Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 24, 2022, 9:27 a.m.	May 24, 2022, 9:40 a.m.

Size	1.2MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`bfd832768c77c60e6cea6237509db468`
SHA256	`9ea26ea3cf4034580c0c02f1ce4627887fd5a68e069a2c4189c8f253b5919842`
CRC32	`55C10881`
ssdeep	`24576:N1ddtWB/FGxNHhZtlS3rsowzsqqJ/3WqDA2Qnd8Q50ol:NfdtS/MxNHhZ3QsF6GqQJ`
Yara	IsPE32 - (no description) Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
2332
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\wtuQSfgzp.exe"
  2696
- schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wtuQSfgzp" /XML "C:\Users\test22\AppData\Local\Temp\tmp3B10.tmp"
  2748
- vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
  2836

Name	Response	Post-Analysis Lookup
geoplugin.net	A 178.237.33.50	178.237.33.50
salesumishcn.ddns.net	A 31.42.186.188	31.42.186.188

IP Address	Status	Action
164.124.101.2	Active	Moloch
178.237.33.50	Active	Moloch
31.42.186.188	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:60117 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.103:49167 31.42.186.188:9854	None	None	None

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 24, 2022, 9:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 24, 2022, 9:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 24, 2022, 9:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 24, 2022, 9:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 24, 2022, 9:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 24, 2022, 9:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 24, 2022, 9:27 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 24, 2022, 9:26 a.m.			0	0
IsDebuggerPresent May 24, 2022, 9:26 a.m.			0	0
IsDebuggerPresent May 24, 2022, 9:27 a.m.			0	0
IsDebuggerPresent May 24, 2022, 9:27 a.m.			0	0

Command line console output was observed (18 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 24, 2022, 9:27 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW May 24, 2022, 9:27 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW May 24, 2022, 9:27 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW May 24, 2022, 9:27 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW May 24, 2022, 9:27 a.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Roaming\wtuQSfg console_handle: 0x00000053	1	1
WriteConsoleW May 24, 2022, 9:27 a.m.	buffer: zp.exe console_handle: 0x0000005f	1	1
WriteConsoleW May 24, 2022, 9:27 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW May 24, 2022, 9:27 a.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW May 24, 2022, 9:27 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW May 24, 2022, 9:27 a.m.	buffer: SUCCESS: The scheduled task "Updates\wtuQSfgzp" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleA May 24, 2022, 9:27 a.m.	buffer: -------------------------- * Remcos v3.5.1 Pro * BreakingSecurity.net -------------------------- console_handle: 0x0000000f	1	1
WriteConsoleA May 24, 2022, 9:27 a.m.	buffer: 14:27:15:515 i \| Remcos Agent initialized console_handle: 0x0000000f	1	1
WriteConsoleA May 24, 2022, 9:27 a.m.	buffer: 14:27:15:515 i \| Offline Keylogger Started console_handle: 0x0000000f	1	1
WriteConsoleA May 24, 2022, 9:27 a.m.	buffer: 14:27:15:515 i \| Access Level: Administrator console_handle: 0x0000000f	1	1
WriteConsoleA May 24, 2022, 9:27 a.m.	buffer: 14:27:15:515 i \| Connecting \| TLS On \| salesumishcn.ddns.net:9854 console_handle: 0x0000000f	1	1
WriteConsoleA May 24, 2022, 9:27 a.m.	buffer: 14:27:16:046 i \| TLS Handshake... \| salesumishcn.ddns.net:9854 console_handle: 0x0000000f	1	1
WriteConsoleA May 24, 2022, 9:27 a.m.	buffer: 14:27:17:250 i \| Connected \| TLS On \| salesumishcn.ddns.net:9854 console_handle: 0x0000000f	1	1
WriteConsoleA May 24, 2022, 9:27 a.m.	buffer: 14:27:18:531 i \| Connection KeepAlive \| Enabled \| Timeout: 60 console_handle: 0x0000000f	1	1

Uses Windows APIs to generate a cryptographic key (49 events)

Time & API	Arguments	Status	Return
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00475e80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00475f40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00475f40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6490 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6910 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6910 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6910 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6b90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6b90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6b90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6b90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6b90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6b90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6910 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6910 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6910 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6a90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6a90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6a90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6ad0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6a90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6a90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6a90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6a90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6a90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6a90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6a90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6c10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6c10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6c10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6c10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6c10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6c10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6c10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6c10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6c10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6c10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6c10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6c10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6c10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6c10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6cd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6cd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6cd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6cd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6cd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6cd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6cd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6cd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 24, 2022, 9:26 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://geoplugin.net/json.gp

Connects to a Dynamic DNS Domain (1 event)

domain

salesumishcn.ddns.net

Performs some HTTP requests (1 event)

request

GET http://geoplugin.net/json.gp

Allocates read-write-execute memory (usually to unpack itself) (50 out of 178 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 24, 2022, 9:26 a.m.	process_identifier: 2332 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:26 a.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 9:26 a.m.	process_identifier: 2332 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73941000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 9:26 a.m.	process_identifier: 2332 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73942000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:26 a.m.	process_identifier: 2332 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f50000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:26 a.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02070000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:26 a.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:26 a.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:26 a.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:26 a.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:26 a.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0070c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:26 a.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02040000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:26 a.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:26 a.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:26 a.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:26 a.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0070a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:26 a.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:26 a.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02041000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:26 a.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02042000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:27 a.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:27 a.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02043000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:27 a.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02044000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:27 a.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02045000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:27 a.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0070d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:27 a.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0070e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:27 a.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0070f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:27 a.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:27 a.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02046000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:27 a.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02047000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:27 a.m.	process_identifier: 2332 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02048000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:27 a.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0204e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:27 a.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0204f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:27 a.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bff000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:27 a.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:27 a.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:27 a.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:27 a.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:27 a.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c03000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:27 a.m.	process_identifier: 2332 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c04000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:27 a.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c0a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:27 a.m.	process_identifier: 2332 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c0b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:27 a.m.	process_identifier: 2696 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:27 a.m.	process_identifier: 2696 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 9:27 a.m.	process_identifier: 2696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e961000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:27 a.m.	process_identifier: 2696 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0207a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 9:27 a.m.	process_identifier: 2696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e962000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:27 a.m.	process_identifier: 2696 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02072000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:27 a.m.	process_identifier: 2696 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:27 a.m.	process_identifier: 2696 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 9:27 a.m.	process_identifier: 2696 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

vbc.exe tried to sleep 258 seconds, actually delayed analysis time by 258 seconds

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (4 events)

cmdline	schtasks.exe /Create /TN "Updates\wtuQSfgzp" /XML "C:\Users\test22\AppData\Local\Temp\tmp3B10.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wtuQSfgzp" /XML "C:\Users\test22\AppData\Local\Temp\tmp3B10.tmp"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\wtuQSfgzp.exe"
cmdline	powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\wtuQSfgzp.exe"

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 24, 2022, 9:27 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\wtuQSfgzp.exe" filepath: powershell	1	1	0
ShellExecuteExW May 24, 2022, 9:27 a.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\wtuQSfgzp" /XML "C:\Users\test22\AppData\Local\Temp\tmp3B10.tmp" filepath: schtasks.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00128600', u'virtual_address': u'0x00002000', u'entropy': 7.932479455585438, u'name': u'.text', u'virtual_size': u'0x00128454'}

entropy

7.93247945559

description

A section with a high entropy has been found

entropy

0.967755102041

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 24, 2022, 9:27 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW May 24, 2022, 9:27 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (22 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Run a KeyLogger	rule	KeyLogger
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	browser info stealer	rule	infoStealer_browser_Zero
description	File Downloader	rule	Network_Downloader
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	schtasks.exe /Create /TN "Updates\wtuQSfgzp" /XML "C:\Users\test22\AppData\Local\Temp\tmp3B10.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wtuQSfgzp" /XML "C:\Users\test22\AppData\Local\Temp\tmp3B10.tmp"

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 24, 2022, 9:27 a.m.	process_identifier: 2836 region_size: 503808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002c0	1	0	0

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\tmp3B10.tmp

Potential code injection by writing to the memory of another process (5 events)

Time & API	Arguments	Status	Return
WriteProcessMemory May 24, 2022, 9:27 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ýð2w\$\$\$- $\$- ¯$?\$- ®$\$éØ$\$1$\$¢Ï_%\$¢ÏY%£\$¢ÏX%»\$éÏ$\$]$µ\$ÏU%Æ\$Ï£$\$Ï^%\$Rich\$PEL+¼bà0=@@°8ð Kp8ð{8\|(\|@@°.text½.0 `.rdatap@r4@@.data¼?À¦@À.tls ´@À.gfids0¶@@.rsrcK Lº@@.reloc8p:@B base_address: 0x00400000 process_identifier: 2836 process_handle: 0x000002c0	1	1
WriteProcessMemory May 24, 2022, 9:27 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ lEpEjE..pÁFLÖFLÖFLÖFLÖFLÖFLÖFLÖFLÖFLÖFtÁFPÖFPÖFPÖFPÖFPÖFPÖFPÖFxÁFÿÿÿÿpEÂFÂFÂFÂFÂFxÁFðEpE¸EØÁFpÇFCPSTPDT ÂFàÂFÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZpÇFþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨3ðqFãAüqF!ArF¨AtFE.?AVtype_info@@tFE.?AVbad_alloc@std@@tFE.?AVbad_array_new_length@std@@tFE.?AVlogic_error@std@@tFE.?AVlength_error@std@@tFE.?AVout_of_range@std@@tFE.?AV_Facet_base@std@@tFE.?AV_Locimp@locale@std@@tFE.?AVfacet@locale@std@@tFE.?AU_Crt_new_delete@std@@tFE.?AVcodecvt_base@std@@tFE.?AUctype_base@std@@tFE.?AV?$ctype@D@std@@tFE.?AV?$codecvt@DDU_Mbstatet@@@std@@tFE.?AVbad_exception@std@@tFE.HtFE.?AVfailure@ios_base@std@@tFE.?AVruntime_error@std@@tFE.?AVsystem_error@std@@tFE.?AVbad_cast@std@@tFE.?AV_System_error@std@@tFE.?AVexception@std@@ base_address: 0x0046c000 process_identifier: 2836 process_handle: 0x000002c0	1	1
WriteProcessMemory May 24, 2022, 9:27 a.m.	buffer: base_address: 0x00470000 process_identifier: 2836 process_handle: 0x000002c0	1	1
WriteProcessMemory May 24, 2022, 9:27 a.m.	buffer: eüJüg>¿Ùg>'g>Ig>{° a·`C^CÏ¸¾¸_g>g>MãLáOÍÇqÃ{ß{ß@AþC¦~Á£ýÔç×4ÞàÜÆM) % b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x00471000 process_identifier: 2836 process_handle: 0x000002c0	1	1
WriteProcessMemory May 24, 2022, 9:27 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2836 process_handle: 0x000002c0	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory May 24, 2022, 9:27 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ýð2w\$\$\$- $\$- ¯$?\$- ®$\$éØ$\$1$\$¢Ï_%\$¢ÏY%£\$¢ÏX%»\$éÏ$\$]$µ\$ÏU%Æ\$Ï£$\$Ï^%\$Rich\$PEL+¼bà0=@@°8ð Kp8ð{8\|(\|@@°.text½.0 `.rdatap@r4@@.data¼?À¦@À.tls ´@À.gfids0¶@@.rsrcK Lº@@.reloc8p:@B base_address: 0x00400000 process_identifier: 2836 process_handle: 0x000002c0	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA May 24, 2022, 9:27 a.m.	thread_identifier: 0 callback_function: 0x00408a5e hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	66041	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2332 called NtSetContextThread to modify thread in remote process 2836
NtSetContextThread May 24, 2022, 9:27 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4395837 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002b4 process_identifier: 2836	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2332 resumed a thread in remote process 2836
NtResumeThread May 24, 2022, 9:27 a.m.	thread_handle: 0x000002b4 suspend_count: 1 process_identifier: 2836	1	0	0

File has been identified by 20 AntiVirus engines on VirusTotal as malicious (20 events)

Bkav	W32.AIDetectNet.01
Elastic	malicious (high confidence)
FireEye	Generic.mg.bfd832768c77c60e
McAfee	Artemis!BFD832768C77
Sangfor	Trojan.Win32.Agent.aa
Symantec	Scr.Malcode!gdn30
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
McAfee-GW-Edition	BehavesLike.Win32.Trojan.tc
SentinelOne	Static AI - Suspicious PE
Sophos	Mal/Generic-S
APEX	Malicious
Avira	HEUR/AGEN.1221702
Microsoft	Trojan:Win32/AgentTesla!ml
Cynet	Malicious (score: 100)
Malwarebytes	MachineLearning/Anomalous.100%
MaxSecure	Trojan.Malware.300983.susgen
AVG	PWSX-gen [Trj]
Avast	PWSX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (W)

Executed a process and injected code into it, probably while unpacking (26 events)

Time & API	Arguments	Status	Return
NtResumeThread May 24, 2022, 9:26 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2332	1	0
NtResumeThread May 24, 2022, 9:26 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2332	1	0
NtResumeThread May 24, 2022, 9:26 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2332	1	0
NtResumeThread May 24, 2022, 9:27 a.m.	thread_handle: 0x00000254 suspend_count: 1 process_identifier: 2332	1	0
CreateProcessInternalW May 24, 2022, 9:27 a.m.	thread_identifier: 2700 thread_handle: 0x000003bc process_identifier: 2696 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\wtuQSfgzp.exe" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003c4	1	1
CreateProcessInternalW May 24, 2022, 9:27 a.m.	thread_identifier: 2752 thread_handle: 0x0000037c process_identifier: 2748 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wtuQSfgzp" /XML "C:\Users\test22\AppData\Local\Temp\tmp3B10.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003c4	1	1
NtResumeThread May 24, 2022, 9:27 a.m.	thread_handle: 0x000003e0 suspend_count: 1 process_identifier: 2332	1	0
CreateProcessInternalW May 24, 2022, 9:27 a.m.	thread_identifier: 2840 thread_handle: 0x000002b4 process_identifier: 2836 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\vbc.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002c0	1	1
NtGetContextThread May 24, 2022, 9:27 a.m.	thread_handle: 0x000002b4	1	0
NtAllocateVirtualMemory May 24, 2022, 9:27 a.m.	process_identifier: 2836 region_size: 503808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002c0	1	0
WriteProcessMemory May 24, 2022, 9:27 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ýð2w\$\$\$- $\$- ¯$?\$- ®$\$éØ$\$1$\$¢Ï_%\$¢ÏY%£\$¢ÏX%»\$éÏ$\$]$µ\$ÏU%Æ\$Ï£$\$Ï^%\$Rich\$PEL+¼bà0=@@°8ð Kp8ð{8\|(\|@@°.text½.0 `.rdatap@r4@@.data¼?À¦@À.tls ´@À.gfids0¶@@.rsrcK Lº@@.reloc8p:@B base_address: 0x00400000 process_identifier: 2836 process_handle: 0x000002c0	1	1
WriteProcessMemory May 24, 2022, 9:27 a.m.	buffer: base_address: 0x00401000 process_identifier: 2836 process_handle: 0x000002c0	1	1
WriteProcessMemory May 24, 2022, 9:27 a.m.	buffer: base_address: 0x00454000 process_identifier: 2836 process_handle: 0x000002c0	1	1
WriteProcessMemory May 24, 2022, 9:27 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ lEpEjE..pÁFLÖFLÖFLÖFLÖFLÖFLÖFLÖFLÖFLÖFtÁFPÖFPÖFPÖFPÖFPÖFPÖFPÖFxÁFÿÿÿÿpEÂFÂFÂFÂFÂFxÁFðEpE¸EØÁFpÇFCPSTPDT ÂFàÂFÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZpÇFþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨3ðqFãAüqF!ArF¨AtFE.?AVtype_info@@tFE.?AVbad_alloc@std@@tFE.?AVbad_array_new_length@std@@tFE.?AVlogic_error@std@@tFE.?AVlength_error@std@@tFE.?AVout_of_range@std@@tFE.?AV_Facet_base@std@@tFE.?AV_Locimp@locale@std@@tFE.?AVfacet@locale@std@@tFE.?AU_Crt_new_delete@std@@tFE.?AVcodecvt_base@std@@tFE.?AUctype_base@std@@tFE.?AV?$ctype@D@std@@tFE.?AV?$codecvt@DDU_Mbstatet@@@std@@tFE.?AVbad_exception@std@@tFE.HtFE.?AVfailure@ios_base@std@@tFE.?AVruntime_error@std@@tFE.?AVsystem_error@std@@tFE.?AVbad_cast@std@@tFE.?AV_System_error@std@@tFE.?AVexception@std@@ base_address: 0x0046c000 process_identifier: 2836 process_handle: 0x000002c0	1	1
WriteProcessMemory May 24, 2022, 9:27 a.m.	buffer: base_address: 0x00470000 process_identifier: 2836 process_handle: 0x000002c0	1	1
WriteProcessMemory May 24, 2022, 9:27 a.m.	buffer: eüJüg>¿Ùg>'g>Ig>{° a·`C^CÏ¸¾¸_g>g>MãLáOÍÇqÃ{ß{ß@AþC¦~Á£ýÔç×4ÞàÜÆM) % b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x00471000 process_identifier: 2836 process_handle: 0x000002c0	1	1
WriteProcessMemory May 24, 2022, 9:27 a.m.	buffer: base_address: 0x00472000 process_identifier: 2836 process_handle: 0x000002c0	1	1
WriteProcessMemory May 24, 2022, 9:27 a.m.	buffer: base_address: 0x00477000 process_identifier: 2836 process_handle: 0x000002c0	1	1
WriteProcessMemory May 24, 2022, 9:27 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2836 process_handle: 0x000002c0	1	1
NtSetContextThread May 24, 2022, 9:27 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4395837 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002b4 process_identifier: 2836	1	0
NtResumeThread May 24, 2022, 9:27 a.m.	thread_handle: 0x000002b4 suspend_count: 1 process_identifier: 2836	1	0
NtResumeThread May 24, 2022, 9:27 a.m.	thread_handle: 0x000003e8 suspend_count: 1 process_identifier: 2332	1	0
NtResumeThread May 24, 2022, 9:27 a.m.	thread_handle: 0x00000298 suspend_count: 1 process_identifier: 2696	1	0
NtResumeThread May 24, 2022, 9:27 a.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 2696	1	0
NtResumeThread May 24, 2022, 9:27 a.m.	thread_handle: 0x00000438 suspend_count: 1 process_identifier: 2696	1	0
NtResumeThread May 24, 2022, 9:27 a.m.	thread_handle: 0x00000498 suspend_count: 1 process_identifier: 2696	1	0

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All