popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Diamotrix.exe

Generic Malware Downloader Malicious Library Code injection HTTP Escalate priviledges Internet API Http API persistence PE64 PE File AntiVM AntiDebug
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Nov. 8, 2024, 10:56 a.m. Nov. 8, 2024, 10:59 a.m.
Size 23.0KB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 5c02b91b95c1dec88be1c6dd65674363
SHA256 247004604614a3da2b81c147c8f4a2848b62b8494244744ba213ce7e4f929cc3
CRC32 3E180BB6
ssdeep 384:5JxUsqjKVq5XdfCSUe88rXJy9CCLXOaNxsPDhxWBtIBDMKPS4W4EU:5JxUs9wJz88rX+DdIfDBe
Yara
  • Malicious_Library_Zero - Malicious_Library
  • Network_Downloader - File Downloader
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)
  • Generic_Malware_Zero - Generic Malware

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218
0xbf123218

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xbf123218
registers.r14: 0
registers.r15: 0
registers.rcx: 8796092858368
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 2423224
registers.r11: 0
registers.r8: 8796092858368
registers.r9: 3205640728
registers.rdx: 3205640728
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1996317984
registers.r13: 0
1 0 0

__exception__

 stacktrace: 
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218
0xbe6c3218

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xbe6c3218
registers.r14: 0
registers.r15: 0
registers.rcx: 8796092837888
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 2620632
registers.r11: 0
registers.r8: 8796092837888
registers.r9: 3194761752
registers.rdx: 3194761752
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1996317984
registers.r13: 0
1 0 0

__exception__

 stacktrace: 
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218
0xbf523218

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xbf523218
registers.r14: 0
registers.r15: 0
registers.rcx: 8796092862464
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 1571656
registers.r11: 0
registers.r8: 8796092862464
registers.r9: 3209835032
registers.rdx: 3209835032
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1996317984
registers.r13: 0
1 0 0
Time & API Arguments Status Return Repeated

SetFileAttributesW

 file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: C:\Users\test22\AppData\Roaming\03BD451ED4621855818353
filepath: C:\Users\test22\AppData\Roaming\03BD451ED4621855818353
1 1 0

SetFileAttributesW

 file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: C:\Users\test22\AppData\Roaming\03BD451ED4621855818353\03BD451ED4621855818353.exe
filepath: C:\Users\test22\AppData\Roaming\03BD451ED4621855818353\03BD451ED4621855818353.exe
1 1 0
cmdline C:\Windows\System32\svchost.exe
description Match Windows Http API call rule Str_Win32_Http_API
description Escalate priviledges rule Escalate_priviledges
description Communications over HTTP rule Network_HTTP
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description File Downloader rule Network_Downloader
description Match Windows Inet API call rule Str_Win32_Internet_API
description Install itself for autorun at Windows startup rule Persistence
description Match Windows Http API call rule Str_Win32_Http_API
description Escalate priviledges rule Escalate_priviledges
description Communications over HTTP rule Network_HTTP
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description File Downloader rule Network_Downloader
description Match Windows Inet API call rule Str_Win32_Internet_API
description Install itself for autorun at Windows startup rule Persistence
description Match Windows Http API call rule Str_Win32_Http_API
description Escalate priviledges rule Escalate_priviledges
description Communications over HTTP rule Network_HTTP
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description File Downloader rule Network_Downloader
description Match Windows Inet API call rule Str_Win32_Internet_API
description Install itself for autorun at Windows startup rule Persistence
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2092
thread_handle: 0x00000000000000b0
process_identifier: 2088
current_directory:
filepath: C:\Windows\System32\svchost.exe
track: 1
command_line:
filepath_r: C:\Windows\system32\svchost.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000000000000b4
1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2064
region_size: 45056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000ff890000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000000000000a8
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2088
region_size: 45056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000ff360000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000000000000b4
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2108
region_size: 45056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000ffa90000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000000000000ac
1 0 0
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Services reg_value C:\Users\test22\AppData\Roaming\03BD451ED4621855818353\03BD451ED4621855818353.exe
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@غ´ Í!¸LÍ!This program cannot be run in DOS mode. $a\»i%=Õ:%=Õ:%=Õ:,EF:&=Õ:%=Ô:'=Õ:JK~:-=Õ:JKO:$=Õ:JKH:$=Õ:Rich%=Õ:PEd†ʅ)gð"  4(2@°@`g((€  P.text_34 `.rdataÐP8@@.data@pP@À.pdata€R@@.rsrc(V@@.reloc  Z@B
base_address: 0x00000000ff890000
process_identifier: 2064
process_handle: 0x00000000000000a8
1 1 0

WriteProcessMemory

 buffer: ª b@
base_address: 0x00000000ff897000
process_identifier: 2064
process_handle: 0x00000000000000a8
1 1 0

WriteProcessMemory

 buffer: =ìePôe üeôfô$ f4dft¤f´â'$fä'î(0fô(+8f$+Ö,@fØ,h-Hfx-Ë-PfØ-e.Xfx.ß.`fè.ä/hfø/!0pf(0z0xfˆ0 1€f1¦1ˆf¸1Ï1fØ1ò1˜fø12 f2<4¨f 4ú5°f6)6¼f06W6Äf`6ú6Ìf7“7Ôf 7Ô7Üfà7 8äf°8Q9ìf`9Ó9øfà9;g ;<g<ö<g=²=gÀ=Õ= gà=U?(g`?@0g @ï@8gA A@g°A7BHg@B­BPgÀB_CXg
base_address: 0x00000000ff898000
process_identifier: 2064
process_handle: 0x00000000000000a8
1 1 0

WriteProcessMemory

 buffer: €0€ H`ÄÄ4VS_VERSION_INFO½ïþ?$StringFileInfo040904b0LCompanyNameMicrosoft Corporation6FileDescriptionSystem0FileVersion1.0.0.1: InternalNameServices.exeJLegalCopyrightCopyright (C) 2024B OriginalFilenameServices.exe2 ProductNameServices4ProductVersion1.3.0.1DVarFileInfo$Translation °
base_address: 0x00000000ff899000
process_identifier: 2064
process_handle: 0x00000000000000a8
1 1 0

WriteProcessMemory

 buffer: p  
base_address: 0x00000000ff89a000
process_identifier: 2064
process_handle: 0x00000000000000a8
1 1 0

WriteProcessMemory

 buffer: b‰ÿ
base_address: 0x00000000ff897008
process_identifier: 2064
process_handle: 0x00000000000000a8
1 1 0

WriteProcessMemory

 buffer: ‰ÿ
base_address: 0x000007fffffd8010
process_identifier: 2064
process_handle: 0x00000000000000a8
1 1 0

WriteProcessMemory

 buffer: MZÿÿ¸@غ´ Í!¸LÍ!This program cannot be run in DOS mode. $a\»i%=Õ:%=Õ:%=Õ:,EF:&=Õ:%=Ô:'=Õ:JK~:-=Õ:JKO:$=Õ:JKH:$=Õ:Rich%=Õ:PEd†ʅ)gð"  4(2@°@`g((€  P.text_34 `.rdataÐP8@@.data@pP@À.pdata€R@@.rsrc(V@@.reloc  Z@B
base_address: 0x00000000ff360000
process_identifier: 2088
process_handle: 0x00000000000000b4
1 1 0

WriteProcessMemory

 buffer: ª b@
base_address: 0x00000000ff367000
process_identifier: 2088
process_handle: 0x00000000000000b4
1 1 0

WriteProcessMemory

 buffer: =ìePôe üeôfô$ f4dft¤f´â'$fä'î(0fô(+8f$+Ö,@fØ,h-Hfx-Ë-PfØ-e.Xfx.ß.`fè.ä/hfø/!0pf(0z0xfˆ0 1€f1¦1ˆf¸1Ï1fØ1ò1˜fø12 f2<4¨f 4ú5°f6)6¼f06W6Äf`6ú6Ìf7“7Ôf 7Ô7Üfà7 8äf°8Q9ìf`9Ó9øfà9;g ;<g<ö<g=²=gÀ=Õ= gà=U?(g`?@0g @ï@8gA A@g°A7BHg@B­BPgÀB_CXg
base_address: 0x00000000ff368000
process_identifier: 2088
process_handle: 0x00000000000000b4
1 1 0

WriteProcessMemory

 buffer: €0€ H`ÄÄ4VS_VERSION_INFO½ïþ?$StringFileInfo040904b0LCompanyNameMicrosoft Corporation6FileDescriptionSystem0FileVersion1.0.0.1: InternalNameServices.exeJLegalCopyrightCopyright (C) 2024B OriginalFilenameServices.exe2 ProductNameServices4ProductVersion1.3.0.1DVarFileInfo$Translation °
base_address: 0x00000000ff369000
process_identifier: 2088
process_handle: 0x00000000000000b4
1 1 0

WriteProcessMemory

 buffer: p  
base_address: 0x00000000ff36a000
process_identifier: 2088
process_handle: 0x00000000000000b4
1 1 0

WriteProcessMemory

 buffer: b6ÿ
base_address: 0x00000000ff367008
process_identifier: 2088
process_handle: 0x00000000000000b4
1 1 0

WriteProcessMemory

 buffer: 6ÿ
base_address: 0x000007fffffd3010
process_identifier: 2088
process_handle: 0x00000000000000b4
1 1 0

WriteProcessMemory

 buffer: MZÿÿ¸@غ´ Í!¸LÍ!This program cannot be run in DOS mode. $a\»i%=Õ:%=Õ:%=Õ:,EF:&=Õ:%=Ô:'=Õ:JK~:-=Õ:JKO:$=Õ:JKH:$=Õ:Rich%=Õ:PEd†ʅ)gð"  4(2@°@`g((€  P.text_34 `.rdataÐP8@@.data@pP@À.pdata€R@@.rsrc(V@@.reloc  Z@B
base_address: 0x00000000ffa90000
process_identifier: 2108
process_handle: 0x00000000000000ac
1 1 0

WriteProcessMemory

 buffer: ª b@
base_address: 0x00000000ffa97000
process_identifier: 2108
process_handle: 0x00000000000000ac
1 1 0

WriteProcessMemory

 buffer: =ìePôe üeôfô$ f4dft¤f´â'$fä'î(0fô(+8f$+Ö,@fØ,h-Hfx-Ë-PfØ-e.Xfx.ß.`fè.ä/hfø/!0pf(0z0xfˆ0 1€f1¦1ˆf¸1Ï1fØ1ò1˜fø12 f2<4¨f 4ú5°f6)6¼f06W6Äf`6ú6Ìf7“7Ôf 7Ô7Üfà7 8äf°8Q9ìf`9Ó9øfà9;g ;<g<ö<g=²=gÀ=Õ= gà=U?(g`?@0g @ï@8gA A@g°A7BHg@B­BPgÀB_CXg
base_address: 0x00000000ffa98000
process_identifier: 2108
process_handle: 0x00000000000000ac
1 1 0

WriteProcessMemory

 buffer: €0€ H`ÄÄ4VS_VERSION_INFO½ïþ?$StringFileInfo040904b0LCompanyNameMicrosoft Corporation6FileDescriptionSystem0FileVersion1.0.0.1: InternalNameServices.exeJLegalCopyrightCopyright (C) 2024B OriginalFilenameServices.exe2 ProductNameServices4ProductVersion1.3.0.1DVarFileInfo$Translation °
base_address: 0x00000000ffa99000
process_identifier: 2108
process_handle: 0x00000000000000ac
1 1 0

WriteProcessMemory

 buffer: p  
base_address: 0x00000000ffa9a000
process_identifier: 2108
process_handle: 0x00000000000000ac
1 1 0

WriteProcessMemory

 buffer: b©ÿ
base_address: 0x00000000ffa97008
process_identifier: 2108
process_handle: 0x00000000000000ac
1 1 0

WriteProcessMemory

 buffer: ©ÿ
base_address: 0x000007fffffd9010
process_identifier: 2108
process_handle: 0x00000000000000ac
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@غ´ Í!¸LÍ!This program cannot be run in DOS mode. $a\»i%=Õ:%=Õ:%=Õ:,EF:&=Õ:%=Ô:'=Õ:JK~:-=Õ:JKO:$=Õ:JKH:$=Õ:Rich%=Õ:PEd†ʅ)gð"  4(2@°@`g((€  P.text_34 `.rdataÐP8@@.data@pP@À.pdata€R@@.rsrc(V@@.reloc  Z@B
base_address: 0x00000000ff890000
process_identifier: 2064
process_handle: 0x00000000000000a8
1 1 0

WriteProcessMemory

 buffer: MZÿÿ¸@غ´ Í!¸LÍ!This program cannot be run in DOS mode. $a\»i%=Õ:%=Õ:%=Õ:,EF:&=Õ:%=Ô:'=Õ:JK~:-=Õ:JKO:$=Õ:JKH:$=Õ:Rich%=Õ:PEd†ʅ)gð"  4(2@°@`g((€  P.text_34 `.rdataÐP8@@.data@pP@À.pdata€R@@.rsrc(V@@.reloc  Z@B
base_address: 0x00000000ff360000
process_identifier: 2088
process_handle: 0x00000000000000b4
1 1 0

WriteProcessMemory

 buffer: MZÿÿ¸@غ´ Í!¸LÍ!This program cannot be run in DOS mode. $a\»i%=Õ:%=Õ:%=Õ:,EF:&=Õ:%=Ô:'=Õ:JK~:-=Õ:JKO:$=Õ:JKH:$=Õ:Rich%=Õ:PEd†ʅ)gð"  4(2@°@`g((€  P.text_34 `.rdataÐP8@@.data@pP@À.pdata€R@@.rsrc(V@@.reloc  Z@B
base_address: 0x00000000ffa90000
process_identifier: 2108
process_handle: 0x00000000000000ac
1 1 0
Process injection Process 1044 called NtSetContextThread to modify thread in remote process 2064
Process injection Process 1044 called NtSetContextThread to modify thread in remote process 2088
Process injection Process 1044 called NtSetContextThread to modify thread in remote process 2108
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.r14: 0
registers.r15: 0
registers.rcx: 4287181336
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 2423352
registers.r11: 0
registers.r8: 0
registers.r9: 0
registers.rip: 2003748096
registers.rdx: 8796092858368
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 0
registers.r13: 0
thread_handle: 0x00000000000000a4
process_identifier: 2064
1 0 0

NtSetContextThread

 registers.r14: 0
registers.r15: 0
registers.rcx: 4281741848
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 2620760
registers.r11: 0
registers.r8: 0
registers.r9: 0
registers.rip: 2003748096
registers.rdx: 8796092837888
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 0
registers.r13: 0
thread_handle: 0x00000000000000b0
process_identifier: 2088
1 0 0

NtSetContextThread

 registers.r14: 0
registers.r15: 0
registers.rcx: 4289278488
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 1571784
registers.r11: 0
registers.r8: 0
registers.r9: 0
registers.rip: 2003748096
registers.rdx: 8796092862464
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 0
registers.r13: 0
thread_handle: 0x00000000000000b8
process_identifier: 2108
1 0 0
Process injection Process 1044 resumed a thread in remote process 2064
Process injection Process 1044 resumed a thread in remote process 2088
Process injection Process 1044 resumed a thread in remote process 2108
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x00000000000000a4
suspend_count: 1
process_identifier: 2064
1 0 0

NtResumeThread

 thread_handle: 0x00000000000000b0
suspend_count: 1
process_identifier: 2088
1 0 0

NtResumeThread

 thread_handle: 0x00000000000000b8
suspend_count: 1
process_identifier: 2108
1 0 0
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2068
thread_handle: 0x00000000000000a4
process_identifier: 2064
current_directory:
filepath: C:\Windows\System32\audiodg.exe
track: 1
command_line:
filepath_r: C:\Windows\system32\audiodg.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000000000000a8
1 1 0

NtGetContextThread

 thread_handle: 0x00000000000000a4
1 0 0

NtUnmapViewOfSection

 base_address: 0x00000000ff890000
region_size: 4096
process_identifier: 2064
process_handle: 0x00000000000000a8
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2064
region_size: 45056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000ff890000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000000000000a8
1 0 0

WriteProcessMemory

 buffer: MZÿÿ¸@غ´ Í!¸LÍ!This program cannot be run in DOS mode. $a\»i%=Õ:%=Õ:%=Õ:,EF:&=Õ:%=Ô:'=Õ:JK~:-=Õ:JKO:$=Õ:JKH:$=Õ:Rich%=Õ:PEd†ʅ)gð"  4(2@°@`g((€  P.text_34 `.rdataÐP8@@.data@pP@À.pdata€R@@.rsrc(V@@.reloc  Z@B
base_address: 0x00000000ff890000
process_identifier: 2064
process_handle: 0x00000000000000a8
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00000000ff891000
process_identifier: 2064
process_handle: 0x00000000000000a8
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00000000ff895000
process_identifier: 2064
process_handle: 0x00000000000000a8
1 1 0

WriteProcessMemory

 buffer: ª b@
base_address: 0x00000000ff897000
process_identifier: 2064
process_handle: 0x00000000000000a8
1 1 0

WriteProcessMemory

 buffer: =ìePôe üeôfô$ f4dft¤f´â'$fä'î(0fô(+8f$+Ö,@fØ,h-Hfx-Ë-PfØ-e.Xfx.ß.`fè.ä/hfø/!0pf(0z0xfˆ0 1€f1¦1ˆf¸1Ï1fØ1ò1˜fø12 f2<4¨f 4ú5°f6)6¼f06W6Äf`6ú6Ìf7“7Ôf 7Ô7Üfà7 8äf°8Q9ìf`9Ó9øfà9;g ;<g<ö<g=²=gÀ=Õ= gà=U?(g`?@0g @ï@8gA A@g°A7BHg@B­BPgÀB_CXg
base_address: 0x00000000ff898000
process_identifier: 2064
process_handle: 0x00000000000000a8
1 1 0

WriteProcessMemory

 buffer: €0€ H`ÄÄ4VS_VERSION_INFO½ïþ?$StringFileInfo040904b0LCompanyNameMicrosoft Corporation6FileDescriptionSystem0FileVersion1.0.0.1: InternalNameServices.exeJLegalCopyrightCopyright (C) 2024B OriginalFilenameServices.exe2 ProductNameServices4ProductVersion1.3.0.1DVarFileInfo$Translation °
base_address: 0x00000000ff899000
process_identifier: 2064
process_handle: 0x00000000000000a8
1 1 0

WriteProcessMemory

 buffer: p  
base_address: 0x00000000ff89a000
process_identifier: 2064
process_handle: 0x00000000000000a8
1 1 0

WriteProcessMemory

 buffer: b‰ÿ
base_address: 0x00000000ff897008
process_identifier: 2064
process_handle: 0x00000000000000a8
1 1 0

WriteProcessMemory

 buffer: ‰ÿ
base_address: 0x000007fffffd8010
process_identifier: 2064
process_handle: 0x00000000000000a8
1 1 0

NtSetContextThread

 registers.r14: 0
registers.r15: 0
registers.rcx: 4287181336
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 2423352
registers.r11: 0
registers.r8: 0
registers.r9: 0
registers.rip: 2003748096
registers.rdx: 8796092858368
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 0
registers.r13: 0
thread_handle: 0x00000000000000a4
process_identifier: 2064
1 0 0

CreateProcessInternalW

 thread_identifier: 2092
thread_handle: 0x00000000000000b0
process_identifier: 2088
current_directory:
filepath: C:\Windows\System32\svchost.exe
track: 1
command_line:
filepath_r: C:\Windows\system32\svchost.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000000000000b4
1 1 0

NtGetContextThread

 thread_handle: 0x00000000000000b0
1 0 0

NtUnmapViewOfSection

 base_address: 0x00000000ff360000
region_size: 4096
process_identifier: 2088
process_handle: 0x00000000000000b4
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2088
region_size: 45056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000ff360000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000000000000b4
1 0 0

WriteProcessMemory

 buffer: MZÿÿ¸@غ´ Í!¸LÍ!This program cannot be run in DOS mode. $a\»i%=Õ:%=Õ:%=Õ:,EF:&=Õ:%=Ô:'=Õ:JK~:-=Õ:JKO:$=Õ:JKH:$=Õ:Rich%=Õ:PEd†ʅ)gð"  4(2@°@`g((€  P.text_34 `.rdataÐP8@@.data@pP@À.pdata€R@@.rsrc(V@@.reloc  Z@B
base_address: 0x00000000ff360000
process_identifier: 2088
process_handle: 0x00000000000000b4
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00000000ff361000
process_identifier: 2088
process_handle: 0x00000000000000b4
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00000000ff365000
process_identifier: 2088
process_handle: 0x00000000000000b4
1 1 0

WriteProcessMemory

 buffer: ª b@
base_address: 0x00000000ff367000
process_identifier: 2088
process_handle: 0x00000000000000b4
1 1 0

WriteProcessMemory

 buffer: =ìePôe üeôfô$ f4dft¤f´â'$fä'î(0fô(+8f$+Ö,@fØ,h-Hfx-Ë-PfØ-e.Xfx.ß.`fè.ä/hfø/!0pf(0z0xfˆ0 1€f1¦1ˆf¸1Ï1fØ1ò1˜fø12 f2<4¨f 4ú5°f6)6¼f06W6Äf`6ú6Ìf7“7Ôf 7Ô7Üfà7 8äf°8Q9ìf`9Ó9øfà9;g ;<g<ö<g=²=gÀ=Õ= gà=U?(g`?@0g @ï@8gA A@g°A7BHg@B­BPgÀB_CXg
base_address: 0x00000000ff368000
process_identifier: 2088
process_handle: 0x00000000000000b4
1 1 0

WriteProcessMemory

 buffer: €0€ H`ÄÄ4VS_VERSION_INFO½ïþ?$StringFileInfo040904b0LCompanyNameMicrosoft Corporation6FileDescriptionSystem0FileVersion1.0.0.1: InternalNameServices.exeJLegalCopyrightCopyright (C) 2024B OriginalFilenameServices.exe2 ProductNameServices4ProductVersion1.3.0.1DVarFileInfo$Translation °
base_address: 0x00000000ff369000
process_identifier: 2088
process_handle: 0x00000000000000b4
1 1 0

WriteProcessMemory

 buffer: p  
base_address: 0x00000000ff36a000
process_identifier: 2088
process_handle: 0x00000000000000b4
1 1 0

WriteProcessMemory

 buffer: b6ÿ
base_address: 0x00000000ff367008
process_identifier: 2088
process_handle: 0x00000000000000b4
1 1 0

WriteProcessMemory

 buffer: 6ÿ
base_address: 0x000007fffffd3010
process_identifier: 2088
process_handle: 0x00000000000000b4
1 1 0

NtSetContextThread

 registers.r14: 0
registers.r15: 0
registers.rcx: 4281741848
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 2620760
registers.r11: 0
registers.r8: 0
registers.r9: 0
registers.rip: 2003748096
registers.rdx: 8796092837888
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 0
registers.r13: 0
thread_handle: 0x00000000000000b0
process_identifier: 2088
1 0 0

CreateProcessInternalW

 thread_identifier: 2112
thread_handle: 0x00000000000000b8
process_identifier: 2108
current_directory:
filepath: C:\Windows\System32\msiexec.exe
track: 1
command_line:
filepath_r: C:\Windows\system32\msiexec.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000000000000ac
1 1 0

NtGetContextThread

 thread_handle: 0x00000000000000b8
1 0 0

NtUnmapViewOfSection

 base_address: 0x00000000ffa90000
region_size: 4096
process_identifier: 2108
process_handle: 0x00000000000000ac
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2108
region_size: 45056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000ffa90000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000000000000ac
1 0 0

WriteProcessMemory

 buffer: MZÿÿ¸@غ´ Í!¸LÍ!This program cannot be run in DOS mode. $a\»i%=Õ:%=Õ:%=Õ:,EF:&=Õ:%=Ô:'=Õ:JK~:-=Õ:JKO:$=Õ:JKH:$=Õ:Rich%=Õ:PEd†ʅ)gð"  4(2@°@`g((€  P.text_34 `.rdataÐP8@@.data@pP@À.pdata€R@@.rsrc(V@@.reloc  Z@B
base_address: 0x00000000ffa90000
process_identifier: 2108
process_handle: 0x00000000000000ac
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00000000ffa91000
process_identifier: 2108
process_handle: 0x00000000000000ac
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00000000ffa95000
process_identifier: 2108
process_handle: 0x00000000000000ac
1 1 0

WriteProcessMemory

 buffer: ª b@
base_address: 0x00000000ffa97000
process_identifier: 2108
process_handle: 0x00000000000000ac
1 1 0

WriteProcessMemory

 buffer: =ìePôe üeôfô$ f4dft¤f´â'$fä'î(0fô(+8f$+Ö,@fØ,h-Hfx-Ë-PfØ-e.Xfx.ß.`fè.ä/hfø/!0pf(0z0xfˆ0 1€f1¦1ˆf¸1Ï1fØ1ò1˜fø12 f2<4¨f 4ú5°f6)6¼f06W6Äf`6ú6Ìf7“7Ôf 7Ô7Üfà7 8äf°8Q9ìf`9Ó9øfà9;g ;<g<ö<g=²=gÀ=Õ= gà=U?(g`?@0g @ï@8gA A@g°A7BHg@B­BPgÀB_CXg
base_address: 0x00000000ffa98000
process_identifier: 2108
process_handle: 0x00000000000000ac
1 1 0

WriteProcessMemory

 buffer: €0€ H`ÄÄ4VS_VERSION_INFO½ïþ?$StringFileInfo040904b0LCompanyNameMicrosoft Corporation6FileDescriptionSystem0FileVersion1.0.0.1: InternalNameServices.exeJLegalCopyrightCopyright (C) 2024B OriginalFilenameServices.exe2 ProductNameServices4ProductVersion1.3.0.1DVarFileInfo$Translation °
base_address: 0x00000000ffa99000
process_identifier: 2108
process_handle: 0x00000000000000ac
1 1 0

WriteProcessMemory

 buffer: p  
base_address: 0x00000000ffa9a000
process_identifier: 2108
process_handle: 0x00000000000000ac
1 1 0

WriteProcessMemory

 buffer: b©ÿ
base_address: 0x00000000ffa97008
process_identifier: 2108
process_handle: 0x00000000000000ac
1 1 0

WriteProcessMemory

 buffer: ©ÿ
base_address: 0x000007fffffd9010
process_identifier: 2108
process_handle: 0x00000000000000ac
1 1 0

NtSetContextThread

 registers.r14: 0
registers.r15: 0
registers.rcx: 4289278488
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 1571784
registers.r11: 0
registers.r8: 0
registers.r9: 0
registers.rip: 2003748096
registers.rdx: 8796092862464
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 0
registers.r13: 0
thread_handle: 0x00000000000000b8
process_identifier: 2108
1 0 0

NtResumeThread

 thread_handle: 0x00000000000000a4
suspend_count: 1
process_identifier: 2064
1 0 0

NtResumeThread

 thread_handle: 0x00000000000000b0
suspend_count: 1
process_identifier: 2088
1 0 0

NtResumeThread

 thread_handle: 0x00000000000000b8
suspend_count: 1
process_identifier: 2108
1 0 0
Bkav W64.AIDetectMalware
Lionic Trojan.Win32.Androm.m!c
Cynet Malicious (score: 100)
Skyhigh Artemis!Trojan
Cylance Unsafe
CrowdStrike win/malicious_confidence_100% (D)
BitDefender Trojan.GenericKD.74667022
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Generik.BBJFNGG
APEX Malicious
Avast Win32:Dh-A [Heur]
Kaspersky Backdoor.Win32.Androm.vteo
MicroWorld-eScan Trojan.GenericKD.74667022
Rising Trojan.Kryptik@AI.89 (RDML:osYPPtjcT0a1us2m5FMC3w)
Emsisoft Trojan.GenericKD.74667022 (B)
DrWeb Trojan.Inject5.11432
McAfeeD ti!247004604614
CTX exe.trojan.generic
Sophos ML/PE-A
SentinelOne Static AI - Malicious PE
FireEye Generic.mg.5c02b91b95c1dec8
Antiy-AVL Trojan[Backdoor]/Win32.Androm
Kingsoft malware.kb.a.914
Microsoft Trojan:Win32/Wacatac.B!ml
ZoneAlarm UDS:Backdoor.Win32.Androm.vteo
GData Win64.Trojan.Agent.LLID4G
AhnLab-V3 Trojan/Win.Injection.C5690155
McAfee Artemis!5C02B91B95C1
DeepInstinct MALICIOUS
Ikarus Win32.Outbreak
huorong HEUR:Trojan/Agent.ac
Fortinet W32/PossibleThreat
AVG Win32:Dh-A [Heur]
Paloalto generic.ml