Details:
no crt functions imported
syscall unhooking using KnownDllUnhook
api hashing using Rotr32 hashing algo
payload encryption using rc4 - payload is saved in .rsrc
process injection - targetting 'SettingSyncHost.exe'
ppid spoofing & blockdlls policy using NtCreateUserProcess
stealthy remote process injection - chunking
using debugging & NtQueueApcThread for payload execution
[hide][Hidden Content]]