popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

NEV.exe

Backdoor Client SW User Data Stealer RemcosRAT info stealer browser Chrome Confuser .NET Downloader Google User Data ScreenShot KeyLogger Internet API Create Service Socket Escalate priviledges DNS PWS Sniff Audio AntiDebug PE64 PE File AntiVM
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us June 28, 2023, 7:42 a.m. June 28, 2023, 8:01 a.m.
Size 532.1KB
Type PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5 01248782c871923cce056480ce946ab7
SHA256 74c7371f4ee7b52bb7c9c79610027e6e927e3bfca8ef841407e1610f72f11aa2
CRC32 371E4DAF
ssdeep 12288:WGcYmvZZpBI5AaE7SN2NQnHwE78rcad4Yx8yyeSNIp9Sdcl+YY:WNYujqdE7SN2KnHwO8xXx8yyl
PDB Path NBB872.pdb
Yara
  • IsPE64 - (no description)
  • ConfuserEx_Zero - Confuser .NET
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
185.65.134.188 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
pdb_path NBB872.pdb
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2040
region_size: 1114112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000ad0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2040
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000b60000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef35f1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3c8b000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2040
region_size: 1835008
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002520000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2040
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002660000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef35f2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef35f2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef35f2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef35f2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef35f2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef35f2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef35f2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef35f2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef35f2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef35f2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef35f2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef35f4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef35f4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef35f4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef35f4000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2040
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2040
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2040
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2040
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2040
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff00000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2040
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2040
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93e4a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2040
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93e5c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2040
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93f70000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2040
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93f71000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2040
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93f72000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2040
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93f74000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2040
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93f75000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2040
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93f76000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2040
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93f77000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2040
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93f78000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2040
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93f79000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2040
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93f7a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2040
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93efc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2040
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93f26000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2040
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93f00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2040
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93e4b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2040
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93e42000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2040
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93f7b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2040
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93f7c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2040
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93f7d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2040
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93f7e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2040
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93f7f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2040
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93e6b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
description NEV.exe tried to sleep 173 seconds, actually delayed analysis time by 173 seconds
section {u'size_of_data': u'0x00080400', u'virtual_address': u'0x00002000', u'entropy': 7.93766812503585, u'name': u'.text', u'virtual_size': u'0x000803c7'} entropy 7.93766812504 description A section with a high entropy has been found
entropy 0.998054474708 description Overall entropy of this PE file is high
description Create a windows service rule Create_Service
description Client_SW_User_Data_Stealer rule Client_SW_User_Data_Stealer
description Win Backdoor RemcosRAT rule Win_Backdoor_RemcosRAT
description Communications over RAW Socket rule Network_TCP_Socket
description File Downloader rule Network_Downloader
description browser info stealer rule infoStealer_browser_Zero
description Escalate priviledges rule Escalate_priviledges
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Communications use DNS rule Network_DNS
description Take ScreenShot rule ScreenShot
description Match Windows Inet API call rule Str_Win32_Internet_API
description Google Chrome User Data Check rule Chrome_User_Data_Check_Zero
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Run a KeyLogger rule KeyLogger
host 185.65.134.188
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2660
region_size: 528384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000000000000164
-1073741800 0

NtAllocateVirtualMemory

 process_identifier: 2696
region_size: 528384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000000000000234
1 0 0
Process injection Process 2040 manipulating memory of non-child process 2660
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2660
region_size: 528384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000000000000164
-1073741800 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $<‰ä%xèŠvxèŠvxèŠvÌt{vkèŠvÌtyvßèŠvÌtxvfèŠvqvyèŠvæHMvzèŠvÕ¶‰wbèŠvÕ¶wBèŠvÕ¶ŽwZèŠvqvaèŠvxè‹vBéŠvͶƒwèŠvͶuvyèŠvͶˆwyèŠvRichxèŠvPEL¥vdà l D€@€HÞ€äJÐH;àÂ8tÃÃ@€ì.text…kl `.rdataüx€zp@@.data]ê@À.tls `ø@À.gfids0pú@@.rsrcäJ€Lþ@@.relocH;Ð<J@B
base_address: 0x0000000000400000
process_identifier: 2696
process_handle: 0x0000000000000234
1 1 0

WriteProcessMemory

 buffer: €ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ “    ¬ÅE°ÈEªÅE..€G\G\G\G\G\G\G\G\G\G„G`G`G`G`G`G`G`GˆGÿÿÿÿ°ÈE¨G¨G¨G¨G¨GˆG0ËE°ÌEøÚEèG€GCPSTPDT°GðGÿÿÿÿÿÿÿÿÿÿÿÿ€ ¤`‚y‚!¦ß¡¥Ÿàü@~€ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ€Gþÿÿÿþÿÿÿu˜Ï!­tåša¾Œe¸‘¢z»Œ^ž âȨ3œ¶FEA$¶F½GA0¶FÜDA´†E.?AVtype_info@@´†E.?AVbad_alloc@std@@´†E.?AVbad_array_new_length@std@@´†E.?AVlogic_error@std@@´†E.?AVlength_error@std@@´†E.?AVout_of_range@std@@´†E.?AV_Facet_base@std@@´†E.?AV_Locimp@locale@std@@´†E.?AVfacet@locale@std@@´†E.?AU_Crt_new_delete@std@@´†E.?AVcodecvt_base@std@@´†E.?AUctype_base@std@@´†E.?AV?$ctype@D@std@@´†E.?AV?$codecvt@DDU_Mbstatet@@@std@@´†E.?AVbad_exception@std@@´†E.H´†E.?AVfailure@ios_base@std@@´†E.?AVruntime_error@std@@´†E.?AVsystem_error@std@@´†E.?AVbad_cast@std@@´†E.?AV_System_error@std@@´†E.?AVexception@std@@
base_address: 0x0000000000470000
process_identifier: 2696
process_handle: 0x0000000000000234
1 1 0

WriteProcessMemory

 buffer: €
base_address: 0x0000000000476000
process_identifier: 2696
process_handle: 0x0000000000000234
1 1 0

WriteProcessMemory

 buffer: f5K5§>ñ9 :§>Y:§>iê§>í —µ–:}}P:nõ]õ‘R9R§>§>_‡²†:ß9î 5HW  ðz®}°ºˆ»áà3@œ†Ó#·•‡DË6;4]Le b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` Ÿž†…¢†…§µ¶³´±²¯°†…¸ Ÿ†… Y
base_address: 0x0000000000477000
process_identifier: 2696
process_handle: 0x0000000000000234
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x000000007efde008
process_identifier: 2696
process_handle: 0x0000000000000234
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $<‰ä%xèŠvxèŠvxèŠvÌt{vkèŠvÌtyvßèŠvÌtxvfèŠvqvyèŠvæHMvzèŠvÕ¶‰wbèŠvÕ¶wBèŠvÕ¶ŽwZèŠvqvaèŠvxè‹vBéŠvͶƒwèŠvͶuvyèŠvͶˆwyèŠvRichxèŠvPEL¥vdà l D€@€HÞ€äJÐH;àÂ8tÃÃ@€ì.text…kl `.rdataüx€zp@@.data]ê@À.tls `ø@À.gfids0pú@@.rsrcäJ€Lþ@@.relocH;Ð<J@B
base_address: 0x0000000000400000
process_identifier: 2696
process_handle: 0x0000000000000234
1 1 0
Time & API Arguments Status Return Repeated

SetWindowsHookExA

 thread_identifier: 0
callback_function: 0x0040a1cb
hook_identifier: 13 (WH_KEYBOARD_LL)
module_address: 0x00400000
1 1966445 0
Process injection Process 2040 resumed a thread in remote process 2696
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x0000000000000230
suspend_count: 1
process_identifier: 2696
1 0 0
dead_host 10.16.0.18:55433
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x00000000000000c4
suspend_count: 1
process_identifier: 2040
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000134
suspend_count: 1
process_identifier: 2040
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000144
suspend_count: 1
process_identifier: 2040
1 0 0

NtResumeThread

 thread_handle: 0x00000000000001e0
suspend_count: 1
process_identifier: 2040
1 0 0

NtGetContextThread

 thread_handle: 0x00000000000000c8
1 0 0

NtGetContextThread

 thread_handle: 0x00000000000000c8
1 0 0

NtResumeThread

 thread_handle: 0x00000000000000c8
suspend_count: 1
process_identifier: 2040
1 0 0

NtResumeThread

 thread_handle: 0x00000000000001f4
suspend_count: 1
process_identifier: 2040
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000218
suspend_count: 1
process_identifier: 2040
1 0 0

NtGetContextThread

 thread_handle: 0x0000000000000134
1 0 0

NtGetContextThread

 thread_handle: 0x0000000000000134
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000134
suspend_count: 1
process_identifier: 2040
1 0 0

NtGetContextThread

 thread_handle: 0x0000000000000134
1 0 0

NtGetContextThread

 thread_handle: 0x0000000000000134
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000134
suspend_count: 1
process_identifier: 2040
1 0 0

NtResumeThread

 thread_handle: 0x00000000000001e0
suspend_count: 1
process_identifier: 2040
1 0 0

NtGetContextThread

 thread_handle: 0x00000000000000c8
1 0 0

NtGetContextThread

 thread_handle: 0x00000000000000c8
1 0 0

NtResumeThread

 thread_handle: 0x00000000000000c8
suspend_count: 1
process_identifier: 2040
1 0 0

NtGetContextThread

 thread_handle: 0x00000000000000c8
1 0 0

NtGetContextThread

 thread_handle: 0x00000000000000c8
1 0 0

NtResumeThread

 thread_handle: 0x00000000000000c8
suspend_count: 1
process_identifier: 2040
1 0 0

NtGetContextThread

 thread_handle: 0x0000000000000134
1 0 0

NtGetContextThread

 thread_handle: 0x0000000000000134
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000134
suspend_count: 1
process_identifier: 2040
1 0 0

CreateProcessInternalW

 thread_identifier: 2664
thread_handle: 0x0000000000000204
process_identifier: 2660
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
track: 1
command_line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x0000000000000164
1 1 0

NtAllocateVirtualMemory

 process_identifier: 2660
region_size: 528384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000000000000164
-1073741800 0

CreateProcessInternalW

 thread_identifier: 2700
thread_handle: 0x0000000000000230
process_identifier: 2696
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
track: 1
command_line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x0000000000000234
1 1 0

NtAllocateVirtualMemory

 process_identifier: 2696
region_size: 528384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000000000000234
1 0 0

WriteProcessMemory

 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $<‰ä%xèŠvxèŠvxèŠvÌt{vkèŠvÌtyvßèŠvÌtxvfèŠvqvyèŠvæHMvzèŠvÕ¶‰wbèŠvÕ¶wBèŠvÕ¶ŽwZèŠvqvaèŠvxè‹vBéŠvͶƒwèŠvͶuvyèŠvͶˆwyèŠvRichxèŠvPEL¥vdà l D€@€HÞ€äJÐH;àÂ8tÃÃ@€ì.text…kl `.rdataüx€zp@@.data]ê@À.tls `ø@À.gfids0pú@@.rsrcäJ€Lþ@@.relocH;Ð<J@B
base_address: 0x0000000000400000
process_identifier: 2696
process_handle: 0x0000000000000234
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x0000000000401000
process_identifier: 2696
process_handle: 0x0000000000000234
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x0000000000458000
process_identifier: 2696
process_handle: 0x0000000000000234
1 1 0

WriteProcessMemory

 buffer: €ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ “    ¬ÅE°ÈEªÅE..€G\G\G\G\G\G\G\G\G\G„G`G`G`G`G`G`G`GˆGÿÿÿÿ°ÈE¨G¨G¨G¨G¨GˆG0ËE°ÌEøÚEèG€GCPSTPDT°GðGÿÿÿÿÿÿÿÿÿÿÿÿ€ ¤`‚y‚!¦ß¡¥Ÿàü@~€ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ€Gþÿÿÿþÿÿÿu˜Ï!­tåša¾Œe¸‘¢z»Œ^ž âȨ3œ¶FEA$¶F½GA0¶FÜDA´†E.?AVtype_info@@´†E.?AVbad_alloc@std@@´†E.?AVbad_array_new_length@std@@´†E.?AVlogic_error@std@@´†E.?AVlength_error@std@@´†E.?AVout_of_range@std@@´†E.?AV_Facet_base@std@@´†E.?AV_Locimp@locale@std@@´†E.?AVfacet@locale@std@@´†E.?AU_Crt_new_delete@std@@´†E.?AVcodecvt_base@std@@´†E.?AUctype_base@std@@´†E.?AV?$ctype@D@std@@´†E.?AV?$codecvt@DDU_Mbstatet@@@std@@´†E.?AVbad_exception@std@@´†E.H´†E.?AVfailure@ios_base@std@@´†E.?AVruntime_error@std@@´†E.?AVsystem_error@std@@´†E.?AVbad_cast@std@@´†E.?AV_System_error@std@@´†E.?AVexception@std@@
base_address: 0x0000000000470000
process_identifier: 2696
process_handle: 0x0000000000000234
1 1 0

WriteProcessMemory

 buffer: €
base_address: 0x0000000000476000
process_identifier: 2696
process_handle: 0x0000000000000234
1 1 0

WriteProcessMemory

 buffer: f5K5§>ñ9 :§>Y:§>iê§>í —µ–:}}P:nõ]õ‘R9R§>§>_‡²†:ß9î 5HW  ðz®}°ºˆ»áà3@œ†Ó#·•‡DË6;4]Le b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` Ÿž†…¢†…§µ¶³´±²¯°†…¸ Ÿ†… Y
base_address: 0x0000000000477000
process_identifier: 2696
process_handle: 0x0000000000000234
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x0000000000478000
process_identifier: 2696
process_handle: 0x0000000000000234
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x000000000047d000
process_identifier: 2696
process_handle: 0x0000000000000234
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x000000007efde008
process_identifier: 2696
process_handle: 0x0000000000000234
1 1 0

NtResumeThread

 thread_handle: 0x0000000000000230
suspend_count: 1
process_identifier: 2696
1 0 0
Lionic Trojan.Win32.Remcos.4!c
DrWeb Trojan.Inject4.58153
MicroWorld-eScan Trojan.GenericKD.67412850
McAfee Artemis!01248782C871
Malwarebytes Trojan.Crypt
Sangfor Backdoor.Msil.Kryptik.Vxdm
K7AntiVirus Trojan ( 0059b63d1 )
Alibaba Trojan:MSIL/Kryptik.2227ebbf
K7GW Trojan ( 0059b63d1 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Generic.D404A372
VirIT Trojan.Win64.MSIL_Heur.A
Cyren W64/MSIL_Kryptik.IYE.gen!Eldorado
Symantec Trojan Horse
Elastic malicious (high confidence)
ESET-NOD32 a variant of MSIL/Kryptik.AHED
Cynet Malicious (score: 99)
Kaspersky HEUR:Backdoor.MSIL.Remcos.gen
BitDefender Trojan.GenericKD.67412850
Avast Win64:RATX-gen [Trj]
Tencent Win32.Trojan.FalseSign.Mqil
Emsisoft Trojan.GenericKD.67412850 (B)
F-Secure Trojan.TR/Kryptik.bpqiv
VIPRE Gen:Variant.Tedy.380160
McAfee-GW-Edition Artemis!Trojan
FireEye Trojan.GenericKD.67412850
Sophos Mal/Generic-S
Avira TR/Kryptik.bpqiv
MAX malware (ai score=87)
Gridinsoft Trojan.Win64.Remcos.bot
Microsoft Backdoor:Win32/Remcos.GA!MTB
ZoneAlarm HEUR:Backdoor.MSIL.Remcos.gen
GData Trojan.GenericKD.67412850
Google Detected
AhnLab-V3 Trojan/Win.Generic.C5438298
VBA32 Backdoor.MSIL.Remcos
ALYac Trojan.GenericKD.67419879
Cylance unsafe
Panda Trj/Chgt.AD
TrendMicro-HouseCall TROJ_GEN.R002H0DF723
Rising Malware.Obfus/MSIL@AI.98 (RDM.MSIL2:kmcHsGAT7SrBx53P/Fp9fg)
Ikarus Trojan.MSIL.Crypt
MaxSecure Trojan.Malware.1728101.susgen
Fortinet MSIL/Kryptik.AHED!tr
AVG Win64:RATX-gen [Trj]
Cybereason malicious.880866
DeepInstinct MALICIOUS