Summary | ZeroBOX

yoomcy.ps1

Backdoor Client SW User Data Stealer RemcosRAT Generic Malware info stealer browser Hide_EXE Chrome Confuser .NET Malicious Packer Downloader Antivirus Google User Data ScreenShot Internet API Create Service Socket Escalate privileges DNS PWS Sniff Audio
Category Machine Started Completed
FILE s1_win7_x6401 March 3, 2025, 2:43 p.m. March 3, 2025, 2:48 p.m.
Size 1.7MB
Type ASCII text, with very long lines, with CRLF line terminators
MD5 b43cfcc4a181b4fd0d1b5d7287c63c30
SHA256 eff259a217c9ec6d101695fc66f21b6725afdb83f9024bf48fadcbb2c5c704ff
CRC32 FEDC1718
ssdeep 49152:dVFiVSKvTTXxN23RgxncDqPUfQ8Jresj+mx+ipiBvap9V0zoBCm6UvGn64loDtif:u
Yara
  • hide_executable_file - Hide executable file

Name Response Post-Analysis Lookup
No hosts contacted (no DNS names were resolved during the run). Note that the IP table below lists 103.20.235.209, and the "dead_host" entries at the end of this report include 103.20.235.209:2401 — i.e. the sample did attempt a direct TCP connection to that address, but the remote end did not respond during the analysis window, so no C2 traffic was captured.
IP Address Status Action
103.20.235.209 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2568
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0259b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2568
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x025af000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2568
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02539000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2568
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05610000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2728
region_size: 917504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00470000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2728
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00510000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x727a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x727a2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2728
region_size: 2293760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02100000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2728
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x022f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2728
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003e2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2728
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003fc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2728
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2728
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0041b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2728
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00417000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2728
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00415000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2728
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003ea000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2728
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00406000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2728
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006d1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2728
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0040a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2728
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00407000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2728
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006d2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2728
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006d3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73c11000
process_handle: 0xffffffff
1 0 0
description RegAsm.exe tried to sleep 394 seconds, actually delayed analysis time by 394 seconds
file C:\Users\test22\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe
file C:\Users\test22\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description Create a Windows service rule Create_Service
description Client_SW_User_Data_Stealer rule Client_SW_User_Data_Stealer
description Win Backdoor RemcosRAT rule Win_Backdoor_RemcosRAT
description Communications over RAW Socket rule Network_TCP_Socket
description browser info stealer rule infoStealer_browser_Zero
description Take ScreenShot rule ScreenShot
description Escalate privileges rule Escalate_priviledges
description Google Chrome User Data Check rule Chrome_User_Data_Check_Zero
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Communications use DNS rule Network_DNS
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description File Downloader rule Network_Downloader
description Match Windows Inet API call rule Str_Win32_Internet_API
description Run a KeyLogger rule KeyLogger
Time & API Arguments Status Return Repeated

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 2800
process_handle: 0x00000250
0 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 2800
process_handle: 0x00000250
1 0 0
buffer Buffer with sha1: 69d9859a0a6fe9ed3ed6ffcb3f0a49d2d854cb9b
host 103.20.235.209
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2800
region_size: 528384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000244
3221225496 0

NtAllocateVirtualMemory

process_identifier: 2836
region_size: 528384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000254
1 0 0
file C:\Users\test22\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe
Process injection Process 2728 manipulating memory of non-child process 2800. (Reviewer note: the CreateProcessInternalW calls below show PID 2800 spawned as a suspended, windowless RegAsm.exe in the same sequence as PID 2836, so 2800 is most likely also a child of 2728 despite this label. The NtAllocateVirtualMemory at base 0x00400000 in PID 2800 returned 3221225496 = 0xC0000018, which is NTSTATUS STATUS_CONFLICTING_ADDRESSES — consistent with the first hollowing attempt failing because the target image range was already mapped; the identical sequence against PID 2836 returned success, followed by WriteProcessMemory of an MZ/PE image at 0x00400000, NtSetContextThread and NtResumeThread.)
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2800
region_size: 528384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000244
3221225496 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: €ÿÿÿÿ±¿DNæ@»ÿÿÿÿCopyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED. ÿÿÿÿ “   ßEâEßE ..€!G”6G”6G”6G”6G”6G”6G”6G”6G”6G„!G˜6G˜6G˜6G˜6G˜6G˜6G˜6Gˆ!GÿÿÿÿâE¨"G¨"G¨"G¨"G¨"Gˆ!GˆäEæEìEè!G€'GCPSTPDT°"Gð"Gÿÿÿÿÿÿÿÿÿÿÿÿ€ ¤`‚y‚!¦ß¡¥Ÿàü@~€ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ€'Gþÿÿÿþÿÿÿu˜ÿÿÿÿÏ!­tåša¾Œe¸‘¢z»Œ^ž âȨ3œØØF²HAäØFRKAðØFwHA—E.?AVtype_info@@—E.?AVbad_alloc@std@@—E.?AVbad_array_new_length@std@@—E.?AVlogic_error@std@@—E.?AVlength_error@std@@—E.?AVout_of_range@std@@—E.?AVerror_category@std@@—E.?AV_Generic_error_category@std@@—E.?AV_Facet_base@std@@—E.?AV_Locimp@locale@std@@—E.?AVfacet@locale@std@@—E.?AU_Crt_new_delete@std@@—E.?AVcodecvt_base@std@@—E.?AUctype_base@std@@—E.?AV?$ctype@D@std@@—E.?AV?$codecvt@DDU_Mbstatet@@@std@@—E.?AVbad_exception@std@@—E.H—E.?AVfailure@ios_base@std@@—E.?AVruntime_error@std@@—E.?AVsystem_error@std@@—E.?AVbad_cast@std@@—E.?AV_System_error@std@@—E.?AVexception@std@@
base_address: 0x00472000
process_identifier: 2836
process_handle: 0x00000254
1 1 0

WriteProcessMemory

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $LjÈe ¦6 ¦6 ¦6¼—W6 ¦6¼—U6£ ¦6¼—T6 ¦6s"6 ¦6–«a6 ¦6Zc£76 ¦6Zc¢7) ¦6Zc¥7 ¦6s56 ¦6 §6O ¦6¥b¯7l ¦6¥bY6 ¦6¥b¤7 ¦6Rich ¦6PEL+C¼gà r&dM@€Ø€ÌJЬ<pæ8Hç¨æ@ü.text[qr `.rdata挐Žv@@.data,^ @À.rsrcÌJ€L@@.reloc¬<Ð>^@B
base_address: 0x00400000
process_identifier: 2836
process_handle: 0x00000254
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2836
process_handle: 0x00000254
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $LjÈe ¦6 ¦6 ¦6¼—W6 ¦6¼—U6£ ¦6¼—T6 ¦6s"6 ¦6–«a6 ¦6Zc£76 ¦6Zc¢7) ¦6Zc¥7 ¦6s56 ¦6 §6O ¦6¥b¯7l ¦6¥bY6 ¦6¥b¤7 ¦6Rich ¦6PEL+C¼gà r&dM@€Ø€ÌJЬ<pæ8Hç¨æ@ü.text[qr `.rdata挐Žv@@.data,^ @À.rsrcÌJ€L@@.reloc¬<Ð>^@B
base_address: 0x00400000
process_identifier: 2836
process_handle: 0x00000254
1 1 0
Time & API Arguments Status Return Repeated

SetWindowsHookExA

thread_identifier: 0
callback_function: 0x00409d0a
hook_identifier: 13 (WH_KEYBOARD_LL)
module_address: 0x00400000
1 852423 0
Process injection Process 2728 called NtSetContextThread to modify thread in remote process 2836
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4410724
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000250
process_identifier: 2836
1 0 0
parent_process powershell.exe martian_process "C:\Users\test22\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe"
parent_process powershell.exe martian_process C:\Users\test22\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe
Process injection Process 2728 resumed a thread in remote process 2836
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000250
suspend_count: 1
process_identifier: 2836
1 0 0
Lionic Trojan.Script.Generic.4!c
CTX powershell.trojan.jalapeno
Skyhigh BehavesLike.PS.Dropper.tr
ALYac Gen:Variant.Jalapeno.18916
VIPRE Gen:Variant.Jalapeno.18916
Arcabit Trojan.Jalapeno.D49E4 [many]
Symantec ML.Attribute.HighConfidence
ESET-NOD32 PowerShell/TrojanDropper.Agent.APF
TrendMicro-HouseCall Backdoor.PS1.REMCOS.YXFCBZ
Avast Other:Malware-gen [Trj]
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Gen:Variant.Jalapeno.18916
MicroWorld-eScan Gen:Variant.Jalapeno.18916
Emsisoft Gen:Variant.Jalapeno.18916 (B)
TrendMicro Backdoor.PS1.REMCOS.YXFCBZ
Sophos Troj/PSDrop-JU
Ikarus Trojan.MSIL.Bladabindi
FireEye Gen:Variant.Jalapeno.18916
Google Detected
Kingsoft Win32.Troj.Undef.a
Microsoft Trojan:Script/Wacatac.B!ml
GData Gen:Variant.Jalapeno.18916 (2x)
Varist ABTrojan.ASAK-
Tencent Win32.Trojan.Generic.Gwnw
huorong Trojan/PS.Encpe.a
AVG Other:Malware-gen [Trj]
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000003d0
suspend_count: 1
process_identifier: 2568
1 0 0

CreateProcessInternalW

thread_identifier: 2732
thread_handle: 0x000004d4
process_identifier: 2728
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000004dc
1 1 0

NtResumeThread

thread_handle: 0x000004f4
suspend_count: 1
process_identifier: 2568
1 0 0

NtResumeThread

thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 2728
1 0 0

NtResumeThread

thread_handle: 0x0000014c
suspend_count: 1
process_identifier: 2728
1 0 0

NtResumeThread

thread_handle: 0x00000188
suspend_count: 1
process_identifier: 2728
1 0 0

NtResumeThread

thread_handle: 0x000001e8
suspend_count: 1
process_identifier: 2728
1 0 0

NtResumeThread

thread_handle: 0x000001fc
suspend_count: 1
process_identifier: 2728
1 0 0

CreateProcessInternalW

thread_identifier: 2804
thread_handle: 0x00000240
process_identifier: 2800
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
track: 1
command_line:
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000244
1 1 0

NtGetContextThread

thread_handle: 0x00000240
1 0 0

NtAllocateVirtualMemory

process_identifier: 2800
region_size: 528384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000244
3221225496 0

WriteProcessMemory

buffer:
base_address: 0x00000fff
process_identifier: 2800
process_handle: 0x00000244
0 0

CreateProcessInternalW

thread_identifier: 2840
thread_handle: 0x00000250
process_identifier: 2836
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
track: 1
command_line:
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000254
1 1 0

NtGetContextThread

thread_handle: 0x00000250
1 0 0

NtAllocateVirtualMemory

process_identifier: 2836
region_size: 528384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000254
1 0 0

WriteProcessMemory

buffer:
base_address: 0x00401000
process_identifier: 2836
process_handle: 0x00000254
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00459000
process_identifier: 2836
process_handle: 0x00000254
1 1 0

WriteProcessMemory

buffer: €ÿÿÿÿ±¿DNæ@»ÿÿÿÿCopyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED. ÿÿÿÿ “   ßEâEßE ..€!G”6G”6G”6G”6G”6G”6G”6G”6G”6G„!G˜6G˜6G˜6G˜6G˜6G˜6G˜6Gˆ!GÿÿÿÿâE¨"G¨"G¨"G¨"G¨"Gˆ!GˆäEæEìEè!G€'GCPSTPDT°"Gð"Gÿÿÿÿÿÿÿÿÿÿÿÿ€ ¤`‚y‚!¦ß¡¥Ÿàü@~€ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ€'Gþÿÿÿþÿÿÿu˜ÿÿÿÿÏ!­tåša¾Œe¸‘¢z»Œ^ž âȨ3œØØF²HAäØFRKAðØFwHA—E.?AVtype_info@@—E.?AVbad_alloc@std@@—E.?AVbad_array_new_length@std@@—E.?AVlogic_error@std@@—E.?AVlength_error@std@@—E.?AVout_of_range@std@@—E.?AVerror_category@std@@—E.?AV_Generic_error_category@std@@—E.?AV_Facet_base@std@@—E.?AV_Locimp@locale@std@@—E.?AVfacet@locale@std@@—E.?AU_Crt_new_delete@std@@—E.?AVcodecvt_base@std@@—E.?AUctype_base@std@@—E.?AV?$ctype@D@std@@—E.?AV?$codecvt@DDU_Mbstatet@@@std@@—E.?AVbad_exception@std@@—E.H—E.?AVfailure@ios_base@std@@—E.?AVruntime_error@std@@—E.?AVsystem_error@std@@—E.?AVbad_cast@std@@—E.?AV_System_error@std@@—E.?AVexception@std@@
base_address: 0x00472000
process_identifier: 2836
process_handle: 0x00000254
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00478000
process_identifier: 2836
process_handle: 0x00000254
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0047d000
process_identifier: 2836
process_handle: 0x00000254
1 1 0

WriteProcessMemory

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $LjÈe ¦6 ¦6 ¦6¼—W6 ¦6¼—U6£ ¦6¼—T6 ¦6s"6 ¦6–«a6 ¦6Zc£76 ¦6Zc¢7) ¦6Zc¥7 ¦6s56 ¦6 §6O ¦6¥b¯7l ¦6¥bY6 ¦6¥b¤7 ¦6Rich ¦6PEL+C¼gà r&dM@€Ø€ÌJЬ<pæ8Hç¨æ@ü.text[qr `.rdata挐Žv@@.data,^ @À.rsrcÌJ€L@@.reloc¬<Ð>^@B
base_address: 0x00400000
process_identifier: 2836
process_handle: 0x00000254
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2836
process_handle: 0x00000254
1 1 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4410724
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000250
process_identifier: 2836
1 0 0

NtResumeThread

thread_handle: 0x00000250
suspend_count: 1
process_identifier: 2836
1 0 0
file C:\Users\test22\AppData\Local\Temp\JXCJKXCJHKJHXCJHKXCXCJHK.exe
dead_host 192.168.56.101:49191
dead_host 192.168.56.101:49171
dead_host 192.168.56.101:49192
dead_host 192.168.56.101:49202
dead_host 103.20.235.209:2401
dead_host 192.168.56.101:49175
dead_host 192.168.56.101:49196
dead_host 192.168.56.101:49219
dead_host 192.168.56.101:49176
dead_host 192.168.56.101:49215
dead_host 192.168.56.101:49184
dead_host 192.168.56.101:49180
dead_host 192.168.56.101:49193
dead_host 192.168.56.101:49188
dead_host 192.168.56.101:49166
dead_host 192.168.56.101:49168
dead_host 192.168.56.101:49197
dead_host 192.168.56.101:49207
dead_host 192.168.56.101:49177
dead_host 192.168.56.101:49208
dead_host 192.168.56.101:49172
dead_host 192.168.56.101:49185
dead_host 192.168.56.101:49216
dead_host 192.168.56.101:49181
dead_host 192.168.56.101:49194
dead_host 192.168.56.101:49212
dead_host 192.168.56.101:49189
dead_host 192.168.56.101:49220
dead_host 192.168.56.101:49198
dead_host 192.168.56.101:49200
dead_host 192.168.56.101:49178
dead_host 192.168.56.101:49209
dead_host 192.168.56.101:49211
dead_host 192.168.56.101:49173
dead_host 192.168.56.101:49186
dead_host 192.168.56.101:49204
dead_host 192.168.56.101:49217
dead_host 192.168.56.101:49182
dead_host 192.168.56.101:49213
dead_host 192.168.56.101:49190
dead_host 192.168.56.101:49221
dead_host 192.168.56.101:49170
dead_host 192.168.56.101:49201
dead_host 192.168.56.101:49179
dead_host 192.168.56.101:49210
dead_host 192.168.56.101:49174
dead_host 192.168.56.101:49187
dead_host 192.168.56.101:49205
dead_host 192.168.56.101:49218
dead_host 192.168.56.101:49183