Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 19, 2022, 9:39 a.m.	Nov. 19, 2022, 9:49 a.m.

Size	2.4MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`e2de5b66b334794c444f3957b2b22d3c`
SHA256	`139d0b13776f8fea46db2d77f0391b480cf290abcca453aacd2e003e7a618787`
CRC32	`3A1FE3DA`
ssdeep	`49152:dvBRQgqEulcHXpJGtr6YzOAsNK10BfJXA:dBRQG3p4BdyAsw0BfK`
Yara	IsPE32 - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
1948
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA1AA==
  2168
- vbc.exe C:\Users\test22\AppData\Local\Temp\vbc.exe
  2944

Name	Response	Post-Analysis Lookup
aryexpcrt.ddns.net	A 68.235.48.108	68.235.48.108

IP Address	Status	Action
164.124.101.2	Active	Moloch
68.235.48.108	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic
UDP 192.168.56.103:50800 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 19, 2022, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 19, 2022, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 19, 2022, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 19, 2022, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 19, 2022, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 19, 2022, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 19, 2022, 9:40 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 19, 2022, 9:39 a.m.			0	0
IsDebuggerPresent Nov. 19, 2022, 9:39 a.m.			0	0
IsDebuggerPresent Nov. 19, 2022, 9:40 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (40 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00497188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00497888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00497888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00497888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00496f48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00496f48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00496f48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00496f48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00496f48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00496f48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00497888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00497888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00497888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00497588 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00497588 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00497588 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004979c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00497588 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00497588 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00497588 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00497588 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00497588 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00497588 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00497588 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00497a88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00497a88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00497a88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00497a88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00497a88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00497a88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00497a88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00497a88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00497a88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00497a88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00497a88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00497a88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00497a88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00497a88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00497b08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 19, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00497b08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 19, 2022, 9:39 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Connects to a Dynamic DNS Domain (1 event)

domain

aryexpcrt.ddns.net

Allocates read-write-execute memory (usually to unpack itself) (50 out of 277 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00920000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02310000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00502000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00575000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00577000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0051c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00880000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0050a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00567000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0051a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0051d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0051e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0050c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0051f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00970000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00971000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00972000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00973000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00974000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00975000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00976000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00977000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00978000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00979000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0097a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0097b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0097c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0097d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0097e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0097f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a91000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a92000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a93000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a94000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a95000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a96000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a97000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a98000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a99000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a9a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a9b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a9c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a9d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

vbc.exe tried to sleep 268 seconds, actually delayed analysis time by 268 seconds

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	Powershell -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA1AA==
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA1AA==

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Nov. 19, 2022, 9:40 a.m.	show_type: 0 filepath_r: Powershell parameters: -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA1AA== filepath: Powershell	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00246e00', u'virtual_address': u'0x00002000', u'entropy': 7.066669329154246, u'name': u'.text', u'virtual_size': u'0x00246cc0'}

entropy

7.06666932915

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00013600', u'virtual_address': u'0x0024a000', u'entropy': 7.635956844590419, u'name': u'.rsrc', u'virtual_size': u'0x000135a8'}

entropy

7.63595684459

description

A section with a high entropy has been found

entropy

0.999792488068

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 19, 2022, 9:39 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Nov. 19, 2022, 9:40 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (21 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Run a KeyLogger	rule	KeyLogger
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	browser info stealer	rule	infoStealer_browser_Zero
description	File Downloader	rule	Network_Downloader
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Terminates another process (8 events)

Time & API	Arguments	Status
NtTerminateProcess Nov. 19, 2022, 9:40 a.m.	status_code: 0xffffffff process_identifier: 2800 process_handle: 0x0000038c
NtTerminateProcess Nov. 19, 2022, 9:40 a.m.	status_code: 0xffffffff process_identifier: 2800 process_handle: 0x0000038c	1
NtTerminateProcess Nov. 19, 2022, 9:40 a.m.	status_code: 0xffffffff process_identifier: 2836 process_handle: 0x00000394
NtTerminateProcess Nov. 19, 2022, 9:40 a.m.	status_code: 0xffffffff process_identifier: 2836 process_handle: 0x00000394	1
NtTerminateProcess Nov. 19, 2022, 9:40 a.m.	status_code: 0xffffffff process_identifier: 2872 process_handle: 0x0000039c
NtTerminateProcess Nov. 19, 2022, 9:40 a.m.	status_code: 0xffffffff process_identifier: 2872 process_handle: 0x0000039c	1
NtTerminateProcess Nov. 19, 2022, 9:40 a.m.	status_code: 0xffffffff process_identifier: 2908 process_handle: 0x000003a4
NtTerminateProcess Nov. 19, 2022, 9:40 a.m.	status_code: 0xffffffff process_identifier: 2908 process_handle: 0x000003a4	1

Allocates execute permission to another process indicative of possible code injection (5 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Nov. 19, 2022, 9:40 a.m.	process_identifier: 2800 region_size: 520192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000380		3221225496
NtAllocateVirtualMemory Nov. 19, 2022, 9:40 a.m.	process_identifier: 2836 region_size: 520192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000388		3221225496
NtAllocateVirtualMemory Nov. 19, 2022, 9:40 a.m.	process_identifier: 2872 region_size: 520192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000390		3221225496
NtAllocateVirtualMemory Nov. 19, 2022, 9:40 a.m.	process_identifier: 2908 region_size: 520192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000398		3221225496
NtAllocateVirtualMemory Nov. 19, 2022, 9:40 a.m.	process_identifier: 2944 region_size: 520192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003a0	1	0

Manipulates memory of a non-child process indicative of process injection (8 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 1948 manipulating memory of non-child process 2800
Process injection	Process 1948 manipulating memory of non-child process 2836
Process injection	Process 1948 manipulating memory of non-child process 2872
Process injection	Process 1948 manipulating memory of non-child process 2908
NtAllocateVirtualMemory Nov. 19, 2022, 9:40 a.m.	process_identifier: 2800 region_size: 520192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000380	3221225496	0
NtAllocateVirtualMemory Nov. 19, 2022, 9:40 a.m.	process_identifier: 2836 region_size: 520192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000388	3221225496	0
NtAllocateVirtualMemory Nov. 19, 2022, 9:40 a.m.	process_identifier: 2872 region_size: 520192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000390	3221225496	0
NtAllocateVirtualMemory Nov. 19, 2022, 9:40 a.m.	process_identifier: 2908 region_size: 520192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000398	3221225496	0

Potential code injection by writing to the memory of another process (5 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Nov. 19, 2022, 9:40 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $B®¿±ÏÑâÏÑâÏÑâ²S âÏÑâ²S"â¡ÏÑâ²S#âÏÑâ·UâÏÑâoâÏÑâ«ÒãÏÑâ«Ôã<ÏÑâ«Õã$ÏÑâ·BâÏÑâÏÐâ)ÎÑâ³ØãgÏÑâ³.âÏÑâ³ÓãÏÑâRichÏÑâPELï5ucàF.)`@ð»ð`$K°´9À8T ø@`¸.textÛDF `.rdatat`vJ@@.data,\àÀ@À.tls @Î@À.gfids0PÐ@@.rsrc$K`LÔ@@.reloc´9°: @B base_address: 0x00400000 process_identifier: 2944 process_handle: 0x000003a0	1	1
WriteProcessMemory Nov. 19, 2022, 9:40 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ \|¥E¨Ez¥E..páFLöFLöFLöFLöFLöFLöFLöFLöFLöFtáFPöFPöFPöFPöFPöFPöFPöFxáFÿÿÿÿ¨EâFâFâFâFâFxáF«E¬EÈºEØáFpçFCPSTPDT âFàâFÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZpçFþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨3XF¯4AdFU7ApFt4AfE.?AVtype_info@@fE.?AVbad_alloc@std@@fE.?AVbad_array_new_length@std@@fE.?AVlogic_error@std@@fE.?AVlength_error@std@@fE.?AVout_of_range@std@@fE.?AV_Facet_base@std@@fE.?AV_Locimp@locale@std@@fE.?AVfacet@locale@std@@fE.?AU_Crt_new_delete@std@@fE.?AVcodecvt_base@std@@fE.?AUctype_base@std@@fE.?AV?$ctype@D@std@@fE.?AV?$codecvt@DDU_Mbstatet@@@std@@fE.?AVbad_exception@std@@fE.HfE.?AVfailure@ios_base@std@@fE.?AVruntime_error@std@@fE.?AVsystem_error@std@@fE.?AVbad_cast@std@@fE.?AV_System_error@std@@fE.?AVexception@std@@ base_address: 0x0046e000 process_identifier: 2944 process_handle: 0x000003a0	1	1
WriteProcessMemory Nov. 19, 2022, 9:40 a.m.	buffer: base_address: 0x00474000 process_identifier: 2944 process_handle: 0x000003a0	1	1
WriteProcessMemory Nov. 19, 2022, 9:40 a.m.	buffer: F+>¿Ù>'>ÉÃ>zÆw7w ZÞYÎÎ½Î_//>>dccáNãÝpÙ4¥ï¥ïÀW~Z¦ª~«Aºüêæí3ôöòFd©¤6; b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x00475000 process_identifier: 2944 process_handle: 0x000003a0	1	1
WriteProcessMemory Nov. 19, 2022, 9:40 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2944 process_handle: 0x000003a0	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 19, 2022, 9:40 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $B®¿±ÏÑâÏÑâÏÑâ²S âÏÑâ²S"â¡ÏÑâ²S#âÏÑâ·UâÏÑâoâÏÑâ«ÒãÏÑâ«Ôã<ÏÑâ«Õã$ÏÑâ·BâÏÑâÏÐâ)ÎÑâ³ØãgÏÑâ³.âÏÑâ³ÓãÏÑâRichÏÑâPELï5ucàF.)`@ð»ð`$K°´9À8T ø@`¸.textÛDF `.rdatat`vJ@@.data,\àÀ@À.tls @Î@À.gfids0PÐ@@.rsrc$K`LÔ@@.reloc´9°: @B base_address: 0x00400000 process_identifier: 2944 process_handle: 0x000003a0	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA Nov. 19, 2022, 9:40 a.m.	thread_identifier: 0 callback_function: 0x0040932c hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	131543	0

File has been identified by 18 AntiVirus engines on VirusTotal as malicious (18 events)

Bkav	W32.AIDetectNet.01
FireEye	Generic.mg.e2de5b66b334794c
Sangfor	Suspicious.Win32.Save.a
BitDefenderTheta	Gen:NN.ZemsilF.34796.wo0@aifCLtk
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
APEX	Malicious
Kaspersky	UDS:Trojan.MSIL.Injuke.gen
Sophos	Generic ML PUA (PUA)
SentinelOne	Static AI - Malicious PE
Microsoft	Backdoor:Win32/Remcos.GA!MTB
GData	MSIL.Trojan.PSE.18CGK5P
Acronis	suspicious
Malwarebytes	MachineLearning/Anomalous.94%
Rising	Trojan.Generic/MSIL@AI.98 (RDM.MSIL:ID2IZcC+tie3YFYC6rJdwQ)
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Agent.NLO!tr.dldr
CrowdStrike	win/malicious_confidence_100% (D)

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1948 called NtSetContextThread to modify thread in remote process 2944
NtSetContextThread Nov. 19, 2022, 9:40 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4401454 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003a4 process_identifier: 2944	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1948 resumed a thread in remote process 2944
NtResumeThread Nov. 19, 2022, 9:40 a.m.	thread_handle: 0x000003a4 suspend_count: 1 process_identifier: 2944	1	0	0

Executed a process and injected code into it, probably while unpacking (34 events)

Time & API	Arguments	Status	Return
NtResumeThread Nov. 19, 2022, 9:39 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1948	1	0
NtResumeThread Nov. 19, 2022, 9:39 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 1948	1	0
NtResumeThread Nov. 19, 2022, 9:39 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 1948	1	0
CreateProcessInternalW Nov. 19, 2022, 9:40 a.m.	thread_identifier: 2172 thread_handle: 0x00000374 process_identifier: 2168 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA1AA== filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000037c	1	1
CreateProcessInternalW Nov. 19, 2022, 9:40 a.m.	thread_identifier: 2804 thread_handle: 0x00000384 process_identifier: 2800 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\vbc.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000380	1	1
NtGetContextThread Nov. 19, 2022, 9:40 a.m.	thread_handle: 0x00000384	1	0
NtAllocateVirtualMemory Nov. 19, 2022, 9:40 a.m.	process_identifier: 2800 region_size: 520192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000380		3221225496
CreateProcessInternalW Nov. 19, 2022, 9:40 a.m.	thread_identifier: 2840 thread_handle: 0x0000038c process_identifier: 2836 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\vbc.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000388	1	1
NtGetContextThread Nov. 19, 2022, 9:40 a.m.	thread_handle: 0x0000038c	1	0
NtAllocateVirtualMemory Nov. 19, 2022, 9:40 a.m.	process_identifier: 2836 region_size: 520192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000388		3221225496
CreateProcessInternalW Nov. 19, 2022, 9:40 a.m.	thread_identifier: 2876 thread_handle: 0x00000394 process_identifier: 2872 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\vbc.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000390	1	1
NtGetContextThread Nov. 19, 2022, 9:40 a.m.	thread_handle: 0x00000394	1	0
NtAllocateVirtualMemory Nov. 19, 2022, 9:40 a.m.	process_identifier: 2872 region_size: 520192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000390		3221225496
CreateProcessInternalW Nov. 19, 2022, 9:40 a.m.	thread_identifier: 2912 thread_handle: 0x0000039c process_identifier: 2908 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\vbc.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000398	1	1
NtGetContextThread Nov. 19, 2022, 9:40 a.m.	thread_handle: 0x0000039c	1	0
NtAllocateVirtualMemory Nov. 19, 2022, 9:40 a.m.	process_identifier: 2908 region_size: 520192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000398		3221225496
CreateProcessInternalW Nov. 19, 2022, 9:40 a.m.	thread_identifier: 2948 thread_handle: 0x000003a4 process_identifier: 2944 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\vbc.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003a0	1	1
NtGetContextThread Nov. 19, 2022, 9:40 a.m.	thread_handle: 0x000003a4	1	0
NtAllocateVirtualMemory Nov. 19, 2022, 9:40 a.m.	process_identifier: 2944 region_size: 520192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003a0	1	0
WriteProcessMemory Nov. 19, 2022, 9:40 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $B®¿±ÏÑâÏÑâÏÑâ²S âÏÑâ²S"â¡ÏÑâ²S#âÏÑâ·UâÏÑâoâÏÑâ«ÒãÏÑâ«Ôã<ÏÑâ«Õã$ÏÑâ·BâÏÑâÏÐâ)ÎÑâ³ØãgÏÑâ³.âÏÑâ³ÓãÏÑâRichÏÑâPELï5ucàF.)`@ð»ð`$K°´9À8T ø@`¸.textÛDF `.rdatat`vJ@@.data,\àÀ@À.tls @Î@À.gfids0PÐ@@.rsrc$K`LÔ@@.reloc´9°: @B base_address: 0x00400000 process_identifier: 2944 process_handle: 0x000003a0	1	1
WriteProcessMemory Nov. 19, 2022, 9:40 a.m.	buffer: base_address: 0x00401000 process_identifier: 2944 process_handle: 0x000003a0	1	1
WriteProcessMemory Nov. 19, 2022, 9:40 a.m.	buffer: base_address: 0x00456000 process_identifier: 2944 process_handle: 0x000003a0	1	1
WriteProcessMemory Nov. 19, 2022, 9:40 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ \|¥E¨Ez¥E..páFLöFLöFLöFLöFLöFLöFLöFLöFLöFtáFPöFPöFPöFPöFPöFPöFPöFxáFÿÿÿÿ¨EâFâFâFâFâFxáF«E¬EÈºEØáFpçFCPSTPDT âFàâFÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZpçFþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨3XF¯4AdFU7ApFt4AfE.?AVtype_info@@fE.?AVbad_alloc@std@@fE.?AVbad_array_new_length@std@@fE.?AVlogic_error@std@@fE.?AVlength_error@std@@fE.?AVout_of_range@std@@fE.?AV_Facet_base@std@@fE.?AV_Locimp@locale@std@@fE.?AVfacet@locale@std@@fE.?AU_Crt_new_delete@std@@fE.?AVcodecvt_base@std@@fE.?AUctype_base@std@@fE.?AV?$ctype@D@std@@fE.?AV?$codecvt@DDU_Mbstatet@@@std@@fE.?AVbad_exception@std@@fE.HfE.?AVfailure@ios_base@std@@fE.?AVruntime_error@std@@fE.?AVsystem_error@std@@fE.?AVbad_cast@std@@fE.?AV_System_error@std@@fE.?AVexception@std@@ base_address: 0x0046e000 process_identifier: 2944 process_handle: 0x000003a0	1	1
WriteProcessMemory Nov. 19, 2022, 9:40 a.m.	buffer: base_address: 0x00474000 process_identifier: 2944 process_handle: 0x000003a0	1	1
WriteProcessMemory Nov. 19, 2022, 9:40 a.m.	buffer: F+>¿Ù>'>ÉÃ>zÆw7w ZÞYÎÎ½Î_//>>dccáNãÝpÙ4¥ï¥ïÀW~Z¦ª~«Aºüêæí3ôöòFd©¤6; b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x00475000 process_identifier: 2944 process_handle: 0x000003a0	1	1
WriteProcessMemory Nov. 19, 2022, 9:40 a.m.	buffer: base_address: 0x00476000 process_identifier: 2944 process_handle: 0x000003a0	1	1
WriteProcessMemory Nov. 19, 2022, 9:40 a.m.	buffer: base_address: 0x0047b000 process_identifier: 2944 process_handle: 0x000003a0	1	1
WriteProcessMemory Nov. 19, 2022, 9:40 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2944 process_handle: 0x000003a0	1	1
NtSetContextThread Nov. 19, 2022, 9:40 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4401454 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003a4 process_identifier: 2944	1	0
NtResumeThread Nov. 19, 2022, 9:40 a.m.	thread_handle: 0x000003a4 suspend_count: 1 process_identifier: 2944	1	0
NtResumeThread Nov. 19, 2022, 9:40 a.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 2168	1	0
NtResumeThread Nov. 19, 2022, 9:40 a.m.	thread_handle: 0x000002fc suspend_count: 1 process_identifier: 2168	1	0
NtResumeThread Nov. 19, 2022, 9:40 a.m.	thread_handle: 0x00000448 suspend_count: 1 process_identifier: 2168	1	0
NtResumeThread Nov. 19, 2022, 9:40 a.m.	thread_handle: 0x00000490 suspend_count: 1 process_identifier: 2168	1	0

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (33 events)

dead_host	192.168.56.103:49193
dead_host	192.168.56.103:49181
dead_host	192.168.56.103:49190
dead_host	192.168.56.103:49177
dead_host	192.168.56.103:49186
dead_host	192.168.56.103:49174
dead_host	68.235.48.108:4982
dead_host	192.168.56.103:49198
dead_host	192.168.56.103:49170
dead_host	192.168.56.103:49191
dead_host	192.168.56.103:49194
dead_host	192.168.56.103:49182
dead_host	192.168.56.103:49187
dead_host	192.168.56.103:49175
dead_host	192.168.56.103:49178
dead_host	192.168.56.103:49199
dead_host	192.168.56.103:49171
dead_host	192.168.56.103:49188
dead_host	192.168.56.103:49195
dead_host	192.168.56.103:49183
dead_host	192.168.56.103:49184
dead_host	192.168.56.103:49172
dead_host	192.168.56.103:49179
dead_host	192.168.56.103:49196
dead_host	192.168.56.103:49168
dead_host	192.168.56.103:49189
dead_host	192.168.56.103:49192
dead_host	192.168.56.103:49180
dead_host	192.168.56.103:49185
dead_host	192.168.56.103:49173
dead_host	192.168.56.103:49176
dead_host	192.168.56.103:49197
dead_host	192.168.56.103:49169

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All