Summary | ZeroBOX

vhajeja.txt

Category FILE
Machine s1_win7_x3201
Started March 17, 2021, 11:33 p.m.
Completed March 17, 2021, 11:36 p.m.
Size 7.0MB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 2e9820ecd1baa3220c65cfede97c119d
SHA256 3eec2f0cec06aaf7f41a67bfff612f25c821ed90f47d49afd0b6a6d799ae516c
CRC32 FDE8D4B9
ssdeep 6144:qEvaYlFt2R69NYi3gn0qkBR4Sotx55fuwJiF1hn2sW8/EE4gKSvC/9lGgS1bAGqr:U
Yara
  • PE_Header_Zero - PE File Signature Zero
  • keylogger - Run a keylogger
  • IsPE32 - (no description)
  • IsNET_EXE - (no description)
  • IsWindowsGUI - (no description)

Name Response Post-Analysis Lookup
MLRyfdAYch.MLRyfdAYch

IP Address Status Action
164.124.101.2 Active Moloch
45.139.236.102 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameA

computer_name: WIN7-PC
1 1 0

GetComputerNameW

computer_name: WIN7-PC
1 1 0

GetComputerNameW

computer_name: WIN7-PC
1 1 0

GetComputerNameW

computer_name: WIN7-PC
1 1 0

GetComputerNameW

computer_name: WIN7-PC
1 1 0

GetComputerNameW

computer_name: WIN7-PC
1 1 0

GetComputerNameW

computer_name: WIN7-PC
1 1 0

GetComputerNameW

computer_name: WIN7-PC
1 1 0

GetComputerNameW

computer_name: WIN7-PC
1 1 0

GetComputerNameW

computer_name: WIN7-PC
1 1 0

GetComputerNameW

computer_name: WIN7-PC
1 1 0

GetComputerNameW

computer_name: WIN7-PC
1 1 0

GetComputerNameW

computer_name: WIN7-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: 초 기다리는 중, 계속하려면 아무 키가 누르십시오 ...
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: 'iZUbXiGh'은(는) 내부 또는 외부 명령, 실행할 수 있는 프로그램, 또는 배치 파일이 아닙니다.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: 입력 길이 = 41022
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: 출력 길이 = 29204
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: CertUtil: -decode 명령이 성공적으로 완료되었습니다.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Microsoft Windows [Version 6.1.7601]
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Copyright (c) 2009 Microsoft Corporation. All rights reserved.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\ADMINI~1\AppData\Local\Temp\IXP000.TMP>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Set BtgSS=U
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\ADMINI~1\AppData\Local\Temp\IXP000.TMP>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: ruCphpWhHwtZvAWCrPjEVuOfALHqEkMdmespGPbyjjKPUbDEEBleGTQXshICCWJcgOAzoMWhauaIcZxri
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: 'ruCphpWhHwtZvAWCrPjEVuOfALHqEkMdmespGPbyjjKPUbDEEBleGTQXshICCWJcgOAzoMWhauaIcZxri'은(는) 내부 또는 외부 명령, 실행할 수 있는 프로그램, 또는 배치 파일이 아닙니다.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: C:\Users\ADMINI~1\AppData\Local\Temp\IXP000.TMP>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: cewJKFjzSaiUDdDfByXpcRFWKmBoCaTFc
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: 'cewJKFjzSaiUDdDfByXpcRFWKmBoCaTFc'은(는) 내부 또는 외부 명령, 실행할 수 있는 프로그램, 또는 배치 파일이 아닙니다.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: C:\Users\ADMINI~1\AppData\Local\Temp\IXP000.TMP>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: AGzFtUiOUEubDwtunfyXGEbtYlttRAmBmrPXVVqeeHWqPhVmrcTDAbSWofGTQrXx
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: 'AGzFtUiOUEubDwtunfyXGEbtYlttRAmBmrPXVVqeeHWqPhVmrcTDAbSWofGTQrXx'은(는) 내부 또는 외부 명령, 실행할 수 있는 프로그램, 또는 배치 파일이 아닙니다.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: C:\Users\ADMINI~1\AppData\Local\Temp\IXP000.TMP>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: FXAjikCgeVZHvgLfEwcGVwekTOGfijYKCVlfc
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: 'FXAjikCgeVZHvgLfEwcGVwekTOGfijYKCVlfc'은(는) 내부 또는 외부 명령, 실행할 수 있는 프로그램, 또는 배치 파일이 아닙니다.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: C:\Users\ADMINI~1\AppData\Local\Temp\IXP000.TMP>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: VlsfbCSgMqUDjeBOpEVgazFjuQWfyAtcUdykgFDmaFeFxDqW
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: 'VlsfbCSgMqUDjeBOpEVgazFjuQWfyAtcUdykgFDmaFeFxDqW'은(는) 내부 또는 외부 명령, 실행할 수 있는 프로그램, 또는 배치 파일이 아닙니다.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: C:\Users\ADMINI~1\AppData\Local\Temp\IXP000.TMP>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: OLFxuVCFtoHFDpkWnJVWdmEqcWNdZSDPZudPnwOcC
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: 'OLFxuVCFtoHFDpkWnJVWdmEqcWNdZSDPZudPnwOcC'은(는) 내부 또는 외부 명령, 실행할 수 있는 프로그램, 또는 배치 파일이 아닙니다.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: C:\Users\ADMINI~1\AppData\Local\Temp\IXP000.TMP>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Set pvWUOvRJ=t
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\ADMINI~1\AppData\Local\Temp\IXP000.TMP>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: yqSgiEYpokFjFRGvSvbbUAzJfitBismdWJKZgeHTeEjdqXRthaDxknZFGoYZmbeRMgdVuGoPOExdheJadqhPNtybKyz
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: 'yqSgiEYpokFjFRGvSvbbUAzJfitBismdWJKZgeHTeEjdqXRthaDxknZFGoYZmbeRMgdVuGoPOExdheJadqhPNtybKyz'은(는) 내부 또는 외부 명령, 실행할 수 있는 프로그램, 또는 배치 파일이 아닙니다.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: C:\Users\ADMINI~1\AppData\Local\Temp\IXP000.TMP>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: rIzFCcELGVXGpNGHtIsDmFImpjrHpSkwhrMyl
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: 'rIzFCcELGVXGpNGHtIsDmFImpjrHpSkwhrMyl'은(는) 내부 또는 외부 명령, 실행할 수 있는 프로그램, 또는 배치 파일이 아닙니다.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: C:\Users\ADMINI~1\AppData\Local\Temp\IXP000.TMP>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: ORnXMceGFZbnzwNQFbZUcfsXCNKWzuwBvgUAtBThbCHtpLnphbbgydznmBcYLuhmYWwtujLrDMvSIhNRgAIVI
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: 'ORnXMceGFZbnzwNQFbZUcfsXCNKWzuwBvgUAtBThbCHtpLnphbbgydznmBcYLuhmYWwtujLrDMvSIhNRgAIVI'은(는) 내부 또는 외부 명령, 실행할 수 있는 프로그램, 또는 배치 파일이 아닙니다.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: C:\Users\ADMINI~1\AppData\Local\Temp\IXP000.TMP>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: cuVvwDuVCdfiuhKxeqMzKzTAQkNDJlbsQkAUpKkiXIpyDAiAiUbIpfwehcFPQCjsTXsUMPksOFvepNWft
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: 'cuVvwDuVCdfiuhKxeqMzKzTAQkNDJlbsQkAUpKkiXIpyDAiAiUbIpfwehcFPQCjsTXsUMPksOFvepNWft'은(는) 내부 또는 외부 명령, 실행할 수 있는 프로그램, 또는 배치 파일이 아닙니다.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: C:\Users\ADMINI~1\AppData\Local\Temp\IXP000.TMP>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: vOMPoBlnHOyvdxvRjGpjNsJyTETZSmndKDybFtPPKgovjag
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: 'vOMPoBlnHOyvdxvRjGpjNsJyTETZSmndKDybFtPPKgovjag'은(는) 내부 또는 외부 명령, 실행할 수 있는 프로그램, 또는 배치 파일이 아닙니다.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: C:\Users\ADMINI~1\AppData\Local\Temp\IXP000.TMP>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: GaBduRmytGVDIkFifOLNgYjiRzCmpjTA
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: 'GaBduRmytGVDIkFifOLNgYjiRzCmpjTA'은(는) 내부 또는 외부 명령, 실행할 수 있는 프로그램, 또는 배치 파일이 아닙니다.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: C:\Users\ADMINI~1\AppData\Local\Temp\IXP000.TMP>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: RaAYopSrqaYokimIwibGANHyznMfqVSNchRStoiFTKhGgYGjrQo
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: 'RaAYopSrqaYokimIwibGANHyznMfqVSNchRStoiFTKhGgYGjrQo'은(는) 내부 또는 외부 명령, 실행할 수 있는 프로그램, 또는 배치 파일이 아닙니다.
console_handle: 0x0000000b
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00535c70
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00535d70
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00535d70
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x6a3a1194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x6a272ba1
mscorlib+0x2f45f2 @ 0x695245f2
mscorlib+0x30a2fa @ 0x6953a2fa
microsoft+0x54d57 @ 0x6b9c4d57
microsoft+0x54b2d @ 0x6b9c4b2d
0x8a03bd
0x8a007d
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6a1f2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6a20264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6a202e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6a2b74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6a2b7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6a341dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6a341e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6a341f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6a34416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x706bf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x70737f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x70734de3
RtlInitializeExceptionChain+0xef RtlFreeSid-0x117 ntdll+0x637f5 @ 0x77af37f5
RtlInitializeExceptionChain+0xc2 RtlFreeSid-0x144 ntdll+0x637c8 @ 0x77af37c8

exception.instruction_r: c9 c2 10 00 89 45 c0 eb ed 64 a1 18 00 00 00 8b
exception.symbol: RaiseException+0x54 BaseReleaseProcessDllPath-0x100 kernelbase+0xb760
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46944
exception.address: 0x75d8b760
registers.esp: 3075472
registers.edi: 0
registers.eax: 3075472
registers.ebp: 3075552
registers.edx: 0
registers.ebx: 5611296
registers.esi: 5364032
registers.ecx: 237776916
1 0 0

__exception__

stacktrace:
CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x6a3a1194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x6a272ba1
mscorlib+0x2f45d6 @ 0x695245d6
mscorlib+0x30a2fa @ 0x6953a2fa
microsoft+0x54d57 @ 0x6b9c4d57
microsoft+0x54b2d @ 0x6b9c4b2d
0x8a03bd
0x8a007d
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6a1f2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6a20264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6a202e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6a2b74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6a2b7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6a341dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6a341e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6a341f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6a34416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x706bf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x70737f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x70734de3
RtlInitializeExceptionChain+0xef RtlFreeSid-0x117 ntdll+0x637f5 @ 0x77af37f5
RtlInitializeExceptionChain+0xc2 RtlFreeSid-0x144 ntdll+0x637c8 @ 0x77af37c8

exception.instruction_r: c9 c2 10 00 89 45 c0 eb ed 64 a1 18 00 00 00 8b
exception.symbol: RaiseException+0x54 BaseReleaseProcessDllPath-0x100 kernelbase+0xb760
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46944
exception.address: 0x75d8b760
registers.esp: 3075472
registers.edi: 0
registers.eax: 3075472
registers.ebp: 3075552
registers.edx: 0
registers.ebx: 5611296
registers.esi: 5364032
registers.ecx: 237776916
1 0 0

__exception__

stacktrace:
0x8a49c6
0x8a3f1f
0x8a081f
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6a1f2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6a20264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6a271838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6a271737
mscorlib+0x2d3711 @ 0x69503711
mscorlib+0x308f2d @ 0x69538f2d
mscorlib+0x2cb060 @ 0x694fb060
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6a1f2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6a20264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6a271838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6a271737
mscorlib+0x2d36ad @ 0x695036ad
mscorlib+0x308f2d @ 0x69538f2d
microsoft+0x50c17 @ 0x6b9c0c17
microsoft+0x3f05f @ 0x6b9af05f
microsoft+0x3e4d4 @ 0x6b9ae4d4
0x8a0637
0x8a05eb
0x8a007d
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6a1f2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6a20264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6a202e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6a2b74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6a2b7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6a341dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6a341e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6a341f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6a34416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x706bf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x70737f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x70734de3
RtlInitializeExceptionChain+0xef RtlFreeSid-0x117 ntdll+0x637f5 @ 0x77af37f5
RtlInitializeExceptionChain+0xc2 RtlFreeSid-0x144 ntdll+0x637c8 @ 0x77af37c8

exception.instruction_r: 8b 01 eb 3e 8d 55 e0 0f b6 01 88 02 0f b6 41 01
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol: mscorlib+0x324f62
exception.address: 0x69554f62
registers.esp: 3073236
registers.edi: 3073260
registers.eax: 0
registers.ebp: 3073272
registers.edx: 0
registers.ebx: 102117528
registers.esi: 4194364
registers.ecx: 4194364
1 0 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 6816
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00300000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 6816
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00360000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 6816
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a1f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 6816
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a1f2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 6816
region_size: 1310720
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00800000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 6816
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00900000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 6816
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00472000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 6816
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0048c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 6816
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 6816
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004a5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 6816
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004ab000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 6816
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004a7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 6816
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0047a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 6816
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0049a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 6816
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00497000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 6816
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0047c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 6816
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00496000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 6816
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ff50000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 6816
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ff50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 6816
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ff50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 6816
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ff58000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 6816
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ff40000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 6816
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ff40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 6816
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008a1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 6816
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008a2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 6816
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008a3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 6816
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008a4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 4868
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72322000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3524
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72322000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72322000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 6208
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72322000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 7780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72322000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 7780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01230000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 5836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70722000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 5836
region_size: 458752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005c0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 5836
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 5836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x60aa2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 5836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6bf6b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 5836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x60461000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 5836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x60462000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 5836
region_size: 1048576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007b0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 5836
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00870000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 5836
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00642000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 5836
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00675000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 5836
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0067b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 5836
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00677000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 5836
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0065c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 5836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f34a000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 5836
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00760000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 5836
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0064a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceW

number_of_free_clusters: 4586940
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 4586940
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0
file C:\Users\Administrator\AppData\Local\Temp\IXP000.TMP\Rivederlo.pptm
file C:\Users\Administrator\AppData\Local\Temp\IXP000.TMP\Indugia.com
file C:\Users\Administrator\AppData\Roaming\VxVKPwHqNy\izmjTGEBtg.com
file C:\Users\Administrator\AppData\Roaming\VxVKPwHqNy\YWaUCvbrug.js
cmdline "C:\Windows\System32\cmd.exe" /c timeout 1
cmdline cmd.exe /c timeout 1
file C:\Users\Administrator\AppData\Local\Temp\IXP000.TMP\Indugia.com
file C:\Users\Administrator\AppData\Local\Temp\IXP000.TMP\Indugia.com
wmi SELECT * FROM Win32_Processor
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: cmd.exe
parameters: /c timeout 1
filepath: cmd.exe
1 1 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description Escalate privileges rule escalate_priv
description Take screenshot rule screenshot
description Run a keylogger rule keylogger
description Create or check mutex rule win_mutex
description Affect system registries rule win_registry
description Affect system token rule win_token
description Affect private profile rule win_private_profile
description Affect private profile rule win_files_operation
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Code injection with CreateRemoteThread in a remote process rule inject_thread
description Hijack network configuration rule hijack_network
description Create a windows service rule create_service
description Create a COM server rule create_com_service
description Communications over UDP network rule network_udp_sock
description Listen for incoming communication rule network_tcp_listen
description Communications over Teredo network rule network_toredo
description Communications over P2P network rule network_p2p_win
description Communications over HTTP rule network_http
description File downloader/dropper rule network_dropper
description Communications over FTP rule network_ftp
description Communications over RAW socket rule network_tcp_socket
description Communications use DNS rule network_dns
description Communication using dga rule network_dga
description Escalade priviledges rule escalate_priv
description Take screenshot rule screenshot
description Run a keylogger rule keylogger
description Steal credential rule cred_local
description Record Audio rule sniff_audio
description APC queue tasks migration rule migrate_apc
description Malware can spread east-west file rule spreading_file
description Malware can spread east-west using share drive rule spreading_share
description Create or check mutex rule win_mutex
description Affect system registries rule win_registry
description Affect system token rule win_token
description Affect private profile rule win_private_profile
description Affect private profile rule win_files_operation
description Match Winsock 2 API library declaration rule Str_Win32_Winsock2_Library
description Match Windows Inet API library declaration rule Str_Win32_Wininet_Library
description Match Windows Inet API call rule Str_Win32_Internet_API
description Match Windows Http API call rule Str_Win32_Http_API
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
cmdline ping 127.0.0.1 -n 30
wmi SELECT * FROM Win32_Processor
buffer Buffer with sha1: 50b8da4eeaec7df4c7774659c81d6faabf64f998
host 45.139.236.102
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 4868
region_size: 995328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000394
1 0 0

NtProtectVirtualMemory

process_identifier: 5836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 90112
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000a0000
process_handle: 0x00000214
1 0 0
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

information_class: 8 (SystemProcessorPerformanceInformation)
1 0 0
description RegAsm.exe tried to sleep 2728228 seconds, actually delayed analysis time by 2728228 seconds
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 reg_value rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\ADMINI~1\AppData\Local\Temp\IXP000.TMP\"
file C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\izmjTGEBtg.url
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@躴 Í!¸LÍ!This program cannot be run in DOS mode. $ÊÏeӎ® €Ž® €Ž® €SQƀˆ® €SQĀ€® €SQŀˮ €SQÀ€Ÿ® €Ž® €I® €SQـ‡® €©hu€® €SQ€® €SQǀ® €RichŽ® €PEL#†[Rà  fvÌg€@0Eå@ ¢´ÀœKP X@ .textÌef `.dataŒ€j@À.idatax n@@.rsrcœKÀL€@@.reloc®Ì@B
base_address: 0x00400000
process_identifier: 4868
process_handle: 0x00000394
1 1 0

WriteProcessMemory

buffer: Næ@»±¿D “rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"System\CurrentControlSet\Control\Session ManagerSystem\CurrentControlSet\Control\Session Manager\FileRenameOperationswextract_cleanup%dCommand.com /c %srundll32.exe %s,InstallHinfSection %s 128 %sSoftware\Microsoft\Windows\CurrentVersion\RunOnceDefaultInstall%s /D:%sPendingFileRenameOperations*MEMCABSHBrowseForFolderSHELL32.DLLDoInfInstallSHGetPathFromIDListþÿÿÿþÿÿÿ
base_address: 0x00408000
process_identifier: 4868
process_handle: 0x00000394
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7ffd5008
process_identifier: 4868
process_handle: 0x00000394
1 1 0

WriteProcessMemory

buffer: ÿÿÿÿ Íwúú$ý€›mèÿÿ nHrý±
base_address: 0x7ffd7000
process_identifier: 5836
process_handle: 0x00000214
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@躴 Í!¸LÍ!This program cannot be run in DOS mode. $ÊÏeӎ® €Ž® €Ž® €SQƀˆ® €SQĀ€® €SQŀˮ €SQÀ€Ÿ® €Ž® €I® €SQـ‡® €©hu€® €SQ€® €SQǀ® €RichŽ® €PEL#†[Rà  fvÌg€@0Eå@ ¢´ÀœKP X@ .textÌef `.dataŒ€j@À.idatax n@@.rsrcœKÀL€@@.reloc®Ì@B
base_address: 0x00400000
process_identifier: 4868
process_handle: 0x00000394
1 1 0
Elastic malicious (high confidence)
FireEye Generic.mg.2e9820ecd1baa322
Cybereason malicious.e6c4f7
BitDefenderTheta Gen:NN.ZemsilF.34628.@p0@au1a9Cj
ESET-NOD32 a variant of MSIL/Kryptik.ZOG
APEX Malicious
DrWeb Trojan.PackedNET.531
McAfee-GW-Edition PWS-FCWL!2E9820ECD1BA
Avira HEUR/AGEN.1141648
Microsoft Trojan:MSIL/Kryptik.SO!MTB
Cynet Malicious (score: 100)
McAfee PWS-FCWL!2E9820ECD1BA
Rising Trojan.Kryptik!8.8 (CLOUD)
Fortinet MSIL/Kryptik.ZOG!tr
AVG Win32:Trojan-gen
Avast Win32:Trojan-gen
Process injection Process 6816 called NtSetContextThread to modify thread in remote process 4868
Process injection Process 7780 called NtSetContextThread to modify thread in remote process 5836
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4220876
registers.ebp: 0
registers.edx: 0
registers.ebx: 2147307520
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000390
process_identifier: 4868
1 0 0

NtSetContextThread

registers.eip: 2007855256
registers.esp: 1900324
registers.edi: 0
registers.eax: 725502
registers.ebp: 0
registers.edx: 0
registers.ebx: 2147315712
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000150
process_identifier: 5836
1 0 0
Process injection Process 6816 resumed a thread in remote process 4868
Process injection Process 3980 resumed a thread in remote process 6208
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000390
suspend_count: 1
process_identifier: 4868
1 0 0

NtResumeThread

thread_handle: 0x00000064
suspend_count: 0
process_identifier: 6208
1 0 0
dead_host 45.139.236.102:228
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000000c0
suspend_count: 1
process_identifier: 6816
1 0 0

NtResumeThread

thread_handle: 0x00000134
suspend_count: 1
process_identifier: 6816
1 0 0

NtResumeThread

thread_handle: 0x00000180
suspend_count: 1
process_identifier: 6816
1 0 0

NtResumeThread

thread_handle: 0x000001ec
suspend_count: 1
process_identifier: 6816
1 0 0

NtGetContextThread

thread_handle: 0x000000c8
1 0 0

NtGetContextThread

thread_handle: 0x000000c8
1 0 0

NtResumeThread

thread_handle: 0x000000c8
suspend_count: 1
process_identifier: 6816
1 0 0

NtGetContextThread

thread_handle: 0x000000c8
1 0 0

NtGetContextThread

thread_handle: 0x000000c8
1 0 0

NtResumeThread

thread_handle: 0x000000c8
suspend_count: 1
process_identifier: 6816
1 0 0

NtGetContextThread

thread_handle: 0x000000c8
1 0 0

NtGetContextThread

thread_handle: 0x000000c8
1 0 0

NtGetContextThread

thread_handle: 0x000000c8
1 0 0

NtSetContextThread

registers.eip: 1780951940
registers.esp: 3075680
registers.edi: 38346968
registers.eax: 49
registers.ebp: 3075684
registers.edx: 38356548
registers.ebx: 77205504
registers.esi: 5
registers.ecx: 80609280
thread_handle: 0x000000c8
process_identifier: 6816
1 0 0

NtResumeThread

thread_handle: 0x000000c8
suspend_count: 1
process_identifier: 6816
1 0 0

NtGetContextThread

thread_handle: 0x000000c8
1 0 0

NtGetContextThread

thread_handle: 0x000000c8
1 0 0

NtGetContextThread

thread_handle: 0x000000c8
1 0 0

NtSetContextThread

registers.eip: 1780951940
registers.esp: 3075680
registers.edi: 38346968
registers.eax: 3407992
registers.ebp: 3075684
registers.edx: 38371630
registers.ebx: 93982720
registers.esi: 6
registers.ecx: 96989180
thread_handle: 0x000000c8
process_identifier: 6816
1 0 0

NtResumeThread

thread_handle: 0x000000c8
suspend_count: 1
process_identifier: 6816
1 0 0

NtGetContextThread

thread_handle: 0x000000c8
1 0 0

NtGetContextThread

thread_handle: 0x000000c8
1 0 0

NtResumeThread

thread_handle: 0x000000c8
suspend_count: 1
process_identifier: 6816
1 0 0

NtGetContextThread

thread_handle: 0x000000c8
1 0 0

NtGetContextThread

thread_handle: 0x000000c8
1 0 0

NtResumeThread

thread_handle: 0x000000c8
suspend_count: 1
process_identifier: 6816
1 0 0

NtResumeThread

thread_handle: 0x00000210
suspend_count: 1
process_identifier: 6816
1 0 0

CreateProcessInternalW

thread_identifier: 7064
thread_handle: 0x00000334
process_identifier: 3520
current_directory: C:\Users\Administrator\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\System32\cmd.exe" /c timeout 1
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000384
1 1 0

CreateProcessInternalW

thread_identifier: 5716
thread_handle: 0x00000390
process_identifier: 4868
current_directory:
filepath: C:\Users\Administrator\AppData\Local\Temp\vhajeja.txt
track: 1
command_line:
filepath_r: C:\Users\Administrator\AppData\Local\Temp\vhajeja.txt
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000394
1 1 0

NtGetContextThread

thread_handle: 0x00000390
1 0 0

NtAllocateVirtualMemory

process_identifier: 4868
region_size: 995328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000394
1 0 0

WriteProcessMemory

buffer: MZÿÿ¸@躴 Í!¸LÍ!This program cannot be run in DOS mode. $ÊÏeӎ® €Ž® €Ž® €SQƀˆ® €SQĀ€® €SQŀˮ €SQÀ€Ÿ® €Ž® €I® €SQـ‡® €©hu€® €SQ€® €SQǀ® €RichŽ® €PEL#†[Rà  fvÌg€@0Eå@ ¢´ÀœKP X@ .textÌef `.dataŒ€j@À.idatax n@@.rsrcœKÀL€@@.reloc®Ì@B
base_address: 0x00400000
process_identifier: 4868
process_handle: 0x00000394
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00401000
process_identifier: 4868
process_handle: 0x00000394
1 1 0

WriteProcessMemory

buffer: Næ@»±¿D “rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"System\CurrentControlSet\Control\Session ManagerSystem\CurrentControlSet\Control\Session Manager\FileRenameOperationswextract_cleanup%dCommand.com /c %srundll32.exe %s,InstallHinfSection %s 128 %sSoftware\Microsoft\Windows\CurrentVersion\RunOnceDefaultInstall%s /D:%sPendingFileRenameOperations*MEMCABSHBrowseForFolderSHELL32.DLLDoInfInstallSHGetPathFromIDListþÿÿÿþÿÿÿ
base_address: 0x00408000
process_identifier: 4868
process_handle: 0x00000394
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0040a000
process_identifier: 4868
process_handle: 0x00000394
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0040c000
process_identifier: 4868
process_handle: 0x00000394
1 1 0

WriteProcessMemory

buffer:
base_address: 0x004f1000
process_identifier: 4868
process_handle: 0x00000394
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7ffd5008
process_identifier: 4868
process_handle: 0x00000394
1 1 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4220876
registers.ebp: 0
registers.edx: 0
registers.ebx: 2147307520
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000390
process_identifier: 4868
1 0 0

NtResumeThread

thread_handle: 0x00000390
suspend_count: 1
process_identifier: 4868
1 0 0

CreateProcessInternalW

thread_identifier: 8008
thread_handle: 0x00000058
process_identifier: 628
current_directory: C:\Users\Administrator\AppData\Local\Temp
filepath: C:\Windows\System32\timeout.exe
track: 1
command_line: timeout 1
filepath_r: C:\Windows\system32\timeout.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x0000005c
1 1 0

NtResumeThread

thread_handle: 0x00000110
suspend_count: 1
process_identifier: 4868
1 0 0

CreateProcessInternalW

thread_identifier: 2392
thread_handle: 0x00000134
process_identifier: 4184
current_directory:
filepath:
track: 1
command_line: cmd /c iZUbXiGh
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
inherit_handles: 0
process_handle: 0x00000130
1 1 0

CreateProcessInternalW

thread_identifier: 2764
thread_handle: 0x00000130
process_identifier: 6592
current_directory:
filepath:
track: 1
command_line: cmd /c certutil -decode Magra.xll Sfugge.vsdx & cmd < Sfugge.vsdx
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
inherit_handles: 0
process_handle: 0x00000134
1 1 0

CreateProcessInternalW

thread_identifier: 2788
thread_handle: 0x00000058
process_identifier: 3524
current_directory: C:\Users\ADMINI~1\AppData\Local\Temp\IXP000.TMP
filepath: C:\Windows\System32\certutil.exe
track: 1
command_line: certutil -decode Magra.xll Sfugge.vsdx
filepath_r: C:\Windows\system32\certutil.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x0000005c
1 1 0

CreateProcessInternalW

thread_identifier: 4992
thread_handle: 0x00000058
process_identifier: 3980
current_directory: C:\Users\ADMINI~1\AppData\Local\Temp\IXP000.TMP
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: cmd
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000064
1 1 0

CreateProcessInternalW

thread_identifier: 7676
thread_handle: 0x00000058
process_identifier: 5028
current_directory: C:\Users\ADMINI~1\AppData\Local\Temp\IXP000.TMP
filepath: C:\Windows\System32\findstr.exe
track: 1
command_line: findstr /V /R "^ziflXcoyRnjaBu$" Sui.mid
filepath_r: C:\Windows\system32\findstr.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000064
1 1 0

CreateProcessInternalW

thread_identifier: 4496
thread_handle: 0x00000060
process_identifier: 2552
current_directory: C:\Users\ADMINI~1\AppData\Local\Temp\IXP000.TMP
filepath: C:\Windows\System32\certutil.exe
track: 1
command_line: certutil -decode Rivederlo.pptm g
filepath_r: C:\Windows\system32\certutil.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000064
1 1 0

CreateProcessInternalW

thread_identifier: 8040
thread_handle: 0x00000064
process_identifier: 6208
current_directory:
filepath: C:\Users\Administrator\AppData\Local\Temp\IXP000.TMP\Indugia.com
track: 1
command_line: Indugia.com g
filepath_r: C:\Users\ADMINI~1\AppData\Local\Temp\IXP000.TMP\Indugia.com
stack_pivoted: 0
creation_flags: 525328 (CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000060
1 1 0

NtResumeThread

thread_handle: 0x00000064
suspend_count: 0
process_identifier: 6208
1 0 0