popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

KYKeoxe.exe

AsyncRAT Generic Malware PWS PE File DLL PE32 .NET EXE
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 June 24, 2021, 7:29 p.m. June 24, 2021, 7:45 p.m.
Size 3.4MB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 3b25b4407e5343c55f87a0325aad2e9f
SHA256 29c1b0c37cc26128214d5cd1b13120ad78bfc4fe4e195d0d0d180a3b95e937d0
CRC32 81EDECC5
ssdeep 98304:lltsYQgTO1ihLx+mxYe6HhCZFKL6HtEGjNNMLd2le6B2R7qy0Zl9g8bh1:/tq+4a6HhCZFKLMtEmNN8Z6BU7qy0ZlV
PDB Path E:\Auto\VolamLau\AutoKeoxe\KYKeoxe\bin\Debug\Secured\KYKeoxe.pdb
Yara
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • PE_Header_Zero - PE File Signature
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult
  • Is_DotNET_EXE - (no description)
  • Generic_Malware_Zero - Generic Malware
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
kimyen.net
A 103.255.237.239
103.255.237.239
free.timeanddate.com
A 151.101.77.176
CNAME k.shared.global.fastly.net
151.101.193.176
i0.wp.com
A 192.0.77.2
192.0.77.2
ptbtime1.ptb.de
A 192.53.103.108
192.53.103.108
time.ien.it
CNAME ntp.ien.it
A 193.204.114.105
193.204.114.105
utcnist.colorado.edu
CNAME india.colorado.edu
A 128.138.140.44
128.138.140.44
kimyen.info
A 103.28.36.10
103.28.36.10
jxhoitu.com
A 103.90.224.168
103.90.224.168
time.nist.gov
CNAME ntp1.glb.nist.gov
A 128.138.141.172
132.163.97.1
IP Address Status Action
103.255.237.239 Active Moloch
103.28.36.10 Active Moloch
103.90.224.168 Active Moloch
112.213.89.26 Active Moloch
128.138.140.44 Active Moloch
128.138.141.172 Active Moloch
151.101.77.176 Active Moloch
164.124.101.2 Active Moloch
192.0.77.2 Active Moloch
192.53.103.108 Active Moloch
193.204.114.105 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49216 -> 192.0.77.2:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49213 -> 192.0.77.2:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 112.213.89.26:21 -> 192.168.56.101:49209 2260002 SURICATA Applayer Detect protocol only one direction Generic Protocol Command Decode
TCP 192.168.56.101:49214 -> 103.90.224.168:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 112.213.89.26:21 -> 192.168.56.101:49218 2260002 SURICATA Applayer Detect protocol only one direction Generic Protocol Command Decode

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.101:49216
192.0.77.2:443 		None None None
TLSv1
192.168.56.101:49213
192.0.77.2:443 		C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA CN=*.wp.com 47:87:8a:14:78:c7:1f:ab:1d:1c:11:26:00:5c:39:39:fc:96:e8:91
TLSv1
192.168.56.101:49214
103.90.224.168:443 		C=US, O=Let's Encrypt, CN=R3 CN=jxhoitu.com 9f:0c:91:8e:e1:fa:a9:95:f4:79:c8:4f:93:b8:92:b8:5b:f2:2e:47

Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
pdb_path E:\Auto\VolamLau\AutoKeoxe\KYKeoxe\bin\Debug\Secured\KYKeoxe.pdb
file C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
0x4baca44
0x4bac848
0x4ba01d2
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x72769df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x72769e2f
CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x72769efd
CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x72769fa2
PreBindAssemblyEx+0x6798 StrongNameSignatureVerification-0xb7b3 clr+0x17e303 @ 0x728be303
sxsJitStartup-0x14c66 clrjit+0x3fc2e @ 0x7262fc2e
sxsJitStartup-0x36b91 clrjit+0x1dd03 @ 0x7260dd03
sxsJitStartup-0x52e34 clrjit+0x1a60 @ 0x725f1a60
sxsJitStartup-0x52c52 clrjit+0x1c42 @ 0x725f1c42
sxsJitStartup-0x52447 clrjit+0x244d @ 0x725f244d
sxsJitStartup-0x50878 clrjit+0x401c @ 0x725f401c
sxsJitStartup-0x50762 clrjit+0x4132 @ 0x725f4132
sxsJitStartup-0x50612 clrjit+0x4282 @ 0x725f4282
sxsJitStartup-0x502ff clrjit+0x4595 @ 0x725f4595
_Initialize+0x3638 x86+0x4b9c @ 0x73c64b9c
_Initialize+0x9b31 x86+0xb095 @ 0x73c6b095
CreateAssemblyNameObject+0x61d0 GetMetaDataInternalInterface-0x3229f clr+0x33669 @ 0x72773669
CreateAssemblyNameObject+0x6268 GetMetaDataInternalInterface-0x32207 clr+0x33701 @ 0x72773701
CreateAssemblyNameObject+0x62aa GetMetaDataInternalInterface-0x321c5 clr+0x33743 @ 0x72773743
CreateAssemblyNameObject+0x6503 GetMetaDataInternalInterface-0x31f6c clr+0x3399c @ 0x7277399c
CreateAssemblyNameObject+0x5ffd GetMetaDataInternalInterface-0x32472 clr+0x33496 @ 0x72773496
CreateAssemblyNameObject+0x6c42 GetMetaDataInternalInterface-0x3182d clr+0x340db @ 0x727740db
DllRegisterServerInternal+0x98c9 CoUninitializeEE-0x3b6f clr+0x1bcd5 @ 0x7275bcd5
DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x72742ae9
0x5599970
0x5593fba
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x72769df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x72769e2f
CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x72769efd
CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x72769fa2
DllGetClassObjectInternal+0x8bed4 CorDllMainForThunk-0x627 clr+0x150f4d @ 0x72890f4d
DllRegisterServerInternal+0x98c9 CoUninitializeEE-0x3b6f clr+0x1bcd5 @ 0x7275bcd5
DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x72742ae9
0x991c32
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 39 09 e8 4e 12 51 6f 89 45 f8 8b 45 f8 8b e5 5d
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x9a0907
registers.esp: 8524080
registers.edi: 8524232
registers.eax: 0
registers.ebp: 8524088
registers.edx: 0
registers.ebx: 8551464
registers.esi: 40326448
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
0x4c20b89
0x4c2065f
0x4badb72
0x991c32
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 39 09 e8 4e 12 51 6f 89 45 f8 8b 45 f8 8b e5 5d
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x9a0907
registers.esp: 8579992
registers.edi: 8580116
registers.eax: 0
registers.ebp: 8580000
registers.edx: 0
registers.ebx: 8580836
registers.esi: 42399808
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
0x4c20b89
0x4c206b3
0x4badb72
0x991c32
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 39 09 e8 4e 12 51 6f 89 45 f8 8b 45 f8 8b e5 5d
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x9a0907
registers.esp: 8579992
registers.edi: 8580116
registers.eax: 0
registers.ebp: 8580000
registers.edx: 0
registers.ebx: 8580836
registers.esi: 42399808
registers.ecx: 0
1 0 0
suspicious_features GET method with no useragent header suspicious_request GET http://kimyen.net/kykeoxe/phimhuongdan_kykeoxe.txt
suspicious_features GET method with no useragent header suspicious_request GET http://kimyen.net/kykeoxe/1quangcao/KYKeoxePb.txt
suspicious_features GET method with no useragent header suspicious_request GET http://free.timeanddate.com/clock/i3jl68nm/n246/tlir/tt0/tw0/tm3/th1
suspicious_features GET method with no useragent header suspicious_request GET http://kimyen.info/kykeoxe/1quangcao/KYKeoxePb.txt
suspicious_features GET method with no useragent header suspicious_request GET http://kimyen.net/kykeoxe/1quangcao/KYMayphu.txt
suspicious_features GET method with no useragent header suspicious_request GET http://kimyen.net/kykeoxe/1quangcao/KYQuangcao.txt
suspicious_features GET method with no useragent header suspicious_request GET http://kimyen.info/kykeoxe/1quangcao/KYQuangcao.txt
suspicious_features GET method with no useragent header suspicious_request GET https://i0.wp.com/s1.uphinh.org/2021/01/31/autokimyen.gif
suspicious_features GET method with no useragent header suspicious_request GET https://jxhoitu.com/home/static/uploads/userfiles/images/quangcao.gif
suspicious_features GET method with no useragent header suspicious_request GET https://i0.wp.com/s1.uphinh.org/2021/06/06/hoa6.gif
suspicious_features GET method with no useragent header suspicious_request GET https://i0.wp.com/s1.uphinh.org/2021/05/18/lamhoa.gif
request GET http://kimyen.net/kykeoxe/phimhuongdan_kykeoxe.txt
request GET http://kimyen.net/kykeoxe/1quangcao/KYKeoxePb.txt
request GET http://free.timeanddate.com/clock/i3jl68nm/n246/tlir/tt0/tw0/tm3/th1
request GET http://kimyen.info/kykeoxe/1quangcao/KYKeoxePb.txt
request GET http://kimyen.net/kykeoxe/1quangcao/KYMayphu.txt
request GET http://kimyen.net/kykeoxe/1quangcao/KYQuangcao.txt
request GET http://kimyen.info/kykeoxe/1quangcao/KYQuangcao.txt
request GET https://i0.wp.com/s1.uphinh.org/2021/01/31/autokimyen.gif
request GET https://jxhoitu.com/home/static/uploads/userfiles/images/quangcao.gif
request GET https://i0.wp.com/s1.uphinh.org/2021/06/06/hoa6.gif
request GET https://i0.wp.com/s1.uphinh.org/2021/05/18/lamhoa.gif
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 2228224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00cb0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00e90000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72741000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72742000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 262144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00670000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00670000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00612000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0062c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00990000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0064b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00647000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00645000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0061a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009af000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00991000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0063a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00637000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0062d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00992000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00993000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0061c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05580000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 102400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05581000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04ba0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 49152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04ba1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04bad000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0062e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0062a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04bae000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00636000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04baf000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0062f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06850000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06a50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 323584
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06a51000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71f72000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04c20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009a1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04c21000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00e91000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00e92000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00e96000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ea7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04c22000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04c23000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 40960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04c25000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04c2f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06110000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06111000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
description KYKeoxe.exe tried to sleep 1012 seconds, actually delayed analysis time by 1012 seconds
file C:\Users\test22\AppData\Local\Temp\1f65e43c-b9fb-41aa-ab88-639fb518ea61\x86.dll
file C:\Users\test22\AppData\Local\Temp\1f65e43c-b9fb-41aa-ab88-639fb518ea61\x86.dll
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

 flags: 1158
family: 0
1 0 0
section {u'size_of_data': u'0x00362200', u'virtual_address': u'0x00002000', u'entropy': 7.252953435133661, u'name': u'.text', u'virtual_size': u'0x003620e4'} entropy 7.25295343513 description A section with a high entropy has been found
entropy 0.998414985591 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
buffer Buffer with sha1: 60b473680ad82eb40ca3e15bb8c8d1f981a0ef42
host 112.213.89.26
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06720000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000003cc
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x076c0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000003cc
1 0 0
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

 information_class: 8 (SystemProcessorPerformanceInformation)
1 0 0
Process injection Process 2548 manipulating memory of non-child process 2548
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06720000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000003cc
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x076c0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000003cc
1 0 0
Process injection Process 2548 injected into non-child 2548
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: d
base_address: 0x06720100
process_identifier: 2548
process_handle: 0x000003cc
1 1 0

WriteProcessMemory

 buffer:  ÕÊÊÉ ýÉþ ÊüþÚØõúÿÍòæðÁØÌÔÔ
base_address: 0x06720104
process_identifier: 2548
process_handle: 0x000003cc
1 1 0

WriteProcessMemory

 buffer: 2
base_address: 0x06720200
process_identifier: 2548
process_handle: 0x000003cc
1 1 0

WriteProcessMemory

 buffer: íëïïãñõ÷ø÷ñðéÂíëïûçð°åî÷ä
base_address: 0x06720204
process_identifier: 2548
process_handle: 0x000003cc
1 1 0

WriteProcessMemory

 buffer: 
base_address: 0x06720300
process_identifier: 2548
process_handle: 0x000003cc
1 1 0

WriteProcessMemory

 buffer: ¼ÉËÀ̼ɪ¯¬°°«ª
base_address: 0x06720304
process_identifier: 2548
process_handle: 0x000003cc
1 1 0

WriteProcessMemory

 buffer: ¾À»y
base_address: 0x076c0008
process_identifier: 2548
process_handle: 0x000003cc
1 1 0

WriteProcessMemory

 buffer: 
base_address: 0x076c000c
process_identifier: 2548
process_handle: 0x000003cc
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x06720400
process_identifier: 2548
process_handle: 0x00000490
1 1 0

WriteProcessMemory

 buffer: 
base_address: 0x06720404
process_identifier: 2548
process_handle: 0x00000490
1 1 0

WriteProcessMemory

 buffer: 
base_address: 0x06720408
process_identifier: 2548
process_handle: 0x00000490
1 1 0

WriteProcessMemory

 buffer: 0
base_address: 0x0672040c
process_identifier: 2548
process_handle: 0x00000490
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x06720100
process_identifier: 2548
process_handle: 0x000003cc
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x06720200
process_identifier: 2548
process_handle: 0x000003cc
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x06720300
process_identifier: 2548
process_handle: 0x000003cc
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x06720408
process_identifier: 2548
process_handle: 0x000003cc
1 1 0

WriteProcessMemory

 buffer: 
base_address: 0x076c0000
process_identifier: 2548
process_handle: 0x000003cc
1 1 0
Time & API Arguments Status Return Repeated

SetWindowsHookExW

 thread_identifier: 0
callback_function: 0x00ea682a
hook_identifier: 13 (WH_KEYBOARD_LL)
module_address: 0x00140000
1 2753151 0
dead_host 192.53.103.108:13