Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 20, 2022, 1:13 p.m.	May 20, 2022, 1:34 p.m.

Size	709.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`0ffe5b11dd9dd40ecd5351b0b49d740c`
SHA256	`ae5834a44a63d4cf18d52ddc5d2e4bec46d81bc20b2ea24a5f333840e2e71df2`
CRC32	`16E8A031`
ssdeep	`12288:WQpgYTbgXcoCSxHJhkKaOMDnwJmm4TuC81BrFI7KahFiRAUckVf/lu8pEHCgRpa:lpDTkJXHJeKaOKn9TkBuKaeRAsf/GHCj`
Yara	IsPE32 - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
2316
- MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2696

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 20, 2022, 1:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 20, 2022, 1:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 20, 2022, 1:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 20, 2022, 1:14 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 20, 2022, 1:13 p.m.			0	0
IsDebuggerPresent May 20, 2022, 1:13 p.m.			0	0
IsDebuggerPresent May 20, 2022, 1:14 p.m.			0	0
IsDebuggerPresent May 20, 2022, 1:14 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey May 20, 2022, 1:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d1090 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 1:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d0ed0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 1:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d0ed0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 20, 2022, 1:13 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 20, 2022, 1:14 p.m.	stacktrace: 0xaf1710 0xaf0f3b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x738c2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x738d264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x738d2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x739874ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73987610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73a11dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73a11e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73a11f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73a1416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f6f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74277f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74274de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc e8 13 d8 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xaf1b83 registers.esp: 2682384 registers.edi: 2682408 registers.eax: 0 registers.ebp: 2682420 registers.edx: 195 registers.ebx: 2682676 registers.esi: 35645260 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

May 20, 2022, 1:14 p.m.

stacktrace:

0xaf1710
0xaf0f3b
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x738c2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x738d264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x738d2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x739874ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73987610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73a11dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73a11e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73a11f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73a1416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f6f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74277f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74274de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc e8 13 d8
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xaf1b83
registers.esp: 2682384
registers.edi: 2682408
registers.eax: 0
registers.ebp: 2682420
registers.edx: 195
registers.ebx: 2682676
registers.esi: 35645260
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 70 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 20, 2022, 1:13 p.m.	process_identifier: 2316 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00230000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:13 p.m.	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00250000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 20, 2022, 1:13 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73941000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 20, 2022, 1:13 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73942000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:13 p.m.	process_identifier: 2316 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00430000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:13 p.m.	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00480000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:13 p.m.	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:13 p.m.	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00405000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:13 p.m.	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:13 p.m.	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00407000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:13 p.m.	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:13 p.m.	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00570000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:13 p.m.	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:13 p.m.	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:13 p.m.	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:13 p.m.	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:13 p.m.	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:13 p.m.	process_identifier: 2316 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00571000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:13 p.m.	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:14 p.m.	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:14 p.m.	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:14 p.m.	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ee000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:14 p.m.	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:14 p.m.	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:14 p.m.	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:14 p.m.	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:14 p.m.	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:14 p.m.	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06080000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:14 p.m.	process_identifier: 2316 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06081000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:14 p.m.	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06087000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:14 p.m.	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06088000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:14 p.m.	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f5f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:14 p.m.	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:14 p.m.	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06089000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:14 p.m.	process_identifier: 2316 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0608a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:14 p.m.	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f41000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:14 p.m.	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05910000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:14 p.m.	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05911000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:14 p.m.	process_identifier: 2696 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00780000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:14 p.m.	process_identifier: 2696 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00960000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 20, 2022, 1:14 p.m.	process_identifier: 2696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x738c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 20, 2022, 1:14 p.m.	process_identifier: 2696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x738c2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:14 p.m.	process_identifier: 2696 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:14 p.m.	process_identifier: 2696 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:14 p.m.	process_identifier: 2696 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:14 p.m.	process_identifier: 2696 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00765000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:14 p.m.	process_identifier: 2696 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0076b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:14 p.m.	process_identifier: 2696 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00767000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:14 p.m.	process_identifier: 2696 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0074c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:14 p.m.	process_identifier: 2696 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0074d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x000af600', u'virtual_address': u'0x00002000', u'entropy': 7.792034065971833, u'name': u'.text', u'virtual_size': u'0x000af4dc'}

entropy

7.79203406597

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00001c00', u'virtual_address': u'0x000b2000', u'entropy': 7.232676467417558, u'name': u'.rsrc', u'virtual_size': u'0x00001bcc'}

entropy

7.23267646742

description

A section with a high entropy has been found

entropy

0.999294781382

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 20, 2022, 1:14 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (12 events)

description	Communications smtp	rule	Network_SMTP_dotNet
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Run a KeyLogger	rule	KeyLogger
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 20, 2022, 1:14 p.m.	process_identifier: 2696 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000023c	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation May 20, 2022, 1:14 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

MSBuild.exe tried to sleep 10912844 seconds, actually delayed analysis time by 10912844 seconds

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory May 20, 2022, 1:14 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL7ÓbàN>l @ À@ðkKè H.textDL N `.rsrcèP@@.reloc T@B base_address: 0x00400000 process_identifier: 2696 process_handle: 0x0000023c	1	1
WriteProcessMemory May 20, 2022, 1:14 p.m.	buffer: 0HX4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ìStringFileInfoÈ000004b0,FileDescription 0FileVersion0.0.0.0\InternalNamebDRgTTGoQmxaEDcTEsmdPTGK.exe(LegalCopyright dOriginalFilenamebDRgTTGoQmxaEDcTEsmdPTGK.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 base_address: 0x00438000 process_identifier: 2696 process_handle: 0x0000023c	1	1
WriteProcessMemory May 20, 2022, 1:14 p.m.	buffer: `@< base_address: 0x0043a000 process_identifier: 2696 process_handle: 0x0000023c	1	1
WriteProcessMemory May 20, 2022, 1:14 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2696 process_handle: 0x0000023c	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory May 20, 2022, 1:14 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL7ÓbàN>l @ À@ðkKè H.textDL N `.rsrcèP@@.reloc T@B base_address: 0x00400000 process_identifier: 2696 process_handle: 0x0000023c	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2316 called NtSetContextThread to modify thread in remote process 2696
NtSetContextThread May 20, 2022, 1:14 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4418622 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000234 process_identifier: 2696	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2316 resumed a thread in remote process 2696
NtResumeThread May 20, 2022, 1:14 p.m.	thread_handle: 0x00000234 suspend_count: 1 process_identifier: 2696	1	0	0

File has been identified by 25 AntiVirus engines on VirusTotal as malicious (25 events)

Bkav	W32.AIDetectNet.01
Lionic	Trojan.Win32.AveMaria.l!c
tehtris	Generic.Malware
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.a
Alibaba	Trojan:Win32/runner.ali1000123
Cyren	W32/MSIL_Troj.CDC.gen!Eldorado
Symantec	Scr.Malcode!gdn30
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Kryptik.AFDN
Paloalto	generic.ml
Kaspersky	Trojan-Spy.Win32.AveMaria.ecb
Avast	Win32:PWSX-gen [Trj]
McAfee-GW-Edition	BehavesLike.Win32.Trojan.bc
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.0ffe5b11dd9dd40e
Sophos	Mal/Generic-S
Microsoft	Trojan:Win32/Wacatac.B!ml
Cynet	Malicious (score: 100)
AhnLab-V3	Infostealer/Win.RequestPOST.C5133228
McAfee	AgentTesla-FDGQ!0FFE5B11DD9D
APEX	Malicious
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.ZXG!tr
AVG	Win32:PWSX-gen [Trj]

Executed a process and injected code into it, probably while unpacking (23 events)

Time & API	Arguments	Status	Return
NtResumeThread May 20, 2022, 1:13 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2316	1	0
NtResumeThread May 20, 2022, 1:13 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2316	1	0
NtResumeThread May 20, 2022, 1:13 p.m.	thread_handle: 0x000001d8 suspend_count: 1 process_identifier: 2316	1	0
CreateProcessInternalW May 20, 2022, 1:14 p.m.	thread_identifier: 2700 thread_handle: 0x00000234 process_identifier: 2696 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000023c	1	1
NtGetContextThread May 20, 2022, 1:14 p.m.	thread_handle: 0x00000234	1	0
NtAllocateVirtualMemory May 20, 2022, 1:14 p.m.	process_identifier: 2696 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000023c	1	0
WriteProcessMemory May 20, 2022, 1:14 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL7ÓbàN>l @ À@ðkKè H.textDL N `.rsrcèP@@.reloc T@B base_address: 0x00400000 process_identifier: 2696 process_handle: 0x0000023c	1	1
WriteProcessMemory May 20, 2022, 1:14 p.m.	buffer: base_address: 0x00402000 process_identifier: 2696 process_handle: 0x0000023c	1	1
WriteProcessMemory May 20, 2022, 1:14 p.m.	buffer: 0HX4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ìStringFileInfoÈ000004b0,FileDescription 0FileVersion0.0.0.0\InternalNamebDRgTTGoQmxaEDcTEsmdPTGK.exe(LegalCopyright dOriginalFilenamebDRgTTGoQmxaEDcTEsmdPTGK.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 base_address: 0x00438000 process_identifier: 2696 process_handle: 0x0000023c	1	1
WriteProcessMemory May 20, 2022, 1:14 p.m.	buffer: `@< base_address: 0x0043a000 process_identifier: 2696 process_handle: 0x0000023c	1	1
WriteProcessMemory May 20, 2022, 1:14 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2696 process_handle: 0x0000023c	1	1
NtSetContextThread May 20, 2022, 1:14 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4418622 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000234 process_identifier: 2696	1	0
NtResumeThread May 20, 2022, 1:14 p.m.	thread_handle: 0x00000234 suspend_count: 1 process_identifier: 2696	1	0
NtResumeThread May 20, 2022, 1:14 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2696	1	0
NtResumeThread May 20, 2022, 1:14 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2696	1	0
NtResumeThread May 20, 2022, 1:14 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2696	1	0
NtResumeThread May 20, 2022, 1:14 p.m.	thread_handle: 0x00000310 suspend_count: 1 process_identifier: 2696	1	0
NtResumeThread May 20, 2022, 1:14 p.m.	thread_handle: 0x00000330 suspend_count: 1 process_identifier: 2696	1	0
NtResumeThread May 20, 2022, 1:14 p.m.	thread_handle: 0x0000038c suspend_count: 1 process_identifier: 2696	1	0
NtResumeThread May 20, 2022, 1:14 p.m.	thread_handle: 0x00000404 suspend_count: 1 process_identifier: 2696	1	0
NtResumeThread May 20, 2022, 1:14 p.m.	thread_handle: 0x000003fc suspend_count: 1 process_identifier: 2696	1	0
NtResumeThread May 20, 2022, 1:14 p.m.	thread_handle: 0x00000414 suspend_count: 1 process_identifier: 2696	1	0
NtResumeThread May 20, 2022, 1:15 p.m.	thread_handle: 0x00000414 suspend_count: 1 process_identifier: 2696	1	0

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All