stealer
MicroWorld-eScan Trojan.Generic.36717352
Rising Malware.Obfus/MSIL@AI.100 (RDM.MSIL2:vD7PPnP4EOOBe0cUMU9uIA)
Emsisoft Trojan.Generic.36717352 (B)
F-Secure Trojan.TR/AD.Stealc.xvddw
DrWeb Trojan.PWS.Stealer.39565
TrendMicro Trojan.Win32.PRIVATELOADER.YXEHNZ
McAfeeD Real Protect-LS!769696B4D235
FireEye Generic.mg.769696b4d235e018
Sophos Mal/Generic-S
SentinelOne Static AI - Malicious PE
Google Detected
Avira TR/AD.Stealc.xvddw
MAX malware (ai score=82)
Antiy-AVL Trojan[Backdoor]/MSIL.NanoBot
Kingsoft MSIL.Backdoor.NanoBot.gen
Gridinsoft Ransom.Win32.Wacatac.sa
Microsoft Trojan:Win32/Stealerc.GAB!MTB
ViRobot Trojan.Win.Z.Genkryptik.212480.G
ZoneAlarm HEUR:Backdoor.MSIL.NanoBot.gen
GData Trojan.Generic.36717352
Varist W32/MSIL_Kryptik.LKR.gen!Eldorado
AhnLab-V3 Trojan/Win.PWSX-gen.C5658607
BitDefenderTheta Gen:NN.ZemsilF.36812.mm0@aqOSxbb
DeepInstinct MALICIOUS
VBA32 TScope.Trojan.MSIL
Malwarebytes Trojan.Crypt