popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

66e8771d4d239_vfdokdf15.exe#d15

Client SW User Data Stealer LokiBot info stealer ftp Client Antivirus Malicious Library Code injection HTTP PWS Internet API Http API .NET EXE PE32 PE File AntiVM AntiDebug
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Sept. 19, 2024, 9:35 a.m. Sept. 19, 2024, 10:03 a.m.
Size 283.5KB
Type PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 3817c947e0d26bde329f7481b6d76709
SHA256 a1d7a27d0db33680df06c7b7ac1a58ba17c18843af52782f57ec7f94bb023a75
CRC32 F3F118DC
ssdeep 6144:J4C2lKti9a/UIPZHrk6BcHvJ1rOjMmmqAZMzLswInEO:J4iwerk6qHrCMmbEyABEO
PDB Path c:\dnkocftiasw38\obj\Release\' .pdb
Yara
  • PE_Header_Zero - PE File Signature
  • Antivirus - Contains references to security software
  • Is_DotNET_EXE - (no description)
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
t.me
A 149.154.167.99
149.154.167.99
steamcommunity.com
A 104.76.74.15
104.76.74.15
IP Address Status Action
104.76.74.15 Active Moloch
149.154.167.99 Active Moloch
164.124.101.2 Active Moloch
78.47.207.136 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 149.154.167.99:443 -> 192.168.56.101:49166 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49168 -> 104.76.74.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49164 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.101:49164 -> 149.154.167.99:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49164 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.101:49165 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.101:49165 -> 149.154.167.99:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49165 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 78.47.207.136:443 -> 192.168.56.101:49171 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.101:49168
104.76.74.15:443 		C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com 10:20:2b:ee:30:69:cc:b6:ac:5e:47:04:71:ca:b0:75:78:51:58:f5

Time & API Arguments Status Return Repeated

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleA

 buffer: Person 0
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 1
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 2
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 3
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 4
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 5
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 6
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 7
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 8
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 9
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 10
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 11
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 12
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 13
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 14
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 15
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 16
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 17
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 18
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 19
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 20
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 21
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 22
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 23
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 24
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 25
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 26
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 27
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 28
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 29
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 30
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 31
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 32
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 33
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 34
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 35
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 36
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 37
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 38
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 39
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 40
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 41
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 42
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 43
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 44
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 45
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 46
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 47
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 48
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Person 49
console_handle: 0x00000007
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
pdb_path c:\dnkocftiasw38\obj\Release\' .pdb
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayVersion
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
suspicious_features GET method with no useragent header suspicious_request GET https://steamcommunity.com/profiles/76561199768374681
request GET https://steamcommunity.com/profiles/76561199768374681
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 1703936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00530000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00690000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x727a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x727a2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 1310720
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b40000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00c40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003a2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003d5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003db000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003d7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003bc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00580000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003aa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02501000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2644
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x764b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2644
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75831000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2644
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00390000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2644
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73751000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2644
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74161000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2644
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73fb1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2644
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x732e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2644
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72c21000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2644
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72a51000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2644
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x729f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2644
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x728f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2644
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x728a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2644
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x727c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2644
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72881000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2644
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72861000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1452
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000004750000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
cmdline "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\EGDBFIIECBGD" & exit
cmdline C:\Windows\System32\cmd.exe /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\EGDBFIIECBGD" & exit
file C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
wmi
Time & API Arguments Status Return Repeated

ShellExecuteExW

 show_type: 0
filepath_r: C:\Windows\system32\cmd.exe
parameters: /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\EGDBFIIECBGD" & exit
filepath: C:\Windows\System32\cmd.exe
1 1 0
Time & API Arguments Status Return Repeated

Process32NextW

 snapshot_handle: 0x000005ac
process_name: RegAsm.exe
process_identifier: 2644
1 1 0

Process32NextW

 snapshot_handle: 0x000005ac
process_name: WmiPrvSE.exe
process_identifier: 2836
1 1 0
section {u'size_of_data': u'0x00043c00', u'virtual_address': u'0x00002000', u'entropy': 7.993575532856482, u'name': u'.text', u'virtual_size': u'0x00043b14'} entropy 7.99357553286 description A section with a high entropy has been found
entropy 0.990859232176 description Overall entropy of this PE file is high
url https://t.me/edm0d
url https://steamcommunity.com/profiles/76561199768374681
description Client_SW_User_Data_Stealer rule Client_SW_User_Data_Stealer
description ftp clients info stealer rule infoStealer_ftpClients_Zero
description Match Windows Http API call rule Str_Win32_Http_API
description PWS Memory rule Generic_PWS_Memory_Zero
description Communications over HTTP rule Network_HTTP
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Match Windows Inet API call rule Str_Win32_Internet_API
description Win32 PWS Loki rule Win32_PWS_Loki_m_Zero
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
cmdline "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\EGDBFIIECBGD" & exit
cmdline C:\Windows\System32\cmd.exe /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\EGDBFIIECBGD" & exit
host 78.47.207.136
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2644
region_size: 2453504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000204
1 0 0
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
file C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $?dè]^ »]^ »]^ »2(¡»E^ »2(”»R^ »2( »b^ »T&‰»X^ »T&™»M^ »Ý' º^^ »]^ »Æ^ »2(¥»M^ »2(—»\^ »Rich]^ »PEL˜äfà"  Þ>äð@p%.º@‚ÀSX˜ÀSX˜€«È%° %Ì2ð.textÝÝÞ à.rdatažÉðÊâ@@.data,H!À(¬@À.rsrc°%Ô@@.relocH %JÖ@B
base_address: 0x00400000
process_identifier: 2644
process_handle: 0x00000204
1 1 0

WriteProcessMemory

 buffer: €0€ HX%Vä<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> </assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
base_address: 0x00651000
process_identifier: 2644
process_handle: 0x00000204
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2644
process_handle: 0x00000204
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $?dè]^ »]^ »]^ »2(¡»E^ »2(”»R^ »2( »b^ »T&‰»X^ »T&™»M^ »Ý' º^^ »]^ »Æ^ »2(¥»M^ »2(—»\^ »Rich]^ »PEL˜äfà"  Þ>äð@p%.º@‚ÀSX˜ÀSX˜€«È%° %Ì2ð.textÝÝÞ à.rdatažÉðÊâ@@.data,H!À(¬@À.rsrc°%Ô@@.relocH %JÖ@B
base_address: 0x00400000
process_identifier: 2644
process_handle: 0x00000204
1 1 0
Time & API Arguments Status Return Repeated

RegQueryValueExA

 key_handle: 0x000005bc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000005bc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Enterprise 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000005bc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000005bc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: ????? ?? 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000005bc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: HttpWatch Professional 9.3.39
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000005bc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: ????? ?? 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000005bc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Google Update Helper
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000005bc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Access MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000005bc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Excel MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000005bc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office PowerPoint MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000005bc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Publisher MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000005bc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Outlook MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000005bc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Word MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000005bc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proof (English) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000005bc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proof (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000005bc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office IME (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000005bc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000005bc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Enterprise 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000005bc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office InfoPath MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000005bc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared MUI (English) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000005bc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000005bc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office OneNote MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000005bc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Groove MUI (English) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000005bc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000005bc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 ActiveX
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000005bc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 NPAPI
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000005bc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName
1 0 0
process RegAsm.exe useragent
process RegAsm.exe useragent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
Process injection Process 2552 called NtSetContextThread to modify thread in remote process 2644
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 3668132
registers.edi: 0
registers.eax: 4292580
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000200
process_identifier: 2644
1 0 0
Process injection Process 2552 resumed a thread in remote process 2644
Process injection Process 2644 resumed a thread in remote process 2928
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x00000200
suspend_count: 1
process_identifier: 2644
1 0 0

NtResumeThread

 thread_handle: 0x00000324
suspend_count: 1
process_identifier: 2928
1 0 0
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000000e4
suspend_count: 1
process_identifier: 2552
1 0 0

NtResumeThread

 thread_handle: 0x00000158
suspend_count: 1
process_identifier: 2552
1 0 0

NtResumeThread

 thread_handle: 0x00000194
suspend_count: 1
process_identifier: 2552
1 0 0

CreateProcessInternalW

 thread_identifier: 2648
thread_handle: 0x00000200
process_identifier: 2644
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
track: 1
command_line:
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000204
1 1 0

NtGetContextThread

 thread_handle: 0x00000200
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2644
region_size: 2453504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000204
1 0 0

WriteProcessMemory

 buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $?dè]^ »]^ »]^ »2(¡»E^ »2(”»R^ »2( »b^ »T&‰»X^ »T&™»M^ »Ý' º^^ »]^ »Æ^ »2(¥»M^ »2(—»\^ »Rich]^ »PEL˜äfà"  Þ>äð@p%.º@‚ÀSX˜ÀSX˜€«È%° %Ì2ð.textÝÝÞ à.rdatažÉðÊâ@@.data,H!À(¬@À.rsrc°%Ô@@.relocH %JÖ@B
base_address: 0x00400000
process_identifier: 2644
process_handle: 0x00000204
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00401000
process_identifier: 2644
process_handle: 0x00000204
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x0042f000
process_identifier: 2644
process_handle: 0x00000204
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x0043c000
process_identifier: 2644
process_handle: 0x00000204
1 1 0

WriteProcessMemory

 buffer: €0€ HX%Vä<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> </assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
base_address: 0x00651000
process_identifier: 2644
process_handle: 0x00000204
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00652000
process_identifier: 2644
process_handle: 0x00000204
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2644
process_handle: 0x00000204
1 1 0

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 3668132
registers.edi: 0
registers.eax: 4292580
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000200
process_identifier: 2644
1 0 0

NtResumeThread

 thread_handle: 0x00000200
suspend_count: 1
process_identifier: 2644
1 0 0

CreateProcessInternalW

 thread_identifier: 2932
thread_handle: 0x00000324
process_identifier: 2928
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\EGDBFIIECBGD" & exit
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000031c
1 1 0

NtResumeThread

 thread_handle: 0x00000324
suspend_count: 1
process_identifier: 2928
1 0 0

CreateProcessInternalW

 thread_identifier: 3024
thread_handle: 0x00000084
process_identifier: 3020
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\timeout.exe
track: 1
command_line: timeout /t 10
filepath_r: C:\Windows\system32\timeout.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000088
1 1 0
Bkav W32.AIDetectMalware.CS
Lionic Trojan.Win32.Stealc.l!c
CAT-QuickHeal TrojanSpy.MSIL
Skyhigh Artemis!Trojan
ALYac Gen:Variant.Jalapeno.18350
Cylance Unsafe
VIPRE Gen:Variant.Jalapeno.18350
Sangfor Infostealer.Msil.Kryptik.Vcso
CrowdStrike win/malicious_confidence_70% (D)
BitDefender Gen:Variant.Jalapeno.18350
K7GW Trojan ( 005ba0eb1 )
K7AntiVirus Trojan ( 005ba0eb1 )
Arcabit Trojan.Jalapeno.D47AE
VirIT Trojan.Win32.GenusT.DZJO
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of MSIL/GenKryptik.HBHS
APEX Malicious
Avast Win32:PWSX-gen [Trj]
ClamAV Win.Packed.Msilheracles-10036160-0
Kaspersky HEUR:Trojan-Spy.MSIL.Stealer.gen
Alibaba TrojanSpy:MSIL/Cerbu.a3742fbf
MicroWorld-eScan Gen:Variant.Jalapeno.18350
Rising Malware.Obfus/MSIL@AI.100 (RDM.MSIL2:snnxr8g8QvjrMcMwr+2hQg)
Emsisoft Gen:Variant.Jalapeno.18350 (B)
F-Secure Trojan.TR/AD.Stealc.wjmma
TrendMicro TrojanSpy.Win32.VIDAR.YXEIPZ
McAfeeD ti!A1D7A27D0DB3
CTX exe.trojan.msil
Sophos Mal/Generic-S
Ikarus Trojan-Spy.LummaStealer
FireEye Generic.mg.3817c947e0d26bde
Webroot W32.Trojan.Gen
Google Detected
Avira TR/AD.Stealc.wjmma
Kingsoft MSIL.Trojan-Spy.Stealer.gen
Gridinsoft Malware.Win32.Stealc.tr
Xcitium Malware@#4oguvcobfvvc
Microsoft Trojan:MSIL/Cerbu.AMA!MTB
ZoneAlarm HEUR:Trojan-Spy.MSIL.Stealer.gen
GData Gen:Variant.Jalapeno.18350
Varist W32/MSIL_Kryptik.LNK.gen!Eldorado
AhnLab-V3 Trojan/Win.Generic.C5670639
McAfee Artemis!3817C947E0D2
DeepInstinct MALICIOUS
VBA32 TScope.Trojan.MSIL
Malwarebytes Trojan.Downloader
Panda Trj/GdSda.A
TrendMicro-HouseCall TrojanSpy.Win32.VIDAR.YXEIPZ
Tencent Malware.Win32.Gencirc.10c0468f