popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

SMS LOGS.COM

NetWire RAT AgentTesla Generic Malware stealer email info stealer browser UPX Chrome Malicious Library Malicious Packer Google User Data ScreenShot KeyLogger Socket DNS AntiDebug OS Processor Check PE64 PE File AntiVM
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Oct. 16, 2021, 12:50 p.m. Oct. 16, 2021, 12:54 p.m.
Size 244.5KB
Type PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5 6a4e8dbad4bd58452d15a706ff60bea5
SHA256 58afc43111bd508783f2010caef50731ac54f6e7841cc6715ac4b83a8ab5715f
CRC32 F87156F8
ssdeep 6144:QVOTcK+NrRioGHlz8rz0i/MhzQqqDvFfLc9tPEt2lyOYVuBx:0K+Nr8MrYi/MDqRTcvst2lyOYVo
Yara
  • Malicious_Packer_Zero - Malicious Packer
  • NetWire_RAT_Zero - NetWire RAT
  • IsPE64 - (no description)
  • PE_Header_Zero - PE File Signature
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

Name Response Post-Analysis Lookup
info1.dynamic-dns.net
A 122.180.86.185
122.180.86.185
IP Address Status Action
122.180.86.185 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000000054f9a0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000000054faf0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000000054faf0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
domain info1.dynamic-dns.net
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2276
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000810000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2276
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000830000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2276
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2351000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2276
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef29eb000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2276
region_size: 1835008
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000023d0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2276
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002510000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2276
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2352000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2276
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2352000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2276
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2352000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2276
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2352000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2276
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2352000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2276
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2352000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2276
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2352000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2276
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2352000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2276
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2352000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2276
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2352000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2276
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2352000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2276
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2354000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2276
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2354000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2276
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2354000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2276
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2354000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2276
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2276
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff00000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92bda000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92c8c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92cb6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92c90000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92bec000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92d00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92bdb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92bfb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92c2c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92bfd000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92bdc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2276
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92d01000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2276
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92d03000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2276
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 24064
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002330400
process_handle: 0xffffffffffffffff
-1073741746 0

NtAllocateVirtualMemory

 process_identifier: 2276
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92d05000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92d07000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2276
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92d08000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92d0a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92d0b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92d0c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92d0d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92bd2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92d0e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
Time & API Arguments Status Return Repeated

SetFileAttributesW

 file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: C:\Users\test22\Documents\Dlt
filepath: C:\Users\test22\Documents\Dlt
1 1 0

SetFileAttributesW

 file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: C:\Users\test22\Documents\Dlt\dlt.exe
filepath: C:\Users\test22\Documents\Dlt\dlt.exe
1 1 0
description Communications over RAW Socket rule Network_TCP_Socket
description Communications use DNS rule Network_DNS
description Google Chrome User Data Check rule Chrome_User_Data_Check_Zero
description Win.Trojan.agentTesla rule Win_Trojan_agentTesla_Zero
description Run a KeyLogger rule KeyLogger
description Take ScreenShot rule ScreenShot
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description email clients info stealer rule infoStealer_emailClients_Zero
description browser info stealer rule infoStealer_browser_Zero
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2612
region_size: 208896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000000000000025c
1 0 0
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dlt.exe reg_value C:\Users\test22\Documents\Dlt\dlt.exe
Time & API Arguments Status Return Repeated

connect

 ip_address: 122.180.86.185
socket: 412
port: 3360
4294967295 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELFyÊ^à xh-$ @0 ¾ ð1è ¬ œÔ.textx P`.data|L N @`À.eh_framØpX@0@.bss„f€€`À.edata1ð^@0@.idataè`@0À.reloc¬ t@0B
base_address: 0x0000000000400000
process_identifier: 2612
process_handle: 0x000000000000025c
1 1 0

WriteProcessMemory

 buffer: zR| ˆ(`‰ÿÿ9A†A ƒC q AÃAÆHt‰ÿÿ,C h`Œ‰ÿÿ,C hx¤‰ÿÿFC0BÜ‰ÿÿFC0B¨Šÿÿ>C0zzR| ˆ $ŠÿÿaAƒC0| AÃA @pŠÿÿaAƒC0| AÃA d¼ŠÿÿaAƒC0| AÃA ˆ‹ÿÿICZ E S E JzR| ˆÜ£ÿÿzR| ˆðŠÿÿ+C gzR| ˆ ðŠÿÿKD†A ƒ}ÃEÆ0@‹ÿÿœA‡A †CƒH ‹Aà AÆAÇ,tˆ‹ÿÿ\A†A ƒN ÃAÆA HÃAÆT¤¸‹ÿÿ…A…A ‡A†CƒE@M AÃAÆ AÇAÅA W EÃAÆ AÇAÅE 8üð‹ÿÿœA…A ‡C†CƒCPŒAÃAÆ AÇAÅ<8TŒÿÿyA…A ‡F†AƒC@hAÃAÆ AÇAÅ4x”ÿÿþA‡A †AƒC Ø Aà AÆAÇA °\Žÿÿ‚AƒC x AÃA 4ÔȎÿÿŠA‡A †AƒC0a Aà AÆAÇA 4  ÿÿŠA‡A †AƒC0a Aà AÆAÇA 4DxÿÿœA‡A †AƒC0p Aà AÆAÇA zR| ˆ<ȏÿÿÑA…A ‡A†AƒC`0 CÃAÆ AÇAÅA zR| ˆ<P’ÿÿ¸A…C ‡A†AƒC@ˆ AÃAÆ AÇAÅA <\ГÿÿqA…A ‡A†AƒCpt AÃAÆ AÇAÅA zR| ˆ<xœÿÿ`A…A ‡A†AƒC@2 AÃAÆ AÇAÅA zR| ˆ<€ÿÿ?A…B F‡†ƒÚ ÃAÆAÇAÅ A µ ÃAÆAÇAÅ A
base_address: 0x0000000000427000
process_identifier: 2612
process_handle: 0x000000000000025c
1 1 0

WriteProcessMemory

 buffer: FyÊ^(ð(ð(ð(ðHost.exe
base_address: 0x000000000042f000
process_identifier: 2612
process_handle: 0x000000000000025c
1 1 0

WriteProcessMemory

 buffer: X 00 0+010;0E0¦0Ä0Ë0å0*1Ý1ñ1 2%313|34[4S5.68™8¬9´94:Ý:û<==¶=À=Ë=‡>Ç>û>?? Œ¨1õ34¤5P6\6l6|6œ6º6Þ6ç708x8ª8Ñ9$:´;Ã;Ò;ã;÷;„<“<¢<¹<Ë<r=~=’=©=»=í=ø=>(>Ò>Ú>á>è>ú>? ??(?0?7?>?P?[?b?i??‡?Ž?•?§?²?¹?À?Ö?Þ?å?ì?þ?0ô 0001%1;1E1[1b1v1€1˜1Ÿ1³1º1Ë1Ú1ä1ò122+252K2R2d2n2}2„2œ2©2³2Â2Ì2Ú2÷23#353u3‡33¯3í34424m4w4Ž4¤4µ5¼5Ð5Ú5í5ô5 6646;6V6`6p6w66ˆ6±6¸6É6Ó6ê6ñ6777%7?7I7P7[7k7y7¡7¨7Ã7×7ð7ú78,8D8R8n8€88¢8¸8Í8×:ç:;);0;™;º;ä;ø;<‡=¤=Å=Õ=ÿ=„>Ó?ô?@`0)0M0f0—0 11 1{1–11§1®1µ1½1Ä1Õ1Ý1ä1ø12 222&2-282A2H2U2\2i2r2y2†22˜2¡2¨2µ2¼2â2ë2ó2ù23 30373¹3Á3È3Õ3Ý3ä3ñ3ù34 44444A4M4d4q4~4•4¡4®4Ä4Ý4ô4û45!565á5666¾6ç6ï6ù6E7­7Î7Ö7â7ê788+8Q8¦8Â8ý89W9^9e9q9x99†99–99¤9±9Ù9ø9::7:J:P:f:r:w:}:; ;\;d;~;¢;©;²;Æ;><K<R<W<c<j<q<%=4=C=¹=Ù=è=÷=>> >1>@>O>^>m>|>‹>š>©>¸>Ç>Ö>ô>ù>??4?9?Y?f?‡?ª?¯?Px0†0£0µ0Ù0á0í0ô01 111-151=1D1d1–1¡1+8Ë8ˆ9ú9:::‚:¯:º:À:;';@;H;M;Z;É;ì;÷;t<<•<©=Ú=â=ì=ÿ=> >><>C>_>y>È>`, 2•2Ã3Ê3ô355Ç5v6k8¤8Á8Ù8`9¥9c:G;b;­;p0d0«0Ã0ã0 1P1ò1M3¦3&6.7g7„7œ7Ã7ž8ù8(<J<˜>€Ì§0²1Ç1Ú1ä12h2Ï2î2L3£3*464U4a4’4é4M5Š566*616?6¨6®6ï6õ6 777*7q7®72888N8U8f8Ò8Ø89959<9ˆ9::::G:l:€:ˆ:º:Ø:ô: ;1;L;d;|;”;¬;Ä;Ü;ô; <$<<<T<‰<”<©<Ì<Ñ<Û<=(=X=^=i=¶=3>9>Y>l>·>¿>ó>û>?6?>?c?“?›?¿?Ç?°0¯0a1z1¯1¼1Ü1ó102=2c22“2Ÿ2»2Ã2ï2÷2X3ù3"4¹4d55Ý5‹67@7[7c7r7w7Ž7§7¼7Ç7Ñ7ß7ï78q8y8¶8/9á9:B:g:„::–:Ÿ:¨:±:º:Ã:Ì:Õ:Þ:ç:ð:ù:Ø;â;Z<¸<æ<V=c=r=¤=ã=2>j>}>‰>£>«>»>Ç>á>?6?ë? @70?0á0R1¨1°122÷2 3#3Z3b3q3§3î34L4S4h4}4¨4 5,5F5f5ã5°€O0•0¸0>1„1§1G2k2³2Û2Ž3¦3Æ3å3M4b4…4Ÿ4´4F5h5õ56.6w6ƒ6˜6»6Î67#787[7n7·7Ã7í78R8m8˜8Ã8î89D9o9š9Ã9ê9:>:•:ª:8=Ú=¤>Û>H?~?Àpæ0´1À1ò1þ1%2˜2ç2û2)3n3¦3ô34-4„5á5 6T6‡6Ä6ô6'7d7”7Ç7848g8¤8Ø8 9‹9:ú:9;m; ;Ý; <@<}<­<à<=M=€=½=ñ=$>¤>Þ?ÐHÓ01u1Á1Þ23£3Ñ3þ3{4œ45Z7ý7:E;;¨;Ù;<D<Ž<·<ó<=K=l=ˆ=¢=Â=Ü=ú=à$×03Ù3á3î3’68/8C8m;J<‘>ü>?ðh+0?0S0&2222¤2¿2Ì2'333‘3¥3À3Í3(444’4¦4Á4Î4)555“5§5Â5Ï5.6;6Š6ž6¹6Æ6%7277•7°7½78$8¬8#?/?O?[?Ó?D80¡0w1ù12 2222 212N2[2k2|2…2™2ž2µ2Ÿ8:¨;&<µ<4=>@>ç>÷?(ù0H1Ý1k3Ì3à344Ù406£6­6Â6\7û<  ‚10\Ò0f12`243@3å4@5L5Ã5Ø5û5%6?6M6g6u6ä7(8n88·8û89,9i9ü9 :A:W:|:¹:<;T;Ó;"<Ñ<~=?‹?ä?@10’0÷112[2$4¡67P<Ý405½5Ä5 66V6ß78 878>8|8Š8ã8ê8ú89y9ä9ë9&;-;—=ž=`–0£0°0M1T1p$ 22,2ã2ð2¼3Å3Ð4<—<¢<È<ƒ=˜?€F0–6¦6Ö8Ý8.858a8€8—89"9t={= 8^0e0Í0Ó0à0Š1œ1·1¢2µ2Â233669h9Í9­:º:ò<ú<`>?À$§3Ë3q5¸56777þ7 8=8¸;¿;o=ÐÓ1¯2¶2¹4J9Q9?à0X0‰1¨1¡7¨7k8Í9Ë;Â=ð„14&4.464>4F4N4V4^4f4n4v4~4†4Ž4–4ž4¦4®4¶4¾4Æ4Î4Ö4Þ4æ4î4ö4þ45555&5.565>5F5N5V5^5f5n5v5~5†5Ž5–5ž5¦5®5¶5¾5Æ5Î5Ö5Þ5æ5î5ö5þ56666&6.666>6F6N6V6^6f6n6v6~6†6Ž6–6ž6¦6®6¶6¾6Æ6Î6Ö6Þ6æ6î6ö6þ67777&7.767>7F7N7V7^7f7n7v7~7†7Ž7–7ž7¦7®7¶7¾7Æ7Î7Ö7Þ7æ7î7ö7þ78888&8.868>8F8N8V8^8f8n8v8~8†8Ž8–8ž8¦8®8¶8¾8Æ8Î8Ö8Þ8æ8î8ö8þ89999&9.969>9F9N9V9^9f9n9v9ª9/::Ï:;N;U;[;‰;¾;Å;Ë;ù;.<5<;<á<P2!2'2?2F2L2—2×2Þ2ä2:3g3n3t34 44L5S5Y5Û6â6è6E8L8R8¢8©8¯8…<Œ<’<? ??,/2K2U2g2q2À2Î2Û2â2 333!5(5.5F5M5S5 4À8Ä8È8Ì8Ð8Ô8Ø8Ü8à8ä8è8ì8ð8ô8ø8ü8999 99999 9$9(9,9094989<9@9D9H9L9P9T9X9\9`9d9h9l9€9„9ˆ9Œ99”9˜9œ9 9: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:€:„:ˆ:Œ::”:˜:œ: :¤:¨:¬:°:´:¸:¼:À:Ä:È:Ì:Ð:Ô:Ø:Ü:à:ä:è:ì:ð:ô:ø:ü:;;; ;;;;; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d; <¤<¨<¬<°<´<¸<¼<À<Ä<È<Ì<Ð<0 d=h=l=p=t=x=|=€=„=ˆ=Œ=@¬ä3è3ì3ð3ô3ø3ü3444 44L4P4T4X4\4`4T7X7\7`7d7h7l7p7t7x7|7€7„7ˆ7Œ77”7˜7œ7 7¤7¨7¬7°7´7¸7¼7À7Ä7È7Ì7Ð7Ô7Ø7Ü7à7ä7è7ì7ð7ô7ø7ü7888 88888 8$8(8D=L=T=\=d=l=t=|=„=Œ=
base_address: 0x0000000000432000
process_identifier: 2612
process_handle: 0x000000000000025c
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x000000007efde008
process_identifier: 2612
process_handle: 0x000000000000025c
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELFyÊ^à xh-$ @0 ¾ ð1è ¬ œÔ.textx P`.data|L N @`À.eh_framØpX@0@.bss„f€€`À.edata1ð^@0@.idataè`@0À.reloc¬ t@0B
base_address: 0x0000000000400000
process_identifier: 2612
process_handle: 0x000000000000025c
1 1 0
Process injection Process 2276 resumed a thread in remote process 2612
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x0000000000000258
suspend_count: 1
process_identifier: 2612
1 0 0
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2616
thread_handle: 0x0000000000000258
process_identifier: 2612
current_directory:
filepath: C:\Windows\SysWOW64\explorer.exe
track: 1
command_line:
filepath_r: C:\Windows\SysWOW64\explorer.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000000000000025c
1 1 0
dead_host 122.180.86.185:3360
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x00000000000000c4
suspend_count: 1
process_identifier: 2276
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000134
suspend_count: 1
process_identifier: 2276
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000174
suspend_count: 1
process_identifier: 2276
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000220
suspend_count: 1
process_identifier: 2276
1 0 0

NtGetContextThread

 thread_handle: 0x00000000000000c8
1 0 0

NtGetContextThread

 thread_handle: 0x00000000000000c8
1 0 0

NtResumeThread

 thread_handle: 0x00000000000000c8
suspend_count: 1
process_identifier: 2276
1 0 0

NtGetContextThread

 thread_handle: 0x00000000000000c8
1 0 0

NtResumeThread

 thread_handle: 0x00000000000000c8
suspend_count: 1
process_identifier: 2276
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000238
suspend_count: 1
process_identifier: 2276
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000254
suspend_count: 1
process_identifier: 2276
1 0 0

CreateProcessInternalW

 thread_identifier: 2616
thread_handle: 0x0000000000000258
process_identifier: 2612
current_directory:
filepath: C:\Windows\SysWOW64\explorer.exe
track: 1
command_line:
filepath_r: C:\Windows\SysWOW64\explorer.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000000000000025c
1 1 0

NtAllocateVirtualMemory

 process_identifier: 2612
region_size: 208896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000000000000025c
1 0 0

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELFyÊ^à xh-$ @0 ¾ ð1è ¬ œÔ.textx P`.data|L N @`À.eh_framØpX@0@.bss„f€€`À.edata1ð^@0@.idataè`@0À.reloc¬ t@0B
base_address: 0x0000000000400000
process_identifier: 2612
process_handle: 0x000000000000025c
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x0000000000401000
process_identifier: 2612
process_handle: 0x000000000000025c
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x0000000000422000
process_identifier: 2612
process_handle: 0x000000000000025c
1 1 0

WriteProcessMemory

 buffer: zR| ˆ(`‰ÿÿ9A†A ƒC q AÃAÆHt‰ÿÿ,C h`Œ‰ÿÿ,C hx¤‰ÿÿFC0BÜ‰ÿÿFC0B¨Šÿÿ>C0zzR| ˆ $ŠÿÿaAƒC0| AÃA @pŠÿÿaAƒC0| AÃA d¼ŠÿÿaAƒC0| AÃA ˆ‹ÿÿICZ E S E JzR| ˆÜ£ÿÿzR| ˆðŠÿÿ+C gzR| ˆ ðŠÿÿKD†A ƒ}ÃEÆ0@‹ÿÿœA‡A †CƒH ‹Aà AÆAÇ,tˆ‹ÿÿ\A†A ƒN ÃAÆA HÃAÆT¤¸‹ÿÿ…A…A ‡A†CƒE@M AÃAÆ AÇAÅA W EÃAÆ AÇAÅE 8üð‹ÿÿœA…A ‡C†CƒCPŒAÃAÆ AÇAÅ<8TŒÿÿyA…A ‡F†AƒC@hAÃAÆ AÇAÅ4x”ÿÿþA‡A †AƒC Ø Aà AÆAÇA °\Žÿÿ‚AƒC x AÃA 4ÔȎÿÿŠA‡A †AƒC0a Aà AÆAÇA 4  ÿÿŠA‡A †AƒC0a Aà AÆAÇA 4DxÿÿœA‡A †AƒC0p Aà AÆAÇA zR| ˆ<ȏÿÿÑA…A ‡A†AƒC`0 CÃAÆ AÇAÅA zR| ˆ<P’ÿÿ¸A…C ‡A†AƒC@ˆ AÃAÆ AÇAÅA <\ГÿÿqA…A ‡A†AƒCpt AÃAÆ AÇAÅA zR| ˆ<xœÿÿ`A…A ‡A†AƒC@2 AÃAÆ AÇAÅA zR| ˆ<€ÿÿ?A…B F‡†ƒÚ ÃAÆAÇAÅ A µ ÃAÆAÇAÅ A
base_address: 0x0000000000427000
process_identifier: 2612
process_handle: 0x000000000000025c
1 1 0

WriteProcessMemory

 buffer: FyÊ^(ð(ð(ð(ðHost.exe
base_address: 0x000000000042f000
process_identifier: 2612
process_handle: 0x000000000000025c
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x0000000000430000
process_identifier: 2612
process_handle: 0x000000000000025c
1 1 0

WriteProcessMemory

 buffer: X 00 0+010;0E0¦0Ä0Ë0å0*1Ý1ñ1 2%313|34[4S5.68™8¬9´94:Ý:û<==¶=À=Ë=‡>Ç>û>?? Œ¨1õ34¤5P6\6l6|6œ6º6Þ6ç708x8ª8Ñ9$:´;Ã;Ò;ã;÷;„<“<¢<¹<Ë<r=~=’=©=»=í=ø=>(>Ò>Ú>á>è>ú>? ??(?0?7?>?P?[?b?i??‡?Ž?•?§?²?¹?À?Ö?Þ?å?ì?þ?0ô 0001%1;1E1[1b1v1€1˜1Ÿ1³1º1Ë1Ú1ä1ò122+252K2R2d2n2}2„2œ2©2³2Â2Ì2Ú2÷23#353u3‡33¯3í34424m4w4Ž4¤4µ5¼5Ð5Ú5í5ô5 6646;6V6`6p6w66ˆ6±6¸6É6Ó6ê6ñ6777%7?7I7P7[7k7y7¡7¨7Ã7×7ð7ú78,8D8R8n8€88¢8¸8Í8×:ç:;);0;™;º;ä;ø;<‡=¤=Å=Õ=ÿ=„>Ó?ô?@`0)0M0f0—0 11 1{1–11§1®1µ1½1Ä1Õ1Ý1ä1ø12 222&2-282A2H2U2\2i2r2y2†22˜2¡2¨2µ2¼2â2ë2ó2ù23 30373¹3Á3È3Õ3Ý3ä3ñ3ù34 44444A4M4d4q4~4•4¡4®4Ä4Ý4ô4û45!565á5666¾6ç6ï6ù6E7­7Î7Ö7â7ê788+8Q8¦8Â8ý89W9^9e9q9x99†99–99¤9±9Ù9ø9::7:J:P:f:r:w:}:; ;\;d;~;¢;©;²;Æ;><K<R<W<c<j<q<%=4=C=¹=Ù=è=÷=>> >1>@>O>^>m>|>‹>š>©>¸>Ç>Ö>ô>ù>??4?9?Y?f?‡?ª?¯?Px0†0£0µ0Ù0á0í0ô01 111-151=1D1d1–1¡1+8Ë8ˆ9ú9:::‚:¯:º:À:;';@;H;M;Z;É;ì;÷;t<<•<©=Ú=â=ì=ÿ=> >><>C>_>y>È>`, 2•2Ã3Ê3ô355Ç5v6k8¤8Á8Ù8`9¥9c:G;b;­;p0d0«0Ã0ã0 1P1ò1M3¦3&6.7g7„7œ7Ã7ž8ù8(<J<˜>€Ì§0²1Ç1Ú1ä12h2Ï2î2L3£3*464U4a4’4é4M5Š566*616?6¨6®6ï6õ6 777*7q7®72888N8U8f8Ò8Ø89959<9ˆ9::::G:l:€:ˆ:º:Ø:ô: ;1;L;d;|;”;¬;Ä;Ü;ô; <$<<<T<‰<”<©<Ì<Ñ<Û<=(=X=^=i=¶=3>9>Y>l>·>¿>ó>û>?6?>?c?“?›?¿?Ç?°0¯0a1z1¯1¼1Ü1ó102=2c22“2Ÿ2»2Ã2ï2÷2X3ù3"4¹4d55Ý5‹67@7[7c7r7w7Ž7§7¼7Ç7Ñ7ß7ï78q8y8¶8/9á9:B:g:„::–:Ÿ:¨:±:º:Ã:Ì:Õ:Þ:ç:ð:ù:Ø;â;Z<¸<æ<V=c=r=¤=ã=2>j>}>‰>£>«>»>Ç>á>?6?ë? @70?0á0R1¨1°122÷2 3#3Z3b3q3§3î34L4S4h4}4¨4 5,5F5f5ã5°€O0•0¸0>1„1§1G2k2³2Û2Ž3¦3Æ3å3M4b4…4Ÿ4´4F5h5õ56.6w6ƒ6˜6»6Î67#787[7n7·7Ã7í78R8m8˜8Ã8î89D9o9š9Ã9ê9:>:•:ª:8=Ú=¤>Û>H?~?Àpæ0´1À1ò1þ1%2˜2ç2û2)3n3¦3ô34-4„5á5 6T6‡6Ä6ô6'7d7”7Ç7848g8¤8Ø8 9‹9:ú:9;m; ;Ý; <@<}<­<à<=M=€=½=ñ=$>¤>Þ?ÐHÓ01u1Á1Þ23£3Ñ3þ3{4œ45Z7ý7:E;;¨;Ù;<D<Ž<·<ó<=K=l=ˆ=¢=Â=Ü=ú=à$×03Ù3á3î3’68/8C8m;J<‘>ü>?ðh+0?0S0&2222¤2¿2Ì2'333‘3¥3À3Í3(444’4¦4Á4Î4)555“5§5Â5Ï5.6;6Š6ž6¹6Æ6%7277•7°7½78$8¬8#?/?O?[?Ó?D80¡0w1ù12 2222 212N2[2k2|2…2™2ž2µ2Ÿ8:¨;&<µ<4=>@>ç>÷?(ù0H1Ý1k3Ì3à344Ù406£6­6Â6\7û<  ‚10\Ò0f12`243@3å4@5L5Ã5Ø5û5%6?6M6g6u6ä7(8n88·8û89,9i9ü9 :A:W:|:¹:<;T;Ó;"<Ñ<~=?‹?ä?@10’0÷112[2$4¡67P<Ý405½5Ä5 66V6ß78 878>8|8Š8ã8ê8ú89y9ä9ë9&;-;—=ž=`–0£0°0M1T1p$ 22,2ã2ð2¼3Å3Ð4<—<¢<È<ƒ=˜?€F0–6¦6Ö8Ý8.858a8€8—89"9t={= 8^0e0Í0Ó0à0Š1œ1·1¢2µ2Â233669h9Í9­:º:ò<ú<`>?À$§3Ë3q5¸56777þ7 8=8¸;¿;o=ÐÓ1¯2¶2¹4J9Q9?à0X0‰1¨1¡7¨7k8Í9Ë;Â=ð„14&4.464>4F4N4V4^4f4n4v4~4†4Ž4–4ž4¦4®4¶4¾4Æ4Î4Ö4Þ4æ4î4ö4þ45555&5.565>5F5N5V5^5f5n5v5~5†5Ž5–5ž5¦5®5¶5¾5Æ5Î5Ö5Þ5æ5î5ö5þ56666&6.666>6F6N6V6^6f6n6v6~6†6Ž6–6ž6¦6®6¶6¾6Æ6Î6Ö6Þ6æ6î6ö6þ67777&7.767>7F7N7V7^7f7n7v7~7†7Ž7–7ž7¦7®7¶7¾7Æ7Î7Ö7Þ7æ7î7ö7þ78888&8.868>8F8N8V8^8f8n8v8~8†8Ž8–8ž8¦8®8¶8¾8Æ8Î8Ö8Þ8æ8î8ö8þ89999&9.969>9F9N9V9^9f9n9v9ª9/::Ï:;N;U;[;‰;¾;Å;Ë;ù;.<5<;<á<P2!2'2?2F2L2—2×2Þ2ä2:3g3n3t34 44L5S5Y5Û6â6è6E8L8R8¢8©8¯8…<Œ<’<? ??,/2K2U2g2q2À2Î2Û2â2 333!5(5.5F5M5S5 4À8Ä8È8Ì8Ð8Ô8Ø8Ü8à8ä8è8ì8ð8ô8ø8ü8999 99999 9$9(9,9094989<9@9D9H9L9P9T9X9\9`9d9h9l9€9„9ˆ9Œ99”9˜9œ9 9: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:€:„:ˆ:Œ::”:˜:œ: :¤:¨:¬:°:´:¸:¼:À:Ä:È:Ì:Ð:Ô:Ø:Ü:à:ä:è:ì:ð:ô:ø:ü:;;; ;;;;; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d; <¤<¨<¬<°<´<¸<¼<À<Ä<È<Ì<Ð<0 d=h=l=p=t=x=|=€=„=ˆ=Œ=@¬ä3è3ì3ð3ô3ø3ü3444 44L4P4T4X4\4`4T7X7\7`7d7h7l7p7t7x7|7€7„7ˆ7Œ77”7˜7œ7 7¤7¨7¬7°7´7¸7¼7À7Ä7È7Ì7Ð7Ô7Ø7Ü7à7ä7è7ì7ð7ô7ø7ü7888 88888 8$8(8D=L=T=\=d=l=t=|=„=Œ=
base_address: 0x0000000000432000
process_identifier: 2612
process_handle: 0x000000000000025c
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x000000007efde008
process_identifier: 2612
process_handle: 0x000000000000025c
1 1 0

NtResumeThread

 thread_handle: 0x0000000000000258
suspend_count: 1
process_identifier: 2612
1 0 0
Elastic malicious (high confidence)
DrWeb Trojan.PackedNET.335
MicroWorld-eScan Trojan.Generic.30292007
FireEye Generic.mg.6a4e8dbad4bd5845
ALYac Trojan.Generic.30292007
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_90% (W)
Cyren W64/MSIL_Kryptik.FSR.gen!Eldorado
Symantec Trojan.Gen.MBT
ESET-NOD32 a variant of Win32/Agent.ACBZ
APEX Malicious
ClamAV Win.Dropper.NetWire-8025706-0
Kaspersky Backdoor.Win32.NetWiredRC.lac
Avast Win32:RATX-gen [Trj]
Rising Backdoor.NetWire!1.C98D (CLASSIC)
McAfee-GW-Edition Artemis!Trojan
Sophos Troj/Recam-HB
SentinelOne Static AI - Malicious PE
Avira TR/Spy.Gen
Microsoft Trojan:Win32/Woreflint.A!cl
Cynet Malicious (score: 99)
AhnLab-V3 Win-Trojan/MSILKrypt14.Exp
McAfee Artemis!6A4E8DBAD4BD
Malwarebytes Malware.AI.4040733249
Ikarus Trojan.Win32.Agent
eGambit Unsafe.AI_Score_99%
Fortinet MSIL/Agent.ACBZ!tr
AVG Win32:RATX-gen [Trj]
Cybereason malicious.6ecb7d