Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 14, 2021, 3:31 p.m.	Oct. 14, 2021, 3:33 p.m.

Size	657.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`3fc196a38075b3009bbb2c7991f07cd3`
SHA256	`0bb5a52f4fe79a8c7fbb4462c472827d0a58e78b985dd102e6f444d41613e19e`
CRC32	`90ED3CAB`
ssdeep	`12288:lkASB5SqHstIYcU6TBVrpLQRFw7qO504/dRBb7Se1v/klohx/i77MGc:lmB5vMtIYcUAXGFC5TdPb7n58lo2cGc`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
1948
- vbc.exe "C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe"
  2916
  - vbc.exe "C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe"
    2400
    - svchost.com "C:\Windows\svchost.com" "C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe"
      528
      - vbc.exe C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe
        2568
        
        vbc.exe "C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe"
        2204
        
        svchost.com "C:\Windows\svchost.com" "C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe"
        2816
        
        vbc.exe C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe
        1628
        
        vbc.exe "C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe"
        2900
        
        svchost.com "C:\Windows\svchost.com" "C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe"
        1420
        
        vbc.exe C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe
        2152

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (8 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 14, 2021, 3:31 p.m.			0	0
IsDebuggerPresent Oct. 14, 2021, 3:31 p.m.			0	0
IsDebuggerPresent Oct. 14, 2021, 3:32 p.m.			0	0
IsDebuggerPresent Oct. 14, 2021, 3:32 p.m.			0	0
IsDebuggerPresent Oct. 14, 2021, 3:32 p.m.			0	0
IsDebuggerPresent Oct. 14, 2021, 3:32 p.m.			0	0
IsDebuggerPresent Oct. 14, 2021, 3:33 p.m.			0	0
IsDebuggerPresent Oct. 14, 2021, 3:33 p.m.			0	0

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 14, 2021, 3:31 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 97 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 14, 2021, 3:31 p.m.	process_identifier: 2916 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:31 p.m.	process_identifier: 2916 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 14, 2021, 3:31 p.m.	process_identifier: 2916 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x730b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 14, 2021, 3:31 p.m.	process_identifier: 2916 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x730b2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:31 p.m.	process_identifier: 2916 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02010000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:31 p.m.	process_identifier: 2916 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:31 p.m.	process_identifier: 2916 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00392000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:31 p.m.	process_identifier: 2916 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:31 p.m.	process_identifier: 2916 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:31 p.m.	process_identifier: 2916 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:31 p.m.	process_identifier: 2916 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:31 p.m.	process_identifier: 2916 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:31 p.m.	process_identifier: 2916 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0039a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:31 p.m.	process_identifier: 2916 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:31 p.m.	process_identifier: 2916 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:31 p.m.	process_identifier: 2916 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:31 p.m.	process_identifier: 2916 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:31 p.m.	process_identifier: 2916 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 14, 2021, 3:31 p.m.	process_identifier: 2916 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70542000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:31 p.m.	process_identifier: 2916 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:31 p.m.	process_identifier: 2916 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003bd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:31 p.m.	process_identifier: 2916 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:31 p.m.	process_identifier: 2916 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b29000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:31 p.m.	process_identifier: 2916 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b2a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:31 p.m.	process_identifier: 2916 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b2b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:31 p.m.	process_identifier: 2916 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b2c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:32 p.m.	process_identifier: 2568 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00430000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:32 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00470000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 14, 2021, 3:32 p.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 14, 2021, 3:32 p.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:32 p.m.	process_identifier: 2568 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:32 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:32 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:32 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00455000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:32 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:32 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00457000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:32 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:32 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:32 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:32 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:32 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:32 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:32 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00446000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:32 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 14, 2021, 3:32 p.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70672000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:32 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:32 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:32 p.m.	process_identifier: 2568 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b03000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:32 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b09000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 14, 2021, 3:32 p.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b0a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (1 event)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\101.3.34.11\ChromeRecovery.exe

Creates executable files on the filesystem (50 out of 216 events)

file	C:\Program Files (x86)\G2BRUN\jre7\bin\jqs.exe
file	C:\Program Files (x86)\Hnc\HncUtils\HncUpdate.exe
file	C:\Program Files (x86)\Mozilla Thunderbird\plugin-container.exe
file	C:\Program Files (x86)\G2BRUN\jre7\bin\javacpl.exe
file	C:\Program Files (x86)\iniLINE\CrossEX\crossex\UnInstallCrossEXLocal.exe
file	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe
file	C:\Program Files (x86)\Wizvera\Delfino-G3\unins000.exe
file	C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe
file	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
file	C:\Program Files (x86)\Java\jre1.8.0_131\bin\ssvagent.exe
file	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
file	C:\Program Files (x86)\Google\Update\1.3.36.82\GoogleUpdateBroker.exe
file	C:\Program Files (x86)\Microsoft Office\Office14\1042\ONELEV.EXE
file	C:\Windows\svchost.com
file	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
file	C:\Python27\Scripts\easy_install.exe
file	C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE
file	C:\Program Files (x86)\Hnc\Hwp80\HwpPrnMng.exe
file	C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE
file	C:\Program Files (x86)\Common Files\microsoft shared\IME14\SHARED\IMEPADSV.EXE
file	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE
file	C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE
file	C:\Python27\Lib\site-packages\pip\_vendor\distlib\w32.exe
file	C:\Program Files (x86)\7-Zip\7z.exe
file	C:\Program Files (x86)\Hnc\Common80\HimTrayIcon.exe
file	C:\Program Files (x86)\Java\jre1.8.0_131\bin\unpack200.exe
file	C:\Program Files (x86)\Hnc\Hwp80\HwpFinder.exe
file	C:\Program Files (x86)\Wizvera\Common\wpmsvc\unins000.exe
file	C:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.36.82\GoogleUpdateSetup.exe
file	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE
file	C:\Program Files (x86)\EditPlus\editplus.exe
file	C:\Python27\Lib\site-packages\pip\_vendor\distlib\t64.exe
file	C:\MSOCache\All Users\{90140000-006E-0412-0000-0000000FF1CE}-C\dwtrig20.exe
file	C:\Python27\Lib\site-packages\pip\_vendor\distlib\t32.exe
file	C:\Program Files (x86)\Google\Chrome\Application\chrome_proxy.exe
file	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
file	C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE
file	C:\Program Files (x86)\Common Files\Adobe\__ARM\1.0\AdobeARM.exe
file	C:\Program Files (x86)\Mozilla Thunderbird\minidump-analyzer.exe
file	C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE
file	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
file	C:\Program Files (x86)\markany\maeps\MaPrtDataUpdater.exe
file	C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
file	C:\Program Files (x86)\Mozilla Thunderbird\pingsender.exe
file	C:\Program Files (x86)\Google\Update\1.3.36.82\GoogleCrashHandler.exe
file	C:\Program Files (x86)\Google\Update\1.3.36.82\GoogleUpdateCore.exe
file	C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE
file	C:\util\TCPView\Tcpvcon.exe
file	C:\Program Files (x86)\G2BRUN\jre7\bin\java.exe
file	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE

Creates a suspicious process (1 event)

cmdline

"C:\Windows\svchost.com" "C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe"

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe
file	C:\Windows\svchost.com

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\vcredist_x64[1].exe
file	C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\101.3.34.11\ChromeRecovery.exe

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 14, 2021, 3:33 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (30 events)

description	Run a KeyLogger	rule	KeyLogger
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Run a KeyLogger	rule	KeyLogger
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Run a KeyLogger	rule	KeyLogger
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Oct. 14, 2021, 3:33 p.m.	status_code: 0xffffffff process_identifier: 2404 process_handle: 0x0000026c		0	0
NtTerminateProcess Oct. 14, 2021, 3:33 p.m.	status_code: 0xffffffff process_identifier: 2404 process_handle: 0x0000026c	1	0	0

Allocates execute permission to another process indicative of possible code injection (4 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Oct. 14, 2021, 3:31 p.m.	process_identifier: 2400 region_size: 110592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258	1	0
NtAllocateVirtualMemory Oct. 14, 2021, 3:32 p.m.	process_identifier: 2204 region_size: 110592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000025c	1	0
NtAllocateVirtualMemory Oct. 14, 2021, 3:33 p.m.	process_identifier: 2404 region_size: 110592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258		3221225496
NtAllocateVirtualMemory Oct. 14, 2021, 3:33 p.m.	process_identifier: 2900 region_size: 110592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000270	1	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\(Default)

reg_value

C:\Windows\svchost.com "%1" %*

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1628 manipulating memory of non-child process 2404
NtAllocateVirtualMemory Oct. 14, 2021, 3:33 p.m.	process_identifier: 2404 region_size: 110592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258		3221225496	0

Potential code injection by writing to the memory of another process (18 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Oct. 14, 2021, 3:31 p.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^Bàtä@°@PdÌpCODE,rt `DATAx@ÀBSS¨ \|À.idatadP \|@À.tls`À.rdatap@P.relocÌ@P.rsrc@P°¢@P base_address: 0x00400000 process_identifier: 2400 process_handle: 0x00000258	1	1
WriteProcessMemory Oct. 14, 2021, 3:31 p.m.	buffer: @2À@@@t@ @#@ËÌÈÉ×ÏÈÍÎÛØÚÙÊÜÝÞßàáãäå@ErrorÀRuntime error at 00000000À0123456789ABCDEFÿÿÿÿ=@@´F@ÌN@O@ØY@äY@øY@üY@üY@Z@$Z@LZ@PZ@Z@´Z@àZ@ @øàÀÀÀÿÿÿÿÿÿÿÿÿ @ ,EíÍû¤WÉ<AïË½ïWÝ{JÖçöJÞ>@}ü{ëíêÄþGÌA2ÿNÛõ¥Ð2ªË+^þÇºãWËµáÙnÊXý±.tÛNóÄtîâhîÀ`²òTø5ý@@ base_address: 0x00409000 process_identifier: 2400 process_handle: 0x00000258	1	1
WriteProcessMemory Oct. 14, 2021, 3:31 p.m.	buffer: XRÜPàS4QT@QLTPQT\QÌTpQ UQöVôQÄW(R8XLRfR~RR®RÊRØRèRôRSS&S8SJS\SnS\|SSS²S¾SÐSìSþST.T>TZTjTTTªT¸TÚTìTüTU$U.U@UVUfU~UUU²UÂUÖUìUVV&V4VJVZVlVzVVV¨V¶VÆVÔVèVWWW,W:WFWVWbWvWW WºWÐWÜWêWøWXXX&XDXTXkernel32.dllDeleteCriticalSectionLeaveCriticalSectionEnterCriticalSectionInitializeCriticalSectionVirtualFreeVirtualAllocLocalFreeLocalAllocGetVersionGetCurrentThreadIdGetThreadLocaleGetStartupInfoAGetLocaleInfoAGetCommandLineAFreeLibraryExitProcessWriteFileUnhandledExceptionFilterRtlUnwindRaiseExceptionGetStdHandleuser32.dllGetKeyboardTypeMessageBoxAadvapi32.dllRegQueryValueExARegOpenKeyExARegCloseKeyoleaut32.dllSysFreeStringSysReAllocStringLenkernel32.dllTlsSetValueTlsGetValueLocalAllocGetModuleHandleAadvapi32.dllRegSetValueExARegOpenKeyExARegCloseKeykernel32.dllWriteFileWinExecSetFilePointerSetFileAttributesASetEndOfFileSetCurrentDirectoryAReleaseMutexReadFileGetWindowsDirectoryAGetTempPathAGetShortPathNameAGetModuleFileNameAGetLogicalDriveStringsAGetLocalTimeGetLastErrorGetFileSizeGetFileAttributesAGetDriveTypeAGetCommandLineAFreeLibraryFindNextFileAFindFirstFileAFindCloseDeleteFileACreateMutexACreateFileACreateDirectoryACloseHandlegdi32.dllStretchDIBitsSetDIBitsSelectObjectGetObjectAGetDIBitsDeleteObjectDeleteDCCreateSolidBrushCreateDIBSectionCreateCompatibleDCCreateCompatibleBitmapBitBltuser32.dllReleaseDCGetSysColorGetIconInfoGetDCFillRectDestroyIconCopyImageCharLowerBuffAshell32.dllShellExecuteAExtractIconA base_address: 0x00415000 process_identifier: 2400 process_handle: 0x00000258	1	1
WriteProcessMemory Oct. 14, 2021, 3:31 p.m.	buffer: `A`A@pA base_address: 0x00417000 process_identifier: 2400 process_handle: 0x00000258	1	1
WriteProcessMemory Oct. 14, 2021, 3:31 p.m.	buffer: 0 000"0020:0B0J0R0Z0b0j0r0z0000¾0Æ0Î0Ö0Þ0æ0î0ö0ÿ0 1(111ß2V3¥3ë3þ3t4¸4ù4-595T5ç567r777¥77·7Á7Ë7á7ç7õ7888&8,848F8R8a8m8u88888³8º8Ä8Î8Ø8ä8ï89999/9:9[9s99ª9²9ò9:W:w::¿;Ì;ÿ;<<'<0<;<D<K<Z<a<<Ü<ä<i====þ=>>>b>k>>§>³>»>î>?2?\?e?u?}??????±?º?Ø?Þ?æ? 00(0@0L0T0k0z00ª0Â0æ0î0ô0ú0,1P1n1~111ñ1ü1222$2u2\|2222¤2ª2°2·2Á2h33¯3»3Ã34#4+4O4o44°4É4Ú4ï4ü45Ù5668A8Q8g888²8Ç899929H9`9n9¢9¾9Ê9Þ9è9û9+:X:a:::Ñ:Ø:ú:G;o;·<ß<æ<þ< =T=\=g==¨=ó=>>N>R>X>\>a>h>n>v>>>>Ä>Ï>ì>ö>?%?/?7?=?K?f?{???©?®?³?Õ?é?0 N0W0}00466?6:7C7¡;²;ò;ù;<)<2<><E<Ä< =/=;=B=L=V=m=~===== =¦==±=Ë=Ô=Ý=é=ó=>/>@>J>R>Z>b>j>>¼>Ê>Ï>è>ø> ??&?+?0?7?>?H?_?k?x???£?°?Â?È?â?ê?ò?ú?@0 00:0B0J0R0Z0b0j0r0z00000¢0ª0²0º0Â0Ê0Ò0Ú0â0ê0ò0ú01 111"1121:1B1J1R1Z1b1j1r1z1111§1³1À1Ò1ß1ë1ø1 22#202B2J2R2_2k2x222£2°2Â2Ï2Û2è2ú233 323?3K3X3j3w333¢3¯3»3È3Ú3ç3ó3444$4(4,484<4@4L4P4T4`4d4h4t4x4\|4444¡4n5í9Ê:ò:;<Y<<Ù<Z==ù=>Ô>ï>?¨?ê?P\ 0b0¸0å0]1¹12I22¸23¸3ü3 44À4é45»5ß5ü5~66_8H9®9,;:;A;H;c;o;;;;¦;Ý;<¢<?¼?Ê?`L033Î45¶6ô:(;=;c;Ø;<<Â<ç<ó<û<====:=Z=ì=>A>v>§>Ã>ý>?K??º?p 040R00«0·0Ä0Ö0å011I11²12-2É2_3n34o4Ñ4ß4y5ª5Â5Ö5 6J66¯6ì67U7w7Ö7u88 9_9d9w9°9»9Ò9:.:E:c:z:²:ê:;;e;;;<<¤<==u=¸=.>c>¤>¾>ñ>?Æ?ñ?h030F0X0\0`0d0h0l0p0t0x0\|000000000 0¤0¨0¬0°0´0¸0¼0À0Ä0È0Ì0Ð0Ô0Ø0à0ù011%191M1a11Ë120004080è0ì0ð0ô0ø0ü0111111 1$1(122p0000 base_address: 0x00418000 process_identifier: 2400 process_handle: 0x00000258	1	1
WriteProcessMemory Oct. 14, 2021, 3:31 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2400 process_handle: 0x00000258	1	1
WriteProcessMemory Oct. 14, 2021, 3:32 p.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^Bàtä@°@PdÌpCODE,rt `DATAx@ÀBSS¨ \|À.idatadP \|@À.tls`À.rdatap@P.relocÌ@P.rsrc@P°¢@P base_address: 0x00400000 process_identifier: 2204 process_handle: 0x0000025c	1	1
WriteProcessMemory Oct. 14, 2021, 3:32 p.m.	buffer: @2À@@@t@ @#@ËÌÈÉ×ÏÈÍÎÛØÚÙÊÜÝÞßàáãäå@ErrorÀRuntime error at 00000000À0123456789ABCDEFÿÿÿÿ=@@´F@ÌN@O@ØY@äY@øY@üY@üY@Z@$Z@LZ@PZ@Z@´Z@àZ@ @øàÀÀÀÿÿÿÿÿÿÿÿÿ @ ,EíÍû¤WÉ<AïË½ïWÝ{JÖçöJÞ>@}ü{ëíêÄþGÌA2ÿNÛõ¥Ð2ªË+^þÇºãWËµáÙnÊXý±.tÛNóÄtîâhîÀ`²òTø5ý@@ base_address: 0x00409000 process_identifier: 2204 process_handle: 0x0000025c	1	1
WriteProcessMemory Oct. 14, 2021, 3:32 p.m.	buffer: XRÜPàS4QT@QLTPQT\QÌTpQ UQöVôQÄW(R8XLRfR~RR®RÊRØRèRôRSS&S8SJS\SnS\|SSS²S¾SÐSìSþST.T>TZTjTTTªT¸TÚTìTüTU$U.U@UVUfU~UUU²UÂUÖUìUVV&V4VJVZVlVzVVV¨V¶VÆVÔVèVWWW,W:WFWVWbWvWW WºWÐWÜWêWøWXXX&XDXTXkernel32.dllDeleteCriticalSectionLeaveCriticalSectionEnterCriticalSectionInitializeCriticalSectionVirtualFreeVirtualAllocLocalFreeLocalAllocGetVersionGetCurrentThreadIdGetThreadLocaleGetStartupInfoAGetLocaleInfoAGetCommandLineAFreeLibraryExitProcessWriteFileUnhandledExceptionFilterRtlUnwindRaiseExceptionGetStdHandleuser32.dllGetKeyboardTypeMessageBoxAadvapi32.dllRegQueryValueExARegOpenKeyExARegCloseKeyoleaut32.dllSysFreeStringSysReAllocStringLenkernel32.dllTlsSetValueTlsGetValueLocalAllocGetModuleHandleAadvapi32.dllRegSetValueExARegOpenKeyExARegCloseKeykernel32.dllWriteFileWinExecSetFilePointerSetFileAttributesASetEndOfFileSetCurrentDirectoryAReleaseMutexReadFileGetWindowsDirectoryAGetTempPathAGetShortPathNameAGetModuleFileNameAGetLogicalDriveStringsAGetLocalTimeGetLastErrorGetFileSizeGetFileAttributesAGetDriveTypeAGetCommandLineAFreeLibraryFindNextFileAFindFirstFileAFindCloseDeleteFileACreateMutexACreateFileACreateDirectoryACloseHandlegdi32.dllStretchDIBitsSetDIBitsSelectObjectGetObjectAGetDIBitsDeleteObjectDeleteDCCreateSolidBrushCreateDIBSectionCreateCompatibleDCCreateCompatibleBitmapBitBltuser32.dllReleaseDCGetSysColorGetIconInfoGetDCFillRectDestroyIconCopyImageCharLowerBuffAshell32.dllShellExecuteAExtractIconA base_address: 0x00415000 process_identifier: 2204 process_handle: 0x0000025c	1	1
WriteProcessMemory Oct. 14, 2021, 3:32 p.m.	buffer: `A`A@pA base_address: 0x00417000 process_identifier: 2204 process_handle: 0x0000025c	1	1
WriteProcessMemory Oct. 14, 2021, 3:32 p.m.	buffer: 0 000"0020:0B0J0R0Z0b0j0r0z0000¾0Æ0Î0Ö0Þ0æ0î0ö0ÿ0 1(111ß2V3¥3ë3þ3t4¸4ù4-595T5ç567r777¥77·7Á7Ë7á7ç7õ7888&8,848F8R8a8m8u88888³8º8Ä8Î8Ø8ä8ï89999/9:9[9s99ª9²9ò9:W:w::¿;Ì;ÿ;<<'<0<;<D<K<Z<a<<Ü<ä<i====þ=>>>b>k>>§>³>»>î>?2?\?e?u?}??????±?º?Ø?Þ?æ? 00(0@0L0T0k0z00ª0Â0æ0î0ô0ú0,1P1n1~111ñ1ü1222$2u2\|2222¤2ª2°2·2Á2h33¯3»3Ã34#4+4O4o44°4É4Ú4ï4ü45Ù5668A8Q8g888²8Ç899929H9`9n9¢9¾9Ê9Þ9è9û9+:X:a:::Ñ:Ø:ú:G;o;·<ß<æ<þ< =T=\=g==¨=ó=>>N>R>X>\>a>h>n>v>>>>Ä>Ï>ì>ö>?%?/?7?=?K?f?{???©?®?³?Õ?é?0 N0W0}00466?6:7C7¡;²;ò;ù;<)<2<><E<Ä< =/=;=B=L=V=m=~===== =¦==±=Ë=Ô=Ý=é=ó=>/>@>J>R>Z>b>j>>¼>Ê>Ï>è>ø> ??&?+?0?7?>?H?_?k?x???£?°?Â?È?â?ê?ò?ú?@0 00:0B0J0R0Z0b0j0r0z00000¢0ª0²0º0Â0Ê0Ò0Ú0â0ê0ò0ú01 111"1121:1B1J1R1Z1b1j1r1z1111§1³1À1Ò1ß1ë1ø1 22#202B2J2R2_2k2x222£2°2Â2Ï2Û2è2ú233 323?3K3X3j3w333¢3¯3»3È3Ú3ç3ó3444$4(4,484<4@4L4P4T4`4d4h4t4x4\|4444¡4n5í9Ê:ò:;<Y<<Ù<Z==ù=>Ô>ï>?¨?ê?P\ 0b0¸0å0]1¹12I22¸23¸3ü3 44À4é45»5ß5ü5~66_8H9®9,;:;A;H;c;o;;;;¦;Ý;<¢<?¼?Ê?`L033Î45¶6ô:(;=;c;Ø;<<Â<ç<ó<û<====:=Z=ì=>A>v>§>Ã>ý>?K??º?p 040R00«0·0Ä0Ö0å011I11²12-2É2_3n34o4Ñ4ß4y5ª5Â5Ö5 6J66¯6ì67U7w7Ö7u88 9_9d9w9°9»9Ò9:.:E:c:z:²:ê:;;e;;;<<¤<==u=¸=.>c>¤>¾>ñ>?Æ?ñ?h030F0X0\0`0d0h0l0p0t0x0\|000000000 0¤0¨0¬0°0´0¸0¼0À0Ä0È0Ì0Ð0Ô0Ø0à0ù011%191M1a11Ë120004080è0ì0ð0ô0ø0ü0111111 1$1(122p0000 base_address: 0x00418000 process_identifier: 2204 process_handle: 0x0000025c	1	1
WriteProcessMemory Oct. 14, 2021, 3:32 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2204 process_handle: 0x0000025c	1	1
WriteProcessMemory Oct. 14, 2021, 3:33 p.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^Bàtä@°@PdÌpCODE,rt `DATAx@ÀBSS¨ \|À.idatadP \|@À.tls`À.rdatap@P.relocÌ@P.rsrc@P°¢@P base_address: 0x00400000 process_identifier: 2900 process_handle: 0x00000270	1	1
WriteProcessMemory Oct. 14, 2021, 3:33 p.m.	buffer: @2À@@@t@ @#@ËÌÈÉ×ÏÈÍÎÛØÚÙÊÜÝÞßàáãäå@ErrorÀRuntime error at 00000000À0123456789ABCDEFÿÿÿÿ=@@´F@ÌN@O@ØY@äY@øY@üY@üY@Z@$Z@LZ@PZ@Z@´Z@àZ@ @øàÀÀÀÿÿÿÿÿÿÿÿÿ @ ,EíÍû¤WÉ<AïË½ïWÝ{JÖçöJÞ>@}ü{ëíêÄþGÌA2ÿNÛõ¥Ð2ªË+^þÇºãWËµáÙnÊXý±.tÛNóÄtîâhîÀ`²òTø5ý@@ base_address: 0x00409000 process_identifier: 2900 process_handle: 0x00000270	1	1
WriteProcessMemory Oct. 14, 2021, 3:33 p.m.	buffer: XRÜPàS4QT@QLTPQT\QÌTpQ UQöVôQÄW(R8XLRfR~RR®RÊRØRèRôRSS&S8SJS\SnS\|SSS²S¾SÐSìSþST.T>TZTjTTTªT¸TÚTìTüTU$U.U@UVUfU~UUU²UÂUÖUìUVV&V4VJVZVlVzVVV¨V¶VÆVÔVèVWWW,W:WFWVWbWvWW WºWÐWÜWêWøWXXX&XDXTXkernel32.dllDeleteCriticalSectionLeaveCriticalSectionEnterCriticalSectionInitializeCriticalSectionVirtualFreeVirtualAllocLocalFreeLocalAllocGetVersionGetCurrentThreadIdGetThreadLocaleGetStartupInfoAGetLocaleInfoAGetCommandLineAFreeLibraryExitProcessWriteFileUnhandledExceptionFilterRtlUnwindRaiseExceptionGetStdHandleuser32.dllGetKeyboardTypeMessageBoxAadvapi32.dllRegQueryValueExARegOpenKeyExARegCloseKeyoleaut32.dllSysFreeStringSysReAllocStringLenkernel32.dllTlsSetValueTlsGetValueLocalAllocGetModuleHandleAadvapi32.dllRegSetValueExARegOpenKeyExARegCloseKeykernel32.dllWriteFileWinExecSetFilePointerSetFileAttributesASetEndOfFileSetCurrentDirectoryAReleaseMutexReadFileGetWindowsDirectoryAGetTempPathAGetShortPathNameAGetModuleFileNameAGetLogicalDriveStringsAGetLocalTimeGetLastErrorGetFileSizeGetFileAttributesAGetDriveTypeAGetCommandLineAFreeLibraryFindNextFileAFindFirstFileAFindCloseDeleteFileACreateMutexACreateFileACreateDirectoryACloseHandlegdi32.dllStretchDIBitsSetDIBitsSelectObjectGetObjectAGetDIBitsDeleteObjectDeleteDCCreateSolidBrushCreateDIBSectionCreateCompatibleDCCreateCompatibleBitmapBitBltuser32.dllReleaseDCGetSysColorGetIconInfoGetDCFillRectDestroyIconCopyImageCharLowerBuffAshell32.dllShellExecuteAExtractIconA base_address: 0x00415000 process_identifier: 2900 process_handle: 0x00000270	1	1
WriteProcessMemory Oct. 14, 2021, 3:33 p.m.	buffer: `A`A@pA base_address: 0x00417000 process_identifier: 2900 process_handle: 0x00000270	1	1
WriteProcessMemory Oct. 14, 2021, 3:33 p.m.	buffer: 0 000"0020:0B0J0R0Z0b0j0r0z0000¾0Æ0Î0Ö0Þ0æ0î0ö0ÿ0 1(111ß2V3¥3ë3þ3t4¸4ù4-595T5ç567r777¥77·7Á7Ë7á7ç7õ7888&8,848F8R8a8m8u88888³8º8Ä8Î8Ø8ä8ï89999/9:9[9s99ª9²9ò9:W:w::¿;Ì;ÿ;<<'<0<;<D<K<Z<a<<Ü<ä<i====þ=>>>b>k>>§>³>»>î>?2?\?e?u?}??????±?º?Ø?Þ?æ? 00(0@0L0T0k0z00ª0Â0æ0î0ô0ú0,1P1n1~111ñ1ü1222$2u2\|2222¤2ª2°2·2Á2h33¯3»3Ã34#4+4O4o44°4É4Ú4ï4ü45Ù5668A8Q8g888²8Ç899929H9`9n9¢9¾9Ê9Þ9è9û9+:X:a:::Ñ:Ø:ú:G;o;·<ß<æ<þ< =T=\=g==¨=ó=>>N>R>X>\>a>h>n>v>>>>Ä>Ï>ì>ö>?%?/?7?=?K?f?{???©?®?³?Õ?é?0 N0W0}00466?6:7C7¡;²;ò;ù;<)<2<><E<Ä< =/=;=B=L=V=m=~===== =¦==±=Ë=Ô=Ý=é=ó=>/>@>J>R>Z>b>j>>¼>Ê>Ï>è>ø> ??&?+?0?7?>?H?_?k?x???£?°?Â?È?â?ê?ò?ú?@0 00:0B0J0R0Z0b0j0r0z00000¢0ª0²0º0Â0Ê0Ò0Ú0â0ê0ò0ú01 111"1121:1B1J1R1Z1b1j1r1z1111§1³1À1Ò1ß1ë1ø1 22#202B2J2R2_2k2x222£2°2Â2Ï2Û2è2ú233 323?3K3X3j3w333¢3¯3»3È3Ú3ç3ó3444$4(4,484<4@4L4P4T4`4d4h4t4x4\|4444¡4n5í9Ê:ò:;<Y<<Ù<Z==ù=>Ô>ï>?¨?ê?P\ 0b0¸0å0]1¹12I22¸23¸3ü3 44À4é45»5ß5ü5~66_8H9®9,;:;A;H;c;o;;;;¦;Ý;<¢<?¼?Ê?`L033Î45¶6ô:(;=;c;Ø;<<Â<ç<ó<û<====:=Z=ì=>A>v>§>Ã>ý>?K??º?p 040R00«0·0Ä0Ö0å011I11²12-2É2_3n34o4Ñ4ß4y5ª5Â5Ö5 6J66¯6ì67U7w7Ö7u88 9_9d9w9°9»9Ò9:.:E:c:z:²:ê:;;e;;;<<¤<==u=¸=.>c>¤>¾>ñ>?Æ?ñ?h030F0X0\0`0d0h0l0p0t0x0\|000000000 0¤0¨0¬0°0´0¸0¼0À0Ä0È0Ì0Ð0Ô0Ø0à0ù011%191M1a11Ë120004080è0ì0ð0ô0ø0ü0111111 1$1(122p0000 base_address: 0x00418000 process_identifier: 2900 process_handle: 0x00000270	1	1
WriteProcessMemory Oct. 14, 2021, 3:33 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2900 process_handle: 0x00000270	1	1

Code injection by writing an executable or DLL to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Oct. 14, 2021, 3:31 p.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^Bàtä@°@PdÌpCODE,rt `DATAx@ÀBSS¨ \|À.idatadP \|@À.tls`À.rdatap@P.relocÌ@P.rsrc@P°¢@P base_address: 0x00400000 process_identifier: 2400 process_handle: 0x00000258	1	1
WriteProcessMemory Oct. 14, 2021, 3:32 p.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^Bàtä@°@PdÌpCODE,rt `DATAx@ÀBSS¨ \|À.idatadP \|@À.tls`À.rdatap@P.relocÌ@P.rsrc@P°¢@P base_address: 0x00400000 process_identifier: 2204 process_handle: 0x0000025c	1	1
WriteProcessMemory Oct. 14, 2021, 3:33 p.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^Bàtä@°@PdÌpCODE,rt `DATAx@ÀBSS¨ \|À.idatadP \|@À.tls`À.rdatap@P.relocÌ@P.rsrc@P°¢@P base_address: 0x00400000 process_identifier: 2900 process_handle: 0x00000270	1	1

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2916 called NtSetContextThread to modify thread in remote process 2400
Process injection	Process 2568 called NtSetContextThread to modify thread in remote process 2204
Process injection	Process 1628 called NtSetContextThread to modify thread in remote process 2900
NtSetContextThread Oct. 14, 2021, 3:31 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4227300 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000025c process_identifier: 2400	1	0	0
NtSetContextThread Oct. 14, 2021, 3:32 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4227300 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000258 process_identifier: 2204	1	0	0
NtSetContextThread Oct. 14, 2021, 3:33 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4227300 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000026c process_identifier: 2900	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2916 resumed a thread in remote process 2400
Process injection	Process 2568 resumed a thread in remote process 2204
Process injection	Process 1628 resumed a thread in remote process 2900
NtResumeThread Oct. 14, 2021, 3:31 p.m.	thread_handle: 0x0000025c suspend_count: 1 process_identifier: 2400	1	0	0
NtResumeThread Oct. 14, 2021, 3:32 p.m.	thread_handle: 0x00000258 suspend_count: 1 process_identifier: 2204	1	0	0
NtResumeThread Oct. 14, 2021, 3:33 p.m.	thread_handle: 0x0000026c suspend_count: 1 process_identifier: 2900	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 61 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Oct. 14, 2021, 3:31 p.m.	thread_identifier: 2248 thread_handle: 0x000002ac process_identifier: 2916 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002b0	1	1
NtResumeThread Oct. 14, 2021, 3:31 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2916	1	0
NtResumeThread Oct. 14, 2021, 3:31 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2916	1	0
NtResumeThread Oct. 14, 2021, 3:31 p.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2916	1	0
CreateProcessInternalW Oct. 14, 2021, 3:31 p.m.	thread_identifier: 2292 thread_handle: 0x0000025c process_identifier: 2400 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000258	1	1
NtGetContextThread Oct. 14, 2021, 3:31 p.m.	thread_handle: 0x0000025c	1	0
NtAllocateVirtualMemory Oct. 14, 2021, 3:31 p.m.	process_identifier: 2400 region_size: 110592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258	1	0
WriteProcessMemory Oct. 14, 2021, 3:31 p.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^Bàtä@°@PdÌpCODE,rt `DATAx@ÀBSS¨ \|À.idatadP \|@À.tls`À.rdatap@P.relocÌ@P.rsrc@P°¢@P base_address: 0x00400000 process_identifier: 2400 process_handle: 0x00000258	1	1
WriteProcessMemory Oct. 14, 2021, 3:31 p.m.	buffer: base_address: 0x00401000 process_identifier: 2400 process_handle: 0x00000258	1	1
WriteProcessMemory Oct. 14, 2021, 3:31 p.m.	buffer: @2À@@@t@ @#@ËÌÈÉ×ÏÈÍÎÛØÚÙÊÜÝÞßàáãäå@ErrorÀRuntime error at 00000000À0123456789ABCDEFÿÿÿÿ=@@´F@ÌN@O@ØY@äY@øY@üY@üY@Z@$Z@LZ@PZ@Z@´Z@àZ@ @øàÀÀÀÿÿÿÿÿÿÿÿÿ @ ,EíÍû¤WÉ<AïË½ïWÝ{JÖçöJÞ>@}ü{ëíêÄþGÌA2ÿNÛõ¥Ð2ªË+^þÇºãWËµáÙnÊXý±.tÛNóÄtîâhîÀ`²òTø5ý@@ base_address: 0x00409000 process_identifier: 2400 process_handle: 0x00000258	1	1
WriteProcessMemory Oct. 14, 2021, 3:31 p.m.	buffer: XRÜPàS4QT@QLTPQT\QÌTpQ UQöVôQÄW(R8XLRfR~RR®RÊRØRèRôRSS&S8SJS\SnS\|SSS²S¾SÐSìSþST.T>TZTjTTTªT¸TÚTìTüTU$U.U@UVUfU~UUU²UÂUÖUìUVV&V4VJVZVlVzVVV¨V¶VÆVÔVèVWWW,W:WFWVWbWvWW WºWÐWÜWêWøWXXX&XDXTXkernel32.dllDeleteCriticalSectionLeaveCriticalSectionEnterCriticalSectionInitializeCriticalSectionVirtualFreeVirtualAllocLocalFreeLocalAllocGetVersionGetCurrentThreadIdGetThreadLocaleGetStartupInfoAGetLocaleInfoAGetCommandLineAFreeLibraryExitProcessWriteFileUnhandledExceptionFilterRtlUnwindRaiseExceptionGetStdHandleuser32.dllGetKeyboardTypeMessageBoxAadvapi32.dllRegQueryValueExARegOpenKeyExARegCloseKeyoleaut32.dllSysFreeStringSysReAllocStringLenkernel32.dllTlsSetValueTlsGetValueLocalAllocGetModuleHandleAadvapi32.dllRegSetValueExARegOpenKeyExARegCloseKeykernel32.dllWriteFileWinExecSetFilePointerSetFileAttributesASetEndOfFileSetCurrentDirectoryAReleaseMutexReadFileGetWindowsDirectoryAGetTempPathAGetShortPathNameAGetModuleFileNameAGetLogicalDriveStringsAGetLocalTimeGetLastErrorGetFileSizeGetFileAttributesAGetDriveTypeAGetCommandLineAFreeLibraryFindNextFileAFindFirstFileAFindCloseDeleteFileACreateMutexACreateFileACreateDirectoryACloseHandlegdi32.dllStretchDIBitsSetDIBitsSelectObjectGetObjectAGetDIBitsDeleteObjectDeleteDCCreateSolidBrushCreateDIBSectionCreateCompatibleDCCreateCompatibleBitmapBitBltuser32.dllReleaseDCGetSysColorGetIconInfoGetDCFillRectDestroyIconCopyImageCharLowerBuffAshell32.dllShellExecuteAExtractIconA base_address: 0x00415000 process_identifier: 2400 process_handle: 0x00000258	1	1
WriteProcessMemory Oct. 14, 2021, 3:31 p.m.	buffer: `A`A@pA base_address: 0x00417000 process_identifier: 2400 process_handle: 0x00000258	1	1
WriteProcessMemory Oct. 14, 2021, 3:31 p.m.	buffer: 0 000"0020:0B0J0R0Z0b0j0r0z0000¾0Æ0Î0Ö0Þ0æ0î0ö0ÿ0 1(111ß2V3¥3ë3þ3t4¸4ù4-595T5ç567r777¥77·7Á7Ë7á7ç7õ7888&8,848F8R8a8m8u88888³8º8Ä8Î8Ø8ä8ï89999/9:9[9s99ª9²9ò9:W:w::¿;Ì;ÿ;<<'<0<;<D<K<Z<a<<Ü<ä<i====þ=>>>b>k>>§>³>»>î>?2?\?e?u?}??????±?º?Ø?Þ?æ? 00(0@0L0T0k0z00ª0Â0æ0î0ô0ú0,1P1n1~111ñ1ü1222$2u2\|2222¤2ª2°2·2Á2h33¯3»3Ã34#4+4O4o44°4É4Ú4ï4ü45Ù5668A8Q8g888²8Ç899929H9`9n9¢9¾9Ê9Þ9è9û9+:X:a:::Ñ:Ø:ú:G;o;·<ß<æ<þ< =T=\=g==¨=ó=>>N>R>X>\>a>h>n>v>>>>Ä>Ï>ì>ö>?%?/?7?=?K?f?{???©?®?³?Õ?é?0 N0W0}00466?6:7C7¡;²;ò;ù;<)<2<><E<Ä< =/=;=B=L=V=m=~===== =¦==±=Ë=Ô=Ý=é=ó=>/>@>J>R>Z>b>j>>¼>Ê>Ï>è>ø> ??&?+?0?7?>?H?_?k?x???£?°?Â?È?â?ê?ò?ú?@0 00:0B0J0R0Z0b0j0r0z00000¢0ª0²0º0Â0Ê0Ò0Ú0â0ê0ò0ú01 111"1121:1B1J1R1Z1b1j1r1z1111§1³1À1Ò1ß1ë1ø1 22#202B2J2R2_2k2x222£2°2Â2Ï2Û2è2ú233 323?3K3X3j3w333¢3¯3»3È3Ú3ç3ó3444$4(4,484<4@4L4P4T4`4d4h4t4x4\|4444¡4n5í9Ê:ò:;<Y<<Ù<Z==ù=>Ô>ï>?¨?ê?P\ 0b0¸0å0]1¹12I22¸23¸3ü3 44À4é45»5ß5ü5~66_8H9®9,;:;A;H;c;o;;;;¦;Ý;<¢<?¼?Ê?`L033Î45¶6ô:(;=;c;Ø;<<Â<ç<ó<û<====:=Z=ì=>A>v>§>Ã>ý>?K??º?p 040R00«0·0Ä0Ö0å011I11²12-2É2_3n34o4Ñ4ß4y5ª5Â5Ö5 6J66¯6ì67U7w7Ö7u88 9_9d9w9°9»9Ò9:.:E:c:z:²:ê:;;e;;;<<¤<==u=¸=.>c>¤>¾>ñ>?Æ?ñ?h030F0X0\0`0d0h0l0p0t0x0\|000000000 0¤0¨0¬0°0´0¸0¼0À0Ä0È0Ì0Ð0Ô0Ø0à0ù011%191M1a11Ë120004080è0ì0ð0ô0ø0ü0111111 1$1(122p0000 base_address: 0x00418000 process_identifier: 2400 process_handle: 0x00000258	1	1
WriteProcessMemory Oct. 14, 2021, 3:31 p.m.	buffer: base_address: 0x00419000 process_identifier: 2400 process_handle: 0x00000258	1	1
WriteProcessMemory Oct. 14, 2021, 3:31 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2400 process_handle: 0x00000258	1	1
NtSetContextThread Oct. 14, 2021, 3:31 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4227300 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000025c process_identifier: 2400	1	0
NtResumeThread Oct. 14, 2021, 3:31 p.m.	thread_handle: 0x0000025c suspend_count: 1 process_identifier: 2400	1	0
CreateProcessInternalW Oct. 14, 2021, 3:32 p.m.	thread_identifier: 1972 thread_handle: 0x000002a8 process_identifier: 528 current_directory: C:\Users\test22\AppData\Local\Temp\3582-490 filepath: C:\Windows\svchost.com track: 1 command_line: "C:\Windows\svchost.com" "C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe" filepath_r: C:\Windows\svchost.com stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002b0	1	1
CreateProcessInternalW Oct. 14, 2021, 3:32 p.m.	thread_identifier: 900 thread_handle: 0x000000a4 process_identifier: 2568 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000000a8	1	1
NtResumeThread Oct. 14, 2021, 3:32 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2568	1	0
NtResumeThread Oct. 14, 2021, 3:32 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2568	1	0
NtResumeThread Oct. 14, 2021, 3:32 p.m.	thread_handle: 0x000001bc suspend_count: 1 process_identifier: 2568	1	0
CreateProcessInternalW Oct. 14, 2021, 3:32 p.m.	thread_identifier: 2484 thread_handle: 0x00000258 process_identifier: 2204 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000025c	1	1
NtGetContextThread Oct. 14, 2021, 3:32 p.m.	thread_handle: 0x00000258	1	0
NtAllocateVirtualMemory Oct. 14, 2021, 3:32 p.m.	process_identifier: 2204 region_size: 110592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000025c	1	0
WriteProcessMemory Oct. 14, 2021, 3:32 p.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^Bàtä@°@PdÌpCODE,rt `DATAx@ÀBSS¨ \|À.idatadP \|@À.tls`À.rdatap@P.relocÌ@P.rsrc@P°¢@P base_address: 0x00400000 process_identifier: 2204 process_handle: 0x0000025c	1	1
WriteProcessMemory Oct. 14, 2021, 3:32 p.m.	buffer: base_address: 0x00401000 process_identifier: 2204 process_handle: 0x0000025c	1	1
WriteProcessMemory Oct. 14, 2021, 3:32 p.m.	buffer: @2À@@@t@ @#@ËÌÈÉ×ÏÈÍÎÛØÚÙÊÜÝÞßàáãäå@ErrorÀRuntime error at 00000000À0123456789ABCDEFÿÿÿÿ=@@´F@ÌN@O@ØY@äY@øY@üY@üY@Z@$Z@LZ@PZ@Z@´Z@àZ@ @øàÀÀÀÿÿÿÿÿÿÿÿÿ @ ,EíÍû¤WÉ<AïË½ïWÝ{JÖçöJÞ>@}ü{ëíêÄþGÌA2ÿNÛõ¥Ð2ªË+^þÇºãWËµáÙnÊXý±.tÛNóÄtîâhîÀ`²òTø5ý@@ base_address: 0x00409000 process_identifier: 2204 process_handle: 0x0000025c	1	1
WriteProcessMemory Oct. 14, 2021, 3:32 p.m.	buffer: XRÜPàS4QT@QLTPQT\QÌTpQ UQöVôQÄW(R8XLRfR~RR®RÊRØRèRôRSS&S8SJS\SnS\|SSS²S¾SÐSìSþST.T>TZTjTTTªT¸TÚTìTüTU$U.U@UVUfU~UUU²UÂUÖUìUVV&V4VJVZVlVzVVV¨V¶VÆVÔVèVWWW,W:WFWVWbWvWW WºWÐWÜWêWøWXXX&XDXTXkernel32.dllDeleteCriticalSectionLeaveCriticalSectionEnterCriticalSectionInitializeCriticalSectionVirtualFreeVirtualAllocLocalFreeLocalAllocGetVersionGetCurrentThreadIdGetThreadLocaleGetStartupInfoAGetLocaleInfoAGetCommandLineAFreeLibraryExitProcessWriteFileUnhandledExceptionFilterRtlUnwindRaiseExceptionGetStdHandleuser32.dllGetKeyboardTypeMessageBoxAadvapi32.dllRegQueryValueExARegOpenKeyExARegCloseKeyoleaut32.dllSysFreeStringSysReAllocStringLenkernel32.dllTlsSetValueTlsGetValueLocalAllocGetModuleHandleAadvapi32.dllRegSetValueExARegOpenKeyExARegCloseKeykernel32.dllWriteFileWinExecSetFilePointerSetFileAttributesASetEndOfFileSetCurrentDirectoryAReleaseMutexReadFileGetWindowsDirectoryAGetTempPathAGetShortPathNameAGetModuleFileNameAGetLogicalDriveStringsAGetLocalTimeGetLastErrorGetFileSizeGetFileAttributesAGetDriveTypeAGetCommandLineAFreeLibraryFindNextFileAFindFirstFileAFindCloseDeleteFileACreateMutexACreateFileACreateDirectoryACloseHandlegdi32.dllStretchDIBitsSetDIBitsSelectObjectGetObjectAGetDIBitsDeleteObjectDeleteDCCreateSolidBrushCreateDIBSectionCreateCompatibleDCCreateCompatibleBitmapBitBltuser32.dllReleaseDCGetSysColorGetIconInfoGetDCFillRectDestroyIconCopyImageCharLowerBuffAshell32.dllShellExecuteAExtractIconA base_address: 0x00415000 process_identifier: 2204 process_handle: 0x0000025c	1	1
WriteProcessMemory Oct. 14, 2021, 3:32 p.m.	buffer: `A`A@pA base_address: 0x00417000 process_identifier: 2204 process_handle: 0x0000025c	1	1
WriteProcessMemory Oct. 14, 2021, 3:32 p.m.	buffer: 0 000"0020:0B0J0R0Z0b0j0r0z0000¾0Æ0Î0Ö0Þ0æ0î0ö0ÿ0 1(111ß2V3¥3ë3þ3t4¸4ù4-595T5ç567r777¥77·7Á7Ë7á7ç7õ7888&8,848F8R8a8m8u88888³8º8Ä8Î8Ø8ä8ï89999/9:9[9s99ª9²9ò9:W:w::¿;Ì;ÿ;<<'<0<;<D<K<Z<a<<Ü<ä<i====þ=>>>b>k>>§>³>»>î>?2?\?e?u?}??????±?º?Ø?Þ?æ? 00(0@0L0T0k0z00ª0Â0æ0î0ô0ú0,1P1n1~111ñ1ü1222$2u2\|2222¤2ª2°2·2Á2h33¯3»3Ã34#4+4O4o44°4É4Ú4ï4ü45Ù5668A8Q8g888²8Ç899929H9`9n9¢9¾9Ê9Þ9è9û9+:X:a:::Ñ:Ø:ú:G;o;·<ß<æ<þ< =T=\=g==¨=ó=>>N>R>X>\>a>h>n>v>>>>Ä>Ï>ì>ö>?%?/?7?=?K?f?{???©?®?³?Õ?é?0 N0W0}00466?6:7C7¡;²;ò;ù;<)<2<><E<Ä< =/=;=B=L=V=m=~===== =¦==±=Ë=Ô=Ý=é=ó=>/>@>J>R>Z>b>j>>¼>Ê>Ï>è>ø> ??&?+?0?7?>?H?_?k?x???£?°?Â?È?â?ê?ò?ú?@0 00:0B0J0R0Z0b0j0r0z00000¢0ª0²0º0Â0Ê0Ò0Ú0â0ê0ò0ú01 111"1121:1B1J1R1Z1b1j1r1z1111§1³1À1Ò1ß1ë1ø1 22#202B2J2R2_2k2x222£2°2Â2Ï2Û2è2ú233 323?3K3X3j3w333¢3¯3»3È3Ú3ç3ó3444$4(4,484<4@4L4P4T4`4d4h4t4x4\|4444¡4n5í9Ê:ò:;<Y<<Ù<Z==ù=>Ô>ï>?¨?ê?P\ 0b0¸0å0]1¹12I22¸23¸3ü3 44À4é45»5ß5ü5~66_8H9®9,;:;A;H;c;o;;;;¦;Ý;<¢<?¼?Ê?`L033Î45¶6ô:(;=;c;Ø;<<Â<ç<ó<û<====:=Z=ì=>A>v>§>Ã>ý>?K??º?p 040R00«0·0Ä0Ö0å011I11²12-2É2_3n34o4Ñ4ß4y5ª5Â5Ö5 6J66¯6ì67U7w7Ö7u88 9_9d9w9°9»9Ò9:.:E:c:z:²:ê:;;e;;;<<¤<==u=¸=.>c>¤>¾>ñ>?Æ?ñ?h030F0X0\0`0d0h0l0p0t0x0\|000000000 0¤0¨0¬0°0´0¸0¼0À0Ä0È0Ì0Ð0Ô0Ø0à0ù011%191M1a11Ë120004080è0ì0ð0ô0ø0ü0111111 1$1(122p0000 base_address: 0x00418000 process_identifier: 2204 process_handle: 0x0000025c	1	1
WriteProcessMemory Oct. 14, 2021, 3:32 p.m.	buffer: base_address: 0x00419000 process_identifier: 2204 process_handle: 0x0000025c	1	1
WriteProcessMemory Oct. 14, 2021, 3:32 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2204 process_handle: 0x0000025c	1	1
NtSetContextThread Oct. 14, 2021, 3:32 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4227300 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000258 process_identifier: 2204	1	0
NtResumeThread Oct. 14, 2021, 3:32 p.m.	thread_handle: 0x00000258 suspend_count: 1 process_identifier: 2204	1	0
CreateProcessInternalW Oct. 14, 2021, 3:32 p.m.	thread_identifier: 1312 thread_handle: 0x000002b0 process_identifier: 2816 current_directory: C:\Users\test22\AppData\Local\Temp\3582-490 filepath: C:\Windows\svchost.com track: 1 command_line: "C:\Windows\svchost.com" "C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe" filepath_r: C:\Windows\svchost.com stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002b8	1	1
CreateProcessInternalW Oct. 14, 2021, 3:32 p.m.	thread_identifier: 2104 thread_handle: 0x000000a4 process_identifier: 1628 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000000a8	1	1
NtResumeThread Oct. 14, 2021, 3:32 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1628	1	0
NtResumeThread Oct. 14, 2021, 3:32 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 1628	1	0
NtResumeThread Oct. 14, 2021, 3:32 p.m.	thread_handle: 0x0000019c suspend_count: 1 process_identifier: 1628	1	0
CreateProcessInternalW Oct. 14, 2021, 3:33 p.m.	thread_identifier: 2860 thread_handle: 0x0000025c process_identifier: 2404 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000258	1	1
NtGetContextThread Oct. 14, 2021, 3:33 p.m.	thread_handle: 0x0000025c	1	0
NtAllocateVirtualMemory Oct. 14, 2021, 3:33 p.m.	process_identifier: 2404 region_size: 110592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258		3221225496
CreateProcessInternalW Oct. 14, 2021, 3:33 p.m.	thread_identifier: 3008 thread_handle: 0x0000026c process_identifier: 2900 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000270	1	1
NtGetContextThread Oct. 14, 2021, 3:33 p.m.	thread_handle: 0x0000026c	1	0
NtAllocateVirtualMemory Oct. 14, 2021, 3:33 p.m.	process_identifier: 2900 region_size: 110592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000270	1	0
WriteProcessMemory Oct. 14, 2021, 3:33 p.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^Bàtä@°@PdÌpCODE,rt `DATAx@ÀBSS¨ \|À.idatadP \|@À.tls`À.rdatap@P.relocÌ@P.rsrc@P°¢@P base_address: 0x00400000 process_identifier: 2900 process_handle: 0x00000270	1	1
WriteProcessMemory Oct. 14, 2021, 3:33 p.m.	buffer: base_address: 0x00401000 process_identifier: 2900 process_handle: 0x00000270	1	1
WriteProcessMemory Oct. 14, 2021, 3:33 p.m.	buffer: @2À@@@t@ @#@ËÌÈÉ×ÏÈÍÎÛØÚÙÊÜÝÞßàáãäå@ErrorÀRuntime error at 00000000À0123456789ABCDEFÿÿÿÿ=@@´F@ÌN@O@ØY@äY@øY@üY@üY@Z@$Z@LZ@PZ@Z@´Z@àZ@ @øàÀÀÀÿÿÿÿÿÿÿÿÿ @ ,EíÍû¤WÉ<AïË½ïWÝ{JÖçöJÞ>@}ü{ëíêÄþGÌA2ÿNÛõ¥Ð2ªË+^þÇºãWËµáÙnÊXý±.tÛNóÄtîâhîÀ`²òTø5ý@@ base_address: 0x00409000 process_identifier: 2900 process_handle: 0x00000270	1	1
WriteProcessMemory Oct. 14, 2021, 3:33 p.m.	buffer: XRÜPàS4QT@QLTPQT\QÌTpQ UQöVôQÄW(R8XLRfR~RR®RÊRØRèRôRSS&S8SJS\SnS\|SSS²S¾SÐSìSþST.T>TZTjTTTªT¸TÚTìTüTU$U.U@UVUfU~UUU²UÂUÖUìUVV&V4VJVZVlVzVVV¨V¶VÆVÔVèVWWW,W:WFWVWbWvWW WºWÐWÜWêWøWXXX&XDXTXkernel32.dllDeleteCriticalSectionLeaveCriticalSectionEnterCriticalSectionInitializeCriticalSectionVirtualFreeVirtualAllocLocalFreeLocalAllocGetVersionGetCurrentThreadIdGetThreadLocaleGetStartupInfoAGetLocaleInfoAGetCommandLineAFreeLibraryExitProcessWriteFileUnhandledExceptionFilterRtlUnwindRaiseExceptionGetStdHandleuser32.dllGetKeyboardTypeMessageBoxAadvapi32.dllRegQueryValueExARegOpenKeyExARegCloseKeyoleaut32.dllSysFreeStringSysReAllocStringLenkernel32.dllTlsSetValueTlsGetValueLocalAllocGetModuleHandleAadvapi32.dllRegSetValueExARegOpenKeyExARegCloseKeykernel32.dllWriteFileWinExecSetFilePointerSetFileAttributesASetEndOfFileSetCurrentDirectoryAReleaseMutexReadFileGetWindowsDirectoryAGetTempPathAGetShortPathNameAGetModuleFileNameAGetLogicalDriveStringsAGetLocalTimeGetLastErrorGetFileSizeGetFileAttributesAGetDriveTypeAGetCommandLineAFreeLibraryFindNextFileAFindFirstFileAFindCloseDeleteFileACreateMutexACreateFileACreateDirectoryACloseHandlegdi32.dllStretchDIBitsSetDIBitsSelectObjectGetObjectAGetDIBitsDeleteObjectDeleteDCCreateSolidBrushCreateDIBSectionCreateCompatibleDCCreateCompatibleBitmapBitBltuser32.dllReleaseDCGetSysColorGetIconInfoGetDCFillRectDestroyIconCopyImageCharLowerBuffAshell32.dllShellExecuteAExtractIconA base_address: 0x00415000 process_identifier: 2900 process_handle: 0x00000270	1	1

File has been identified by 59 AntiVirus engines on VirusTotal as malicious (50 out of 59 events)

Bkav	W32.NeshtaB.PE
Lionic	Virus.Win32.Neshta.tn9H
Elastic	malicious (high confidence)
MicroWorld-eScan	Win32.Neshta.A
FireEye	Generic.mg.3fc196a38075b300
CAT-QuickHeal	W32.Neshta.C8
ALYac	Win32.Neshta.A
Cylance	Unsafe
Zillya	Virus.Neshta.Win32.1
Sangfor	Virus.Win32.Neshta.a
CrowdStrike	win/malicious_confidence_100% (D)
K7GW	Virus ( 00556e571 )
K7AntiVirus	Virus ( 00556e571 )
Baidu	Win32.Virus.Neshta.a
Cyren	W32/Neshta.OBIX-2981
ESET-NOD32	Win32/Neshta.A
APEX	Malicious
ClamAV	Win.Trojan.Neshuta-1
Kaspersky	Virus.Win32.Neshta.a
BitDefender	Win32.Neshta.A
NANO-Antivirus	Trojan.Win32.Winlock.fmobyw
Avast	Win32:Apanas [Trj]
Tencent	Virus.Win32.Neshta.a
Ad-Aware	Win32.Neshta.A
TACHYON	Virus/W32.Neshta
Sophos	ML/PE-A + W32/Neshta-D
Comodo	Win32.Neshta.A@3ypg
DrWeb	Win32.HLLP.Neshta
VIPRE	Virus.Win32.Neshta.a (v)
TrendMicro	PE_NESHTA.A
McAfee-GW-Edition	BehavesLike.Win32.HLLP.jc
Emsisoft	Win32.Neshta.A (B)
Ikarus	Virus.Win32.Neshta
Jiangmin	Virus.Neshta.a
Avira	W32/Neshta.A
Antiy-AVL	Trojan/Generic.ASVirus.20D
Microsoft	Virus:Win32/Neshta.A
Gridinsoft	Virus.Win32.Neshta.ka!s8
Arcabit	Win32.Neshta.A
ViRobot	Win32.Neshta.Gen.A
GData	Win32.Virus.Neshta.D
Cynet	Malicious (score: 100)
AhnLab-V3	Win32/Neshta
Acronis	suspicious
McAfee	W32/HLLP.41472.e
MAX	malware (ai score=83)
VBA32	Virus.Win32.Neshta.a
Malwarebytes	Virus.Neshta
Zoner	Virus.Win32.19514
TrendMicro-HouseCall	PE_NESHTA.A

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All