Summary | ZeroBOX

file4.exe

Tags: AsyncRAT, backdoor, njRAT, Generic Malware, .NET framework(MSIL), Downloader, Admin Tool (Sysinternals etc ...), task schedule, ASPack, UPX, Malicious Library, Malicious Packer, Escalate privileges, ScreenShot, Create Service, Http API, DGA, PWS, Steal credential, Socket

Category FILE
Machine s1_win7_x6403_us
Started April 29, 2025, 10:22 a.m.
Completed April 29, 2025, 10:25 a.m.
Size 1.0MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 e08bd789d9f45b08fe924d94b955d869
SHA256 2cc9a71b892bfa00b5b457b391683b6dffde83cbf2360ad7111f2b0a934ddbc0
CRC32 22D74302
ssdeep 24576:7j+KZ1xuVVjfFoynPaVBUR8f+kN10EBRgGApfkxI:7j+aQDgok30UjAL
PDB Path C:\Users\DarkCoderSc\Desktop\Celesty Binder\Stub\STATIC\Stub.pdb
Yara
  • PE_Header_Zero - PE File Signature
  • Admin_Tool_IN_Zero - Admin Tool Sysinternals
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult
  • Malicious_Packer_Zero - Malicious Packer
  • ASPack_Zero - ASPack packed file
  • Win_Backdoor_njRAT_Zero - Win Backdoor njRAT
  • AsyncRat - AsyncRat Payload
  • Network_Downloader - File Downloader
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
jvjv2044duck33.duckdns.org 78.160.80.14
IP Address Status Action
164.124.101.2 Active Moloch
78.160.80.14 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.103:56613 -> 8.8.8.8:53 2042936 ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain Potentially Bad Traffic
UDP 192.168.56.103:56613 -> 8.8.8.8:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:62576 -> 8.8.8.8:53 2042936 ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain Potentially Bad Traffic
UDP 192.168.56.103:62576 -> 8.8.8.8:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:52760 -> 164.124.101.2:53 2042936 ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 164.124.101.2:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:50800 -> 8.8.8.8:53 2042936 ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain Potentially Bad Traffic
UDP 192.168.56.103:50800 -> 8.8.8.8:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:50800 -> 8.8.8.8:53 2042936 ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain Potentially Bad Traffic
UDP 192.168.56.103:50800 -> 8.8.8.8:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:52760 -> 8.8.8.8:53 2042936 ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 8.8.8.8:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:64894 -> 8.8.8.8:53 2042936 ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain Potentially Bad Traffic
UDP 192.168.56.103:64894 -> 8.8.8.8:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:53673 -> 8.8.8.8:53 2042936 ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain Potentially Bad Traffic
UDP 192.168.56.103:53673 -> 8.8.8.8:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:62576 -> 164.124.101.2:53 2042936 ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain Potentially Bad Traffic
UDP 192.168.56.103:62576 -> 164.124.101.2:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:64178 -> 8.8.8.8:53 2042936 ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain Potentially Bad Traffic
UDP 192.168.56.103:64178 -> 8.8.8.8:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:64178 -> 8.8.8.8:53 2042936 ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain Potentially Bad Traffic
UDP 192.168.56.103:64178 -> 8.8.8.8:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:64530 -> 8.8.8.8:53 2042936 ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain Potentially Bad Traffic
UDP 192.168.56.103:64530 -> 8.8.8.8:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.103:64530 -> 8.8.8.8:53 2042936 ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain Potentially Bad Traffic
UDP 192.168.56.103:64530 -> 8.8.8.8:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: The batch file cannot be found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: SUCCESS: The scheduled task "csrss" has successfully been created.
console_handle: 0x00000007
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
pdb_path C:\Users\DarkCoderSc\Desktop\Celesty Binder\Stub\STATIC\Stub.pdb
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
resource name RBIND
domain jvjv2044duck33.duckdns.org
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 2031616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a80000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00c30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2160
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72ee1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2160
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72ee2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 720896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00610000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00680000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00292000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002c5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002cb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002c7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002ac000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00560000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0029a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002ba000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002b7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002aa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff50000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff58000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff40000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 28672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00561000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00568000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002b6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00569000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0056a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00c31000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00c35000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0056b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0056c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0056d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0056e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2280
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00360000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00370000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72931000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003ea000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72932000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003e2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003f2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003f3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0043b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00437000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003f4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003f5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003f6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003fc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ab0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2280
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef60000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef60000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Roaming\WINDOWS SECURITY NANO.EXE
file C:\Users\test22\AppData\Roaming\WINDOWS DEFENDER.EXE
file C:\Users\test22\AppData\Roaming\ULTIME MULTIHACK REBORN.EXE
file C:\Users\test22\AppData\Roaming\VLC MEDIA.EXE
cmdline schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\test22\AppData\Roaming\csrss.exe"'
cmdline cmd.exe /k attrib "C:\Users\test22\AppData\Roaming" +s +h
cmdline "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\test22\AppData\Roaming" +s +h
cmdline "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\test22\AppData\Roaming\VLC MEDIA.EXE" +s +h
cmdline cmd.exe /k attrib "C:\Users\test22\AppData\Roaming\VLC MEDIA.EXE" +s +h
file C:\Users\test22\AppData\Roaming\ULTIME MULTIHACK REBORN.EXE
file C:\Users\test22\AppData\Roaming\VLC MEDIA.EXE
file C:\Users\test22\AppData\Roaming\WINDOWS SECURITY NANO.EXE
file C:\Users\test22\AppData\Roaming\csrss.exe
file C:\Users\test22\AppData\Roaming\ULTIME MULTIHACK REBORN.EXE
file C:\Users\test22\AppData\Roaming\VLC MEDIA.EXE
file C:\Users\test22\AppData\Roaming\csrss.exe
file C:\Users\test22\AppData\Roaming\WINDOWS SECURITY NANO.EXE
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: cmd.exe
parameters: /k attrib "C:\Users\test22\AppData\Roaming\VLC MEDIA.EXE" +s +h
filepath: cmd.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: cmd.exe
parameters: /k attrib "C:\Users\test22\AppData\Roaming" +s +h
filepath: cmd.exe
1 1 0

CreateProcessInternalW

thread_identifier: 2464
thread_handle: 0x00000294
process_identifier: 2460
current_directory:
filepath:
track: 1
command_line: notepad
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 0
process_handle: 0x000002a4
1 1 0

CreateProcessInternalW

thread_identifier: 2760
thread_handle: 0x00000214
process_identifier: 2756
current_directory:
filepath:
track: 1
command_line: notepad
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 0
process_handle: 0x00000218
1 1 0
section name .rsrc, virtual_address 0x0000f000, virtual_size 0x000faa48, size_of_data 0x000fac00, entropy 6.859773555413707
description A section with a high entropy has been found
entropy 0.951161688004
description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeSecurityPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeTakeOwnershipPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeLoadDriverPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeBackupPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeRestorePrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeRemoteShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeManageVolumePrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeCreateGlobalPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeSecurityPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeTakeOwnershipPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeLoadDriverPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeBackupPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeRestorePrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeRemoteShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeManageVolumePrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeCreateGlobalPrivilege
1 1 0
Rule Description
Create_Service Create a windows service
Network_TCP_Socket Communications over RAW Socket
Network_DGA Communication using DGA
Str_Win32_Http_API Match Windows Http API call
ScreenShot Take ScreenShot
Escalate_priviledges Escalate privileges
local_credential_Steal Steal credential
schtasks_Zero task schedule
Generic_PWS_Memory_Zero PWS Memory
Sniff_Audio Record Audio
Network_HTTP Communications over HTTP
Network_DNS Communications use DNS
Code_injection Code injection with CreateRemoteThread in a remote process
DebuggerCheck__GlobalFlags (no description)
DebuggerCheck__QueryInfo (no description)
DebuggerCheck__RemoteAPI (no description)
DebuggerHiding__Thread (no description)
DebuggerHiding__Active (no description)
DebuggerException__ConsoleCtrl (no description)
DebuggerException__SetConsoleCtrl (no description)
ThreadControl__Context (no description)
SEH__vectored (no description)
Check_Dlls (no description)
anti_dbg Checks if being debugged
antisb_threatExpert Anti-Sandbox checks for ThreatExpert
disable_dep Bypass DEP
win_hook Affect hook table
Network_Downloader File Downloader
Str_Win32_Internet_API Match Windows Inet API call
Network_FTP Communications over FTP
KeyLogger Run a KeyLogger
Network_P2P_Win Communications over P2P network
Time & API Arguments Status Return Repeated

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2460
process_handle: 0x0000010c
0 0
cmdline C:\Users\test22\Documents\MSDCSC\msdcsc.exe
cmdline "C:\Users\test22\Documents\MSDCSC\msdcsc.exe"
cmdline schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\test22\AppData\Roaming\csrss.exe"'
cmdline cmd.exe /k attrib "C:\Users\test22\AppData\Roaming" +s +h
cmdline "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\test22\AppData\Roaming" +s +h
cmdline "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\test22\AppData\Roaming\VLC MEDIA.EXE" +s +h
cmdline cmd.exe /k attrib "C:\Users\test22\AppData\Roaming\VLC MEDIA.EXE" +s +h
cmdline attrib "C:\Users\test22\AppData\Roaming" +s +h
cmdline attrib "C:\Users\test22\AppData\Roaming\VLC MEDIA.EXE" +s +h
buffer Buffer with sha1: c443b32577fadc62280cdbd08de5e038eb377c31
buffer Buffer with sha1: 874b7c3c97cc5b13b9dd172fec5a54bc1f258005
buffer Buffer with sha1: 874f3caf663265f7dd18fb565d91b7d915031251
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000b0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a4
1 0 0

NtAllocateVirtualMemory

process_identifier: 2460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000c0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a4
1 0 0

NtAllocateVirtualMemory

process_identifier: 2460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00110000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a4
1 0 0

NtAllocateVirtualMemory

process_identifier: 2460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00120000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a4
1 0 0

NtAllocateVirtualMemory

process_identifier: 2460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00130000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a4
1 0 0

NtAllocateVirtualMemory

process_identifier: 2460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00140000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a4
1 0 0

NtAllocateVirtualMemory

process_identifier: 2460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00150000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a4
1 0 0

NtAllocateVirtualMemory

process_identifier: 2460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00160000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a4
1 0 0

NtAllocateVirtualMemory

process_identifier: 2460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00170000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a4
1 0 0

NtAllocateVirtualMemory

process_identifier: 2460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00180000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a4
1 0 0

NtAllocateVirtualMemory

process_identifier: 2460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00190000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a4
1 0 0

NtAllocateVirtualMemory

process_identifier: 2460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x001a0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a4
1 0 0

NtAllocateVirtualMemory

process_identifier: 2460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x001e0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a4
1 0 0

NtAllocateVirtualMemory

process_identifier: 2460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x001f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a4
1 0 0

NtAllocateVirtualMemory

process_identifier: 2756
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000b0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000218
1 0 0

NtAllocateVirtualMemory

process_identifier: 2756
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000c0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000218
1 0 0

NtAllocateVirtualMemory

process_identifier: 2756
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000d0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000218
1 0 0

NtAllocateVirtualMemory

process_identifier: 2756
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000e0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000218
1 0 0

NtAllocateVirtualMemory

process_identifier: 2756
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000218
1 0 0

NtAllocateVirtualMemory

process_identifier: 2756
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00100000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000218
1 0 0

NtAllocateVirtualMemory

process_identifier: 2756
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00110000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000218
1 0 0

NtAllocateVirtualMemory

process_identifier: 2756
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00120000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000218
1 0 0

NtAllocateVirtualMemory

process_identifier: 2756
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00130000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000218
1 0 0

NtAllocateVirtualMemory

process_identifier: 2756
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00140000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000218
1 0 0

NtAllocateVirtualMemory

process_identifier: 2756
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00150000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000218
1 0 0

NtAllocateVirtualMemory

process_identifier: 2756
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00160000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000218
1 0 0

NtAllocateVirtualMemory

process_identifier: 2756
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00170000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000218
1 0 0

NtAllocateVirtualMemory

process_identifier: 2756
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00180000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000218
1 0 0

NtAllocateVirtualMemory

process_identifier: 2756
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00190000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000218
1 0 0

NtAllocateVirtualMemory

process_identifier: 2756
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x001a0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000218
1 0 0

NtAllocateVirtualMemory

process_identifier: 2756
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00220000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000218
1 0 0

NtAllocateVirtualMemory

process_identifier: 2756
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00230000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000218
1 0 0

NtAllocateVirtualMemory

process_identifier: 2756
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00240000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000218
1 0 0
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

information_class: 8 (SystemProcessorPerformanceInformation)
1 0 0
description msdcsc.exe tried to sleep 220 seconds, actually delayed analysis time by 220 seconds
description WINDOWS SECURITY NANO.EXE tried to sleep 2728511 seconds, actually delayed analysis time by 2728511 seconds
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Host reg_value C:\Program Files (x86)\SMTP Host\smtphost.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate reg_value C:\Users\test22\Documents\MSDCSC\msdcsc.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit reg_value C:\Windows\system32\userinit.exe,C:\Users\test22\Documents\MSDCSC\msdcsc.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate reg_value C:\Users\test22\Documents\MSDCSC\msdcsc.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate reg_value C:\Users\test22\Documents\MSDCSC\msdcsc.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate reg_value C:\Users\test22\Documents\MSDCSC\msdcsc.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate reg_value C:\Users\test22\Documents\MSDCSC\msdcsc.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate reg_value C:\Users\test22\Documents\MSDCSC\msdcsc.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate reg_value C:\Users\test22\Documents\MSDCSC\msdcsc.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate reg_value C:\Users\test22\Documents\MSDCSC\msdcsc.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate reg_value C:\Users\test22\Documents\MSDCSC\msdcsc.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate reg_value C:\Users\test22\Documents\MSDCSC\msdcsc.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate reg_value C:\Users\test22\Documents\MSDCSC\msdcsc.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate reg_value C:\Users\test22\Documents\MSDCSC\msdcsc.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate reg_value C:\Users\test22\Documents\MSDCSC\msdcsc.exe
cmdline schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\test22\AppData\Roaming\csrss.exe"'
registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
mutex DC_MUTEX-BEY5DN0
regkey HKEY_CURRENT_USER\Software\DC3_FEXEC
regkey HKEY_CURRENT_USER\Software\DC2_USERS
file C:\Users\test22\Documents\MSDCSC\msdcsc.exe
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: kernel32.dll
base_address: 0x000b0000
process_identifier: 2460
process_handle: 0x000002a4
1 1 0

WriteProcessMemory

buffer: user32.dll
base_address: 0x000c0000
process_identifier: 2460
process_handle: 0x000002a4
1 1 0

WriteProcessMemory

buffer: Sleep
base_address: 0x00110000
process_identifier: 2460
process_handle: 0x000002a4
1 1 0

WriteProcessMemory

buffer: MessageBoxA
base_address: 0x00120000
process_identifier: 2460
process_handle: 0x000002a4
1 1 0

WriteProcessMemory

buffer: ExitThread
base_address: 0x00130000
process_identifier: 2460
process_handle: 0x000002a4
1 1 0

WriteProcessMemory

buffer: DeleteFileA
base_address: 0x00140000
process_identifier: 2460
process_handle: 0x000002a4
1 1 0

WriteProcessMemory

buffer: GetLastError
base_address: 0x00150000
process_identifier: 2460
process_handle: 0x000002a4
1 1 0

WriteProcessMemory

buffer: TerminateProcess
base_address: 0x00160000
process_identifier: 2460
process_handle: 0x000002a4
1 1 0

WriteProcessMemory

buffer: CloseHandle
base_address: 0x00170000
process_identifier: 2460
process_handle: 0x000002a4
1 1 0

WriteProcessMemory

buffer: OpenProcess
base_address: 0x00180000
process_identifier: 2460
process_handle: 0x000002a4
1 1 0

WriteProcessMemory

buffer: GetExitCodeProcess
base_address: 0x00190000
process_identifier: 2460
process_handle: 0x000002a4
1 1 0

WriteProcessMemory

buffer: C:\Users\test22\AppData\Roaming\VLC MEDIA.EXE
base_address: 0x001a0000
process_identifier: 2460
process_handle: 0x000002a4
1 1 0

WriteProcessMemory

buffer: ×Iu"uF@˜ÕwDTuÀu؀uu†uM€u œ 
base_address: 0x001e0000
process_identifier: 2460
process_handle: 0x000002a4
1 1 0

WriteProcessMemory

buffer: U‹ìSVW‹]‹C4P‹C,PÿPÿS‰C ‹C8P‹C0PÿPÿS‰C‹C<P‹C,PÿPÿS‰C‹C@P‹C,PÿPÿS‰C‹CDP‹C,PÿPÿS‰C‹CHP‹C,PÿPÿS‰C‹CTP‹C,PÿPÿS‰C ‹CLP‹C,PÿPÿS‰C$‹CPP‹C,PÿPÿS‰C(ëÿSƒøthôÿS ‹C\PÿS„Àtå‹CXPjjÿS$‹ð…ötWVÿS(WVÿSVÿS jÿS_^[]‹ÀU‹ìÄ@ÿÿÿSV3ɉMô‰Uø‰Eü‹Eüè. ùÿ‹Eøè& ùÿu”3ÀUhFRGdÿ0d‰ …Pÿÿÿ3ɺDè+ëøÿDžPÿÿÿDDž|ÿÿÿfÇE€…@ÿÿÿP…PÿÿÿPjjhjjj‹EüèÔ ùÿPjè)ùÿ‹@ÿÿÿ‹EüèNRùÿ„Àu Eüº\RGè™ùÿ‹Eøè5Rùÿ„Àu Uø3Àèï¡ùÿEô‹UøèxùÿºdRG‹Ãèüüÿÿ‰F,ºtRG‹Ãèíüÿÿ‰F0º€RG‹ÃèÞüÿÿ‰F4ºˆRG‹ÃèÏüÿÿ‰F8º”RG‹ÃèÀüÿÿ‰F<º RG‹Ãè±üÿÿ‰F@º¬RG‹Ãè¢üÿÿ‰FDº¼RG‹Ãè“üÿÿ‰FHºÐRG‹Ãè„üÿÿ‰FTºÜRG‹Ãèuüÿÿ‰FLºèRG‹Ãèfüÿÿ‰FP‹Eôèßùÿ‹Ð‹ÃèRüÿÿ‰F\‹…Hÿÿÿ‰FXhüRGh SGèç)ùÿPèé)ùÿ‰hSGh SGèÐ)ùÿPèÒ)ùÿ‰Fh€RGh SGè¸)ùÿPèº)ùÿ‰F hˆRGh SGè )ùÿPè¢)ùÿ‰F h”RGh SGèˆ)ùÿPèŠ)ùÿ‰Fh RGh SGèp)ùÿPèr)ùÿ‰Fh¬RGh SGèX)ùÿPèZ)ùÿ‰Fh¼RGh SGè@)ùÿPèB)ùÿ‰FhÐRGh SGè()ùÿPè*)ùÿ‰F hÜRGh SGè)ùÿPè)ùÿ‰F$hèRGh SGèø(ùÿPèú(ùÿ‰F(j`j‹Îº”NG‹Ãèõûÿÿ3ÀZYYd‰hMRGEôºèùÿÃ
base_address: 0x001f0000
process_identifier: 2460
process_handle: 0x000002a4
1 1 0

WriteProcessMemory

buffer: kernel32.dll
base_address: 0x000b0000
process_identifier: 2756
process_handle: 0x00000218
1 1 0

WriteProcessMemory

buffer: user32.dll
base_address: 0x000c0000
process_identifier: 2756
process_handle: 0x00000218
1 1 0

WriteProcessMemory

buffer: Sleep
base_address: 0x000d0000
process_identifier: 2756
process_handle: 0x00000218
1 1 0

WriteProcessMemory

buffer: MessageBoxA
base_address: 0x000e0000
process_identifier: 2756
process_handle: 0x00000218
1 1 0

WriteProcessMemory

buffer: CreateProcessA
base_address: 0x000f0000
process_identifier: 2756
process_handle: 0x00000218
1 1 0

WriteProcessMemory

buffer: GetLastError
base_address: 0x00100000
process_identifier: 2756
process_handle: 0x00000218
1 1 0

WriteProcessMemory

buffer: SetLastError
base_address: 0x00110000
process_identifier: 2756
process_handle: 0x00000218
1 1 0

WriteProcessMemory

buffer: CreateMutexA
base_address: 0x00120000
process_identifier: 2756
process_handle: 0x00000218
1 1 0

WriteProcessMemory

buffer: CloseHandle
base_address: 0x00130000
process_identifier: 2756
process_handle: 0x00000218
1 1 0

WriteProcessMemory

buffer: ExitThread
base_address: 0x00140000
process_identifier: 2756
process_handle: 0x00000218
1 1 0

WriteProcessMemory

buffer: OpenProcess
base_address: 0x00150000
process_identifier: 2756
process_handle: 0x00000218
1 1 0

WriteProcessMemory

buffer: DCPERSFWBP
base_address: 0x00160000
process_identifier: 2756
process_handle: 0x00000218
1 1 0

WriteProcessMemory

buffer: TerminateProcess
base_address: 0x00170000
process_identifier: 2756
process_handle: 0x00000218
1 1 0

WriteProcessMemory

buffer: GetExitCodeProcess
base_address: 0x00180000
process_identifier: 2756
process_handle: 0x00000218
1 1 0

WriteProcessMemory

buffer: DC_MUTEX-BEY5DN0
base_address: 0x00190000
process_identifier: 2756
process_handle: 0x00000218
1 1 0

WriteProcessMemory

buffer: WaitForSingleObject
base_address: 0x001a0000
process_identifier: 2756
process_handle: 0x00000218
1 1 0

WriteProcessMemory

buffer: C:\Users\test22\Documents\MSDCSC\msdcsc.exe
base_address: 0x00220000
process_identifier: 2756
process_handle: 0x00000218
1 1 0

WriteProcessMemory

buffer: ×Iu"uýduÿuÀuru6u©u˜Õw†u؀uuM€ukLu "Ä
base_address: 0x00230000
process_identifier: 2756
process_handle: 0x00000218
1 1 0

WriteProcessMemory

buffer: U‹ìƒÄ¬SVW‹]‹C@P‹C8PÿPÿS‰C ‹CDP‹C<PÿPÿS‰C‹CTP‹C8PÿPÿS‰C‹CXP‹C8PÿPÿS‰C‹CHP‹C8PÿPÿS‰C‹CLP‹C8PÿPÿS‰C‹CPP‹C8PÿPÿS‰C4‹C`P‹C8PÿPÿS‰C,‹ClP‹C8PÿPÿS‰C(‹ChP‹C8PÿPÿS‰C0‹CdP‹C8PÿPÿS‰C ‹CpP‹C8PÿPÿS‰C$jÿS‹CxPjjÿS4ÿS=·u$‹C|PjjÿS$‹ø…ÿtVWÿS0VWÿS(WÿS,jÿS jÿS‹C\PjjÿS4‹øÿS=·tRWÿS,ÇE¼DE¬PE¼Pjjjjjj‹CtPjÿS…Àt3öhȋE¬PÿSƒèsƒÎÿ…ötèë¼hÐÿS ë²WÿS,hôÿS ë„_^[‹å]U‹ìÄ ÿÿÿSVW‰Mô‰Uø‰Eü‹Eüèëùÿ‹Eøèãùÿ‹EôèÛùÿµtÿÿÿ3ÀUh)XGdÿ0d‰ …0ÿÿÿ3ɺDèÝåøÿDž0ÿÿÿDDž\ÿÿÿfDž`ÿÿÿ‹Eüè0Mùÿ„Àu Eüº@XGè{ùÿ‹EøèMùÿ„Àu Uø3Àèќùÿ¿HXG… ÿÿÿP…0ÿÿÿPjjhjjj‹EüèOùÿPjè $ùÿ‹ ÿÿÿºTXG‹Ãè±÷ÿÿ‰F8ºdXG‹Ãè¢÷ÿÿ‰F<ºpXG‹Ãè“÷ÿÿ‰F@ºxXG‹Ãè„÷ÿÿ‰FDº„XG‹Ãèu÷ÿÿ‰FTº”XG‹Ãèf÷ÿÿ‰FHº¤XG‹ÃèW÷ÿÿ‰FLº´XG‹ÃèH÷ÿÿ‰FPºÄXG‹Ãè9÷ÿÿ‰F`ºÐXG‹Ãè*÷ÿÿ‰FdºÜXG‹Ãè÷ÿÿ‰Fp‹×‹Ãè÷ÿÿ‰FxºèXG‹Ãè÷ÿÿ‰FlºüXG‹Ãèñöÿÿ‰Fh‹Eôèjùÿ‹Ð‹ÃèÝöÿÿ‰F\ºYG‹ÃèÎöÿÿ‰FX‹EøèGùÿ‹Ð‹Ãèºöÿÿ‰Ft‹…(ÿÿÿ‰F|h$YGh4YGèO$ùÿPèQ$ùÿ‰h@YGh4YGè8$ùÿPè:$ùÿ‰FhpXGh4YGè $ùÿPè"$ùÿ‰F hxXGhPYGè$ùÿPè $ùÿ‰FhÄXGh4YGèð#ùÿPèò#ùÿ‰F,h„XGh4YGèØ#ùÿPèÚ#ùÿ‰Fh”XGh4YGèÀ#ùÿPèÂ#ùÿ‰Fh¤XGh4YGè¨#ùÿPèª#ùÿ‰Fh´XGh4YGè#ùÿPè’#ùÿ‰F4hüXGh4YGèx#ùÿPèz#ùÿ‰F0hÐXGh4YGè`#ùÿPèb#ùÿ‰F hèXGh4YGèH#ùÿPèJ#ùÿ‰F(hYGh4YGè0#ùÿPè2#ùÿ‰FhÜXGh4YGè#ùÿPè#ùÿ‰F$h€j‹Îº(SG‹Ãèöÿÿ3ÀZYYd‰h0XGEôºè,ýøÿÃ
base_address: 0x00240000
process_identifier: 2756
process_handle: 0x00000218
1 1 0
Time & API Arguments Status Return Repeated

SetWindowsHookExA

thread_identifier: 0
callback_function: 0x004818f8
hook_identifier: 13 (WH_KEYBOARD_LL)
module_address: 0x00400000
1 66081 0
file C:\Users\test22\AppData\Roaming\WINDOWS SECURITY NANO.EXE:Zone.Identifier
Process injection Process 948 resumed a thread in remote process 2224
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000088
suspend_count: 0
process_identifier: 2224
1 0 0
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2256
thread_handle: 0x00000088
process_identifier: 2224
current_directory:
filepath: C:\Users\test22\AppData\Roaming\csrss.exe
track: 1
command_line: "C:\Users\test22\AppData\Roaming\csrss.exe"
filepath_r: C:\Users\test22\AppData\Roaming\csrss.exe
stack_pivoted: 0
creation_flags: 525328 (CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x0000008c
1 1 0
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2164
thread_handle: 0x00000274
process_identifier: 2160
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Roaming\ULTIME MULTIHACK REBORN.EXE
track: 1
command_line: "C:\Users\test22\AppData\Roaming\ULTIME MULTIHACK REBORN.EXE"
filepath_r: C:\Users\test22\AppData\Roaming\ULTIME MULTIHACK REBORN.EXE
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000027c
1 1 0

CreateProcessInternalW

thread_identifier: 2200
thread_handle: 0x00000278
process_identifier: 2196
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Roaming\VLC MEDIA.EXE
track: 1
command_line: "C:\Users\test22\AppData\Roaming\VLC MEDIA.EXE"
filepath_r: C:\Users\test22\AppData\Roaming\VLC MEDIA.EXE
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000280
1 1 0

CreateProcessInternalW

thread_identifier: 2240
thread_handle: 0x00000280
process_identifier: 2236
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Roaming\WINDOWS DEFENDER.EXE
track: 1
command_line: "C:\Users\test22\AppData\Roaming\WINDOWS DEFENDER.EXE"
filepath_r: C:\Users\test22\AppData\Roaming\WINDOWS DEFENDER.EXE
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000001ec
1 1 0

CreateProcessInternalW

thread_identifier: 2284
thread_handle: 0x000001ec
process_identifier: 2280
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Roaming\WINDOWS SECURITY NANO.EXE
track: 1
command_line: "C:\Users\test22\AppData\Roaming\WINDOWS SECURITY NANO.EXE"
filepath_r: C:\Users\test22\AppData\Roaming\WINDOWS SECURITY NANO.EXE
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000025c
1 1 0

NtResumeThread

thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 2160
1 0 0

NtResumeThread

thread_handle: 0x0000014c
suspend_count: 1
process_identifier: 2160
1 0 0

NtResumeThread

thread_handle: 0x00000190
suspend_count: 1
process_identifier: 2160
1 0 0

NtResumeThread

thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 2280
1 0 0

NtResumeThread

thread_handle: 0x00000158
suspend_count: 1
process_identifier: 2280
1 0 0

NtResumeThread

thread_handle: 0x00000224
suspend_count: 1
process_identifier: 2280
1 0 0

NtResumeThread

thread_handle: 0x00000264
suspend_count: 1
process_identifier: 2280
1 0 0

NtResumeThread

thread_handle: 0x00000288
suspend_count: 1
process_identifier: 2280
1 0 0

NtGetContextThread

thread_handle: 0x000000d8
1 0 0

NtGetContextThread

thread_handle: 0x000000d8
1 0 0

NtResumeThread

thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 2280
1 0 0

NtResumeThread

thread_handle: 0x0000032c
suspend_count: 1
process_identifier: 2280
1 0 0

NtResumeThread

thread_handle: 0x0000034c
suspend_count: 1
process_identifier: 2280
1 0 0

NtResumeThread

thread_handle: 0x00000188
suspend_count: 1
process_identifier: 2196
1 0 0

CreateProcessInternalW

thread_identifier: 2392
thread_handle: 0x000002dc
process_identifier: 2388
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\test22\AppData\Roaming\VLC MEDIA.EXE" +s +h
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000002e4
1 1 0

CreateProcessInternalW

thread_identifier: 2428
thread_handle: 0x000002dc
process_identifier: 2424
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\test22\AppData\Roaming" +s +h
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000002d0
1 1 0

CreateProcessInternalW

thread_identifier: 2464
thread_handle: 0x00000294
process_identifier: 2460
current_directory:
filepath:
track: 1
command_line: notepad
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 0
process_handle: 0x000002a4
1 1 0

NtAllocateVirtualMemory

process_identifier: 2460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000b0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a4
1 0 0

WriteProcessMemory

buffer: kernel32.dll
base_address: 0x000b0000
process_identifier: 2460
process_handle: 0x000002a4
1 1 0

NtAllocateVirtualMemory

process_identifier: 2460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000c0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a4
1 0 0

WriteProcessMemory

buffer: user32.dll
base_address: 0x000c0000
process_identifier: 2460
process_handle: 0x000002a4
1 1 0

NtAllocateVirtualMemory

process_identifier: 2460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00110000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a4
1 0 0

WriteProcessMemory

buffer: Sleep
base_address: 0x00110000
process_identifier: 2460
process_handle: 0x000002a4
1 1 0

NtAllocateVirtualMemory

process_identifier: 2460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00120000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a4
1 0 0

WriteProcessMemory

buffer: MessageBoxA
base_address: 0x00120000
process_identifier: 2460
process_handle: 0x000002a4
1 1 0

NtAllocateVirtualMemory

process_identifier: 2460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00130000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a4
1 0 0

WriteProcessMemory

buffer: ExitThread
base_address: 0x00130000
process_identifier: 2460
process_handle: 0x000002a4
1 1 0

NtAllocateVirtualMemory

process_identifier: 2460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00140000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a4
1 0 0

WriteProcessMemory

buffer: DeleteFileA
base_address: 0x00140000
process_identifier: 2460
process_handle: 0x000002a4
1 1 0

NtAllocateVirtualMemory

process_identifier: 2460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00150000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a4
1 0 0

WriteProcessMemory

buffer: GetLastError
base_address: 0x00150000
process_identifier: 2460
process_handle: 0x000002a4
1 1 0

NtAllocateVirtualMemory

process_identifier: 2460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00160000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a4
1 0 0

WriteProcessMemory

buffer: TerminateProcess
base_address: 0x00160000
process_identifier: 2460
process_handle: 0x000002a4
1 1 0

NtAllocateVirtualMemory

process_identifier: 2460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00170000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a4
1 0 0

WriteProcessMemory

buffer: CloseHandle
base_address: 0x00170000
process_identifier: 2460
process_handle: 0x000002a4
1 1 0

NtAllocateVirtualMemory

process_identifier: 2460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00180000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a4
1 0 0

WriteProcessMemory

buffer: OpenProcess
base_address: 0x00180000
process_identifier: 2460
process_handle: 0x000002a4
1 1 0

NtAllocateVirtualMemory

process_identifier: 2460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00190000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a4
1 0 0

WriteProcessMemory

buffer: GetExitCodeProcess
base_address: 0x00190000
process_identifier: 2460
process_handle: 0x000002a4
1 1 0

NtAllocateVirtualMemory

process_identifier: 2460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x001a0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a4
1 0 0

WriteProcessMemory

buffer: C:\Users\test22\AppData\Roaming\VLC MEDIA.EXE
base_address: 0x001a0000
process_identifier: 2460
process_handle: 0x000002a4
1 1 0

NtAllocateVirtualMemory

process_identifier: 2460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x001e0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a4
1 0 0

WriteProcessMemory

buffer: ×Iu"uF@˜ÕwDTuÀu؀uu†uM€u œ 
base_address: 0x001e0000
process_identifier: 2460
process_handle: 0x000002a4
1 1 0

NtAllocateVirtualMemory

process_identifier: 2460
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x001f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a4
1 0 0

WriteProcessMemory

buffer: U‹ìSVW‹]‹C4P‹C,PÿPÿS‰C ‹C8P‹C0PÿPÿS‰C‹C<P‹C,PÿPÿS‰C‹C@P‹C,PÿPÿS‰C‹CDP‹C,PÿPÿS‰C‹CHP‹C,PÿPÿS‰C‹CTP‹C,PÿPÿS‰C ‹CLP‹C,PÿPÿS‰C$‹CPP‹C,PÿPÿS‰C(ëÿSƒøthôÿS ‹C\PÿS„Àtå‹CXPjjÿS$‹ð…ötWVÿS(WVÿSVÿS jÿS_^[]‹ÀU‹ìÄ@ÿÿÿSV3ɉMô‰Uø‰Eü‹Eüè. ùÿ‹Eøè& ùÿu”3ÀUhFRGdÿ0d‰ …Pÿÿÿ3ɺDè+ëøÿDžPÿÿÿDDž|ÿÿÿfÇE€…@ÿÿÿP…PÿÿÿPjjhjjj‹EüèÔ ùÿPjè)ùÿ‹@ÿÿÿ‹EüèNRùÿ„Àu Eüº\RGè™ùÿ‹Eøè5Rùÿ„Àu Uø3Àèï¡ùÿEô‹UøèxùÿºdRG‹Ãèüüÿÿ‰F,ºtRG‹Ãèíüÿÿ‰F0º€RG‹ÃèÞüÿÿ‰F4ºˆRG‹ÃèÏüÿÿ‰F8º”RG‹ÃèÀüÿÿ‰F<º RG‹Ãè±üÿÿ‰F@º¬RG‹Ãè¢üÿÿ‰FDº¼RG‹Ãè“üÿÿ‰FHºÐRG‹Ãè„üÿÿ‰FTºÜRG‹Ãèuüÿÿ‰FLºèRG‹Ãèfüÿÿ‰FP‹Eôèßùÿ‹Ð‹ÃèRüÿÿ‰F\‹…Hÿÿÿ‰FXhüRGh SGèç)ùÿPèé)ùÿ‰hSGh SGèÐ)ùÿPèÒ)ùÿ‰Fh€RGh SGè¸)ùÿPèº)ùÿ‰F hˆRGh SGè )ùÿPè¢)ùÿ‰F h”RGh SGèˆ)ùÿPèŠ)ùÿ‰Fh RGh SGèp)ùÿPèr)ùÿ‰Fh¬RGh SGèX)ùÿPèZ)ùÿ‰Fh¼RGh SGè@)ùÿPèB)ùÿ‰FhÐRGh SGè()ùÿPè*)ùÿ‰F hÜRGh SGè)ùÿPè)ùÿ‰F$hèRGh SGèø(ùÿPèú(ùÿ‰F(j`j‹Îº”NG‹Ãèõûÿÿ3ÀZYYd‰hMRGEôºèùÿÃ
base_address: 0x001f0000
process_identifier: 2460
process_handle: 0x000002a4
1 1 0

CreateProcessInternalW

thread_identifier: 2672
thread_handle: 0x00000494
process_identifier: 2668
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\Documents\MSDCSC\msdcsc.exe
track: 1
command_line: "C:\Users\test22\Documents\MSDCSC\msdcsc.exe"
filepath_r: C:\Users\test22\Documents\MSDCSC\msdcsc.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000490
1 1 0
Bkav W32.AIDetectMalware
tehtris Generic.Malware
Cynet Malicious (score: 100)
CAT-QuickHeal VirTool.Vbinder.CO5
Skyhigh BehavesLike.Win32.VirRansom.th
ALYac Gen:Variant.Ransom.DarkyLock.3
Cylance Unsafe
VIPRE Gen:Variant.Ransom.DarkyLock.3
Sangfor Virus.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (D)
BitDefender Gen:Variant.Ransom.DarkyLock.3
K7GW Trojan ( 0055e3df1 )
K7AntiVirus Trojan ( 0055e3df1 )
Arcabit Trojan.Ransom.DarkyLock.3
Baidu Win32.Trojan-Dropper.Binder.m
VirIT HackTool.Win32.Binder.BS
Symantec ML.Attribute.HighConfidence
Elastic Windows.Trojan.Asyncrat
ESET-NOD32 Win32/TrojanDropper.Binder.NBH
APEX Malicious
Avast Win32:MalwareX-gen [Misc]
ClamAV Win.Trojan.DarkKomet-1
Kaspersky HackTool.Win32.Binder.bs
NANO-Antivirus Trojan.Win32.NanoBot.hmqoyu
MicroWorld-eScan Gen:Variant.Ransom.DarkyLock.3
Rising Dropper.Binder!1.AEB1 (CLASSIC)
Emsisoft Gen:Variant.Ransom.DarkyLock.3 (B)
F-Secure Backdoor.BDS/DarkKomet.GS
DrWeb Trojan.MulDrop2.39589
TrendMicro BKDR_FYNLOS.SMM
McAfeeD Real Protect-LS!E08BD789D9F4
Trapmine malicious.high.ml.score
CTX exe.ransomware.darkylock
Sophos Troj/Backdr-ID
SentinelOne Static AI - Malicious PE
Jiangmin HackTool.Binder.bh
Webroot W32.Rogue.Gen
Google Detected
Avira BDS/DarkKomet.GS
Antiy-AVL HackTool/Win32.Binder.bs
Kingsoft malware.kb.a.1000
Gridinsoft Trojan.Win32.Injector.sb!s1
Xcitium TrojWare.Win32.TrojanDropper.Binder.cls@4m6ovz
Microsoft VirTool:Win32/Vbinder!pz
ViRobot Trojan.Win32.A.Swisyn.49120
ZoneAlarm Mal/Vbinder-D
GData Win32.Trojan.Binder.A
Varist W32/Backdoor.FVDJ-1096
AhnLab-V3 HackTool/Win32.Vbinder.R12127
McAfee Trojan-FDDZ!E08BD789D9F4
dead_host 78.160.80.14:1604
dead_host 78.160.80.14:54984