Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 10, 2021, 9:30 a.m.	June 10, 2021, 9:39 a.m.

Size	856.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`a853becef668c582b4598a48ada05331`
SHA256	`9f505b6b238543bdf2f4dedea6e0d2d2b72f285ebcea82b76311878975857b62`
CRC32	`B16CC1BF`
ssdeep	`24576:bbAG1vjqUpzWV+uL9URqBEdANSav9BG2:ZHpqVWqBEyNSav9BG`
PDB Path	C:\Users\Administrator\Desktop\Client\Temp\IIxzVKZxCx\src\obj\x86\Debug\AssemblyMetadataAttribute.pdb
Yara	Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult PE_Header_Zero - PE File Signature Admin_Tool_IN_Zero - Admin Tool Sysinternals Is_DotNET_EXE - (no description) OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
5620
- schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uzPuBH" /XML "C:\Users\test22\AppData\Local\Temp\tmp8943.tmp"
  1892
- vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
  4788

Name	Response	Post-Analysis Lookup
www.iptrackeronline.com	A 104.26.0.222 A 104.26.1.222 A 172.67.74.63	172.67.74.63
safeduringthecoronavirus.duckdns.org	A 194.5.98.144	194.5.98.144

IP Address	Status	Action
104.26.0.222	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
194.5.98.144	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49815 -> 104.26.0.222:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.102:57660 -> 164.124.101.2:53	2029710	ET HUNTING Suspicious Domain Request for Possible COVID-19 Domain M2	Potentially Bad Traffic
UDP 192.168.56.102:57660 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49815 104.26.0.222:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	fd:85:66:b5:ad:91:10:bc:c3:8b:35:5e:ae:e9:8a:bd:de:97:ac:e9

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 10, 2021, 9:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 10, 2021, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 10, 2021, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 10, 2021, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 10, 2021, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 10, 2021, 9:32 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 10, 2021, 9:30 a.m.			0	0
IsDebuggerPresent June 10, 2021, 9:30 a.m.			0	0
IsDebuggerPresent June 10, 2021, 9:31 a.m.			0	0
IsDebuggerPresent June 10, 2021, 9:31 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW June 10, 2021, 9:31 a.m.	buffer: SUCCESS: The scheduled task "Updates\uzPuBH" has successfully been created. console_handle: 0x00000007	1	1	0

Uses Windows APIs to generate a cryptographic key (6 events)

Time & API	Arguments	Status	Return
CryptExportKey June 10, 2021, 9:30 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00799d58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 10, 2021, 9:30 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00799918 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 10, 2021, 9:30 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00799918 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 10, 2021, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00724cb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 10, 2021, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00724cb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 10, 2021, 9:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00724d38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

C:\Users\Administrator\Desktop\Client\Temp\IIxzVKZxCx\src\obj\x86\Debug\AssemblyMetadataAttribute.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 10, 2021, 9:30 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 10, 2021, 9:31 a.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x6fd51194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x6fc22ba1 0x4334aa8 0x4334f7a 0x4334e62 0x4333077 0x4331c80 0x43314e5 0x4330e04 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6fbc9df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6fbc9e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6fbc9efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6fbc9fa2 LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x6fc2564b CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x6fbfbe63 CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x6fbfb998 CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x6fbfb726 CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x6fbfbf68 CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x6fbfbce4 DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x6fbbcca4 DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x6fbbcd37 DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x6fca8841 LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x6fc214e9 mscorlib+0x2d3711 @ 0x6eeb3711 mscorlib+0x308f2d @ 0x6eee8f2d mscorlib+0x2cb060 @ 0x6eeab060 0x4330dc2 0x719f09 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737 mscorlib+0x2d36ad @ 0x6eeb36ad mscorlib+0x308f2d @ 0x6eee8f2d mscorlib+0x3135ed @ 0x6eef35ed mscorlib+0x9873b1 @ 0x6f5673b1 0x719b69 0x718e18 0x710b12 0x710a19 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 CoUninitializeEE+0x789b CreateAssemblyNameObject-0x63ba clr+0x270df @ 0x6fbc70df LogHelp_TerminateOnAssert+0x55ee GetPrivateContextsPerfCounters-0x13e54 clr+0x7412e @ 0x6fc1412e mscorlib+0x2f1c22 @ 0x6eed1c22 mscorlib+0x2f1b99 @ 0x6eed1b99 mscorlib+0x30e9a6 @ 0x6eeee9a6 0x71073f 0x7104b9 0x7103cd microsoft+0x129ed1 @ 0x72129ed1 microsoft+0x12ad86 @ 0x7212ad86 microsoft+0x12b191 @ 0x7212b191 0x7100bd DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 5685320 registers.edi: 0 registers.eax: 5685320 registers.ebp: 5685400 registers.edx: 0 registers.ebx: 8396672 registers.esi: 7868752 registers.ecx: 3435106536	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

June 10, 2021, 9:31 a.m.

stacktrace:

CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x6fd51194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x6fc22ba1
0x4334aa8
0x4334f7a
0x4334e62
0x4333077
0x4331c80
0x43314e5
0x4330e04
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6fbc9df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6fbc9e2f
CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6fbc9efd
CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6fbc9fa2
LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x6fc2564b
CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x6fbfbe63
CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x6fbfb998
CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x6fbfb726
CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x6fbfbf68
CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x6fbfbce4
DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x6fbbcca4
DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x6fbbcd37
DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x6fca8841
LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x6fc214e9
mscorlib+0x2d3711 @ 0x6eeb3711
mscorlib+0x308f2d @ 0x6eee8f2d
mscorlib+0x2cb060 @ 0x6eeab060
0x4330dc2
0x719f09
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6fc21838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6fc21737
mscorlib+0x2d36ad @ 0x6eeb36ad
mscorlib+0x308f2d @ 0x6eee8f2d
mscorlib+0x3135ed @ 0x6eef35ed
mscorlib+0x9873b1 @ 0x6f5673b1
0x719b69
0x718e18
0x710b12
0x710a19
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
CoUninitializeEE+0x789b CreateAssemblyNameObject-0x63ba clr+0x270df @ 0x6fbc70df
LogHelp_TerminateOnAssert+0x55ee GetPrivateContextsPerfCounters-0x13e54 clr+0x7412e @ 0x6fc1412e
mscorlib+0x2f1c22 @ 0x6eed1c22
mscorlib+0x2f1b99 @ 0x6eed1b99
mscorlib+0x30e9a6 @ 0x6eeee9a6
0x71073f
0x7104b9
0x7103cd
microsoft+0x129ed1 @ 0x72129ed1
microsoft+0x12ad86 @ 0x7212ad86
microsoft+0x12b191 @ 0x7212b191
0x7100bd
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 5685320
registers.edi: 0
registers.eax: 5685320
registers.ebp: 5685400
registers.edx: 0
registers.ebx: 8396672
registers.esi: 7868752
registers.ecx: 3435106536

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Connects to a Dynamic DNS Domain (1 event)

domain

safeduringthecoronavirus.duckdns.org

Performs some HTTP requests (2 events)

request	GET http://www.iptrackeronline.com/
request	GET https://www.iptrackeronline.com/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 154 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory June 10, 2021, 9:30 a.m.	process_identifier: 5620 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00930000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 10, 2021, 9:30 a.m.	process_identifier: 5620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 10, 2021, 9:30 a.m.	process_identifier: 5620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 10, 2021, 9:30 a.m.	process_identifier: 5620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 10, 2021, 9:30 a.m.	process_identifier: 5620 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 10, 2021, 9:30 a.m.	process_identifier: 5620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 10, 2021, 9:30 a.m.	process_identifier: 5620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 10, 2021, 9:30 a.m.	process_identifier: 5620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 10, 2021, 9:30 a.m.	process_identifier: 5620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 10, 2021, 9:30 a.m.	process_identifier: 5620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 10, 2021, 9:30 a.m.	process_identifier: 5620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 10, 2021, 9:30 a.m.	process_identifier: 5620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 10, 2021, 9:30 a.m.	process_identifier: 5620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 10, 2021, 9:30 a.m.	process_identifier: 5620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 10, 2021, 9:30 a.m.	process_identifier: 5620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 10, 2021, 9:30 a.m.	process_identifier: 5620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 10, 2021, 9:30 a.m.	process_identifier: 5620 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 10, 2021, 9:30 a.m.	process_identifier: 5620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 10, 2021, 9:30 a.m.	process_identifier: 5620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 10, 2021, 9:30 a.m.	process_identifier: 5620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 10, 2021, 9:30 a.m.	process_identifier: 5620 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 10, 2021, 9:30 a.m.	process_identifier: 5620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 10, 2021, 9:30 a.m.	process_identifier: 5620 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00711000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 10, 2021, 9:30 a.m.	process_identifier: 5620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00719000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 10, 2021, 9:30 a.m.	process_identifier: 5620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 10, 2021, 9:30 a.m.	process_identifier: 5620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 10, 2021, 9:30 a.m.	process_identifier: 5620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0071a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 10, 2021, 9:31 a.m.	process_identifier: 5620 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0071b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 10, 2021, 9:31 a.m.	process_identifier: 5620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04330000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 10, 2021, 9:31 a.m.	process_identifier: 5620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003dd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 10, 2021, 9:31 a.m.	process_identifier: 5620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003de000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 10, 2021, 9:31 a.m.	process_identifier: 5620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04331000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 10, 2021, 9:31 a.m.	process_identifier: 5620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04332000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 10, 2021, 9:31 a.m.	process_identifier: 5620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04333000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 10, 2021, 9:31 a.m.	process_identifier: 5620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04334000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 10, 2021, 9:31 a.m.	process_identifier: 5620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04335000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 10, 2021, 9:31 a.m.	process_identifier: 5620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04336000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 10, 2021, 9:31 a.m.	process_identifier: 5620 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04337000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 10, 2021, 9:31 a.m.	process_identifier: 5620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05250178 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 10, 2021, 9:31 a.m.	process_identifier: 5620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052501a0 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 10, 2021, 9:31 a.m.	process_identifier: 5620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052501c8 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 10, 2021, 9:31 a.m.	process_identifier: 5620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052e5b8e process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 10, 2021, 9:31 a.m.	process_identifier: 5620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052e5b82 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 10, 2021, 9:31 a.m.	process_identifier: 5620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 72 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05250208 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 10, 2021, 9:31 a.m.	process_identifier: 5620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052bf400 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 10, 2021, 9:31 a.m.	process_identifier: 5620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052bf424 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 10, 2021, 9:31 a.m.	process_identifier: 5620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052bf42c process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 10, 2021, 9:31 a.m.	process_identifier: 5620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052bf430 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 10, 2021, 9:31 a.m.	process_identifier: 5620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052bf438 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 10, 2021, 9:31 a.m.	process_identifier: 5620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052bf43c process_handle: 0xffffffff		3221225550

A process attempted to delay the analysis task. (1 event)

description

vbc.exe tried to sleep 210 seconds, actually delayed analysis time by 210 seconds

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uzPuBH" /XML "C:\Users\test22\AppData\Local\Temp\tmp8943.tmp"
cmdline	schtasks.exe /Create /TN "Updates\uzPuBH" /XML "C:\Users\test22\AppData\Local\Temp\tmp8943.tmp"

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 10, 2021, 9:31 a.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\uzPuBH" /XML "C:\Users\test22\AppData\Local\Temp\tmp8943.tmp" filepath: schtasks.exe	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 10, 2021, 9:32 a.m.	flags: 1158 family: 0	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000d1000', u'virtual_address': u'0x00002000', u'entropy': 7.665223962750477, u'name': u'.text', u'virtual_size': u'0x000d0ec4'}

entropy

7.66522396275

description

A section with a high entropy has been found

entropy

0.977206312098

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 10, 2021, 9:31 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW June 10, 2021, 9:31 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (14 events)

description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Record Audio	rule	Sniff_Audio
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Detection of Virtual Appliances through the use of WMI for use of evasion.	rule	WMI_VM_Detect
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uzPuBH" /XML "C:\Users\test22\AppData\Local\Temp\tmp8943.tmp"
cmdline	schtasks.exe /Create /TN "Updates\uzPuBH" /XML "C:\Users\test22\AppData\Local\Temp\tmp8943.tmp"

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 10, 2021, 9:31 a.m.	process_identifier: 4788 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000364	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation June 10, 2021, 9:32 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\tmp8943.tmp

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory June 10, 2021, 9:31 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELj"ïTà¤ À@ @Ì£OÀhà H.text$ `.rsrchÀ@@.relocà@B base_address: 0x00400000 process_identifier: 4788 process_handle: 0x00000364	1	1
WriteProcessMemory June 10, 2021, 9:31 a.m.	buffer: 0HXÀ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°lStringFileInfoH000004b00CommentsDescription4 CompanyNameMicrosoft8FileDescriptionClient0FileVersion1.0.0.0,InternalName1.exe\LegalCopyrightCopyright © Microsoft 20134OriginalFilename1.exe<ProductNameClientProduct4ProductVersion1.0.0.08Assembly Version1.0.0.0 base_address: 0x0045c000 process_identifier: 4788 process_handle: 0x00000364	1	1
WriteProcessMemory June 10, 2021, 9:31 a.m.	buffer: 4 base_address: 0x0045e000 process_identifier: 4788 process_handle: 0x00000364	1	1
WriteProcessMemory June 10, 2021, 9:31 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 4788 process_handle: 0x00000364	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory June 10, 2021, 9:31 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELj"ïTà¤ À@ @Ì£OÀhà H.text$ `.rsrchÀ@@.relocà@B base_address: 0x00400000 process_identifier: 4788 process_handle: 0x00000364	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW June 10, 2021, 9:31 a.m.	thread_identifier: 0 callback_function: 0x006408a2 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00000000	1	35848785	0

File has been identified by 12 AntiVirus engines on VirusTotal as malicious (12 events)

MicroWorld-eScan	Gen:Variant.Bulz.508703
Cyren	W32/MSIL_Agent.CAE.gen!Eldorado
Symantec	Scr.Malcode!gdn30
ESET-NOD32	a variant of MSIL/Kryptik.ABJN
Kaspersky	HEUR:Backdoor.MSIL.Crysan.gen
Ad-Aware	Gen:Variant.Bulz.508703
TrendMicro	TrojanSpy.MSIL.NEGASTEAL.SMG
APEX	Malicious
Microsoft	Trojan:MSIL/AgentTesla.BHT!MTB
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.AgentTesla.R424914
MaxSecure	Trojan.Malware.300983.susgen

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 5620 called NtSetContextThread to modify thread in remote process 4788
NtSetContextThread June 10, 2021, 9:31 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4563998 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000368 process_identifier: 4788	1	0	0

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Local\Temp\vbc.exe:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 5620 resumed a thread in remote process 4788
NtResumeThread June 10, 2021, 9:31 a.m.	thread_handle: 0x00000368 suspend_count: 1 process_identifier: 4788	1	0	0

Executed a process and injected code into it, probably while unpacking (39 events)

Time & API	Arguments	Status	Return
NtResumeThread June 10, 2021, 9:30 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 5620	1	0
NtResumeThread June 10, 2021, 9:30 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 5620	1	0
NtResumeThread June 10, 2021, 9:30 a.m.	thread_handle: 0x0000015c suspend_count: 1 process_identifier: 5620	1	0
NtResumeThread June 10, 2021, 9:31 a.m.	thread_handle: 0x0000025c suspend_count: 1 process_identifier: 5620	1	0
NtGetContextThread June 10, 2021, 9:31 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread June 10, 2021, 9:31 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread June 10, 2021, 9:31 a.m.	thread_handle: 0x000000e0	1	0
NtSetContextThread June 10, 2021, 9:31 a.m.	registers.eip: 1874996100 registers.esp: 5685528 registers.edi: 5685588 registers.eax: 74911132 registers.ebp: 5685604 registers.edx: 6 registers.ebx: 0 registers.esi: 37009284 registers.ecx: 11 thread_handle: 0x000000e0 process_identifier: 5620	1	0
NtResumeThread June 10, 2021, 9:31 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 5620	1	0
CreateProcessInternalW June 10, 2021, 9:31 a.m.	thread_identifier: 6980 thread_handle: 0x000003c0 process_identifier: 1892 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uzPuBH" /XML "C:\Users\test22\AppData\Local\Temp\tmp8943.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003c4	1	1
CreateProcessInternalW June 10, 2021, 9:31 a.m.	thread_identifier: 3176 thread_handle: 0x00000368 process_identifier: 4788 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\vbc.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000364	1	1
NtGetContextThread June 10, 2021, 9:31 a.m.	thread_handle: 0x00000368	1	0
NtAllocateVirtualMemory June 10, 2021, 9:31 a.m.	process_identifier: 4788 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000364	1	0
WriteProcessMemory June 10, 2021, 9:31 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELj"ïTà¤ À@ @Ì£OÀhà H.text$ `.rsrchÀ@@.relocà@B base_address: 0x00400000 process_identifier: 4788 process_handle: 0x00000364	1	1
WriteProcessMemory June 10, 2021, 9:31 a.m.	buffer: base_address: 0x00402000 process_identifier: 4788 process_handle: 0x00000364	1	1
WriteProcessMemory June 10, 2021, 9:31 a.m.	buffer: 0HXÀ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°lStringFileInfoH000004b00CommentsDescription4 CompanyNameMicrosoft8FileDescriptionClient0FileVersion1.0.0.0,InternalName1.exe\LegalCopyrightCopyright © Microsoft 20134OriginalFilename1.exe<ProductNameClientProduct4ProductVersion1.0.0.08Assembly Version1.0.0.0 base_address: 0x0045c000 process_identifier: 4788 process_handle: 0x00000364	1	1
WriteProcessMemory June 10, 2021, 9:31 a.m.	buffer: 4 base_address: 0x0045e000 process_identifier: 4788 process_handle: 0x00000364	1	1
WriteProcessMemory June 10, 2021, 9:31 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 4788 process_handle: 0x00000364	1	1
NtSetContextThread June 10, 2021, 9:31 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4563998 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000368 process_identifier: 4788	1	0
NtResumeThread June 10, 2021, 9:31 a.m.	thread_handle: 0x00000368 suspend_count: 1 process_identifier: 4788	1	0
NtResumeThread June 10, 2021, 9:31 a.m.	thread_handle: 0x000003cc suspend_count: 1 process_identifier: 5620	1	0
NtResumeThread June 10, 2021, 9:31 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 4788	1	0
NtResumeThread June 10, 2021, 9:31 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 4788	1	0
NtResumeThread June 10, 2021, 9:31 a.m.	thread_handle: 0x000001c8 suspend_count: 1 process_identifier: 4788	1	0
NtResumeThread June 10, 2021, 9:31 a.m.	thread_handle: 0x000001fc suspend_count: 1 process_identifier: 4788	1	0
NtResumeThread June 10, 2021, 9:31 a.m.	thread_handle: 0x00000210 suspend_count: 1 process_identifier: 4788	1	0
NtResumeThread June 10, 2021, 9:31 a.m.	thread_handle: 0x00000230 suspend_count: 1 process_identifier: 4788	1	0
NtResumeThread June 10, 2021, 9:31 a.m.	thread_handle: 0x0000028c suspend_count: 1 process_identifier: 4788	1	0
NtResumeThread June 10, 2021, 9:31 a.m.	thread_handle: 0x000002a0 suspend_count: 1 process_identifier: 4788	1	0
NtResumeThread June 10, 2021, 9:31 a.m.	thread_handle: 0x000002d0 suspend_count: 1 process_identifier: 4788	1	0
NtResumeThread June 10, 2021, 9:31 a.m.	thread_handle: 0x00000320 suspend_count: 1 process_identifier: 4788	1	0
NtResumeThread June 10, 2021, 9:31 a.m.	thread_handle: 0x00000330 suspend_count: 1 process_identifier: 4788	1	0
NtResumeThread June 10, 2021, 9:31 a.m.	thread_handle: 0x0000036c suspend_count: 1 process_identifier: 4788	1	0
NtResumeThread June 10, 2021, 9:31 a.m.	thread_handle: 0x0000039c suspend_count: 1 process_identifier: 4788	1	0
NtResumeThread June 10, 2021, 9:31 a.m.	thread_handle: 0x000003c8 suspend_count: 1 process_identifier: 4788	1	0
NtResumeThread June 10, 2021, 9:32 a.m.	thread_handle: 0x000003e0 suspend_count: 1 process_identifier: 4788	1	0
NtResumeThread June 10, 2021, 9:32 a.m.	thread_handle: 0x00000510 suspend_count: 1 process_identifier: 4788	1	0
NtResumeThread June 10, 2021, 9:32 a.m.	thread_handle: 0x0000060c suspend_count: 1 process_identifier: 4788	1	0
NtResumeThread June 10, 2021, 9:32 a.m.	thread_handle: 0x00000568 suspend_count: 1 process_identifier: 4788	1	0

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All