popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Fsbey.exe

  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 April 20, 2021, 7:37 a.m. April 20, 2021, 7:39 a.m.
Size 296.8KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 8ab4c430e65defdd7b9975db28d3c92d
SHA256 b9ecf814b7f31a8ee1445d0256ba7a74f46d3e8f0bb588d10c54cd7f7f0fc202
CRC32 B5230C88
ssdeep 6144:818l6GL/xl+HstePVsBMXJlweRotfSCKeqVD1xy:Tl6G7x4stePVaMXvwyQf/Hqd
Yara
  • PE_Header_Zero - PE File Signature Zero
  • IsPE32 - (no description)
  • IsNET_EXE - (no description)
  • IsWindowsGUI - (no description)
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasDigitalSignature - DigitalSignature Check

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49208 -> 107.149.249.12:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 107.149.249.12:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 107.149.249.12:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 107.149.249.12:80 2031088 ET HUNTING Request to .XYZ Domain with Minimal Headers Potentially Bad Traffic
TCP 192.168.56.101:49216 -> 192.0.78.25:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 192.0.78.25:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 192.0.78.25:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 184.168.139.151:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 34.102.136.180:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 184.168.139.151:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 34.102.136.180:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 184.168.139.151:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 34.102.136.180:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 34.102.136.180:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 104.161.87.55:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 34.102.136.180:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 104.161.87.55:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 34.102.136.180:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 104.161.87.55:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 54.147.194.143:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 54.147.194.143:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 54.147.194.143:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e
0x737c7d
0x736c22
0x7349d2
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737
mscorlib+0x2d36ad @ 0x6ff136ad
mscorlib+0x308f2d @ 0x6ff48f2d
mscorlib+0x3135ed @ 0x6ff535ed
0x730ec5
0x730d2e
0x73032a
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7575b479
registers.esp: 3205420
registers.edi: 1990713288
registers.eax: 16777216
registers.ebp: 3205624
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e
0x737c7d
0x736c22
0x7349d2
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737
mscorlib+0x2d36ad @ 0x6ff136ad
mscorlib+0x308f2d @ 0x6ff48f2d
mscorlib+0x3135ed @ 0x6ff535ed
0x730ec5
0x730d2e
0x73032a
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7575b479
registers.esp: 3205420
registers.edi: 1990713288
registers.eax: 4194304
registers.ebp: 3205624
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e
0x737c7d
0x736c22
0x7349d2
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737
mscorlib+0x2d36ad @ 0x6ff136ad
mscorlib+0x308f2d @ 0x6ff48f2d
mscorlib+0x3135ed @ 0x6ff535ed
0x730ec5
0x730d2e
0x73032a
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7575b479
registers.esp: 3205420
registers.edi: 1990713288
registers.eax: 12648448
registers.ebp: 3205624
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0
1 0 0
suspicious_features GET method with no useragent header suspicious_request GET http://www.3thaiph.com/spj6/?LZhP=WELcilCtPEVEBOtiTM/sV79+dBkJlHKpkw1Y165Vpka6sd6WRde01ttFnmDHNGdBy+pSbyUZ&U4kp=Ntx4ZhIXOh7XQrX
suspicious_features GET method with no useragent header suspicious_request GET http://www.beautybar.sucks/spj6/?LZhP=/RvMM/n/jqwCaC65EoynYgHRCQVKYKWSUzaDLW3VbuGWvlmwwixnAdJlTChBxsV8Vf/7elXq&U4kp=Ntx4ZhIXOh7XQrX
suspicious_features GET method with no useragent header suspicious_request GET http://www.89xs.xyz/spj6/?LZhP=ChhDJUZ34acyioRDxU0I1eGwFTExh6t3ojTWkZgGpRLxdY0skGw1NzhaR82eRSGOOqXjwiEQ&U4kp=Ntx4ZhIXOh7XQrX
suspicious_features GET method with no useragent header suspicious_request GET http://www.shopjrock.com/spj6/?LZhP=qhnezQWTxjg/HbuTmF+cfz/AJC4nUSxVCtyRe9tzOWPiX7YfE01VM4G2EIPySa5O/Ai5gOof&U4kp=Ntx4ZhIXOh7XQrX
suspicious_features GET method with no useragent header suspicious_request GET http://www.ourforms.net/spj6/?LZhP=b6QgBSz9IsgTBrSxM1TpvmYRkuJztgbn0YznHbeB8Xc6Pticprr/H1NbfIFannWFjAB+Rs5D&U4kp=Ntx4ZhIXOh7XQrX
suspicious_features GET method with no useragent header suspicious_request GET http://www.preciousvessel.com/spj6/?LZhP=AF++6DW1ZB7b6v+G1k1B+DYsQETFO/sfcexAS4/+ytZ88TDwDfNbFwA03zmQ8kbNf+vM1WkW&U4kp=Ntx4ZhIXOh7XQrX
suspicious_features GET method with no useragent header suspicious_request GET http://www.my-watch-strap.com/spj6/?LZhP=4ljs57iv7WHWCxw/HP0065oO4y9+WBwXKiIOn+/c+11wOtEmZ+Y6UUQYeW5XnP+wk9BrVhzX&U4kp=Ntx4ZhIXOh7XQrX
request POST http://www.3thaiph.com/spj6/
request GET http://www.3thaiph.com/spj6/?LZhP=WELcilCtPEVEBOtiTM/sV79+dBkJlHKpkw1Y165Vpka6sd6WRde01ttFnmDHNGdBy+pSbyUZ&U4kp=Ntx4ZhIXOh7XQrX
request POST http://www.beautybar.sucks/spj6/
request GET http://www.beautybar.sucks/spj6/?LZhP=/RvMM/n/jqwCaC65EoynYgHRCQVKYKWSUzaDLW3VbuGWvlmwwixnAdJlTChBxsV8Vf/7elXq&U4kp=Ntx4ZhIXOh7XQrX
request POST http://www.89xs.xyz/spj6/
request GET http://www.89xs.xyz/spj6/?LZhP=ChhDJUZ34acyioRDxU0I1eGwFTExh6t3ojTWkZgGpRLxdY0skGw1NzhaR82eRSGOOqXjwiEQ&U4kp=Ntx4ZhIXOh7XQrX
request POST http://www.shopjrock.com/spj6/
request GET http://www.shopjrock.com/spj6/?LZhP=qhnezQWTxjg/HbuTmF+cfz/AJC4nUSxVCtyRe9tzOWPiX7YfE01VM4G2EIPySa5O/Ai5gOof&U4kp=Ntx4ZhIXOh7XQrX
request POST http://www.ourforms.net/spj6/
request GET http://www.ourforms.net/spj6/?LZhP=b6QgBSz9IsgTBrSxM1TpvmYRkuJztgbn0YznHbeB8Xc6Pticprr/H1NbfIFannWFjAB+Rs5D&U4kp=Ntx4ZhIXOh7XQrX
request POST http://www.preciousvessel.com/spj6/
request GET http://www.preciousvessel.com/spj6/?LZhP=AF++6DW1ZB7b6v+G1k1B+DYsQETFO/sfcexAS4/+ytZ88TDwDfNbFwA03zmQ8kbNf+vM1WkW&U4kp=Ntx4ZhIXOh7XQrX
request POST http://www.my-watch-strap.com/spj6/
request GET http://www.my-watch-strap.com/spj6/?LZhP=4ljs57iv7WHWCxw/HP0065oO4y9+WBwXKiIOn+/c+11wOtEmZ+Y6UUQYeW5XnP+wk9BrVhzX&U4kp=Ntx4ZhIXOh7XQrX
request POST http://www.3thaiph.com/spj6/
request POST http://www.beautybar.sucks/spj6/
request POST http://www.89xs.xyz/spj6/
request POST http://www.shopjrock.com/spj6/
request POST http://www.ourforms.net/spj6/
request POST http://www.preciousvessel.com/spj6/
request POST http://www.my-watch-strap.com/spj6/
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 917504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00370000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00410000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72741000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72742000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 1835008
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02060000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x021e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003d2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003ec000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00730000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00405000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0040b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00407000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003f6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003da000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003fa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003f7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00731000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00732000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00735000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00736000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00737000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00738000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003ea000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2876
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00c60000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
section {u'size_of_data': u'0x00043800', u'virtual_address': u'0x00002000', u'entropy': 7.960132668658899, u'name': u'.text', u'virtual_size': u'0x00043744'} entropy 7.96013266866 description A section with a high entropy has been found
entropy 0.935875216638 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
url https://discord.com/
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Bypass DEP rule disable_dep
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2876
region_size: 163840
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000244
1 0 0
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\notepa reg_value "C:\Users\test22\AppData\Local\notepa.exe"
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZERèXƒè ‹ÈƒÀ<‹ÁƒÀ(ÿᐸº´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"šúHuQH"šÏH:QH"šÌH8QHRich9QHPEL×ô&Là  pЀ@€@.textÀop `
base_address: 0x00400000
process_identifier: 2876
process_handle: 0x00000244
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2876
process_handle: 0x00000244
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZERèXƒè ‹ÈƒÀ<‹ÁƒÀ(ÿᐸº´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"šúHuQH"šÏH:QH"šÌH8QHRich9QHPEL×ô&Là  pЀ@€@.textÀop `
base_address: 0x00400000
process_identifier: 2876
process_handle: 0x00000244
1 1 0
Process injection Process 2648 called NtSetContextThread to modify thread in remote process 2876
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4313104
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000248
process_identifier: 2876
1 0 0
Process injection Process 2648 resumed a thread in remote process 2876
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x00000248
suspend_count: 1
process_identifier: 2876
1 0 0
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 2648
1 0 0

NtResumeThread

 thread_handle: 0x0000014c
suspend_count: 1
process_identifier: 2648
1 0 0

NtResumeThread

 thread_handle: 0x0000017c
suspend_count: 1
process_identifier: 2648
1 0 0

NtResumeThread

 thread_handle: 0x00000234
suspend_count: 1
process_identifier: 2648
1 0 0

CreateProcessInternalW

 thread_identifier: 260
thread_handle: 0x00000248
process_identifier: 2876
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\Fsbey.exe
filepath_r:
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000244
1 1 0

NtGetContextThread

 thread_handle: 0x00000248
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2876
region_size: 163840
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000244
1 0 0

WriteProcessMemory

 buffer: MZERèXƒè ‹ÈƒÀ<‹ÁƒÀ(ÿᐸº´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"šúHuQH"šÏH:QH"šÌH8QHRich9QHPEL×ô&Là  pЀ@€@.textÀop `
base_address: 0x00400000
process_identifier: 2876
process_handle: 0x00000244
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00401000
process_identifier: 2876
process_handle: 0x00000244
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2876
process_handle: 0x00000244
1 1 0

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4313104
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000248
process_identifier: 2876
1 0 0

NtResumeThread

 thread_handle: 0x00000248
suspend_count: 1
process_identifier: 2876
1 0 0