Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 12, 2021, 12:04 p.m.	May 12, 2021, 12:06 p.m.

Size	603.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`fcbe097d79c7051e75b2e5049bef5999`
SHA256	`9171cd06885b2fba3cd37d0b3651c90dc787d6f2e432e4a1b13defb0efb36df6`
CRC32	`AFE16D19`
ssdeep	`12288:xx1w/L8rYOLUYQLDnvio4kTnckHdzT+Sb3YUj6cjwPLPwSOBsK9KXb:DQCYASLDnv4MHdz6SkW6OwPLPwSOF9Kr`
Yara	Malicious_Library_Zero - Malicious_Library Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description)

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
2208
- vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
  8248

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 12, 2021, 12:04 p.m.			0	0
IsDebuggerPresent May 12, 2021, 12:04 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey May 12, 2021, 12:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0068f430 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 12:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0068f4b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 12:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0068f4b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 12, 2021, 12:04 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 12, 2021, 12:06 p.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x6fd51194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x6fc22ba1 0x7f5c32 0x7f6102 0x7f5fea 0x7f48db 0x7f2ed0 0x7f23e6 0x7f20d4 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6fbc9df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6fbc9e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6fbc9efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6fbc9fa2 LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x6fc2564b CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x6fbfbe63 CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x6fbfb998 CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x6fbfb726 CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x6fbfbf68 CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x6fbfbce4 DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x6fbbcca4 DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x6fbbcd37 DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x6fca8841 LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x6fc214e9 mscorlib+0x2d3711 @ 0x6eeb3711 mscorlib+0x308f2d @ 0x6eee8f2d mscorlib+0x2cb060 @ 0x6eeab060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737 mscorlib+0x2d36ad @ 0x6eeb36ad mscorlib+0x308f2d @ 0x6eee8f2d microsoft+0x50c17 @ 0x72050c17 microsoft+0x3f05f @ 0x7203f05f microsoft+0x3e4d4 @ 0x7203e4d4 microsoft+0x3cda4 @ 0x7203cda4 0x7f143e DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737 mscorlib+0x2d36ad @ 0x6eeb36ad mscorlib+0x308f2d @ 0x6eee8f2d mscorlib+0x2cb060 @ 0x6eeab060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737 mscorlib+0x2d36ad @ 0x6eeb36ad mscorlib+0x308f2d @ 0x6eee8f2d microsoft+0x50c17 @ 0x72050c17 microsoft+0x3f05f @ 0x7203f05f microsoft+0x3e4d4 @ 0x7203e4d4 microsoft+0x3cda4 @ 0x7203cda4 0x7f1025 0x7f0b3b 0x7f09df DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 CoUninitializeEE+0x789b CreateAssemblyNameObject-0x63ba clr+0x270df @ 0x6fbc70df LogHelp_TerminateOnAssert+0x55ee GetPrivateContextsPerfCounters-0x13e54 clr+0x7412e @ 0x6fc1412e exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 5098576 registers.edi: 0 registers.eax: 5098576 registers.ebp: 5098656 registers.edx: 0 registers.ebx: 6874328 registers.esi: 6379176 registers.ecx: 2377696445	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

May 12, 2021, 12:06 p.m.

stacktrace:

CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x6fd51194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x6fc22ba1
0x7f5c32
0x7f6102
0x7f5fea
0x7f48db
0x7f2ed0
0x7f23e6
0x7f20d4
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6fbc9df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6fbc9e2f
CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6fbc9efd
CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6fbc9fa2
LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x6fc2564b
CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x6fbfbe63
CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x6fbfb998
CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x6fbfb726
CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x6fbfbf68
CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x6fbfbce4
DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x6fbbcca4
DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x6fbbcd37
DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x6fca8841
LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x6fc214e9
mscorlib+0x2d3711 @ 0x6eeb3711
mscorlib+0x308f2d @ 0x6eee8f2d
mscorlib+0x2cb060 @ 0x6eeab060
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737
mscorlib+0x2d36ad @ 0x6eeb36ad
mscorlib+0x308f2d @ 0x6eee8f2d
microsoft+0x50c17 @ 0x72050c17
microsoft+0x3f05f @ 0x7203f05f
microsoft+0x3e4d4 @ 0x7203e4d4
microsoft+0x3cda4 @ 0x7203cda4
0x7f143e
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737
mscorlib+0x2d36ad @ 0x6eeb36ad
mscorlib+0x308f2d @ 0x6eee8f2d
mscorlib+0x2cb060 @ 0x6eeab060
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737
mscorlib+0x2d36ad @ 0x6eeb36ad
mscorlib+0x308f2d @ 0x6eee8f2d
microsoft+0x50c17 @ 0x72050c17
microsoft+0x3f05f @ 0x7203f05f
microsoft+0x3e4d4 @ 0x7203e4d4
microsoft+0x3cda4 @ 0x7203cda4
0x7f1025
0x7f0b3b
0x7f09df
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
CoUninitializeEE+0x789b CreateAssemblyNameObject-0x63ba clr+0x270df @ 0x6fbc70df
LogHelp_TerminateOnAssert+0x55ee GetPrivateContextsPerfCounters-0x13e54 clr+0x7412e @ 0x6fc1412e

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 5098576
registers.edi: 0
registers.eax: 5098576
registers.ebp: 5098656
registers.edx: 0
registers.ebx: 6874328
registers.esi: 6379176
registers.ecx: 2377696445

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 76 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory May 12, 2021, 12:04 p.m.	process_identifier: 2208 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00810000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 12:04 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 12, 2021, 12:04 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 12, 2021, 12:04 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 12:04 p.m.	process_identifier: 2208 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fd0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 12:04 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02170000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 12:04 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 12:04 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 12:04 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 12:04 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 12:04 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 12:04 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 12:04 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 12:04 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 12:04 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 12:04 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 12:04 p.m.	process_identifier: 2208 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 12:04 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 12:04 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 12:04 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 12:04 p.m.	process_identifier: 2208 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 12:04 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 12:04 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 12:04 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 12, 2021, 12:04 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 12:04 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 12:06 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 12:06 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003dd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 12:06 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 12:06 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 12:06 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 12:06 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 12:06 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 12:06 p.m.	process_identifier: 2208 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007f8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 12, 2021, 12:06 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f70178 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 12, 2021, 12:06 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f701a0 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 12, 2021, 12:06 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f701c8 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 12, 2021, 12:06 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fea48e process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 12, 2021, 12:06 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fea482 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 12, 2021, 12:06 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 72 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f70208 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 12, 2021, 12:06 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fc3dd0 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 12, 2021, 12:06 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fc3df4 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 12, 2021, 12:06 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fc3dfc process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 12, 2021, 12:06 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fc3e00 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 12, 2021, 12:06 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fc3e08 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 12, 2021, 12:06 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fc3e0c process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 12, 2021, 12:06 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fc3e10 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 12, 2021, 12:06 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fc3e14 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 12, 2021, 12:06 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fc3e1c process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 12, 2021, 12:06 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fc3e20 process_handle: 0xffffffff		3221225550

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00096200', u'virtual_address': u'0x00002000', u'entropy': 7.719192813724078, u'name': u'.text', u'virtual_size': u'0x0009618c'}

entropy

7.71919281372

description

A section with a high entropy has been found

entropy

0.996680497925

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 12, 2021, 12:06 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW May 12, 2021, 12:06 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Terminates another process (6 events)

Time & API	Arguments	Status
NtTerminateProcess May 12, 2021, 12:06 p.m.	status_code: 0xffffffff process_identifier: 7316 process_handle: 0x00000298
NtTerminateProcess May 12, 2021, 12:06 p.m.	status_code: 0xffffffff process_identifier: 7316 process_handle: 0x00000298	1
NtTerminateProcess May 12, 2021, 12:06 p.m.	status_code: 0xffffffff process_identifier: 1036 process_handle: 0x000002a8
NtTerminateProcess May 12, 2021, 12:06 p.m.	status_code: 0xffffffff process_identifier: 1036 process_handle: 0x000002a8	1
NtTerminateProcess May 12, 2021, 12:06 p.m.	status_code: 0xffffffff process_identifier: 9100 process_handle: 0x000002b0
NtTerminateProcess May 12, 2021, 12:06 p.m.	status_code: 0xffffffff process_identifier: 9100 process_handle: 0x000002b0	1

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Allocates execute permission to another process indicative of possible code injection (4 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory May 12, 2021, 12:06 p.m.	process_identifier: 7316 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000294		3221225496
NtAllocateVirtualMemory May 12, 2021, 12:06 p.m.	process_identifier: 1036 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a0		3221225496
NtAllocateVirtualMemory May 12, 2021, 12:06 p.m.	process_identifier: 9100 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a4		3221225496
NtAllocateVirtualMemory May 12, 2021, 12:06 p.m.	process_identifier: 8248 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002ac	1	0

Manipulates memory of a non-child process indicative of process injection (6 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 2208 manipulating memory of non-child process 7316
Process injection	Process 2208 manipulating memory of non-child process 1036
Process injection	Process 2208 manipulating memory of non-child process 9100
NtAllocateVirtualMemory May 12, 2021, 12:06 p.m.	process_identifier: 7316 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000294	3221225496	0
NtAllocateVirtualMemory May 12, 2021, 12:06 p.m.	process_identifier: 1036 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a0	3221225496	0
NtAllocateVirtualMemory May 12, 2021, 12:06 p.m.	process_identifier: 9100 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a4	3221225496	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory May 12, 2021, 12:06 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPEL2Sà rÐÐ@@.textpr ` base_address: 0x00400000 process_identifier: 8248 process_handle: 0x000002ac	1	1	0
WriteProcessMemory May 12, 2021, 12:06 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 8248 process_handle: 0x000002ac	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory May 12, 2021, 12:06 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPEL2Sà rÐÐ@@.textpr ` base_address: 0x00400000 process_identifier: 8248 process_handle: 0x000002ac	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2208 called NtSetContextThread to modify thread in remote process 8248
NtSetContextThread May 12, 2021, 12:06 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4313296 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002b0 process_identifier: 8248	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2208 resumed a thread in remote process 8248
NtResumeThread May 12, 2021, 12:06 p.m.	thread_handle: 0x000002b0 suspend_count: 1 process_identifier: 8248	1	0	0

File has been identified by 21 AntiVirus engines on VirusTotal as malicious (21 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.fcbe097d79c7051e
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
BitDefenderTheta	Gen:NN.ZemsilCO.34688.Lm0@aqmFRsn
Cyren	W32/MSIL_Kryptik.CYQ.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Kryptik.AAVJ
APEX	Malicious
Avast	Win32:RATX-gen [Trj]
Kaspersky	HEUR:Trojan.MSIL.Taskun.gen
Sophos	ML/PE-A
McAfee-GW-Edition	BehavesLike.Win32.Generic.jc
Microsoft	Trojan:Win32/AgentTesla!ml
Cynet	Malicious (score: 100)
Malwarebytes	MachineLearning/Anomalous.94%
SentinelOne	Static AI - Malicious PE
Fortinet	MSIL/Kryptik.CYQ!tr
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:RATX-gen [Trj]
CrowdStrike	win/malicious_confidence_60% (W)

Executed a process and injected code into it, probably while unpacking (26 events)

Time & API	Arguments	Status	Return
NtResumeThread May 12, 2021, 12:04 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2208	1	0
NtResumeThread May 12, 2021, 12:04 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2208	1	0
NtResumeThread May 12, 2021, 12:04 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2208	1	0
NtResumeThread May 12, 2021, 12:06 p.m.	thread_handle: 0x00000254 suspend_count: 1 process_identifier: 2208	1	0
NtGetContextThread May 12, 2021, 12:06 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread May 12, 2021, 12:06 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread May 12, 2021, 12:06 p.m.	thread_handle: 0x000000e0	1	0
NtSetContextThread May 12, 2021, 12:06 p.m.	registers.eip: 1874996100 registers.esp: 5098784 registers.edi: 5098844 registers.eax: -1506514334 registers.ebp: 5098860 registers.edx: 37880356 registers.ebx: 0 registers.esi: 37880356 registers.ecx: 37880356 thread_handle: 0x000000e0 process_identifier: 2208	1	0
NtResumeThread May 12, 2021, 12:06 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2208	1	0
CreateProcessInternalW May 12, 2021, 12:06 p.m.	thread_identifier: 6080 thread_handle: 0x00000290 process_identifier: 7316 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\vbc.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000294	1	1
NtGetContextThread May 12, 2021, 12:06 p.m.	thread_handle: 0x00000290	1	0
NtAllocateVirtualMemory May 12, 2021, 12:06 p.m.	process_identifier: 7316 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000294		3221225496
CreateProcessInternalW May 12, 2021, 12:06 p.m.	thread_identifier: 4012 thread_handle: 0x00000298 process_identifier: 1036 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\vbc.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002a0	1	1
NtGetContextThread May 12, 2021, 12:06 p.m.	thread_handle: 0x00000298	1	0
NtAllocateVirtualMemory May 12, 2021, 12:06 p.m.	process_identifier: 1036 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a0		3221225496
CreateProcessInternalW May 12, 2021, 12:06 p.m.	thread_identifier: 4788 thread_handle: 0x000002a8 process_identifier: 9100 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\vbc.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002a4	1	1
NtGetContextThread May 12, 2021, 12:06 p.m.	thread_handle: 0x000002a8	1	0
NtAllocateVirtualMemory May 12, 2021, 12:06 p.m.	process_identifier: 9100 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a4		3221225496
CreateProcessInternalW May 12, 2021, 12:06 p.m.	thread_identifier: 7012 thread_handle: 0x000002b0 process_identifier: 8248 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\vbc.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002ac	1	1
NtGetContextThread May 12, 2021, 12:06 p.m.	thread_handle: 0x000002b0	1	0
NtAllocateVirtualMemory May 12, 2021, 12:06 p.m.	process_identifier: 8248 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002ac	1	0
WriteProcessMemory May 12, 2021, 12:06 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPEL2Sà rÐÐ@@.textpr ` base_address: 0x00400000 process_identifier: 8248 process_handle: 0x000002ac	1	1
WriteProcessMemory May 12, 2021, 12:06 p.m.	buffer: base_address: 0x00401000 process_identifier: 8248 process_handle: 0x000002ac	1	1
WriteProcessMemory May 12, 2021, 12:06 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 8248 process_handle: 0x000002ac	1	1
NtSetContextThread May 12, 2021, 12:06 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4313296 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002b0 process_identifier: 8248	1	0
NtResumeThread May 12, 2021, 12:06 p.m.	thread_handle: 0x000002b0 suspend_count: 1 process_identifier: 8248	1	0

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All