popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

66ecb452ba19c_sfbdsgfd.exe

Client SW User Data Stealer Gen1 LokiBot info stealer ftp Client Generic Malware UPX Downloader Antivirus Malicious Library Malicious Packer Code injection Create Service HTTP ScreenShot Internet API Http API DGA Socket PWS
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Sept. 20, 2024, 10:33 a.m. Sept. 20, 2024, 10:54 a.m.
Size 216.4KB
Type PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 242293154c0caabd9953b0b1804926a7
SHA256 43e7575547a95e5c4d7b7ad2915c830f252ab206a0baf9691206200a644e7b94
CRC32 0C6E462F
ssdeep 6144:U/ipLSItOvhdzG9NznVfi6DN567zTMMEO:8iBS0On+V7DN567n7EO
PDB Path c:\rje\tg\v7he0fr\obj\Release\uÿ.pdb
Yara
  • PE_Header_Zero - PE File Signature
  • Antivirus - Contains references to security software
  • Is_DotNET_EXE - (no description)
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
t.me
A 149.154.167.99
149.154.167.99
steamcommunity.com
A 104.74.170.104
202.43.50.213
IP Address Status Action
104.74.170.104 Active Moloch
147.45.44.104 Active Moloch
149.154.167.99 Active Moloch
164.124.101.2 Active Moloch
46.8.231.109 Active Moloch
78.47.207.136 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49164 -> 46.8.231.109:80 2044243 ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in Malware Command and Control Activity Detected
TCP 192.168.56.103:49164 -> 46.8.231.109:80 2044244 ET MALWARE Win32/Stealc Requesting browsers Config from C2 Malware Command and Control Activity Detected
TCP 46.8.231.109:80 -> 192.168.56.103:49164 2051828 ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1 Malware Command and Control Activity Detected
TCP 192.168.56.103:49164 -> 46.8.231.109:80 2044246 ET MALWARE Win32/Stealc Requesting plugins Config from C2 Malware Command and Control Activity Detected
TCP 46.8.231.109:80 -> 192.168.56.103:49164 2051831 ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 46.8.231.109:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 46.8.231.109:80 2044303 ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 192.168.56.103:49164 -> 46.8.231.109:80 2044248 ET MALWARE Win32/Stealc Submitting System Information to C2 Malware Command and Control Activity Detected
TCP 192.168.56.103:49164 -> 46.8.231.109:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 46.8.231.109:80 2044301 ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 46.8.231.109:80 -> 192.168.56.103:49165 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 46.8.231.109:80 -> 192.168.56.103:49165 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 46.8.231.109:80 -> 192.168.56.103:49164 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 46.8.231.109:80 -> 192.168.56.103:49164 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 46.8.231.109:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 46.8.231.109:80 2044302 ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 46.8.231.109:80 -> 192.168.56.103:49165 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 46.8.231.109:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 78.47.207.136:443 -> 192.168.56.103:49187 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49180 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.103:49180 -> 149.154.167.99:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49180 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 149.154.167.99:443 -> 192.168.56.103:49182 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 46.8.231.109:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 46.8.231.109:80 2044305 ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 192.168.56.103:49165 -> 46.8.231.109:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 46.8.231.109:80 2044306 ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 192.168.56.103:49165 -> 46.8.231.109:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 46.8.231.109:80 2044307 ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 147.45.44.104:80 -> 192.168.56.103:49167 2400022 ET DROP Spamhaus DROP Listed Traffic Inbound group 23 Misc Attack
TCP 192.168.56.103:49167 -> 147.45.44.104:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 147.45.44.104:80 -> 192.168.56.103:49167 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 147.45.44.104:80 -> 192.168.56.103:49167 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 147.45.44.104:80 -> 192.168.56.103:49167 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 147.45.44.104:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 147.45.44.104:80 -> 192.168.56.103:49167 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 147.45.44.104:80 -> 192.168.56.103:49167 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.103:49181 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.103:49181 -> 149.154.167.99:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49181 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.103:49184 -> 104.74.170.104:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49181 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.103:49180 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.103:49184
104.74.170.104:443 		C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com 10:20:2b:ee:30:69:cc:b6:ac:5e:47:04:71:ca:b0:75:78:51:58:f5

Time & API Arguments Status Return Repeated

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: The system cannot find the file specified.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: Waiting for 10
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: seconds, press a key to continue ...
console_handle: 0x00000007
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
pdb_path c:\rje\tg\v7he0fr\obj\Release\uÿ.pdb
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayVersion
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://46.8.231.109/
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://46.8.231.109/c4754d4f680ead72.php
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://46.8.231.109/1309cdeb8f4c8736/nss3.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://46.8.231.109/1309cdeb8f4c8736/vcruntime140.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://147.45.44.104/prog/66ecb454d2b4a_lgfdsjgds.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://147.45.44.104/prog/66ecb44c35444_vfdhsgdf.exe
suspicious_features GET method with no useragent header suspicious_request GET https://steamcommunity.com/profiles/76561199768374681
request GET http://46.8.231.109/
request POST http://46.8.231.109/c4754d4f680ead72.php
request GET http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll
request GET http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll
request GET http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll
request GET http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll
request GET http://46.8.231.109/1309cdeb8f4c8736/nss3.dll
request GET http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll
request GET http://46.8.231.109/1309cdeb8f4c8736/vcruntime140.dll
request GET http://147.45.44.104/prog/66ecb454d2b4a_lgfdsjgds.exe
request GET http://147.45.44.104/prog/66ecb44c35444_vfdhsgdf.exe
request GET https://steamcommunity.com/profiles/76561199768374681
request POST http://46.8.231.109/c4754d4f680ead72.php
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 1880
region_size: 1507328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006b0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1880
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1880
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1880
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f62000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1880
region_size: 1638400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00cb0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1880
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00e00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1880
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00532000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1880
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005a5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1880
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005ab000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1880
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005a7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1880
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0054c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1880
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00680000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1880
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0053a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1880
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02451000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76971000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74fc1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00650000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74471000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74451000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x743e1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2132
region_size: 995328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x61e00000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74031000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7355c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7336b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x732ca000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73c42000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73253000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72fa1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2644
region_size: 458752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004f0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2644
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00520000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2644
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72901000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2644
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72902000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2644
region_size: 1114112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006f0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2644
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2644
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00562000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2644
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005d5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2644
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005db000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2644
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005d7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2644
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005bc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2644
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00760000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2644
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0056a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2644
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02461000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2844
region_size: 917504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00600000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2844
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2844
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72901000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2844
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72902000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2844
region_size: 720896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01fd0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2844
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02040000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2844
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00472000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2844
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004e5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Local Extension Settings\djclckkglechooblngghdinmeemkbgci\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\apenkfbbpmhihehmihndmmcdanacolnh\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fil\messages.json\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\ciojocpkclfflombbcfigcijjcbkmhaf\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opfgelmcmbiajamepnmloijbpoleiama\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\sv\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\fiikommddbeccaoicoejoniammnalkfa\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\oboonakemofpalcgghocfoadofidjkkk\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbb\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOCK\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\8620.824.0.0_0\_locales\fa\messages.json\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\bfogiafebfohielmmehodmfbbebbbpei\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000001\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\naepdomgkenhinolocfifgehidddafch\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\omaabbefbmiijedngplfjmnooppbclkk\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\bmikpgodpkclnkgmnpphehdgcimmided\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\fdjamakpfbbddfjaooikfcpapjohcfmg\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch\CURRENT
file C:\Users\test22IIJJDGHJKK.exe
file C:\ProgramData\freebl3.dll
file C:\ProgramData\msvcp140.dll
file C:\Users\test22HCGCAAKJDH.exe
file C:\ProgramData\nss3.dll
file C:\ProgramData\vcruntime140.dll
file C:\ProgramData\mozglue.dll
file C:\ProgramData\softokn3.dll
cmdline "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\CFBAKKJDBKJJ" & exit
cmdline C:\Windows\System32\cmd.exe /c start "" "C:\Users\test22HCGCAAKJDH.exe"
cmdline C:\Windows\System32\cmd.exe /c start "" "C:\Users\test22IIJJDGHJKK.exe"
cmdline C:\Windows\System32\cmd.exe /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\CFBAKKJDBKJJ" & exit
cmdline "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\test22IIJJDGHJKK.exe"
cmdline "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\test22HCGCAAKJDH.exe"
file C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
file C:\Users\test22IIJJDGHJKK.exe
file C:\Users\test22HCGCAAKJDH.exe
wmi
Time & API Arguments Status Return Repeated

ShellExecuteExW

 show_type: 0
filepath_r: C:\Windows\system32\cmd.exe
parameters: /c start "" "C:\Users\test22IIJJDGHJKK.exe"
filepath: C:\Windows\System32\cmd.exe
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: C:\Windows\system32\cmd.exe
parameters: /c start "" "C:\Users\test22HCGCAAKJDH.exe"
filepath: C:\Windows\System32\cmd.exe
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: C:\Windows\system32\cmd.exe
parameters: /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\CFBAKKJDBKJJ" & exit
filepath: C:\Windows\System32\cmd.exe
1 1 0
Time & API Arguments Status Return Repeated

Process32NextW

 snapshot_handle: 0x0000032c
process_name: RegAsm.exe
process_identifier: 2132
1 1 0

Process32NextW

 snapshot_handle: 0x000005bc
process_name: cmd.exe
process_identifier: 3028
1 1 0

Process32NextW

 snapshot_handle: 0x000005bc
process_name: conhost.exe
process_identifier: 3036
1 1 0

Process32NextW

 snapshot_handle: 0x000005bc
process_name: pw.exe
process_identifier: 3060
1 1 0
Time & API Arguments Status Return Repeated

InternetReadFile

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL×Ýc’¿à! &  @ àa0: Ð ˆ* Ð 0 ¨@ <   Ð.text„% & `P`.data|'@ (, @`À.rdatapDp FT @`@.bss(À €`À.edataˆ*Ð ,š @0@.idataÐ Æ @0À.CRT, Ô @0À.tls Ö @0À.rsrc¨0 Ø @0À.reloc<@ >Þ @0B/48€  @@B/19RȐ Ê" @B/31]'`(ì @B/45š-.@B/57\ À B@0B/70#ÐN@B/81
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"! 4pÐ Ëý @AH S› Ȑ xF P/  ð#”   ¤ @.text•  `.rdataÄ @@.data<F0  @À.00cfg€  @@.rsrcx  @@.relocð#  $" @B
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL¤4cà"! ¶^À¹€ jª @A`ãWä·, ° P/0 ØAS¼øhРì¼ÜäZ.textaµ¶ `.rdata” Ð º@@.dataDàÄ@À.00cfg È@@.tls Ê@À.rsrc° Ì@@.relocØA0 BÖ@B
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ٓ1Cò_ò_ò_)n°Ÿò_”ŠÌ‹ò_ò^"ò_Ϛ^žò_Ϛ\•ò_Ϛ[Óò_ϚZÑò_Ϛ_œò_Ϛ œò_Ϛ]œò_Richò_PEL‚ê0]à"! (‚`Ù@ ð,à@Ag‚Ïèr ðœèA°¬=`x8¸w@päÀc@.text’&( `.dataH)@,@À.idata¬pD@@.didat4X@À.rsrcð Z@@.reloc¬=°>^@B
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELÐ4cà"! Ø.`£pl- @Aä&úÞÄ@Px P/`\°ð |Ê\€&@.text‰×Ø `.rdatalïððÜ@@.dataDRà.Ì@À.00cfg@ú@@.rsrcxPü@@.reloc\` @B
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"! ÌðPÏSg@ADvS—wð°€ÀP/ÀÈ58qà {Œ.text&ËÌ `.rdataÔ«à¬Ð@@.data˜ |@À.00cfg „@@.rsrc€°†@@.relocÈ5À6Š@B
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZÿÿ¸@躴 Í!¸LÍ!This program cannot be run in DOS mode. $ÀÅäՄ¤Š†„¤Š†„¤Š†08e††¤Š†Ü†¤Š†„¤‹†¬¤Š†Ö̉‡—¤Š†Ö̎‡¤Š†Ö̏‡Ÿ¤Š†Ö̊‡…¤Š†ÖÌu†…¤Š†Ö̈‡…¤Š†Rich„¤Š†PEL|ê0]à"! ސÙð 0Ôm@Aàã ¸ŒúðA  € 8¸ @´.textôÜÞ `.dataôðâ@À.idata„ä@@.rsrcê@@.reloc  î@B
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELn²ìfà  2~Q `@  `…,QO`Ðxe(&€ ôO  H.text„1 2 `.rsrcÐ`4@@.reloc €:@B`QHàA VeOàz?ZËÃ#胅Àîbât±HxK„˜“À÷ý+ò,¹®¼57°‡>1G2é%jõÿËþÀuò¸-”EÇ·mRšU†Ýø-6WÈ4œbW²®¯5ã>B¡]Ó§ ⅰs¶Ãf'¯(o¶ýÇ}¿á½k¼Pýåq>j’ÊŽä][T«‘ÆÛ  ‡.ÄÈù¥ÑsŠp}HT-o8.Œñ^šŸ”Ðp°²ÕK7?Ãn‰tEK>^åŒ8p¸Ñ‚Ì¥Ûñ+ bWŒöî‹{:S­¹üjÇZê®Ð£Ü¹ªzd2ãi¤ã­ôî§65¹u |¿vUy1¸®ø#6žëñP·’}÷$ފK¿†\XÖ¢óû$´ÒZÛD ýÒöX×qK…^ ÆI>éLàj’v¾ý´-Hæ-¨KÛÁ„E´Gëƙ×)rª²CŽ,y-^6²Ïòٍ‰ ~MJ)‹'ÀêÓK¤Ë ›"pÕ5¸óË9öšÞA¯“0‰Õ—sCUÃÛ=¦ìáïœ÷FYy±±B µwëÙÉ~° ÄJÕ¶«qF:Yt
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL‡²ìfà  :~Y `@  `…,YO`Ðxm(&€ ôW  H.text„9 : `.rsrcÐ`<@@.reloc €B@B`YHàI ÆI©×­v ‰éY»ú¦nqgzæ2ÉՅ}l?#âBk°jޑNE•ñZÃD)Z qPr‡þ€2¾?o0¿xj)„b9 ¶âò\vωÁ¤*æMËÛÓù ;T‘ò‚–¦S=k‡ˆì‹ZúñËmx­F»Ê™ÈötJkìC½jZnP«ÿðY…aXv´¾DE|Ռªš!$0™±¤}α) d:údL&GÇsPi½;N"á`N@8)¬œnðEá<÷»zÞԘ«êlØg¬p ]OJô9×÷%]ëDÝYb„e?˜T!ÎUª"Á´èàÐiЕný ³©½JOaLïJñ¯ ÿÑ$X3ՆÏUX½œErrz/Ó+ãŕĉ}ø‚¨^&`Zÿ~ný‰%FÍRŠÉ0~FHdZäyÒ`ªá‰‰íâb/ވϒse=›yÿä”#/ÆH¡b _™H(ߤyÕÿ¾ù€âž¯C·“p¾â£K¯v¸ñ¾ÅPuÑ<½¸ÐeÁ©FTÞó—ySW½_7…ÞÕ¡2e –·Š Ð4·€†
request_handle: 0x00cc000c
1 1 0
section {u'size_of_data': u'0x00030800', u'virtual_address': u'0x00002000', u'entropy': 7.991479881280195, u'name': u'.text', u'virtual_size': u'0x00030784'} entropy 7.99147988128 description A section with a high entropy has been found
entropy 0.989795918367 description Overall entropy of this PE file is high
url https://t.me/edm0d
url https://steamcommunity.com/profiles/76561199768374681
description Client_SW_User_Data_Stealer rule Client_SW_User_Data_Stealer
description ftp clients info stealer rule infoStealer_ftpClients_Zero
description Match Windows Http API call rule Str_Win32_Http_API
description PWS Memory rule Generic_PWS_Memory_Zero
description Communications over HTTP rule Network_HTTP
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Match Windows Inet API call rule Str_Win32_Internet_API
description Win32 PWS Loki rule Win32_PWS_Loki_m_Zero
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Client_SW_User_Data_Stealer rule Client_SW_User_Data_Stealer
description ftp clients info stealer rule infoStealer_ftpClients_Zero
description Match Windows Http API call rule Str_Win32_Http_API
description PWS Memory rule Generic_PWS_Memory_Zero
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Create a windows service rule Create_Service
cmdline "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\CFBAKKJDBKJJ" & exit
cmdline C:\Windows\System32\cmd.exe /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\CFBAKKJDBKJJ" & exit
host 147.45.44.104
host 46.8.231.109
host 78.47.207.136
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2132
region_size: 2371584
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000234
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2960
region_size: 380928
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000230
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1552
region_size: 2453504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000230
1 0 0
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

 information_class: 8 (SystemProcessorPerformanceInformation)
1 0 0
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
file C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@躴 Í!¸LÍ!This program cannot be run in DOS mode. $¢b›åæõ¶æõ¶æõ¶‰u^¶þõ¶‰uk¶ëõ¶‰u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶‰uZ¶ôõ¶‰uh¶çõ¶Richæõ¶PEL ×Þfà  ÈB"dà@0$@È©<à#|$àô.textJÆÈ à.rdataÞÎàÐÌ@@.data”+!° œ@À.reloc*Dà#F¨@B
base_address: 0x00400000
process_identifier: 2132
process_handle: 0x00000234
1 1 0

WriteProcessMemory

 buffer: LáA.?AVtype_info@@Næ@»±¿D        ! 5A CPR S WY l m pr €  ‚ ƒ„ ‘)ž ¡¤ § ·Î×   “ÿÿÿÿÿÿÿÿŽÈAŽÈAŽÈAŽÈAŽÈAŽÈAŽÈAŽÈAŽÈAŽÈAC$÷A ÷A÷A÷A÷A÷A ÷A÷AüöAôöAèöAÜöAÔöAÈöAÄöAÀöA¼öA¸öA´öA°öA¬öA¨öA¤öA öAœöA˜öAöA„öA|öAtöA´öAlöAdöA\öAPöAHöA<öA0öA,öA(öAöAöAüõA ôõAìõAäõAÜõAÔõAÌõAÄõA´õA¤õA”õA€õAlõA\õAHõA@õA8õA0õA(õA õAõAõAõAõAøôAðôAèôAØôAÄôA¸ôA¬ôA õA ôA”ôA„ôApôA`ôALôA8ôA0ôA(ôAôAìóAØóA³B³B³B³B³BȺB¨øA0ýA°þA³Bx´B abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZXµB¤`‚y‚!¦ß¡¥Ÿàü@~€ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þÿÿÿÿ€ þÿÿÿ¬úA..ÀºBŒÈBŒÈBŒÈBŒÈBŒÈBŒÈBŒÈBŒÈBŒÈBĺBÈBÈBÈBÈBÈBÈBÈBȺB¨øAªúA.LáA.?AVlogic_error@std@@LáA.?AVlength_error@std@@LáA.?AVout_of_range@std@@LáA.?AVexception@std@@LáA.?AVbad_alloc@std@@
base_address: 0x0042b000
process_identifier: 2132
process_handle: 0x00000234
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2132
process_handle: 0x00000234
1 1 0

WriteProcessMemory

 buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL„Ïêfà 6ÞpÌ@Ð@…ªyx€ØJÌz¨.text46 `.rdataÑ-P.:@@.data÷€dh@À.relocØJ€LÌ@B
base_address: 0x00400000
process_identifier: 2960
process_handle: 0x00000230
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2960
process_handle: 0x00000230
1 1 0

WriteProcessMemory

 buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $?dè]^ »]^ »]^ »2(¡»E^ »2(”»R^ »2( »b^ »T&‰»X^ »T&™»M^ »Ý' º^^ »]^ »Æ^ »2(¥»M^ »2(—»\^ »Rich]^ »PEL5}èfà"  Þ>äð@p%“@‚ÀSX˜ÀSX˜€«È%° %Ì2ð.textÝÝÞ à.rdatažÉðÊâ@@.data,H!À(¬@À.rsrc°%Ô@@.relocH %JÖ@B
base_address: 0x00400000
process_identifier: 1552
process_handle: 0x00000230
1 1 0

WriteProcessMemory

 buffer: €0€ HX%Vä<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> </assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
base_address: 0x00651000
process_identifier: 1552
process_handle: 0x00000230
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 1552
process_handle: 0x00000230
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@躴 Í!¸LÍ!This program cannot be run in DOS mode. $¢b›åæõ¶æõ¶æõ¶‰u^¶þõ¶‰uk¶ëõ¶‰u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶‰uZ¶ôõ¶‰uh¶çõ¶Richæõ¶PEL ×Þfà  ÈB"dà@0$@È©<à#|$àô.textJÆÈ à.rdataÞÎàÐÌ@@.data”+!° œ@À.reloc*Dà#F¨@B
base_address: 0x00400000
process_identifier: 2132
process_handle: 0x00000234
1 1 0

WriteProcessMemory

 buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL„Ïêfà 6ÞpÌ@Ð@…ªyx€ØJÌz¨.text46 `.rdataÑ-P.:@@.data÷€dh@À.relocØJ€LÌ@B
base_address: 0x00400000
process_identifier: 2960
process_handle: 0x00000230
1 1 0

WriteProcessMemory

 buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $?dè]^ »]^ »]^ »2(¡»E^ »2(”»R^ »2( »b^ »T&‰»X^ »T&™»M^ »Ý' º^^ »]^ »Æ^ »2(¥»M^ »2(—»\^ »Rich]^ »PEL5}èfà"  Þ>äð@p%“@‚ÀSX˜ÀSX˜€«È%° %Ì2ð.textÝÝÞ à.rdatažÉðÊâ@@.data,H!À(¬@À.rsrc°%Ô@@.relocH %JÖ@B
base_address: 0x00400000
process_identifier: 1552
process_handle: 0x00000230
1 1 0
Time & API Arguments Status Return Repeated

RegQueryValueExA

 key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 7-Zip 20.02 alpha
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe AIR
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: ????? ?? 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Mozilla Thunderbird 78.4.0 (x86 ko)
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Professional Plus 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe AIR
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: HttpWatch Professional 9.3.39
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: ????? ?? 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Java 8 Update 131
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Java Auto Updater
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Google Update Helper
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Access MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Excel MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft PowerPoint MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Publisher MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Outlook MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Word MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing Tools 2013 - English
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Outils de vérification linguistique 2013 de Microsoft Office - Français
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing Tools 2013 - Español
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft InfoPath MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft DCF MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft OneNote MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Groove MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office OSM MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office OSM UX MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared Setup Metadata MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Access Setup Metadata MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Lync MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Professional Plus 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 ActiveX
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 NPAPI
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Acrobat Reader DC MUI
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 7-Zip 20.02 alpha
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe AIR
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: ????? ?? 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Mozilla Thunderbird 78.4.0 (x86 ko)
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Professional Plus 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe AIR
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: HttpWatch Professional 9.3.39
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: ????? ?? 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Java 8 Update 131
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000005cc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Java Auto Updater
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName
1 0 0
file C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob
process RegAsm.exe useragent
process RegAsm.exe useragent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
Process injection Process 1880 called NtSetContextThread to modify thread in remote process 2132
Process injection Process 2644 called NtSetContextThread to modify thread in remote process 2960
Process injection Process 2844 called NtSetContextThread to modify thread in remote process 1552
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2005598660
registers.esp: 2555888
registers.edi: 0
registers.eax: 4285584
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000230
process_identifier: 2132
1 0 0

NtSetContextThread

 registers.eip: 2005598660
registers.esp: 3931808
registers.edi: 0
registers.eax: 4246640
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000234
process_identifier: 2960
1 0 0

NtSetContextThread

 registers.eip: 2005598660
registers.esp: 1374728
registers.edi: 0
registers.eax: 4292580
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000022c
process_identifier: 1552
1 0 0
Process injection Process 1880 resumed a thread in remote process 2132
Process injection Process 2132 resumed a thread in remote process 2560
Process injection Process 2132 resumed a thread in remote process 2760
Process injection Process 2560 resumed a thread in remote process 2644
Process injection Process 2644 resumed a thread in remote process 2960
Process injection Process 2760 resumed a thread in remote process 2844
Process injection Process 2844 resumed a thread in remote process 1552
Process injection Process 1552 resumed a thread in remote process 1688
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x00000230
suspend_count: 1
process_identifier: 2132
1 0 0

NtResumeThread

 thread_handle: 0x00000574
suspend_count: 1
process_identifier: 2560
1 0 0

NtResumeThread

 thread_handle: 0x0000056c
suspend_count: 1
process_identifier: 2760
1 0 0

NtResumeThread

 thread_handle: 0x00000084
suspend_count: 0
process_identifier: 2644
1 0 0

NtResumeThread

 thread_handle: 0x00000234
suspend_count: 1
process_identifier: 2960
1 0 0

NtResumeThread

 thread_handle: 0x00000084
suspend_count: 0
process_identifier: 2844
1 0 0

NtResumeThread

 thread_handle: 0x0000022c
suspend_count: 1
process_identifier: 1552
1 0 0

NtResumeThread

 thread_handle: 0x0000031c
suspend_count: 1
process_identifier: 1688
1 0 0
Bkav W32.AIDetectMalware.CS
ALYac Gen:Variant.MSILHeracles.178954
Cylance Unsafe
VIPRE Gen:Variant.MSILHeracles.178954
BitDefender Gen:Variant.MSILHeracles.178954
Arcabit Trojan.MSILHeracles.D2BB0A
VirIT Trojan.Win32.MSIL_Heur.A
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of MSIL/GenKryptik.HBVP
APEX Malicious
Avast Win32:PWSX-gen [Trj]
ClamAV Win.Packed.Pwsx-10035189-0
MicroWorld-eScan Gen:Variant.MSILHeracles.178954
Rising Malware.Obfus/MSIL@AI.83 (RDM.MSIL2:QxGNL11NdJKkNq2/gtlu9w)
Emsisoft Gen:Variant.MSILHeracles.178954 (B)
CTX exe.unknown.msilheracles
SentinelOne Static AI - Malicious PE
FireEye Generic.mg.242293154c0caabd
Google Detected
Gridinsoft Trojan.Win32.Packed.dd!ni
Microsoft Trojan:Win32/Wacatac.B!ml
GData Gen:Variant.MSILHeracles.178954
Varist W32/MSIL_Agent.ILW.gen!Eldorado
DeepInstinct MALICIOUS
Ikarus Trojan-Spy.LummaStealer
huorong Trojan/MSIL.Agent.li
Fortinet MSIL/GenKryptik.HBSY!tr
AVG Win32:PWSX-gen [Trj]
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000000e4
suspend_count: 1
process_identifier: 1880
1 0 0

NtResumeThread

 thread_handle: 0x00000158
suspend_count: 1
process_identifier: 1880
1 0 0

NtResumeThread

 thread_handle: 0x00000198
suspend_count: 1
process_identifier: 1880
1 0 0

NtResumeThread

 thread_handle: 0x00000204
suspend_count: 1
process_identifier: 1880
1 0 0

NtResumeThread

 thread_handle: 0x00000218
suspend_count: 1
process_identifier: 1880
1 0 0

CreateProcessInternalW

 thread_identifier: 2136
thread_handle: 0x00000230
process_identifier: 2132
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
track: 1
command_line:
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000234
1 1 0

NtGetContextThread

 thread_handle: 0x00000230
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2132
region_size: 2371584
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000234
1 0 0

WriteProcessMemory

 buffer: MZÿÿ¸@躴 Í!¸LÍ!This program cannot be run in DOS mode. $¢b›åæõ¶æõ¶æõ¶‰u^¶þõ¶‰uk¶ëõ¶‰u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶‰uZ¶ôõ¶‰uh¶çõ¶Richæõ¶PEL ×Þfà  ÈB"dà@0$@È©<à#|$àô.textJÆÈ à.rdataÞÎàÐÌ@@.data”+!° œ@À.reloc*Dà#F¨@B
base_address: 0x00400000
process_identifier: 2132
process_handle: 0x00000234
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00401000
process_identifier: 2132
process_handle: 0x00000234
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x0041e000
process_identifier: 2132
process_handle: 0x00000234
1 1 0

WriteProcessMemory

 buffer: LáA.?AVtype_info@@Næ@»±¿D        ! 5A CPR S WY l m pr €  ‚ ƒ„ ‘)ž ¡¤ § ·Î×   “ÿÿÿÿÿÿÿÿŽÈAŽÈAŽÈAŽÈAŽÈAŽÈAŽÈAŽÈAŽÈAŽÈAC$÷A ÷A÷A÷A÷A÷A ÷A÷AüöAôöAèöAÜöAÔöAÈöAÄöAÀöA¼öA¸öA´öA°öA¬öA¨öA¤öA öAœöA˜öAöA„öA|öAtöA´öAlöAdöA\öAPöAHöA<öA0öA,öA(öAöAöAüõA ôõAìõAäõAÜõAÔõAÌõAÄõA´õA¤õA”õA€õAlõA\õAHõA@õA8õA0õA(õA õAõAõAõAõAøôAðôAèôAØôAÄôA¸ôA¬ôA õA ôA”ôA„ôApôA`ôALôA8ôA0ôA(ôAôAìóAØóA³B³B³B³B³BȺB¨øA0ýA°þA³Bx´B abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZXµB¤`‚y‚!¦ß¡¥Ÿàü@~€ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þÿÿÿÿ€ þÿÿÿ¬úA..ÀºBŒÈBŒÈBŒÈBŒÈBŒÈBŒÈBŒÈBŒÈBŒÈBĺBÈBÈBÈBÈBÈBÈBÈBȺB¨øAªúA.LáA.?AVlogic_error@std@@LáA.?AVlength_error@std@@LáA.?AVout_of_range@std@@LáA.?AVexception@std@@LáA.?AVbad_alloc@std@@
base_address: 0x0042b000
process_identifier: 2132
process_handle: 0x00000234
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x0063e000
process_identifier: 2132
process_handle: 0x00000234
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2132
process_handle: 0x00000234
1 1 0

NtSetContextThread

 registers.eip: 2005598660
registers.esp: 2555888
registers.edi: 0
registers.eax: 4285584
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000230
process_identifier: 2132
1 0 0

NtResumeThread

 thread_handle: 0x00000230
suspend_count: 1
process_identifier: 2132
1 0 0

CreateProcessInternalW

 thread_identifier: 2564
thread_handle: 0x00000574
process_identifier: 2560
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\test22IIJJDGHJKK.exe"
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000056c
1 1 0

NtResumeThread

 thread_handle: 0x00000574
suspend_count: 1
process_identifier: 2560
1 0 0

CreateProcessInternalW

 thread_identifier: 2764
thread_handle: 0x0000056c
process_identifier: 2760
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\test22HCGCAAKJDH.exe"
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000570
1 1 0

NtResumeThread

 thread_handle: 0x0000056c
suspend_count: 1
process_identifier: 2760
1 0 0

CreateProcessInternalW

 thread_identifier: 2648
thread_handle: 0x00000084
process_identifier: 2644
current_directory:
filepath: C:\Users\test22IIJJDGHJKK.exe
track: 1
command_line: "C:\Users\test22IIJJDGHJKK.exe"
filepath_r: C:\Users\test22IIJJDGHJKK.exe
stack_pivoted: 0
creation_flags: 525328 (CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000088
1 1 0

NtResumeThread

 thread_handle: 0x00000084
suspend_count: 0
process_identifier: 2644
1 0 0

NtResumeThread

 thread_handle: 0x000000e4
suspend_count: 1
process_identifier: 2644
1 0 0

NtResumeThread

 thread_handle: 0x0000015c
suspend_count: 1
process_identifier: 2644
1 0 0

NtResumeThread

 thread_handle: 0x00000198
suspend_count: 1
process_identifier: 2644
1 0 0

NtResumeThread

 thread_handle: 0x000001fc
suspend_count: 1
process_identifier: 2644
1 0 0

NtResumeThread

 thread_handle: 0x0000021c
suspend_count: 1
process_identifier: 2644
1 0 0

CreateProcessInternalW

 thread_identifier: 2964
thread_handle: 0x00000234
process_identifier: 2960
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
track: 1
command_line:
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000230
1 1 0

NtGetContextThread

 thread_handle: 0x00000234
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2960
region_size: 380928
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000230
1 0 0

WriteProcessMemory

 buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL„Ïêfà 6ÞpÌ@Ð@…ªyx€ØJÌz¨.text46 `.rdataÑ-P.:@@.data÷€dh@À.relocØJ€LÌ@B
base_address: 0x00400000
process_identifier: 2960
process_handle: 0x00000230
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00401000
process_identifier: 2960
process_handle: 0x00000230
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00445000
process_identifier: 2960
process_handle: 0x00000230
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00448000
process_identifier: 2960
process_handle: 0x00000230
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00458000
process_identifier: 2960
process_handle: 0x00000230
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2960
process_handle: 0x00000230
1 1 0

NtSetContextThread

 registers.eip: 2005598660
registers.esp: 3931808
registers.edi: 0
registers.eax: 4246640
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000234
process_identifier: 2960
1 0 0

NtResumeThread

 thread_handle: 0x00000234
suspend_count: 1
process_identifier: 2960
1 0 0

CreateProcessInternalW

 thread_identifier: 2848
thread_handle: 0x00000084
process_identifier: 2844
current_directory:
filepath: C:\Users\test22HCGCAAKJDH.exe
track: 1
command_line: "C:\Users\test22HCGCAAKJDH.exe"
filepath_r: C:\Users\test22HCGCAAKJDH.exe
stack_pivoted: 0
creation_flags: 525328 (CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000088
1 1 0

NtResumeThread

 thread_handle: 0x00000084
suspend_count: 0
process_identifier: 2844
1 0 0

NtResumeThread

 thread_handle: 0x000000e4
suspend_count: 1
process_identifier: 2844
1 0 0

NtResumeThread

 thread_handle: 0x00000158
suspend_count: 1
process_identifier: 2844
1 0 0

NtResumeThread

 thread_handle: 0x0000019c
suspend_count: 1
process_identifier: 2844
1 0 0

NtResumeThread

 thread_handle: 0x00000200
suspend_count: 1
process_identifier: 2844
1 0 0

NtResumeThread

 thread_handle: 0x00000218
suspend_count: 1
process_identifier: 2844
1 0 0

CreateProcessInternalW

 thread_identifier: 1740
thread_handle: 0x0000022c
process_identifier: 1552
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
track: 1
command_line:
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000230
1 1 0

NtGetContextThread

 thread_handle: 0x0000022c
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1552
region_size: 2453504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000230
1 0 0

WriteProcessMemory

 buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $?dè]^ »]^ »]^ »2(¡»E^ »2(”»R^ »2( »b^ »T&‰»X^ »T&™»M^ »Ý' º^^ »]^ »Æ^ »2(¥»M^ »2(—»\^ »Rich]^ »PEL5}èfà"  Þ>äð@p%“@‚ÀSX˜ÀSX˜€«È%° %Ì2ð.textÝÝÞ à.rdatažÉðÊâ@@.data,H!À(¬@À.rsrc°%Ô@@.relocH %JÖ@B
base_address: 0x00400000
process_identifier: 1552
process_handle: 0x00000230
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00401000
process_identifier: 1552
process_handle: 0x00000230
1 1 0