Summary | ZeroBOX

66d1e3c3c7dc6_vregs.exe#space

Client SW User Data Stealer LokiBot info stealer ftp Client Antivirus Malicious Library Code injection HTTP PWS Internet API Http API .NET EXE PE32 PE File AntiVM AntiDebug
Category Machine Started Completed
FILE s1_win7_x6401 Sept. 2, 2024, 10:13 a.m. Sept. 2, 2024, 10:26 a.m.
Size 253.5KB
Type PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 744dad327f45b0839b0150d45e6b1f9f
SHA256 b83f5ea0d9fbc1418ecfbf9d0407cfddb3ca85ba99e967c5fe431fbb6b663bad
CRC32 7293BE2E
ssdeep 6144:zik8TD3usJ7mvwYI9WEyxG/h/y+dObHmjxOREO:z4n+Oae2op3qAcEO
PDB Path AVP.pdb
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Antivirus - Contains references to security software
  • Is_DotNET_EXE - (no description)
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
147.45.68.138 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49166 -> 147.45.68.138:80 2049087 ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST A Network Trojan was detected
TCP 147.45.68.138:80 -> 192.168.56.101:49166 2051831 ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 Malware Command and Control Activity Detected
TCP 147.45.68.138:80 -> 192.168.56.101:49166 2051831 ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 147.45.68.138:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 147.45.68.138:80 -> 192.168.56.101:49166 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 147.45.68.138:80 -> 192.168.56.101:49166 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 147.45.68.138:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 147.45.68.138:80 2044303 ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 192.168.56.101:49166 -> 147.45.68.138:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 147.45.68.138:80 2044302 ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 192.168.56.101:49166 -> 147.45.68.138:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 147.45.68.138:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 147.45.68.138:80 2044306 ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 192.168.56.101:49166 -> 147.45.68.138:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 147.45.68.138:80 2044307 ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 192.168.56.101:49166 -> 147.45.68.138:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 147.45.68.138:80 2044305 ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity A suspicious filename was detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
pdb_path AVP.pdb
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayVersion
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RtlDeleteTimerQueueEx+0x5db RtlCutoverTimeToSystemTime-0xaf ntdll+0x74801 @ 0x76f84801
LdrVerifyImageMatchesChecksum+0x326 RtlComputePrivatizedDllName_U-0xf12 ntdll+0xa08f5 @ 0x76fb08f5
RtlDeleteTimerQueueEx+0x378 RtlCutoverTimeToSystemTime-0x312 ntdll+0x7459e @ 0x76f8459e
RtlDeleteTimerQueueEx+0x2bb RtlCutoverTimeToSystemTime-0x3cf ntdll+0x744e1 @ 0x76f844e1
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x76f4c389
RtlFlsAlloc+0x993 EtwNotificationRegister-0x13c ntdll+0x3f3f6 @ 0x76f4f3f6
RtlEncodeSystemPointer+0x33d RtlFindClearBits-0x454 ntdll+0x3e395 @ 0x76f4e395
RtlSetBits+0x115 RtlFlsAlloc-0x5e ntdll+0x3ea05 @ 0x76f4ea05
RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3ea52 @ 0x76f4ea52
RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3e94d @ 0x76f4e94d
RtlInitializeSid+0x35 RtlEncodePointer-0x3c ntdll+0x40f8f @ 0x76f50f8f
RtlSetBits+0xea RtlFlsAlloc-0x89 ntdll+0x3e9da @ 0x76f4e9da
RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3ea52 @ 0x76f4ea52
RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3e94d @ 0x76f4e94d
RtlInitializeSid+0x35 RtlEncodePointer-0x3c ntdll+0x40f8f @ 0x76f50f8f
RtlSetBits+0xea RtlFlsAlloc-0x89 ntdll+0x3e9da @ 0x76f4e9da
RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3ea52 @ 0x76f4ea52
RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3e94d @ 0x76f4e94d
RtlInitializeSid+0x35 RtlEncodePointer-0x3c ntdll+0x40f8f @ 0x76f50f8f
RtlSetBits+0xea RtlFlsAlloc-0x89 ntdll+0x3e9da @ 0x76f4e9da
RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3ea52 @ 0x76f4ea52
RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3e94d @ 0x76f4e94d
LdrResSearchResource+0x943 LdrResFindResourceDirectory-0x376 ntdll+0x3d69f @ 0x76f4d69f
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x76f4c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x72c4d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x75981d2a
LoadLibraryExA+0x26 FreeLibrary-0x18 kernelbase+0x11d7a @ 0x75981d7a
LoadLibraryA+0x31 HeapCreate-0x25 kernel32+0x14a08 @ 0x755c4a08
regasm+0x6d5c @ 0x406d5c
regasm+0xafce @ 0x40afce
regasm+0xdaf9 @ 0x40daf9
regasm+0x14f46 @ 0x414f46
regasm+0x15d1f @ 0x415d1f
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 50 04 29 55 fc 8b 08 03 4d 08 57 56 83 c0 08
exception.symbol: RtlDeleteTimerQueueEx+0x644 RtlCutoverTimeToSystemTime-0x46 ntdll+0x7486a
exception.instruction: mov edx, dword ptr [eax + 4]
exception.module: ntdll.dll
exception.exception_code: 0xc0000006
exception.offset: 477290
exception.address: 0x76f8486a
registers.esp: 3499272
registers.edi: 4294967295
registers.eax: 174415872
registers.ebp: 3499296
registers.edx: 174415872
registers.ebx: 268435456
registers.esi: 4200071168
registers.ecx: 22624
1 0 0
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://147.45.68.138/
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://147.45.68.138/
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://147.45.68.138/sql.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://147.45.68.138/freebl3.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://147.45.68.138/mozglue.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://147.45.68.138/msvcp140.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://147.45.68.138/softokn3.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://147.45.68.138/vcruntime140.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://147.45.68.138/nss3.dll
request GET http://147.45.68.138/
request POST http://147.45.68.138/
request GET http://147.45.68.138/sql.dll
request GET http://147.45.68.138/freebl3.dll
request GET http://147.45.68.138/mozglue.dll
request GET http://147.45.68.138/msvcp140.dll
request GET http://147.45.68.138/softokn3.dll
request GET http://147.45.68.138/vcruntime140.dll
request GET http://147.45.68.138/nss3.dll
request POST http://147.45.68.138/
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 1441792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00630000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00750000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x727a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x727a2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 2228224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ab0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00c90000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00522000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0053c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00700000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00565000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0056b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00567000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02782000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2684
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x764b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2684
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75831000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2684
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73751000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2684
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74001000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2684
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73bb1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2684
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73661000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2684
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72921000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2684
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x728c1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2684
region_size: 2486069
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
3221225496 0

NtAllocateVirtualMemory

process_identifier: 2684
region_size: 2486272
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10750000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
description RegAsm.exe tried to sleep 122 seconds, actually delayed analysis time by 122 seconds
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs-journal\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file C:\Users\test22\AppData\Local\Chromium\User Data\Local State
file C:\ProgramData\freebl3.dll
file C:\ProgramData\msvcp140.dll
file C:\ProgramData\nss3.dll
file C:\ProgramData\vcruntime140.dll
file C:\ProgramData\mozglue.dll
file C:\ProgramData\softokn3.dll
Time & API Arguments Status Return Repeated

InternetReadFile

buffer: MZ ... This program cannot be run in DOS mode. ... Rich ... PE ... .text .rdata .data .idata .00cfg .rsrc .reloc (binary PE image; non-printable bytes omitted)
request_handle: 0x00cc0014
1 1 0

InternetReadFile

buffer: MZ ... This program cannot be run in DOS mode. ... PE ... .text .rdata .data .00cfg .rsrc .reloc (binary PE image; non-printable bytes omitted)
request_handle: 0x00cc0014
1 1 0

InternetReadFile

buffer: MZ ... This program cannot be run in DOS mode. ... PE ... .text .rdata .data .00cfg .tls .rsrc .reloc (binary PE image; non-printable bytes omitted)
request_handle: 0x00cc0014
1 1 0

InternetReadFile

buffer: MZ ... This program cannot be run in DOS mode. ... Rich ... PE ... .text .data .idata .didat .rsrc .reloc (binary PE image; non-printable bytes omitted)
request_handle: 0x00cc0014
1 1 0

InternetReadFile

buffer: MZ ... This program cannot be run in DOS mode. ... PE ... .text .rdata .data .00cfg .rsrc .reloc (binary PE image; non-printable bytes omitted)
request_handle: 0x00cc0014
1 1 0

InternetReadFile

buffer: MZ ... This program cannot be run in DOS mode. ... Rich ... PE ... .text .data .idata .rsrc .reloc (binary PE image; non-printable bytes omitted)
request_handle: 0x00cc0014
1 1 0

InternetReadFile

buffer: MZ ... This program cannot be run in DOS mode. ... PE ... .text .rdata .data .00cfg .rsrc .reloc (binary PE image; non-printable bytes omitted)
request_handle: 0x00cc0014
1 1 0
section {'size_of_data': '0x0003c600', 'virtual_address': '0x00002000', 'entropy': 7.7034805144304, 'name': '.text', 'virtual_size': '0x0003c504'} entropy 7.70348051443 description A section with a high entropy has been found
entropy 0.991786447639 description Overall entropy of this PE file is high
url https://steamcommunity.com/profiles/76561199761128941
url https://t.me/iyigunl
url http://147.45.68.138:80
description Client_SW_User_Data_Stealer rule Client_SW_User_Data_Stealer
description ftp clients info stealer rule infoStealer_ftpClients_Zero
description Match Windows Http API call rule Str_Win32_Http_API
description PWS Memory rule Generic_PWS_Memory_Zero
description Communications over HTTP rule Network_HTTP
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Match Windows Inet API call rule Str_Win32_Internet_API
description Win32 PWS Loki rule Win32_PWS_Loki_m_Zero
Time & API Arguments Status Return Repeated

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2648
process_handle: 0x000001e0
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2648
process_handle: 0x000001e0
1 0 0
host 147.45.68.138
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 2363392
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001e0
3221225496 0

NtAllocateVirtualMemory

process_identifier: 2684
region_size: 2363392
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001ec
1 0 0
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
file C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
wmi
wmi Select * From AntiVirusProduct root\SecurityCente
Process injection Process 2564 manipulating memory of non-child process 2648
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 2363392
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001e0
3221225496 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZ ... This program cannot be run in DOS mode. ... Rich ... PE ... .text .rdata .data .rsrc .reloc (binary PE image; non-printable bytes omitted)
base_address: 0x00400000
process_identifier: 2684
process_handle: 0x000001ec
1 1 0

WriteProcessMemory

buffer: ... <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> </assembly> followed by repeated PADDINGXX filler (non-printable bytes omitted)
base_address: 0x0063b000
process_identifier: 2684
process_handle: 0x000001ec
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2684
process_handle: 0x000001ec
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZ ... This program cannot be run in DOS mode. ... Rich ... PE ... .text .rdata .data .rsrc .reloc (binary PE image; non-printable bytes omitted)
base_address: 0x00400000
process_identifier: 2684
process_handle: 0x000001ec
1 1 0
Time & API Arguments Status Return Repeated

RegQueryValueExA

key_handle: 0x000003b0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000003b0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Enterprise 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000003b0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000003b0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: ????? ?? 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000003b0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: HttpWatch Professional 9.3.39
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000003b0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: ????? ?? 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000003b0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Google Update Helper
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000003b0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Access MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000003b0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Excel MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000003b0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office PowerPoint MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000003b0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Publisher MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000003b0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Outlook MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000003b0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Word MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000003b0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proof (English) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000003b0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proof (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000003b0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office IME (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000003b0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000003b0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Enterprise 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000003b0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office InfoPath MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000003b0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared MUI (English) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000003b0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000003b0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office OneNote MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000003b0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Groove MUI (English) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000003b0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000003b0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 ActiveX
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000003b0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 NPAPI
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000003b0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName
1 0 0
file C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
Process injection Process 2564 called NtSetContextThread to modify thread in remote process 2684
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 1995571652
registers.esp: 3538072
registers.edi: 0
registers.eax: 4282160
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000001f0
process_identifier: 2684
1 0 0
url http://147.45.68.138:80
Process injection Process 2564 resumed a thread in remote process 2684
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000001f0
suspend_count: 1
process_identifier: 2684
1 0 0
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000000e4
suspend_count: 1
process_identifier: 2564
1 0 0

NtResumeThread

thread_handle: 0x00000158
suspend_count: 1
process_identifier: 2564
1 0 0

NtResumeThread

thread_handle: 0x00000194
suspend_count: 1
process_identifier: 2564
1 0 0

CreateProcessInternalW

thread_identifier: 2652
thread_handle: 0x000001e8
process_identifier: 2648
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
track: 1
command_line:
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000001e0
1 1 0

NtGetContextThread

thread_handle: 0x000001e8
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 2363392
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001e0
3221225496 0

CreateProcessInternalW

thread_identifier: 2688
thread_handle: 0x000001f0
process_identifier: 2684
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
track: 1
command_line:
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000001ec
1 1 0

NtGetContextThread

thread_handle: 0x000001f0
1 0 0

NtAllocateVirtualMemory

process_identifier: 2684
region_size: 2363392
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001ec
1 0 0

WriteProcessMemory

buffer: MZ … This program cannot be run in DOS mode. $ … Rich … PE … .text … .rdata … .data … .rsrc … .reloc … (PE header written to the remote process; non-printable bytes rendered as mojibake in the report are omitted here, printable strings kept in order)
base_address: 0x00400000
process_identifier: 2684
process_handle: 0x000001ec
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00401000
process_identifier: 2684
process_handle: 0x000001ec
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0041e000
process_identifier: 2684
process_handle: 0x000001ec
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00426000
process_identifier: 2684
process_handle: 0x000001ec
1 1 0

WriteProcessMemory

buffer: … <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> </assembly>PAPADDINGXXPADDINGPADDINGXXPADDING… (resource section: the "PADDINGXXPADDING" filler repeats to the end of the buffer; non-printable resource header bytes omitted)
base_address: 0x0063b000
process_identifier: 2684
process_handle: 0x000001ec
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0063c000
process_identifier: 2684
process_handle: 0x000001ec
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2684
process_handle: 0x000001ec
1 1 0

NtSetContextThread

registers.eip: 1995571652
registers.esp: 3538072
registers.edi: 0
registers.eax: 4282160
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000001f0
process_identifier: 2684
1 0 0

NtResumeThread

thread_handle: 0x000001f0
suspend_count: 1
process_identifier: 2684
1 0 0
Bkav W32.AIDetectMalware.CS
Lionic Trojan.Win32.Generic.4!c
Elastic malicious (high confidence)
Skyhigh Artemis!Trojan
Cylance Unsafe
VIPRE Trojan.GenericKD.73972987
Sangfor Trojan.Win32.Agent.V7sj
K7AntiVirus Riskware ( 00584baa1 )
BitDefender Trojan.GenericKD.73972987
K7GW Riskware ( 00584baa1 )
Arcabit Trojan.Generic.D468BCFB
VirIT Trojan.Win32.MSIL_Heur.A
Symantec ML.Attribute.HighConfidence
ESET-NOD32 Win32/Vidar.A
APEX Malicious
McAfee Artemis!744DAD327F45
Avast Win32:MalwareX-gen [Trj]
Kaspersky HEUR:Trojan-PSW.MSIL.Stealerc.gen
MicroWorld-eScan Trojan.GenericKD.73972987
Rising Stealer.Stealerc!8.17BE0 (CLOUD)
Emsisoft Trojan.GenericKD.73972987 (B)
DrWeb Trojan.DownLoader47.33260
TrendMicro Trojan.Win32.PRIVATELOADER.YXEH5Z
McAfeeD ti!B83F5EA0D9FB
FireEye Generic.mg.744dad327f45b083
Sophos Troj/MSILIn-BFQ
SentinelOne Static AI - Malicious PE
Google Detected
MAX malware (ai score=89)
Kingsoft MSIL.Trojan-PSW.Stealerc.gen
Gridinsoft Spy.Win32.Vidar.tr
Microsoft Trojan:MSIL/LummaStealer.KAO!MTB
ZoneAlarm HEUR:Trojan-PSW.MSIL.Stealerc.gen
GData Trojan.GenericKD.73972987
AhnLab-V3 Malware/Win.Generic.C5664310
BitDefenderTheta Gen:NN.ZemsilF.36812.pm2@aebN1@k
DeepInstinct MALICIOUS
Ikarus Trojan.MSIL.Injector
Panda Trj/Chgt.AD
TrendMicro-HouseCall Trojan.Win32.PRIVATELOADER.YXEH5Z
huorong Trojan/MSIL.Agent.li
Fortinet PossibleThreat.MU
AVG Win32:MalwareX-gen [Trj]
Paloalto generic.ml
CrowdStrike win/malicious_confidence_90% (D)