Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 20, 2023, 5:31 p.m.	April 20, 2023, 5:39 p.m.

Size	1.2MB
Type	PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
MD5	`f742053cbdcec12c128fa08914285311`
SHA256	`c238d32bf0ff543edd3b8e3277ca1d3a137386d6b458fdf8f98afd41813dd19a`
CRC32	`208B6D0B`
ssdeep	`24576:lOgF4x4F2TyXJuJNPohQzhaqXnX+jdAFFXro72lL5rnX+jdAFFX:Fmm2T0JSNgakqXsYVSiLRsY`
Yara	IsPE64 - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
2576
- AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
  2536

Name	Response	Post-Analysis Lookup
www.white-hat.uk	A 94.176.104.86 CNAME white-hat.uk	94.176.104.86
www.thewildphotographer.co.uk	A 96.126.123.244 A 72.14.185.43 A 72.14.178.174 A 45.33.23.183 A 45.79.19.196 A 198.58.118.167 A 45.33.30.197 A 45.33.2.79 A 45.56.79.23 A 45.33.20.235 A 45.33.18.44 A 173.255.194.134	96.126.123.244
www.younrock.com	A 192.187.111.222	81.17.18.196
www.thedivinerudraksha.com	A 85.187.128.34 CNAME thedivinerudraksha.com	85.187.128.34
www.energyservicestation.com	A 213.145.228.111	213.145.228.111
www.bitservicesltd.com	A 161.97.163.8	161.97.163.8
www.shapshit.xyz	A 199.192.30.147	199.192.30.147
www.222ambking.org	A 91.195.240.94	91.195.240.94
www.gritslab.com	A 78.141.192.145 CNAME gritslab.com	78.141.192.145
www.sqlite.org	A 45.33.6.223	45.33.6.223

IP Address	Status	Action
161.97.163.8	Active	Moloch
164.124.101.2	Active	Moloch
192.187.111.222	Active	Moloch
199.192.30.147	Active	Moloch
213.145.228.111	Active	Moloch
45.33.6.223	Active	Moloch
72.14.178.174	Active	Moloch
78.141.192.145	Active	Moloch
85.187.128.34	Active	Moloch
91.195.240.94	Active	Moloch
94.176.104.86	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49182 -> 199.192.30.147:80	2031088	ET HUNTING Request to .XYZ Domain with Minimal Headers	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 20, 2023, 5:31 p.m.			0	0
IsDebuggerPresent April 20, 2023, 5:31 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (5 events)

Time & API	Arguments	Status	Return
CryptExportKey April 20, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002dabd0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 8	1	1
CryptExportKey April 20, 2023, 5:31 p.m.	buffer: f Ti®<Â±6cøvÄJÐ£ê1Rx¡ crypto_handle: 0x00000000002dabd0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 8	1	1
CryptExportKey April 20, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000339ae0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000339c30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000339c30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 20, 2023, 5:31 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (9 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.white-hat.uk/u2kb/?zT=PXfMycAZpTAipct8YN0l/5TWhYE4yPgF2k7967nf/qU1A0mUqq9Jlnm9rK8XSf3D04yKTuePtKPnTCgwye3M0h5ZtqacmtcmNe/sHow=&DcmN_=UH29gni5kTv7LF
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.gritslab.com/u2kb/?zT=ydCzFiH7iMWnz6xHMKiyYVGDKfWH5+fYQUsmgPEoYCSsyD6HgT3yOGCjssC2N8mKn+GjINYvhr7iKNezbHZCh47jo+mhlV2uXG5eH60=&DcmN_=UH29gni5kTv7LF
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.bitservicesltd.com/u2kb/?zT=rr+sOBvEXsBdGevUk44F/k+BAr88zC1YNHmXivr92FQhRIIYsedR2a+6GoV1WAKeGdj+MTdX512lJXz4UaWEmNABCelIWOCZ3yhH4Z4=&DcmN_=UH29gni5kTv7LF
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.222ambking.org/u2kb/?zT=IEUpLmGg2fqLmrhwD8IHX/zhiiNjbOQDFcodV2ACJcW4bHSQscR3Nc4uRx31p3m0gGv03uToPch8hDrce1eNAdUBSmpSNalx6DQXGQo=&DcmN_=UH29gni5kTv7LF
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.energyservicestation.com/u2kb/?zT=IK59b/MdFRha+CUVM3V2TqbXgrTjD6F66TLC1fPPNwLnZq29gpb1hRWNlrDr258EhEsSnFmalKQEmudxTrusBmUmj2xyJgahFTdaUmU=&DcmN_=UH29gni5kTv7LF
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.younrock.com/u2kb/?zT=05tPwqSdqXO2xf32BmsnsHpgCfZIa2c80hhB3sQ3FFDNPs5AZDU6TyUQmX911UO6Ssjq2b6k9nBD4uDOZrqd7XHQTF+IIpbM/DoOhU4=&DcmN_=UH29gni5kTv7LF
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.thewildphotographer.co.uk/u2kb/?zT=pn+zaWXo7szcfRSxp4kAcR5iap+7ulP+x3705F5u21IqvN9WG9kcDL2FxdXl2W/5MjovaUotkmG6JgF/Eyaa9PeBR2yUVivPQ+uGbEI=&DcmN_=UH29gni5kTv7LF
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.shapshit.xyz/u2kb/?zT=Yd5Rzn4EVOpL1Cl/eY8jjeGdoEKZlYBpl8BtE0ZhlgLGbR5cH1Fn7sihS3XP3GCDon1xi4vL0lQ4XtydV6BMyXIOMzObAfzgUMU2ykM=&DcmN_=UH29gni5kTv7LF
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.thedivinerudraksha.com/u2kb/?zT=im5SXjRwbJIZeY2yetpTdO7N29MJtck2UhYi2fNZ2Kf/X7lq2SPRiB6LR8y/FeM3y7tdA/WTtliq4uHTfapDkaA0PJ0fXInXaKlPglI=&DcmN_=UH29gni5kTv7LF

Performs some HTTP requests (18 events)

request	GET http://www.white-hat.uk/u2kb/?zT=PXfMycAZpTAipct8YN0l/5TWhYE4yPgF2k7967nf/qU1A0mUqq9Jlnm9rK8XSf3D04yKTuePtKPnTCgwye3M0h5ZtqacmtcmNe/sHow=&DcmN_=UH29gni5kTv7LF
request	GET http://www.sqlite.org/2018/sqlite-dll-win32-x86-3260000.zip
request	POST http://www.gritslab.com/u2kb/
request	GET http://www.gritslab.com/u2kb/?zT=ydCzFiH7iMWnz6xHMKiyYVGDKfWH5+fYQUsmgPEoYCSsyD6HgT3yOGCjssC2N8mKn+GjINYvhr7iKNezbHZCh47jo+mhlV2uXG5eH60=&DcmN_=UH29gni5kTv7LF
request	POST http://www.bitservicesltd.com/u2kb/
request	GET http://www.bitservicesltd.com/u2kb/?zT=rr+sOBvEXsBdGevUk44F/k+BAr88zC1YNHmXivr92FQhRIIYsedR2a+6GoV1WAKeGdj+MTdX512lJXz4UaWEmNABCelIWOCZ3yhH4Z4=&DcmN_=UH29gni5kTv7LF
request	POST http://www.222ambking.org/u2kb/
request	GET http://www.222ambking.org/u2kb/?zT=IEUpLmGg2fqLmrhwD8IHX/zhiiNjbOQDFcodV2ACJcW4bHSQscR3Nc4uRx31p3m0gGv03uToPch8hDrce1eNAdUBSmpSNalx6DQXGQo=&DcmN_=UH29gni5kTv7LF
request	POST http://www.energyservicestation.com/u2kb/
request	GET http://www.energyservicestation.com/u2kb/?zT=IK59b/MdFRha+CUVM3V2TqbXgrTjD6F66TLC1fPPNwLnZq29gpb1hRWNlrDr258EhEsSnFmalKQEmudxTrusBmUmj2xyJgahFTdaUmU=&DcmN_=UH29gni5kTv7LF
request	POST http://www.younrock.com/u2kb/
request	GET http://www.younrock.com/u2kb/?zT=05tPwqSdqXO2xf32BmsnsHpgCfZIa2c80hhB3sQ3FFDNPs5AZDU6TyUQmX911UO6Ssjq2b6k9nBD4uDOZrqd7XHQTF+IIpbM/DoOhU4=&DcmN_=UH29gni5kTv7LF
request	POST http://www.thewildphotographer.co.uk/u2kb/
request	GET http://www.thewildphotographer.co.uk/u2kb/?zT=pn+zaWXo7szcfRSxp4kAcR5iap+7ulP+x3705F5u21IqvN9WG9kcDL2FxdXl2W/5MjovaUotkmG6JgF/Eyaa9PeBR2yUVivPQ+uGbEI=&DcmN_=UH29gni5kTv7LF
request	POST http://www.shapshit.xyz/u2kb/
request	GET http://www.shapshit.xyz/u2kb/?zT=Yd5Rzn4EVOpL1Cl/eY8jjeGdoEKZlYBpl8BtE0ZhlgLGbR5cH1Fn7sihS3XP3GCDon1xi4vL0lQ4XtydV6BMyXIOMzObAfzgUMU2ykM=&DcmN_=UH29gni5kTv7LF
request	POST http://www.thedivinerudraksha.com/u2kb/
request	GET http://www.thedivinerudraksha.com/u2kb/?zT=im5SXjRwbJIZeY2yetpTdO7N29MJtck2UhYi2fNZ2Kf/X7lq2SPRiB6LR8y/FeM3y7tdA/WTtliq4uHTfapDkaA0PJ0fXInXaKlPglI=&DcmN_=UH29gni5kTv7LF

Sends data using the HTTP POST Method (8 events)

request	POST http://www.gritslab.com/u2kb/
request	POST http://www.bitservicesltd.com/u2kb/
request	POST http://www.222ambking.org/u2kb/
request	POST http://www.energyservicestation.com/u2kb/
request	POST http://www.younrock.com/u2kb/
request	POST http://www.thewildphotographer.co.uk/u2kb/
request	POST http://www.shapshit.xyz/u2kb/
request	POST http://www.thedivinerudraksha.com/u2kb/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 83 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000008a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000940000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a11000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40ab000 process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000630000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000660000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a12000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a12000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a12000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a12000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a12000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a12000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a12000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a12000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a12000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a12000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a12000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a14000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a14000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a14000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a14000 process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9426a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9431c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94346000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94320000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9427c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94390000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9427a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9428b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9428d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94262000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9427b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9426b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94391000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 6 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000000000 process_handle: 0xffffffffffffffff		-1073741800
NtProtectVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 2 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000000007b process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94392000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9427d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9426c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00135600', u'virtual_address': u'0x00002000', u'entropy': 7.9659964726759585, u'name': u'.text', u'virtual_size': u'0x001354c1'}

entropy

7.96599647268

description

A section with a high entropy has been found

entropy

0.998386446148

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 20, 2023, 5:31 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW April 20, 2023, 5:31 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Terminates another process (34 events)

Time & API	Arguments	Status
NtTerminateProcess April 20, 2023, 5:31 p.m.	status_code: 0xffffffff process_identifier: 2792 process_handle: 0x000000000000029c
NtTerminateProcess April 20, 2023, 5:31 p.m.	status_code: 0xffffffff process_identifier: 2792 process_handle: 0x000000000000029c	1
NtTerminateProcess April 20, 2023, 5:31 p.m.	status_code: 0xffffffff process_identifier: 2828 process_handle: 0x00000000000002a8
NtTerminateProcess April 20, 2023, 5:31 p.m.	status_code: 0xffffffff process_identifier: 2828 process_handle: 0x00000000000002a8	1
NtTerminateProcess April 20, 2023, 5:31 p.m.	status_code: 0xffffffff process_identifier: 2864 process_handle: 0x00000000000002b8
NtTerminateProcess April 20, 2023, 5:31 p.m.	status_code: 0xffffffff process_identifier: 2864 process_handle: 0x00000000000002b8	1
NtTerminateProcess April 20, 2023, 5:31 p.m.	status_code: 0xffffffff process_identifier: 2900 process_handle: 0x00000000000002c0
NtTerminateProcess April 20, 2023, 5:31 p.m.	status_code: 0xffffffff process_identifier: 2900 process_handle: 0x00000000000002c0	1
NtTerminateProcess April 20, 2023, 5:31 p.m.	status_code: 0xffffffff process_identifier: 2936 process_handle: 0x00000000000002c8
NtTerminateProcess April 20, 2023, 5:31 p.m.	status_code: 0xffffffff process_identifier: 2936 process_handle: 0x00000000000002c8	1
NtTerminateProcess April 20, 2023, 5:31 p.m.	status_code: 0xffffffff process_identifier: 2972 process_handle: 0x00000000000002d0
NtTerminateProcess April 20, 2023, 5:31 p.m.	status_code: 0xffffffff process_identifier: 2972 process_handle: 0x00000000000002d0	1
NtTerminateProcess April 20, 2023, 5:31 p.m.	status_code: 0xffffffff process_identifier: 3008 process_handle: 0x00000000000002dc
NtTerminateProcess April 20, 2023, 5:31 p.m.	status_code: 0xffffffff process_identifier: 3008 process_handle: 0x00000000000002dc	1
NtTerminateProcess April 20, 2023, 5:31 p.m.	status_code: 0xffffffff process_identifier: 3044 process_handle: 0x00000000000002e4
NtTerminateProcess April 20, 2023, 5:31 p.m.	status_code: 0xffffffff process_identifier: 3044 process_handle: 0x00000000000002e4	1
NtTerminateProcess April 20, 2023, 5:31 p.m.	status_code: 0xffffffff process_identifier: 1216 process_handle: 0x00000000000002ec
NtTerminateProcess April 20, 2023, 5:31 p.m.	status_code: 0xffffffff process_identifier: 1216 process_handle: 0x00000000000002ec	1
NtTerminateProcess April 20, 2023, 5:31 p.m.	status_code: 0xffffffff process_identifier: 2072 process_handle: 0x00000000000002f4
NtTerminateProcess April 20, 2023, 5:31 p.m.	status_code: 0xffffffff process_identifier: 2072 process_handle: 0x00000000000002f4	1
NtTerminateProcess April 20, 2023, 5:31 p.m.	status_code: 0xffffffff process_identifier: 2120 process_handle: 0x00000000000002fc
NtTerminateProcess April 20, 2023, 5:31 p.m.	status_code: 0xffffffff process_identifier: 2120 process_handle: 0x00000000000002fc	1
NtTerminateProcess April 20, 2023, 5:31 p.m.	status_code: 0xffffffff process_identifier: 1356 process_handle: 0x0000000000000304
NtTerminateProcess April 20, 2023, 5:31 p.m.	status_code: 0xffffffff process_identifier: 1356 process_handle: 0x0000000000000304	1
NtTerminateProcess April 20, 2023, 5:31 p.m.	status_code: 0xffffffff process_identifier: 1400 process_handle: 0x000000000000030c
NtTerminateProcess April 20, 2023, 5:31 p.m.	status_code: 0xffffffff process_identifier: 1400 process_handle: 0x000000000000030c	1
NtTerminateProcess April 20, 2023, 5:31 p.m.	status_code: 0xffffffff process_identifier: 2224 process_handle: 0x0000000000000314
NtTerminateProcess April 20, 2023, 5:31 p.m.	status_code: 0xffffffff process_identifier: 2224 process_handle: 0x0000000000000314	1
NtTerminateProcess April 20, 2023, 5:31 p.m.	status_code: 0xffffffff process_identifier: 2244 process_handle: 0x000000000000031c
NtTerminateProcess April 20, 2023, 5:31 p.m.	status_code: 0xffffffff process_identifier: 2244 process_handle: 0x000000000000031c	1
NtTerminateProcess April 20, 2023, 5:31 p.m.	status_code: 0xffffffff process_identifier: 2368 process_handle: 0x0000000000000324
NtTerminateProcess April 20, 2023, 5:31 p.m.	status_code: 0xffffffff process_identifier: 2368 process_handle: 0x0000000000000324	1
NtTerminateProcess April 20, 2023, 5:31 p.m.	status_code: 0xffffffff process_identifier: 2424 process_handle: 0x000000000000032c
NtTerminateProcess April 20, 2023, 5:31 p.m.	status_code: 0xffffffff process_identifier: 2424 process_handle: 0x000000000000032c	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
cmdline	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: 937442d3297518692432f004be2c37b4632c3b75
buffer	Buffer with sha1: 1878e907d74b816e628c6e5c0952b5e03b57208f

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2936 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002bc		-1073741800
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2972 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002c4		-1073741800
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2536 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000328	1	0

Manipulates memory of a non-child process indicative of process injection (4 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 2576 manipulating memory of non-child process 2936
Process injection	Process 2576 manipulating memory of non-child process 2972
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2936 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002bc	-1073741800	0
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2972 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002c4	-1073741800	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2576 resumed a thread in remote process 2536
NtResumeThread April 20, 2023, 5:31 p.m.	thread_handle: 0x000000000000032c suspend_count: 1 process_identifier: 2536	1	0	0

Executed a process and injected code into it, probably while unpacking (29 events)

Time & API	Arguments	Status	Return
NtResumeThread April 20, 2023, 5:31 p.m.	thread_handle: 0x00000000000000cc suspend_count: 1 process_identifier: 2576	1	0
NtResumeThread April 20, 2023, 5:31 p.m.	thread_handle: 0x0000000000000140 suspend_count: 1 process_identifier: 2576	1	0
NtResumeThread April 20, 2023, 5:31 p.m.	thread_handle: 0x0000000000000180 suspend_count: 1 process_identifier: 2576	1	0
NtResumeThread April 20, 2023, 5:31 p.m.	thread_handle: 0x0000000000000288 suspend_count: 1 process_identifier: 2576	1	0
NtGetContextThread April 20, 2023, 5:31 p.m.	thread_handle: 0x00000000000000d4	1	0
NtGetContextThread April 20, 2023, 5:31 p.m.	thread_handle: 0x00000000000000d4	1	0
NtResumeThread April 20, 2023, 5:31 p.m.	thread_handle: 0x00000000000000d4 suspend_count: 1 process_identifier: 2576	1	0
CreateProcessInternalW April 20, 2023, 5:31 p.m.	thread_identifier: 2796 thread_handle: 0x000000000000028c process_identifier: 2792 current_directory: filepath: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000290	1	1
CreateProcessInternalW April 20, 2023, 5:31 p.m.	thread_identifier: 2832 thread_handle: 0x000000000000029c process_identifier: 2828 current_directory: filepath: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000000000002a0	1	1
CreateProcessInternalW April 20, 2023, 5:31 p.m.	thread_identifier: 2868 thread_handle: 0x00000000000002a8 process_identifier: 2864 current_directory: filepath: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000000000002a4	1	1
CreateProcessInternalW April 20, 2023, 5:31 p.m.	thread_identifier: 2904 thread_handle: 0x00000000000002b8 process_identifier: 2900 current_directory: filepath: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000000000002b4	1	1
CreateProcessInternalW April 20, 2023, 5:31 p.m.	thread_identifier: 2940 thread_handle: 0x00000000000002c0 process_identifier: 2936 current_directory: filepath: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Setup.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Setup.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000000000002bc	1	1
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2936 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002bc		-1073741800
CreateProcessInternalW April 20, 2023, 5:31 p.m.	thread_identifier: 2976 thread_handle: 0x00000000000002c8 process_identifier: 2972 current_directory: filepath: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\KOR\SetupUtility.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\KOR\SetupUtility.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000000000002c4	1	1
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2972 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002c4		-1073741800
CreateProcessInternalW April 20, 2023, 5:31 p.m.	thread_identifier: 3012 thread_handle: 0x00000000000002d0 process_identifier: 3008 current_directory: filepath: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000000000002cc	1	1
CreateProcessInternalW April 20, 2023, 5:31 p.m.	thread_identifier: 3048 thread_handle: 0x00000000000002dc process_identifier: 3044 current_directory: filepath: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000000000002d8	1	1
CreateProcessInternalW April 20, 2023, 5:31 p.m.	thread_identifier: 1120 thread_handle: 0x00000000000002e4 process_identifier: 1216 current_directory: filepath: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000000000002e0	1	1
CreateProcessInternalW April 20, 2023, 5:31 p.m.	thread_identifier: 2076 thread_handle: 0x00000000000002ec process_identifier: 2072 current_directory: filepath: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000000000002e8	1	1
CreateProcessInternalW April 20, 2023, 5:31 p.m.	thread_identifier: 2124 thread_handle: 0x00000000000002f4 process_identifier: 2120 current_directory: filepath: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000000000002f0	1	1
CreateProcessInternalW April 20, 2023, 5:31 p.m.	thread_identifier: 1336 thread_handle: 0x00000000000002fc process_identifier: 1356 current_directory: filepath: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000000000002f8	1	1
CreateProcessInternalW April 20, 2023, 5:31 p.m.	thread_identifier: 2164 thread_handle: 0x0000000000000304 process_identifier: 1400 current_directory: filepath: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000300	1	1
CreateProcessInternalW April 20, 2023, 5:31 p.m.	thread_identifier: 2228 thread_handle: 0x000000000000030c process_identifier: 2224 current_directory: filepath: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000308	1	1
CreateProcessInternalW April 20, 2023, 5:31 p.m.	thread_identifier: 2240 thread_handle: 0x0000000000000314 process_identifier: 2244 current_directory: filepath: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000310	1	1
CreateProcessInternalW April 20, 2023, 5:31 p.m.	thread_identifier: 2404 thread_handle: 0x000000000000031c process_identifier: 2368 current_directory: filepath: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000318	1	1
CreateProcessInternalW April 20, 2023, 5:31 p.m.	thread_identifier: 2420 thread_handle: 0x0000000000000324 process_identifier: 2424 current_directory: filepath: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000320	1	1
CreateProcessInternalW April 20, 2023, 5:31 p.m.	thread_identifier: 2520 thread_handle: 0x000000000000032c process_identifier: 2536 current_directory: filepath: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000328	1	1
NtAllocateVirtualMemory April 20, 2023, 5:31 p.m.	process_identifier: 2536 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000328	1	0
NtResumeThread April 20, 2023, 5:31 p.m.	thread_handle: 0x000000000000032c suspend_count: 1 process_identifier: 2536	1	0

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)

Lionic	Trojan.Win32.Noon.4!c
MicroWorld-eScan	Trojan.GenericKD.66443422
CAT-QuickHeal	TrojanSpy.MSIL
McAfee	Artemis!F742053CBDCE
Cylance	unsafe
Sangfor	Spyware.Msil.Kryptik.Vqeg
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	TrojanSpy:MSIL/Kryptik.f4bac4f4
K7GW	Trojan ( 005a3abc1 )
K7AntiVirus	Trojan ( 005a3abc1 )
Arcabit	Trojan.Generic.D3F5D89E
VirIT	Trojan.Win64.MSIL_Heur.A
Cyren	W64/ABRisk.JEAP-1762
Symantec	Trojan Horse
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Kryptik.AIPR
Cynet	Malicious (score: 100)
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Spy.MSIL.Noon.gen
BitDefender	Trojan.GenericKD.66443422
Avast	Win64:RATX-gen [Trj]
Tencent	Msil.Trojan-Spy.Noon.Wylw
Emsisoft	Trojan.GenericKD.66443422 (B)
F-Secure	Trojan.TR/AD.BadNetLdr.mquxr
VIPRE	Trojan.GenericKD.66443422
McAfee-GW-Edition	BehavesLike.Win64.Generic.tc
FireEye	Trojan.GenericKD.66443422
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
Avira	TR/AD.BadNetLdr.mquxr
Gridinsoft	Ransom.Win64.Sabsik.sa
Microsoft	Trojan:Win32/Formbook.RG!MTB
ZoneAlarm	HEUR:Trojan-Spy.MSIL.Noon.gen
GData	Trojan.GenericKD.66443422
Google	Detected
AhnLab-V3	Trojan/Win.Generic.C5413660
ALYac	Trojan.GenericKD.66443422
MAX	malware (ai score=84)
Malwarebytes	Spyware.FormBook
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002H0CDH23
Rising	Malware.Obfus/MSIL@AI.100 (RDM.MSIL2:dVw04GvwEHcNI1LjFvlHfA)
MaxSecure	Trojan.Malware.121218.susgen
Fortinet	PossibleThreat
AVG	Win64:RATX-gen [Trj]
DeepInstinct	MALICIOUS

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All