Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 27, 2021, 6:47 p.m.	June 27, 2021, 6:54 p.m.

Size	680.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`b6bd7e3441e81b784e91079392abd5ec`
SHA256	`555a20d3756ad65f74f4ea768098c703a14bdb667772223abb8ea6e1c084ee7c`
CRC32	`32083DB8`
ssdeep	`12288:LXk+7jaIWwuo3gl7mM94VBfzI175k9UcEKML8yz9ldtDReK+98VAd:LXb7jrqJ947fzUCXxg9lQf2`
Yara	Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Is_DotNET_EXE - (no description) Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
2864
- schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cePrUCkWQBqJ" /XML "C:\Users\test22\AppData\Local\Temp\tmpE1F7.tmp"
  8168
- vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
  5256
  - cmd.exe "C:\Windows\System32\cmd.exe"
    4964
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
seencroundercontroller.webredirect.org	A 185.235.219.204	185.235.219.204

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
185.235.219.204	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW June 27, 2021, 6:48 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW June 27, 2021, 6:48 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 27, 2021, 6:47 p.m.			0	0
IsDebuggerPresent June 27, 2021, 6:47 p.m.			0	0

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 27, 2021, 6:48 p.m.	buffer: SUCCESS: The scheduled task "Updates\cePrUCkWQBqJ" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW June 27, 2021, 6:48 p.m.	buffer: Microsoft Windows [Version 6.1.7601] console_handle: 0x00000007	1	1
WriteConsoleW June 27, 2021, 6:48 p.m.	buffer: Copyright (c) 2009 Microsoft Corporation. All rights reserved. console_handle: 0x00000007	1	1
WriteConsoleW June 27, 2021, 6:48 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey June 27, 2021, 6:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00663460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 27, 2021, 6:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00663460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 27, 2021, 6:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00663460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 27, 2021, 6:47 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (44 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2864 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00710000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2864 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b30000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00462000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00495000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00497000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00487000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2864 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2864 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00486000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:47 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:48 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:48 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:48 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:48 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:48 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:48 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:48 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:48 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:48 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:48 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bcb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:48 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bcc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:48 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bcd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:48 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bce000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:48 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bcf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:48 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05dd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:48 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05dd1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2021, 6:48 p.m.	process_identifier: 5256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01000000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a suspicious process (3 events)

cmdline	C:\Windows\System32\cmd.exe
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cePrUCkWQBqJ" /XML "C:\Users\test22\AppData\Local\Temp\tmpE1F7.tmp"
cmdline	schtasks.exe /Create /TN "Updates\cePrUCkWQBqJ" /XML "C:\Users\test22\AppData\Local\Temp\tmpE1F7.tmp"

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 27, 2021, 6:48 p.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\cePrUCkWQBqJ" /XML "C:\Users\test22\AppData\Local\Temp\tmpE1F7.tmp" filepath: schtasks.exe	1	1	0
CreateProcessInternalW June 27, 2021, 6:48 p.m.	thread_identifier: 1756 thread_handle: 0x000001d4 process_identifier: 4964 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001cc	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000a9400', u'virtual_address': u'0x00002000', u'entropy': 7.444209770872724, u'name': u'.text', u'virtual_size': u'0x000a936c'}

entropy

7.44420977087

description

A section with a high entropy has been found

entropy

0.996320824135

description

Overall entropy of this PE file is high

Yara rule detected in process memory (18 events)

description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	email clients info stealer	rule	infoStealer_emailClients_Zero
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Install itself for autorun at Windows startup	rule	Persistence

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cePrUCkWQBqJ" /XML "C:\Users\test22\AppData\Local\Temp\tmpE1F7.tmp"
cmdline	schtasks.exe /Create /TN "Updates\cePrUCkWQBqJ" /XML "C:\Users\test22\AppData\Local\Temp\tmpE1F7.tmp"

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 27, 2021, 6:48 p.m.	process_identifier: 5256 region_size: 118784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000368	1
NtAllocateVirtualMemory June 27, 2021, 6:48 p.m.	process_identifier: 4964 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001dc	1
NtProtectVirtualMemory June 27, 2021, 6:48 p.m.	process_identifier: 4964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a0000 process_handle: 0x000001dc	1

Potential code injection by writing to the memory of another process (7 events)

Time & API	Arguments	Status	Return
WriteProcessMemory June 27, 2021, 6:48 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $¼{ QÝsQÝsQÝsÒJsPÝsX¥sPÝsX¥sMÝsQÝs·ÝsÒHsRÝsX¥sSÝsvxsPÝsv{sRÝsTÑsPÝsÀ´r:ÝsÀ´êsPÝsÀ´rPÝsRichQÝsPELñ&±\à£W @Ð@ìJp,°´ pI `.text `.rdatab= >@@.data@`J@À.rsrcp,.P@@.reloc´ °~@B.bssÀ@@ base_address: 0x00400000 process_identifier: 5256 process_handle: 0x00000368	1	1
WriteProcessMemory June 27, 2021, 6:48 p.m.	buffer: m@@@@¼@Ë@Ú@ü@@ @TÍ<¨K¢`Ý;UBÄôK A³ÝJpMÛ(H»ï¾Þï¾ÞH¸ï¾Þï¾Þÿã¸ï¾Þéï¾ÞUìUEÈÒt ÆAêu÷]ÃUìd¡0ì@SVWxé§G03ö_,?EøB<}ôDxEðÀÁë3ÉÛt-}ø¾ÁÎ <aUø\| ÂÀàðëuøA;ËrßUü}ôEðL3ÛD ÂMìÉt<3ÿÊÀMøÑEè ÁÏ ¾ÁøBÉuñUü}øEø}ôÆ;Et EèC;]ìrÄWUüÒKÿÿÿ3À_^[ÉÂuðD$X·DÂëÝUìì¼ESVWXhLw&M ]¸èèþÿÿðÇEÄkern3ÀÇEÈel32EÐEÞEÄPÇEÌ.dllÇEàntdlÇEäl.dlfÇEèlÇEÔuserÇEØ32.dfÇEÜllfÇEø1fÇEü2ÿÖEàPÿÖEÔPÿÖhX¤SåèyþÿÿhyÌ?EèlþÿÿhEVEôè_þÿÿhDð5àEÀèRþÿÿhî¶PE¤èEþÿÿhÆREè8þÿÿh_xTîEðè+þÿÿhÚöÚOEèþÿÿøhÆp}´èþÿÿh_»ðèþÿÿh-W®[E¼èöýÿÿE¬3ÀPhjPPhSE¨ÿ×jEìPÿÖ]ø}°jh0WjÿÓðötîjE¨PW}ìVWÿU¼WÿUð>M]¸tjEøPPjÿUÀÆEhà.ÿU¤3À}«jDj«««DÿÿÿPèTýÿÿÄÿu jhÿÿÿUE¼ÀuOEPDÿÿÿP3ÀPPPPPPPSÿUôÀ¯PPjPPh@SE¸ÿU´øjÿÿtE¸ë^EüPPjÿUÀéeìMìQPÿU}ìtoEPDÿÿÿP3ÀPPPPPPPSÿUôÀuOPPjPPh@SEÿU´øjÿÿt*EPÿu°VWÿU¬WÿUðEPDÿÿÿP3ÀPPPPPPPSÿUôë EüPPjÿUÀÆEÿu¼ÿUð}åþÿÿ_^[ÉÃä;Ad base_address: 0x00416000 process_identifier: 5256 process_handle: 0x00000368	1	1
WriteProcessMemory June 27, 2021, 6:48 p.m.	buffer: 00 0µ0¼0É0Ð0o1u1\|1111¤1³1Â1Ñ1Ü1â1é1ð1÷12 22"2(2/262=2D2N2n2÷:; ;&;1;<;G;R;];h;;;£;®;¹;Ä;Ï;è;ñ;<!<@<Y<¸<ú<±>Ó>Û> dö0Ü1w44·4Í4Ø4ô455=5D5Å5ù5616P6Â6/7R7Y7r7Ê7E8c8ê89&9J9P99Õ9 :u;¥;<<<8<J<°>ç>?n??Ó?0À$0o00£0ª011«1Ê1å1ò1272y2ð2D33É34"4=4t4à5#6b6v66Ñ6á6ë6ò6û67K7[7\|77 7¬7³7¿7Æ7Ò7Ù7å7ì718C8^8e8²8À8Ñ8)9;9B9N9U9o9v9999 9¬9³98:S:¨:¯:¶:¿:=;D;R;[;;¦;;¶;<-<<<£<L==2>f>?:?@x0?01-1 2O233Ý3ã3)404$5Y5º5$6 6²67@7i77795:X: ;Á;Þ;û;<e<<<ê<=7=T=q==«=È=G>N>d>k>>¢>¿>Ü>ù>H?^?w??£?PP000®0ý0]1\|1Ê193P3v333¼3í3)5X7_7f7n7s7z7777¬7û78 88,838A8G8Q8888§8·8¾8Ú8ó8p99£9ª9´9»9Å9Ì9: :,:2:7:>:L:Q:]:`?~?pl0ó0E1"22H2ñ3÷34/4A4F4L4T4a444 4¬4½4Ö4Ü4æ4í4õ4û455~555¥5¯5¹5Ã5Í5×5á5ë5õ56 6.6L6S6©6³6½6ß6é6ó67&707:7D7a7k7u77Ï7Ù7ã7í788 83888=8D8Q8V8[8888£8¨88º8¿8Ä8Ñ8Ö8Û8è8í8ò8#90959:9G9L9Q9^9c9m9999999 9¤9¨9¬9°9Ê9ü9:':@:Y:f:l:{:£:Å:Ê:æ:ì:ø:;;;5;@;E;T;`;t;;;ñ;<D<a<r<<Æ<Ø<)=C=[=e==°=µ=Ð=Ö=Ü=ô=ü=> >>>>D>O>T>`>f>q>}>>>§>¸>Â>Ë>î>?_?ð?@ 00¥0(1O1b1y11111¦1±1¶1Ú1ï1ô12v22²2â2é2ï23+313;3P3Z3u33¨3³3à3ì3ó3ÿ3444!41494?4E4P4X4_4e4m4x4~4444ª4µ4Á4Æ4Í4×4Ý4æ4ì4ñ4ù4555 505A5F5L5Q5W5a5g5l5z555555¦5«5·5¼5É5Î5)666¤6±6á6è6¶889C9W9a9j9u99¥9«9¶9Ô9þ9:2:[::»:;;;;~;;;;½;Í;Ý;í;ý; <<-<<¯<¿<Ì<Ü<é<ù<==@=s===¦=º=ì=> >ç>+?o?³?÷?td0Ñ0>1Û12A2H2c2©2Ò2 3&333j344C4]4Ä45T55Ê6H7O77â7ü7 88>8W8d8¦8>9V999:P::Í:<<<ú<(=u=´=>2>e>M?? Ä0Ñ0Ø0à0õ01131^1¨1+24292R2k222¶2Ï2è23"3e3~3·34/4B4U4h4{44¡4´4Ð4$5ª5X6d6t666¤6´6Ä6Ï6â6í677;7W7s7Ã8^9c9\|99®9Ç9à9ù9:+:L:e:¦:Á:ü:;;§;º;Í;à;ó;<<5<<<<²<Æ<Ï<Ø<¥=5>J>s>>>®>°ø030l1w1\|1111¢1¬1À1Å1Ê1Ø1à1ç1í1ü1222#2+22292@2G2N2¯23@33ç3õ340444 4¥4°4µ4À4Å4Ï4å45)5b5l555¤5±5¸5¾5Ã56-6T6]6r666¦6À6É6Þ6ë6ø6777+7H7R7k7x777²7½7Ð7ý7 88$818>889W9::-:s;;´;<4<k<<<¬<e=m=°=ì=ù=o>>¥>¶>û>??4?A?Ý?ÀH00\0¡0¿0_142E22î2R33¼3È3Ð3Ú3à3 4444&4,474=4H4N4Y4_4j4p4{44444¢4¨4¼4Ç4Ó4Ø4ß4ë4ñ4õ4û4 5'5F5_555á5-626d66©6´6Æ6Ï6Ø6Þ6í6777$7E7b7g7m7y777©7¾7Ä7Ð7Ø7â7è7ï7õ788 8&8,868;8R8h88¦8Â8Ï8Û8ò8M9Z99½95:»:É:÷:;;);e;£;±;È;ç;ú;<z<<<<<<<Ð<ø<===== =$=+=6=d=j=ù=ÿ=>>">,>N>f>l>r>y>}>>>È>Ï>Ý>ò>ú>W??ù?Ð¸001<1U1g11 1®1Ô1ç1"222:2r22¯2¸2¿2î2þ2333°3º3È3î34b4s4¨4È4Ü4è4-5C5e5}5º5ß5ï5ø5ÿ5£7ª7È7Ý7ñ7868g8r88«8ì8õ8!9,9U9~99ª9þ9:4:§:é:;õ;<L<Æ<ó< ====M={=Ö=Þ=æ=ñ=ý=>>%>5>àpv2µ2l333ª3'56Â6Ý6ò6ü6 797 7Ê7Ï7×7Þ7#888P8[8l888¡8ö8999º9é9 ::q::Ä:ç:;D;r;;Ø; <;</=W=>Á>ß>ý>ð$ß0å0R1_1l1Ü1å1ó12222B2M2l222¸2Å2Ð2ï23-3;3B3I333«3°3·3Ä3Í3Ö3ç3ý34!4,464@4G4444À4Ë4Ø4ò4÷4555#5N5X5g5r5w555G666É6â6757S7[7v77Ä7Ü78A8X8_8p88 8¨8;9F9W9^999«9¹9À9Ç9::G:R:p::¢:¬:Ã:; ;";O;\;v;;M<y<¸<Ù<Á=Ì=Õ=å=ì=ò=û=>>3>>>D>S>Y>c>i>m>>>>¯>»>Ã>É>Ü>:?T???¼b0z00·0Ë0×0§1³1É1Î1æ12232B2_2\|2]3y3333°3Ø3õ344»4ß4ì4ô45&5Z7u7~777¢7Ø7á7ç7ø78 8789V9:%:c:h:©:ì:÷:;;;@;S;^;t;;®;µ;Þ;å;3<C<W<<<¢<== >6>u>>>®>¸>Ç>Ñ>Û>1?6?D?S?°0070p0u00Ö0Ý011b11¼1ï122'212;22¤2®2½2Ã2Ò2í2÷233363@3O3U3d33333¦3Á3Ë3Ö3Ü3æ3444 4*484=4B4G4L4°4Í4ê4 5(5<5V5]5m5t55d6p6w6}6666£6¨66´6»6¿6Å6ã6í6ø67 7 À@4D4Ô4Ø4Ü4à4ä4è4ì4ð4ô4ø4ü455555555 5$5(5,5054585<5@5D5H5L5P5T5X5\5`5d5h5l5p5t5x5\|555555555 5¤5¨5¬5°5´5¸5¼5À5Ä5È5Ì5Ð5Ô5Ø5Ü5à5ä5è5ì5ð5ô5ø5ü566666666 6$6(6,60646860Ä;È;Ì;ä;è;ì;@8d7h7À7Ä7È7Ì7Ð788p8t88888999999 9$9` 0000000 0$0(0x5 base_address: 0x0041b000 process_identifier: 5256 process_handle: 0x00000368	1	1
WriteProcessMemory June 27, 2021, 6:48 p.m.	buffer: 2`4Æ^ýo1tEWY P½;¨ø jJ+èÜbHÐèi´Âl&*ÏëFO×'{ÂáÔÓ£×-ºÕó>;£Óà}(é-,úéZv:LèèÖC¿>¸bk>ý@ZÁºÃVÝí·²²OIÈå¹>bsMüì¿È'8¨©ª?o²p\ª¯ÛtSÀî`¿rÑ=ù¨sê base_address: 0x0041c000 process_identifier: 5256 process_handle: 0x00000368	1	1
WriteProcessMemory June 27, 2021, 6:48 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 5256 process_handle: 0x00000368	1	1
WriteProcessMemory June 27, 2021, 6:48 p.m.	buffer: UìUEÈÒt ÆAêu÷]ÃUìd¡0ì@SVWxé§G03ö_,?EøB<}ôDxEðÀÁë3ÉÛt-}ø¾ÁÎ <aUø\| ÂÀàðëuøA;ËrßUü}ôEðL3ÛD ÂMìÉt<3ÿÊÀMøÑEè ÁÏ ¾ÁøBÉuñUü}øEø}ôÆ;Et EèC;]ìrÄWUüÒKÿÿÿ3À_^[ÉÂuðD$X·DÂëÝUìì¼ESVWXhLw&M ]¸èèþÿÿðÇEÄkern3ÀÇEÈel32EÐEÞEÄPÇEÌ.dllÇEàntdlÇEäl.dlfÇEèlÇEÔuserÇEØ32.dfÇEÜllfÇEø1fÇEü2ÿÖEàPÿÖEÔPÿÖhX¤SåèyþÿÿhyÌ?EèlþÿÿhEVEôè_þÿÿhDð5àEÀèRþÿÿhî¶PE¤èEþÿÿhÆREè8þÿÿh_xTîEðè+þÿÿhÚöÚOEèþÿÿøhÆp}´èþÿÿh_»ðèþÿÿh-W®[E¼èöýÿÿE¬3ÀPhjPPhSE¨ÿ×jEìPÿÖ]ø}°jh0WjÿÓðötîjE¨PW}ìVWÿU¼WÿUð>M]¸tjEøPPjÿUÀÆEhà.ÿU¤3À}«jDj«««DÿÿÿPèTýÿÿÄÿu jhÿÿÿUE¼ÀuOEPDÿÿÿP3ÀPPPPPPPSÿUôÀ¯PPjPPh@SE¸ÿU´øjÿÿtE¸ë^EüPPjÿUÀéeìMìQPÿU}ìtoEPDÿÿÿP3ÀPPPPPPPSÿUôÀuOPPjPPh@SEÿU´øjÿÿt*EPÿu°VWÿU¬WÿUðEPDÿÿÿP3ÀPPPPPPPSÿUôë EüPPjÿUÀÆEÿu¼ÿUð}åþÿÿ_^[ÉÃä;Ad Å base_address: 0x004a0000 process_identifier: 4964 process_handle: 0x000001dc	1	1
WriteProcessMemory June 27, 2021, 6:48 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\vbc.exeèèìñìñP,¨v\|,¨v9¬tò$igÿÿÿÿÿñxòLøà^ªv-%¢ðþÿÿÿ\|,¨v 5¨vè base_address: 0x004b0000 process_identifier: 4964 process_handle: 0x000001dc	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory June 27, 2021, 6:48 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $¼{ QÝsQÝsQÝsÒJsPÝsX¥sPÝsX¥sMÝsQÝs·ÝsÒHsRÝsX¥sSÝsvxsPÝsv{sRÝsTÑsPÝsÀ´r:ÝsÀ´êsPÝsÀ´rPÝsRichQÝsPELñ&±\à£W @Ð@ìJp,°´ pI `.text `.rdatab= >@@.data@`J@À.rsrcp,.P@@.reloc´ °~@B.bssÀ@@ base_address: 0x00400000 process_identifier: 5256 process_handle: 0x00000368	1	1	0

File has been identified by 16 AntiVirus engines on VirusTotal as malicious (16 events)

Elastic	malicious (high confidence)
McAfee	Artemis!B6BD7E3441E8
CrowdStrike	win/malicious_confidence_60% (D)
BitDefenderTheta	Gen:NN.ZemsilCO.34758.Qm0@auPXSxp
Cyren	W32/MSIL_Kryptik.DLO.gen!Eldorado
Symantec	Scr.Malcode!gdn34
APEX	Malicious
Kaspersky	VHO:Trojan.MSIL.Taskun.gen
McAfee-GW-Edition	BehavesLike.Win32.Fareit.jc
Sophos	ML/PE-A
MaxSecure	Trojan.Malware.300983.susgen
Microsoft	Trojan:Win32/AgentTesla!ml
Cynet	Malicious (score: 100)
Malwarebytes	MachineLearning/Anomalous.95%
SentinelOne	Static AI - Malicious PE
Cybereason	malicious.25092a

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2864 called NtSetContextThread to modify thread in remote process 5256
NtSetContextThread June 27, 2021, 6:48 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4216739 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000036c process_identifier: 5256	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2864 resumed a thread in remote process 5256
NtResumeThread June 27, 2021, 6:48 p.m.	thread_handle: 0x0000036c suspend_count: 1 process_identifier: 5256	1	0	0

Executed a process and injected code into it, probably while unpacking (24 events)

Time & API	Arguments	Status	Return
NtResumeThread June 27, 2021, 6:47 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2864	1	0
NtResumeThread June 27, 2021, 6:47 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2864	1	0
NtResumeThread June 27, 2021, 6:47 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2864	1	0
NtResumeThread June 27, 2021, 6:48 p.m.	thread_handle: 0x00000254 suspend_count: 1 process_identifier: 2864	1	0
CreateProcessInternalW June 27, 2021, 6:48 p.m.	thread_identifier: 2724 thread_handle: 0x000003cc process_identifier: 8168 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cePrUCkWQBqJ" /XML "C:\Users\test22\AppData\Local\Temp\tmpE1F7.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003d0	1	1
CreateProcessInternalW June 27, 2021, 6:48 p.m.	thread_identifier: 5752 thread_handle: 0x0000036c process_identifier: 5256 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\vbc.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000368	1	1
NtGetContextThread June 27, 2021, 6:48 p.m.	thread_handle: 0x0000036c	1	0
NtAllocateVirtualMemory June 27, 2021, 6:48 p.m.	process_identifier: 5256 region_size: 118784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000368	1	0
WriteProcessMemory June 27, 2021, 6:48 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $¼{ QÝsQÝsQÝsÒJsPÝsX¥sPÝsX¥sMÝsQÝs·ÝsÒHsRÝsX¥sSÝsvxsPÝsv{sRÝsTÑsPÝsÀ´r:ÝsÀ´êsPÝsÀ´rPÝsRichQÝsPELñ&±\à£W @Ð@ìJp,°´ pI `.text `.rdatab= >@@.data@`J@À.rsrcp,.P@@.reloc´ °~@B.bssÀ@@ base_address: 0x00400000 process_identifier: 5256 process_handle: 0x00000368	1	1
WriteProcessMemory June 27, 2021, 6:48 p.m.	buffer: base_address: 0x00401000 process_identifier: 5256 process_handle: 0x00000368	1	1
WriteProcessMemory June 27, 2021, 6:48 p.m.	buffer: base_address: 0x00412000 process_identifier: 5256 process_handle: 0x00000368	1	1
WriteProcessMemory June 27, 2021, 6:48 p.m.	buffer: m@@@@¼@Ë@Ú@ü@@ @TÍ<¨K¢`Ý;UBÄôK A³ÝJpMÛ(H»ï¾Þï¾ÞH¸ï¾Þï¾Þÿã¸ï¾Þéï¾ÞUìUEÈÒt ÆAêu÷]ÃUìd¡0ì@SVWxé§G03ö_,?EøB<}ôDxEðÀÁë3ÉÛt-}ø¾ÁÎ <aUø\| ÂÀàðëuøA;ËrßUü}ôEðL3ÛD ÂMìÉt<3ÿÊÀMøÑEè ÁÏ ¾ÁøBÉuñUü}øEø}ôÆ;Et EèC;]ìrÄWUüÒKÿÿÿ3À_^[ÉÂuðD$X·DÂëÝUìì¼ESVWXhLw&M ]¸èèþÿÿðÇEÄkern3ÀÇEÈel32EÐEÞEÄPÇEÌ.dllÇEàntdlÇEäl.dlfÇEèlÇEÔuserÇEØ32.dfÇEÜllfÇEø1fÇEü2ÿÖEàPÿÖEÔPÿÖhX¤SåèyþÿÿhyÌ?EèlþÿÿhEVEôè_þÿÿhDð5àEÀèRþÿÿhî¶PE¤èEþÿÿhÆREè8þÿÿh_xTîEðè+þÿÿhÚöÚOEèþÿÿøhÆp}´èþÿÿh_»ðèþÿÿh-W®[E¼èöýÿÿE¬3ÀPhjPPhSE¨ÿ×jEìPÿÖ]ø}°jh0WjÿÓðötîjE¨PW}ìVWÿU¼WÿUð>M]¸tjEøPPjÿUÀÆEhà.ÿU¤3À}«jDj«««DÿÿÿPèTýÿÿÄÿu jhÿÿÿUE¼ÀuOEPDÿÿÿP3ÀPPPPPPPSÿUôÀ¯PPjPPh@SE¸ÿU´øjÿÿtE¸ë^EüPPjÿUÀéeìMìQPÿU}ìtoEPDÿÿÿP3ÀPPPPPPPSÿUôÀuOPPjPPh@SEÿU´øjÿÿt*EPÿu°VWÿU¬WÿUðEPDÿÿÿP3ÀPPPPPPPSÿUôë EüPPjÿUÀÆEÿu¼ÿUð}åþÿÿ_^[ÉÃä;Ad base_address: 0x00416000 process_identifier: 5256 process_handle: 0x00000368	1	1
WriteProcessMemory June 27, 2021, 6:48 p.m.	buffer: base_address: 0x00418000 process_identifier: 5256 process_handle: 0x00000368	1	1
WriteProcessMemory June 27, 2021, 6:48 p.m.	buffer: 00 0µ0¼0É0Ð0o1u1\|1111¤1³1Â1Ñ1Ü1â1é1ð1÷12 22"2(2/262=2D2N2n2÷:; ;&;1;<;G;R;];h;;;£;®;¹;Ä;Ï;è;ñ;<!<@<Y<¸<ú<±>Ó>Û> dö0Ü1w44·4Í4Ø4ô455=5D5Å5ù5616P6Â6/7R7Y7r7Ê7E8c8ê89&9J9P99Õ9 :u;¥;<<<8<J<°>ç>?n??Ó?0À$0o00£0ª011«1Ê1å1ò1272y2ð2D33É34"4=4t4à5#6b6v66Ñ6á6ë6ò6û67K7[7\|77 7¬7³7¿7Æ7Ò7Ù7å7ì718C8^8e8²8À8Ñ8)9;9B9N9U9o9v9999 9¬9³98:S:¨:¯:¶:¿:=;D;R;[;;¦;;¶;<-<<<£<L==2>f>?:?@x0?01-1 2O233Ý3ã3)404$5Y5º5$6 6²67@7i77795:X: ;Á;Þ;û;<e<<<ê<=7=T=q==«=È=G>N>d>k>>¢>¿>Ü>ù>H?^?w??£?PP000®0ý0]1\|1Ê193P3v333¼3í3)5X7_7f7n7s7z7777¬7û78 88,838A8G8Q8888§8·8¾8Ú8ó8p99£9ª9´9»9Å9Ì9: :,:2:7:>:L:Q:]:`?~?pl0ó0E1"22H2ñ3÷34/4A4F4L4T4a444 4¬4½4Ö4Ü4æ4í4õ4û455~555¥5¯5¹5Ã5Í5×5á5ë5õ56 6.6L6S6©6³6½6ß6é6ó67&707:7D7a7k7u77Ï7Ù7ã7í788 83888=8D8Q8V8[8888£8¨88º8¿8Ä8Ñ8Ö8Û8è8í8ò8#90959:9G9L9Q9^9c9m9999999 9¤9¨9¬9°9Ê9ü9:':@:Y:f:l:{:£:Å:Ê:æ:ì:ø:;;;5;@;E;T;`;t;;;ñ;<D<a<r<<Æ<Ø<)=C=[=e==°=µ=Ð=Ö=Ü=ô=ü=> >>>>D>O>T>`>f>q>}>>>§>¸>Â>Ë>î>?_?ð?@ 00¥0(1O1b1y11111¦1±1¶1Ú1ï1ô12v22²2â2é2ï23+313;3P3Z3u33¨3³3à3ì3ó3ÿ3444!41494?4E4P4X4_4e4m4x4~4444ª4µ4Á4Æ4Í4×4Ý4æ4ì4ñ4ù4555 505A5F5L5Q5W5a5g5l5z555555¦5«5·5¼5É5Î5)666¤6±6á6è6¶889C9W9a9j9u99¥9«9¶9Ô9þ9:2:[::»:;;;;~;;;;½;Í;Ý;í;ý; <<-<<¯<¿<Ì<Ü<é<ù<==@=s===¦=º=ì=> >ç>+?o?³?÷?td0Ñ0>1Û12A2H2c2©2Ò2 3&333j344C4]4Ä45T55Ê6H7O77â7ü7 88>8W8d8¦8>9V999:P::Í:<<<ú<(=u=´=>2>e>M?? Ä0Ñ0Ø0à0õ01131^1¨1+24292R2k222¶2Ï2è23"3e3~3·34/4B4U4h4{44¡4´4Ð4$5ª5X6d6t666¤6´6Ä6Ï6â6í677;7W7s7Ã8^9c9\|99®9Ç9à9ù9:+:L:e:¦:Á:ü:;;§;º;Í;à;ó;<<5<<<<²<Æ<Ï<Ø<¥=5>J>s>>>®>°ø030l1w1\|1111¢1¬1À1Å1Ê1Ø1à1ç1í1ü1222#2+22292@2G2N2¯23@33ç3õ340444 4¥4°4µ4À4Å4Ï4å45)5b5l555¤5±5¸5¾5Ã56-6T6]6r666¦6À6É6Þ6ë6ø6777+7H7R7k7x777²7½7Ð7ý7 88$818>889W9::-:s;;´;<4<k<<<¬<e=m=°=ì=ù=o>>¥>¶>û>??4?A?Ý?ÀH00\0¡0¿0_142E22î2R33¼3È3Ð3Ú3à3 4444&4,474=4H4N4Y4_4j4p4{44444¢4¨4¼4Ç4Ó4Ø4ß4ë4ñ4õ4û4 5'5F5_555á5-626d66©6´6Æ6Ï6Ø6Þ6í6777$7E7b7g7m7y777©7¾7Ä7Ð7Ø7â7è7ï7õ788 8&8,868;8R8h88¦8Â8Ï8Û8ò8M9Z99½95:»:É:÷:;;);e;£;±;È;ç;ú;<z<<<<<<<Ð<ø<===== =$=+=6=d=j=ù=ÿ=>>">,>N>f>l>r>y>}>>>È>Ï>Ý>ò>ú>W??ù?Ð¸001<1U1g11 1®1Ô1ç1"222:2r22¯2¸2¿2î2þ2333°3º3È3î34b4s4¨4È4Ü4è4-5C5e5}5º5ß5ï5ø5ÿ5£7ª7È7Ý7ñ7868g8r88«8ì8õ8!9,9U9~99ª9þ9:4:§:é:;õ;<L<Æ<ó< ====M={=Ö=Þ=æ=ñ=ý=>>%>5>àpv2µ2l333ª3'56Â6Ý6ò6ü6 797 7Ê7Ï7×7Þ7#888P8[8l888¡8ö8999º9é9 ::q::Ä:ç:;D;r;;Ø; <;</=W=>Á>ß>ý>ð$ß0å0R1_1l1Ü1å1ó12222B2M2l222¸2Å2Ð2ï23-3;3B3I333«3°3·3Ä3Í3Ö3ç3ý34!4,464@4G4444À4Ë4Ø4ò4÷4555#5N5X5g5r5w555G666É6â6757S7[7v77Ä7Ü78A8X8_8p88 8¨8;9F9W9^999«9¹9À9Ç9::G:R:p::¢:¬:Ã:; ;";O;\;v;;M<y<¸<Ù<Á=Ì=Õ=å=ì=ò=û=>>3>>>D>S>Y>c>i>m>>>>¯>»>Ã>É>Ü>:?T???¼b0z00·0Ë0×0§1³1É1Î1æ12232B2_2\|2]3y3333°3Ø3õ344»4ß4ì4ô45&5Z7u7~777¢7Ø7á7ç7ø78 8789V9:%:c:h:©:ì:÷:;;;@;S;^;t;;®;µ;Þ;å;3<C<W<<<¢<== >6>u>>>®>¸>Ç>Ñ>Û>1?6?D?S?°0070p0u00Ö0Ý011b11¼1ï122'212;22¤2®2½2Ã2Ò2í2÷233363@3O3U3d33333¦3Á3Ë3Ö3Ü3æ3444 4*484=4B4G4L4°4Í4ê4 5(5<5V5]5m5t55d6p6w6}6666£6¨66´6»6¿6Å6ã6í6ø67 7 À@4D4Ô4Ø4Ü4à4ä4è4ì4ð4ô4ø4ü455555555 5$5(5,5054585<5@5D5H5L5P5T5X5\5`5d5h5l5p5t5x5\|555555555 5¤5¨5¬5°5´5¸5¼5À5Ä5È5Ì5Ð5Ô5Ø5Ü5à5ä5è5ì5ð5ô5ø5ü566666666 6$6(6,60646860Ä;È;Ì;ä;è;ì;@8d7h7À7Ä7È7Ì7Ð788p8t88888999999 9$9` 0000000 0$0(0x5 base_address: 0x0041b000 process_identifier: 5256 process_handle: 0x00000368	1	1
WriteProcessMemory June 27, 2021, 6:48 p.m.	buffer: 2`4Æ^ýo1tEWY P½;¨ø jJ+èÜbHÐèi´Âl&*ÏëFO×'{ÂáÔÓ£×-ºÕó>;£Óà}(é-,úéZv:LèèÖC¿>¸bk>ý@ZÁºÃVÝí·²²OIÈå¹>bsMüì¿È'8¨©ª?o²p\ª¯ÛtSÀî`¿rÑ=ù¨sê base_address: 0x0041c000 process_identifier: 5256 process_handle: 0x00000368	1	1
WriteProcessMemory June 27, 2021, 6:48 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 5256 process_handle: 0x00000368	1	1
NtSetContextThread June 27, 2021, 6:48 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4216739 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000036c process_identifier: 5256	1	0
NtResumeThread June 27, 2021, 6:48 p.m.	thread_handle: 0x0000036c suspend_count: 1 process_identifier: 5256	1	0
NtResumeThread June 27, 2021, 6:48 p.m.	thread_handle: 0x000003c8 suspend_count: 1 process_identifier: 2864	1	0
CreateProcessInternalW June 27, 2021, 6:48 p.m.	thread_identifier: 1756 thread_handle: 0x000001d4 process_identifier: 4964 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001cc	1	1
NtAllocateVirtualMemory June 27, 2021, 6:48 p.m.	process_identifier: 4964 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001dc	1	0
WriteProcessMemory June 27, 2021, 6:48 p.m.	buffer: UìUEÈÒt ÆAêu÷]ÃUìd¡0ì@SVWxé§G03ö_,?EøB<}ôDxEðÀÁë3ÉÛt-}ø¾ÁÎ <aUø\| ÂÀàðëuøA;ËrßUü}ôEðL3ÛD ÂMìÉt<3ÿÊÀMøÑEè ÁÏ ¾ÁøBÉuñUü}øEø}ôÆ;Et EèC;]ìrÄWUüÒKÿÿÿ3À_^[ÉÂuðD$X·DÂëÝUìì¼ESVWXhLw&M ]¸èèþÿÿðÇEÄkern3ÀÇEÈel32EÐEÞEÄPÇEÌ.dllÇEàntdlÇEäl.dlfÇEèlÇEÔuserÇEØ32.dfÇEÜllfÇEø1fÇEü2ÿÖEàPÿÖEÔPÿÖhX¤SåèyþÿÿhyÌ?EèlþÿÿhEVEôè_þÿÿhDð5àEÀèRþÿÿhî¶PE¤èEþÿÿhÆREè8þÿÿh_xTîEðè+þÿÿhÚöÚOEèþÿÿøhÆp}´èþÿÿh_»ðèþÿÿh-W®[E¼èöýÿÿE¬3ÀPhjPPhSE¨ÿ×jEìPÿÖ]ø}°jh0WjÿÓðötîjE¨PW}ìVWÿU¼WÿUð>M]¸tjEøPPjÿUÀÆEhà.ÿU¤3À}«jDj«««DÿÿÿPèTýÿÿÄÿu jhÿÿÿUE¼ÀuOEPDÿÿÿP3ÀPPPPPPPSÿUôÀ¯PPjPPh@SE¸ÿU´øjÿÿtE¸ë^EüPPjÿUÀéeìMìQPÿU}ìtoEPDÿÿÿP3ÀPPPPPPPSÿUôÀuOPPjPPh@SEÿU´øjÿÿt*EPÿu°VWÿU¬WÿUðEPDÿÿÿP3ÀPPPPPPPSÿUôë EüPPjÿUÀÆEÿu¼ÿUð}åþÿÿ_^[ÉÃä;Ad Å base_address: 0x004a0000 process_identifier: 4964 process_handle: 0x000001dc	1	1
NtAllocateVirtualMemory June 27, 2021, 6:48 p.m.	process_identifier: 4964 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x004b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001dc	1	0
WriteProcessMemory June 27, 2021, 6:48 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\vbc.exeèèìñìñP,¨v\|,¨v9¬tò$igÿÿÿÿÿñxòLøà^ªv-%¢ðþÿÿÿ\|,¨v 5¨vè base_address: 0x004b0000 process_identifier: 4964 process_handle: 0x000001dc	1	1

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All