popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

vbc.exe

Emotet Gen1 AgentTesla info stealer NSIS Generic Malware browser Google Chrome Malicious Library Admin Tool (Sysinternals etc ...) UPX Malicious Packer User Data PWS Escalate priviledges Create Service Sniff Audio Anti_VM Socket
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Aug. 9, 2021, 11:19 p.m. Aug. 9, 2021, 11:28 p.m.
Size 1.3MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 0941a59548b4f95082dfa17f85c6557c
SHA256 b2beeab94f7cbc38143e2a050c263476419bb48d2ec37470df5b1ee0da812f50
CRC32 952FD404
ssdeep 24576:Sr4IPzH6WoE6+a0m+saUGENr8tG5BuPKboy9Ig:S0wLtoJ+sa7ENwEJ0y97
Yara
  • UPX_Zero - UPX packed file
  • Generic_Malware_Zero - Generic Malware
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch
45.137.22.101 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

Flow Issuer Subject Fingerprint
TLS 1.3
192.168.56.101:49208
45.137.22.101:5888 		None None None

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: ERROR:
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: The system cannot find the file specified.
console_handle: 0x0000000b
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x006c1588
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x006c0e88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x006c0e88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
file C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section CODE
section DATA
section BSS
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 1756
region_size: 2031616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ad0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1756
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00c80000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72421000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72422000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1756
region_size: 2228224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x020c0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1756
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x022a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1756
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003d2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1756
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003ec000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1756
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1756
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005f1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1756
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005f2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1756
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005f3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1756
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005f4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1756
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003da000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1756
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0040b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1756
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00407000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a92000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a92000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00980000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00980000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00980000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00982000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6d000
process_handle: 0xffffffff
1 0 0
file C:\Program Files (x86)\Microsoft Office\Office12\DSSM.EXE
file C:\Program Files (x86)\Hnc\HncUtils\HncUpdate.exe
file C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleUpdateCore.exe
file C:\Program Files (x86)\Microsoft Office\Office12\REGFORM.EXE
file C:\Python27\Lib\site-packages\setuptools\cli-32.exe
file C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\ODSERV.EXE
file C:\Python27\Scripts\easy_install.exe
file C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
file C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\ose.exe
file C:\Python27\Lib\site-packages\pip\_vendor\distlib\w32.exe
file C:\Program Files (x86)\Hnc\Common80\HimTrayIcon.exe
file C:\Program Files (x86)\Hnc\Hwp80\HwpFinder.exe
file C:\Program Files (x86)\Microsoft Office\Office12\SELFCERT.EXE
file C:\Program Files (x86)\Microsoft Office\Office12\PPTVIEW.EXE
file C:\Program Files (x86)\Microsoft Office\Office12\MSPUB.EXE
file C:\Program Files (x86)\EditPlus\editplus.exe
file C:\Python27\Lib\site-packages\pip\_vendor\distlib\t64.exe
file C:\Program Files (x86)\Hnc\Hwp80\HwpPrnMng.exe
file C:\Python27\Lib\site-packages\pip\_vendor\distlib\t32.exe
file C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
file C:\Program Files (x86)\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE
file C:\MSOCache\All Users\{90120000-006E-0412-0000-0000000FF1CE}-C\DW20.EXE
file C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleUpdateComRegisterShell64.exe
file C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleUpdateBroker.exe
file C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleCrashHandler64.exe
file C:\util\TCPView\Tcpvcon.exe
file C:\Program Files (x86)\Google\Chrome\Application\65.0.3325.181\Installer\chrmstp.exe
file C:\Program Files (x86)\Hnc\Common80\HncReporter.exe
file C:\Program Files (x86)\Microsoft Office\Office12\1042\ONELEV.EXE
file C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file C:\Program Files (x86)\Hnc\Hwp80\HncPUAConverter.exe
file C:\Program Files (x86)\Microsoft Office\Office12\MSTORE.EXE
file C:\Program Files (x86)\Hnc\HncDic80\HncDic.exe
file C:\Program Files (x86)\Microsoft Office\Office12\MSTORDB.EXE
file C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\ACECNFLT.EXE
file C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleUpdate.exe
file C:\Program Files (x86)\Hnc\Hwp80\Hwp.exe
file C:\Program Files (x86)\Hnc\HncUtils\KeyLayout\KeyLayout.exe
file C:\util\dotnet4.5.exe
file C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\winamp58_3660_beta_full_en-us[1].exe
file C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
file C:\Program Files (x86)\Microsoft Office\Office12\INFOPATH.EXE
file C:\Program Files (x86)\Microsoft Office\Office12\GrooveMigrator.exe
file C:\Program Files (x86)\Hnc\PDF80\x64\HNCE2PPRCONV80.exe
file C:\Program Files (x86)\Hnc\Common80\him\HJIMESV.EXE
file C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleUpdateOnDemand.exe
file C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\OINFOP12.EXE
file C:\Program Files (x86)\Hnc\Common80\OdfConverter.exe
file C:\Program Files (x86)\Common Files\microsoft shared\IME12\SHARED\IMEPADSV.EXE
cmdline schtasks.exe /Create /TN "Updates\TfIdAJRB" /XML "C:\Users\test22\AppData\Local\Temp\tmp1FB1.tmp"
cmdline C:\Windows\System32\schtasks.exe /Create /TN Updates\TfIdAJRB /XML C:\Users\test22\AppData\Local\Temp\tmp1FB1.tmp
cmdline "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TfIdAJRB" /XML "C:\Users\test22\AppData\Local\Temp\tmp1FB1.tmp"
file C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe
file C:\Windows\svchost.com
file C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\winamp58_3660_beta_full_en-us[1].exe
Time & API Arguments Status Return Repeated

ShellExecuteExW

 show_type: 0
filepath_r: schtasks.exe
parameters: /Create /TN "Updates\TfIdAJRB" /XML "C:\Users\test22\AppData\Local\Temp\tmp1FB1.tmp"
filepath: schtasks.exe
1 1 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
description Communications over RAW Socket rule Network_TCP_Socket
description Create a windows service rule Create_Service
description Record Audio rule Sniff_Audio
description Google Chrome User Data Check rule Chrome_User_Data_Check_Zero
description Escalate priviledges rule Escalate_priviledges
description Run a KeyLogger rule KeyLogger
description Win.Trojan.agentTesla rule Win_Trojan_agentTesla_Zero
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description browser info stealer rule infoStealer_browser_Zero
description File Downloader rule Network_Downloader
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
cmdline schtasks.exe /Create /TN "Updates\TfIdAJRB" /XML "C:\Users\test22\AppData\Local\Temp\tmp1FB1.tmp"
cmdline C:\Windows\System32\schtasks.exe /Create /TN Updates\TfIdAJRB /XML C:\Users\test22\AppData\Local\Temp\tmp1FB1.tmp
cmdline "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TfIdAJRB" /XML "C:\Users\test22\AppData\Local\Temp\tmp1FB1.tmp"
host 45.137.22.101
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2260
region_size: 495616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000444
1 0 0
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\(Default) reg_value C:\Windows\svchost.com "%1" %*
file C:\Users\test22\AppData\Local\Temp\tmp1FB1.tmp
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ªƒB0îâ,cîâ,cîâ,cZ~Ýcüâ,cZ~ßcOâ,cZ~Þcðâ,c皨cïâ,cpBëcìâ,cÕ¼/bôâ,cÕ¼)bÔâ,cÕ¼(bÌâ,c皿cûâ,cîâ-cñã,cy¼%b±â,c|¼Ócïâ,cy¼.bïâ,cRichîâ,cPELMSaà  l÷0@€‡Ü€KPˆ80l8Älhl@0t.text¶ `.rdataˆo0p@@.data\= Ž@À.tls àœ@À.gfids0ðž@@.rsrc€KL¢@@.relocˆ8P:î@B
base_address: 0x00400000
process_identifier: 2260
process_handle: 0x00000444
1 1 0

WriteProcessMemory

 buffer: €ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ “    ´tE¸wE²tE..€¡FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶F„¡FP¶FP¶FP¶FP¶FP¶FP¶FP¶Fˆ¡Fÿÿÿÿ¸wE¨¢F¨¢F¨¢F¨¢F¨¢Fˆ¡F8zE¸{EŠEè¡F€§FCPSTPDT°¢Fð¢Fÿÿÿÿÿÿÿÿÿÿÿÿ€ ¤`‚y‚!¦ß¡¥Ÿàü@~€ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ€§Fþÿÿÿþÿÿÿu˜0Ï!­tåša¾Œe¸‘¢z»Œ^ž âȨ3œ46E.?AVtype_info@@46E.?AVbad_alloc@std@@46E.?AVbad_array_new_length@std@@46E.?AVlogic_error@std@@46E.?AVlength_error@std@@46E.?AVout_of_range@std@@46E.?AV_Facet_base@std@@46E.?AV_Locimp@locale@std@@46E.?AVfacet@locale@std@@46E.?AU_Crt_new_delete@std@@46E.?AVcodecvt_base@std@@46E.?AUctype_base@std@@46E.?AV?$ctype@D@std@@46E.?AV?$codecvt@DDU_Mbstatet@@@std@@46E.?AVbad_exception@std@@46E.H46E.?AVfailure@ios_base@std@@46E.?AVruntime_error@std@@46E.?AVsystem_error@std@@46E.?AVbad_cast@std@@46E.?AV_System_error@std@@46E.?AVexception@std@@
base_address: 0x0046a000
process_identifier: 2260
process_handle: 0x00000444
1 1 0

WriteProcessMemory

 buffer: €
base_address: 0x0046e000
process_identifier: 2260
process_handle: 0x00000444
1 1 0

WriteProcessMemory

 buffer: +ÔÔ„?¤Ø¾Ø„? Ù„?)s„?ÚuZ55g;Ù.~~Dñìð„?„?m(À'Æؒخ’õŒЈûõÛÝÛÝÛ(jk¡iæÞ\šF“£ã¥w¡Ô(´öä¼éÙ  b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` Ÿž†…¢†…§µ¶³´±²¯°†…¸ Ÿ†… Y
base_address: 0x0046f000
process_identifier: 2260
process_handle: 0x00000444
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0xfffde008
process_identifier: 2260
process_handle: 0x00000444
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ªƒB0îâ,cîâ,cîâ,cZ~Ýcüâ,cZ~ßcOâ,cZ~Þcðâ,c皨cïâ,cpBëcìâ,cÕ¼/bôâ,cÕ¼)bÔâ,cÕ¼(bÌâ,c皿cûâ,cîâ-cñã,cy¼%b±â,c|¼Ócïâ,cy¼.bïâ,cRichîâ,cPELMSaà  l÷0@€‡Ü€KPˆ80l8Älhl@0t.text¶ `.rdataˆo0p@@.data\= Ž@À.tls àœ@À.gfids0ðž@@.rsrc€KL¢@@.relocˆ8P:î@B
base_address: 0x00400000
process_identifier: 2260
process_handle: 0x00000444
1 1 0
Process injection Process 1756 called NtSetContextThread to modify thread in remote process 2260
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4388716
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000448
process_identifier: 2260
1 0 0
Process injection Process 1756 resumed a thread in remote process 2260
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x00000448
suspend_count: 1
process_identifier: 2260
1 0 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions
registry HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools
Time & API Arguments Status Return Repeated

LdrGetProcedureAddress

 ordinal: 0
function_address: 0x003ad644
function_name: wine_get_unix_file_name
module: KERNEL32
module_address: 0x75720000
3221225785 0
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 1160
thread_handle: 0x0000026c
process_identifier: 1756
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000274
1 1 0

NtResumeThread

 thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 1756
1 0 0

NtResumeThread

 thread_handle: 0x00000150
suspend_count: 1
process_identifier: 1756
1 0 0

NtResumeThread

 thread_handle: 0x00000190
suspend_count: 1
process_identifier: 1756
1 0 0

NtResumeThread

 thread_handle: 0x00000200
suspend_count: 1
process_identifier: 1756
1 0 0

NtResumeThread

 thread_handle: 0x00000258
suspend_count: 1
process_identifier: 1756
1 0 0

NtGetContextThread

 thread_handle: 0x000000e4
1 0 0

NtGetContextThread

 thread_handle: 0x000000e4
1 0 0

NtResumeThread

 thread_handle: 0x000000e4
suspend_count: 1
process_identifier: 1756
1 0 0

NtResumeThread

 thread_handle: 0x000002d8
suspend_count: 1
process_identifier: 1756
1 0 0

NtResumeThread

 thread_handle: 0x0000030c
suspend_count: 1
process_identifier: 1756
1 0 0

CreateProcessInternalW

 thread_identifier: 2776
thread_handle: 0x00000488
process_identifier: 1512
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\svchost.com
track: 1
command_line: "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TfIdAJRB" /XML "C:\Users\test22\AppData\Local\Temp\tmp1FB1.tmp"
filepath_r: C:\Windows\svchost.com
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000048c
1 1 0

CreateProcessInternalW

 thread_identifier: 1224
thread_handle: 0x00000448
process_identifier: 2260
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
track: 1
command_line:
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000444
1 1 0

NtGetContextThread

 thread_handle: 0x00000448
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2260
region_size: 495616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000444
1 0 0

WriteProcessMemory

 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ªƒB0îâ,cîâ,cîâ,cZ~Ýcüâ,cZ~ßcOâ,cZ~Þcðâ,c皨cïâ,cpBëcìâ,cÕ¼/bôâ,cÕ¼)bÔâ,cÕ¼(bÌâ,c皿cûâ,cîâ-cñã,cy¼%b±â,c|¼Ócïâ,cy¼.bïâ,cRichîâ,cPELMSaà  l÷0@€‡Ü€KPˆ80l8Älhl@0t.text¶ `.rdataˆo0p@@.data\= Ž@À.tls àœ@À.gfids0ðž@@.rsrc€KL¢@@.relocˆ8P:î@B
base_address: 0x00400000
process_identifier: 2260
process_handle: 0x00000444
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00401000
process_identifier: 2260
process_handle: 0x00000444
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00453000
process_identifier: 2260
process_handle: 0x00000444
1 1 0

WriteProcessMemory

 buffer: €ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ “    ´tE¸wE²tE..€¡FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶F„¡FP¶FP¶FP¶FP¶FP¶FP¶FP¶Fˆ¡Fÿÿÿÿ¸wE¨¢F¨¢F¨¢F¨¢F¨¢Fˆ¡F8zE¸{EŠEè¡F€§FCPSTPDT°¢Fð¢Fÿÿÿÿÿÿÿÿÿÿÿÿ€ ¤`‚y‚!¦ß¡¥Ÿàü@~€ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ€§Fþÿÿÿþÿÿÿu˜0Ï!­tåša¾Œe¸‘¢z»Œ^ž âȨ3œ46E.?AVtype_info@@46E.?AVbad_alloc@std@@46E.?AVbad_array_new_length@std@@46E.?AVlogic_error@std@@46E.?AVlength_error@std@@46E.?AVout_of_range@std@@46E.?AV_Facet_base@std@@46E.?AV_Locimp@locale@std@@46E.?AVfacet@locale@std@@46E.?AU_Crt_new_delete@std@@46E.?AVcodecvt_base@std@@46E.?AUctype_base@std@@46E.?AV?$ctype@D@std@@46E.?AV?$codecvt@DDU_Mbstatet@@@std@@46E.?AVbad_exception@std@@46E.H46E.?AVfailure@ios_base@std@@46E.?AVruntime_error@std@@46E.?AVsystem_error@std@@46E.?AVbad_cast@std@@46E.?AV_System_error@std@@46E.?AVexception@std@@
base_address: 0x0046a000
process_identifier: 2260
process_handle: 0x00000444
1 1 0

WriteProcessMemory

 buffer: €
base_address: 0x0046e000
process_identifier: 2260
process_handle: 0x00000444
1 1 0

WriteProcessMemory

 buffer: +ÔÔ„?¤Ø¾Ø„? Ù„?)s„?ÚuZ55g;Ù.~~Dñìð„?„?m(À'Æؒخ’õŒЈûõÛÝÛÝÛ(jk¡iæÞ\šF“£ã¥w¡Ô(´öä¼éÙ  b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` Ÿž†…¢†…§µ¶³´±²¯°†…¸ Ÿ†… Y
base_address: 0x0046f000
process_identifier: 2260
process_handle: 0x00000444
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00470000
process_identifier: 2260
process_handle: 0x00000444
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00475000
process_identifier: 2260
process_handle: 0x00000444
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0xfffde008
process_identifier: 2260
process_handle: 0x00000444
1 1 0

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4388716
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000448
process_identifier: 2260
1 0 0

NtResumeThread

 thread_handle: 0x00000448
suspend_count: 1
process_identifier: 2260
1 0 0

NtResumeThread

 thread_handle: 0x00000484
suspend_count: 1
process_identifier: 1756
1 0 0

NtGetContextThread

 thread_handle: 0x00000484
1 0 0

NtGetContextThread

 thread_handle: 0x00000484
1 0 0

NtResumeThread

 thread_handle: 0x00000484
suspend_count: 1
process_identifier: 1756
1 0 0

CreateProcessInternalW

 thread_identifier: 2232
thread_handle: 0x000000a4
process_identifier: 1408
current_directory:
filepath:
track: 1
command_line: C:\Windows\System32\schtasks.exe /Create /TN Updates\TfIdAJRB /XML C:\Users\test22\AppData\Local\Temp\tmp1FB1.tmp
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000000a8
1 1 0
Bkav W32.NeshtaB.PE
Elastic malicious (high confidence)
MicroWorld-eScan Win32.Neshta.A
FireEye Generic.mg.0941a59548b4f950
CAT-QuickHeal W32.Neshta.C8
ALYac Win32.Neshta.A
Cylance Unsafe
VIPRE Virus.Win32.Neshta.a (v)
K7AntiVirus Virus ( 00556e571 )
K7GW Virus ( 00556e571 )
Cybereason malicious.548b4f
BitDefenderTheta AI:FileInfector.D5C3B0640E
Cyren W32/Neshta.OBIX-2981
Symantec W32.Neshuta
ESET-NOD32 Win32/Neshta.A
APEX Malicious
ClamAV Win.Trojan.Neshuta-1
Kaspersky Virus.Win32.Neshta.a
BitDefender Win32.Neshta.A
NANO-Antivirus Trojan.Win32.Winlock.fmobyw
Avast Win32:Apanas [Trj]
Rising Win32.Neshta.a (CLASSIC)
Ad-Aware Win32.Neshta.A
TACHYON Virus/W32.Neshta
Emsisoft Win32.Neshta.A (B)
Comodo Win32.Neshta.A@3ypg
DrWeb Win32.HLLP.Neshta
TrendMicro PE_NESHTA.A
McAfee-GW-Edition BehavesLike.Win32.HLLP.tc
Sophos ML/PE-A + W32/Neshta-D
Ikarus Virus.Win32.Neshta
Jiangmin Virus.Neshta.a
eGambit Unsafe.AI_Score_100%
Avira W32/Neshta.A
Antiy-AVL Trojan/Generic.ASVirus.20D
Gridinsoft Virus.Neshta.A.sd!yf
Microsoft Virus:Win32/Neshta.A
ViRobot Win32.Neshta.Gen.A
GData Win32.Virus.Neshta.D
Cynet Malicious (score: 100)
AhnLab-V3 Win32/Neshta
Acronis suspicious
McAfee W32/HLLP.41472.e
MAX malware (ai score=83)
VBA32 Virus.Win32.Neshta.a
Malwarebytes Neshta.Virus.FileInfector.DDS
Zoner Virus.Win32.19514
TrendMicro-HouseCall PE_NESHTA.A
Tencent Virus.Win32.Neshta.a
Yandex Trojan.GenAsa!Mo0tdcmmg3o