popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

ConsoleApp17.exe

Generic Malware AntiDebug PE File PE32 .NET EXE AntiVM
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Nov. 11, 2021, 10:09 a.m. Nov. 11, 2021, 10:10 a.m.
Size 290.0KB
Type PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 521339ae9fa89c3af1b50456781272a8
SHA256 5d5cd3bd60e148bcfc1b78e13836f43c684b21babdeff5f036cda174ca122f82
CRC32 E46BF37E
ssdeep 384:88eAPKofy1JjaG999999999999J999999999999X99999999999u99999999999/:8F4VskUKrBTO7HehOfV4xPe8rGB0JL4
Yara
  • PE_Header_Zero - PE File Signature
  • Generic_Malware_Zero - Generic Malware
  • IsPE32 - (no description)
  • Is_DotNET_EXE - (no description)
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
84.252.121.97 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003c0dc0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003c0dc0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003c0cc0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e
0x529c39d
0x529c312
0x5299ebb
0x5295873
0x52971b2
0xacdb4b
0xace8cc
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737
mscorlib+0x2d3711 @ 0x72143711
mscorlib+0x308f2d @ 0x72178f2d
mscorlib+0x3133fd @ 0x721833fd
0xac07e8
0xac024e
0xac021b
0xac0183
0xac0077
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ef74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7670b479
registers.esp: 1436028
registers.edi: 1980555208
registers.eax: 16777216
registers.ebp: 1436232
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e
0x529c39d
0x529c312
0x5299ebb
0x5295873
0x52971b2
0xacdb4b
0xace8cc
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737
mscorlib+0x2d3711 @ 0x72143711
mscorlib+0x308f2d @ 0x72178f2d
mscorlib+0x3133fd @ 0x721833fd
0xac07e8
0xac024e
0xac021b
0xac0183
0xac0077
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ef74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7670b479
registers.esp: 1436028
registers.edi: 1980555208
registers.eax: 4194304
registers.ebp: 1436232
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e
0x529c39d
0x529c312
0x5299ebb
0x5295873
0x52971b2
0xacdb4b
0xace8cc
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737
mscorlib+0x2d3711 @ 0x72143711
mscorlib+0x308f2d @ 0x72178f2d
mscorlib+0x3133fd @ 0x721833fd
0xac07e8
0xac024e
0xac021b
0xac0183
0xac0077
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ef74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7670b479
registers.esp: 1436028
registers.edi: 1980555208
registers.eax: 15138816
registers.ebp: 1436232
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0
1 0 0
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://84.252.121.97/ken/ConsoleApp17.png
request GET http://84.252.121.97/ken/ConsoleApp17.png
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 1376256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00590000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2796
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72e31000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2796
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72e32000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005e0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00572000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005b5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005bb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005b7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0059c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ac0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0059a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0057a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005aa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005a7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005a6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005ab000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 28672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ac1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ac8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ac9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04eef000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04ee0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ace000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0059d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00acf000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05290000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05291000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05293000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05294000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05295000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05296000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05297000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04ee1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0059e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05298000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05299000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0529a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04ee2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0529b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2796
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0529c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2260
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008c0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

 flags: 15
family: 0
111 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Bypass DEP rule disable_dep
host 84.252.121.97
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2260
region_size: 167936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000254
1 0 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZERèXƒè ‹ÈƒÀ<‹ÁƒÀ(ÿᐸº´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"šúHuQH"šÏH:QH"šÌH8QHRich9QHPELË®@à  |PԐ@@.textl{| `
base_address: 0x00400000
process_identifier: 2260
process_handle: 0x00000254
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2260
process_handle: 0x00000254
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZERèXƒè ‹ÈƒÀ<‹ÁƒÀ(ÿᐸº´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"šúHuQH"šÏH:QH"šÌH8QHRich9QHPELË®@à  |PԐ@@.textl{| `
base_address: 0x00400000
process_identifier: 2260
process_handle: 0x00000254
1 1 0
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Bulz.776408
FireEye Generic.mg.521339ae9fa89c3a
Cylance Unsafe
Cybereason malicious.11ff91
APEX Malicious
Paloalto generic.ml
Kaspersky VHO:Trojan-Downloader.MSIL.Seraph.gen
BitDefender Gen:Variant.Bulz.776408
Ad-Aware Gen:Variant.Bulz.776408
Emsisoft Gen:Variant.Bulz.776408 (B)
Ikarus Trojan.Inject
Arcabit Trojan.Bulz.DBD8D8
GData Gen:Variant.Bulz.776408
ALYac Gen:Variant.Bulz.776408
MAX malware (ai score=81)
MaxSecure Trojan.Malware.300983.susgen
Process injection Process 2796 called NtSetContextThread to modify thread in remote process 2260
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4314192
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000033c
process_identifier: 2260
1 0 0
Process injection Process 2796 resumed a thread in remote process 2260
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x0000033c
suspend_count: 1
process_identifier: 2260
1 0 0
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000000e4
suspend_count: 1
process_identifier: 2796
1 0 0

NtResumeThread

 thread_handle: 0x00000154
suspend_count: 1
process_identifier: 2796
1 0 0

NtResumeThread

 thread_handle: 0x00000194
suspend_count: 1
process_identifier: 2796
1 0 0

NtResumeThread

 thread_handle: 0x00000354
suspend_count: 1
process_identifier: 2796
1 0 0

CreateProcessInternalW

 thread_identifier: 2264
thread_handle: 0x0000033c
process_identifier: 2260
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\ConsoleApp17.exe
filepath_r:
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000254
1 1 0

NtGetContextThread

 thread_handle: 0x0000033c
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2260
region_size: 167936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000254
1 0 0

WriteProcessMemory

 buffer: MZERèXƒè ‹ÈƒÀ<‹ÁƒÀ(ÿᐸº´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"šúHuQH"šÏH:QH"šÌH8QHRich9QHPELË®@à  |PԐ@@.textl{| `
base_address: 0x00400000
process_identifier: 2260
process_handle: 0x00000254
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00401000
process_identifier: 2260
process_handle: 0x00000254
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2260
process_handle: 0x00000254
1 1 0

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4314192
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000033c
process_identifier: 2260
1 0 0

NtResumeThread

 thread_handle: 0x0000033c
suspend_count: 1
process_identifier: 2260
1 0 0