popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

vbc.exe

AgentTesla Generic Malware info stealer browser Chrome Downloader Antivirus Google User Data ScreenShot Create Service KeyLogger Internet API Socket Escalate priviledges DNS Sniff Audio AntiDebug .NET EXE PE File AntiVM PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Nov. 23, 2022, 8:15 p.m. Nov. 23, 2022, 8:18 p.m.
Size 2.2MB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 a9f72304e7fb7043e916fd2aa9634e34
SHA256 e4000ff8a5d786fc3a14a541317115e941add5f6e534f6caead17f18654379f9
CRC32 F0BE0180
ssdeep 24576:M98Q/3Fu1f4qz2Ny8whgPSW/2u0WL9bZp7/14+DbHjc4m9WsPUrM5Vi9RzMpaWb7:Muo1Afnz2Ny3hgKJ3S9bn7NRhXkaswk
Yara
  • IsPE32 - (no description)
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • Is_DotNET_EXE - (no description)
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
aryexpcrt.ddns.net
A 68.235.48.108
68.235.48.108
geoplugin.net
A 178.237.33.50
178.237.33.50
IP Address Status Action
164.124.101.2 Active Moloch
178.237.33.50 Active Moloch
68.235.48.108 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49166 -> 68.235.48.108:4982 2036594 ET JA3 Hash - Remcos 3.x TLS Connection Malware Command and Control Activity Detected
TCP 192.168.56.101:49183 -> 68.235.48.108:4982 2036594 ET JA3 Hash - Remcos 3.x TLS Connection Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 68.235.48.108:4982 2036594 ET JA3 Hash - Remcos 3.x TLS Connection Malware Command and Control Activity Detected
UDP 192.168.56.101:59002 -> 164.124.101.2:53 2028675 ET POLICY DNS Query to DynDNS Domain *.ddns .net Potentially Bad Traffic

Suricata TLS

Flow Issuer Subject Fingerprint
TLS 1.3
192.168.56.101:49166
68.235.48.108:4982 		None None None
TLS 1.3
192.168.56.101:49183
68.235.48.108:4982 		None None None
TLS 1.3
192.168.56.101:49167
68.235.48.108:4982 		None None None

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00446de8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00447368
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00447368
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00447368
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00447568
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00447568
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00447568
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00447568
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00447568
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00447568
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00446da8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00446da8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00446da8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00447368
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00447368
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00447368
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004469a8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00447368
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00447368
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00447368
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00447368
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00447368
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00447368
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00447368
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004476e8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004476e8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004476e8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004476e8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004476e8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004476e8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004476e8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004476e8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004476e8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004476e8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004476e8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004476e8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004476e8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004476e8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00447628
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00447628
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
file C:\Program Files (x86)\Mozilla Firefox\nss3.dll
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x72951194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x72822ba1
0x54f7ec
0x54d2b6
0x54c108
0x54c071
0x54bf85
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x727c9df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x727c9e2f
CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x727c9efd
CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x727c9fa2
DllGetClassObjectInternal+0x8bed4 CorDllMainForThunk-0x627 clr+0x150f4d @ 0x728f0f4d
DllRegisterServerInternal+0x98c9 CoUninitializeEE-0x3b6f clr+0x1bcd5 @ 0x727bbcd5
DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x727a2ae9
0x54ba7c
0x54b99d
0x548ec3
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72821838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72821737
mscorlib+0x2d3711 @ 0x71ab3711
mscorlib+0x308f2d @ 0x71ae8f2d
0x5401e1
0x540096
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7415f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 2286040
registers.edi: 0
registers.eax: 2286040
registers.ebp: 2286120
registers.edx: 0
registers.ebx: 7597976
registers.esi: 7179456
registers.ecx: 3594242577
1 0 0
suspicious_features GET method with no useragent header suspicious_request GET http://geoplugin.net/json.gp
domain aryexpcrt.ddns.net
request GET http://geoplugin.net/json.gp
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 2162688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007b0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00980000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x727a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x727a2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 2162688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b50000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00d20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003b2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003cc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00540000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003f5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003fb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003f7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003cd000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003ce000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003bc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003cf000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00670000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00671000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00672000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00673000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00674000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00675000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00676000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00677000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00678000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00679000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0067a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0067b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0067c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0067d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0067e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0067f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b70000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b71000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b72000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b73000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b74000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b75000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b76000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b77000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b78000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b79000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b7a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b7b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b7c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b7d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b7e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003d6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003ba000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003da000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
description vbc.exe tried to sleep 254 seconds, actually delayed analysis time by 254 seconds
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceW

 number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

 number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

 number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

 number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

 number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

 number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

 number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

 number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

 number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-wal
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data-wal
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Login Data
file C:\Users\test22\AppData\Roaming\Opera\Opera\wand.dat
file C:\Users\test22\AppData\Roaming\Opera\Opera7\profile\wand.dat
file C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline Powershell -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA1AA==
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA1AA==
Time & API Arguments Status Return Repeated

ShellExecuteExW

 show_type: 0
filepath_r: Powershell
parameters: -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA1AA==
filepath: Powershell
1 1 0
Time & API Arguments Status Return Repeated

Process32NextW

 snapshot_handle: 0x00000130
process_name: pw.exe
process_identifier: 2332
1 1 0

Process32NextW

 snapshot_handle: 0x00000130
process_name: taskhost.exe
process_identifier: 2380
1 1 0

Process32NextW

 snapshot_handle: 0x00000130
process_name: vbc.exe
process_identifier: 2952
1 1 0

Process32NextW

 snapshot_handle: 0x00000130
process_name: vbc.exe
process_identifier: 2064
1 1 0

Process32NextW

 snapshot_handle: 0x00000130
process_name: vbc.exe
process_identifier: 2584
1 1 0

Process32NextW

 snapshot_handle: 0x00000130
process_name: vbc.exe
process_identifier: 1520
1 1 0

Process32NextW

 snapshot_handle: 0x00000130
process_name: svchost.exe
process_identifier: 1316
1 1 0

Process32NextW

 snapshot_handle: 0x00000130
process_name: vbc.exe
process_identifier: 2184
1 1 0

Process32NextW

 snapshot_handle: 0x00000130
process_name: vbc.exe
process_identifier: 2444
1 1 0

Process32NextW

 snapshot_handle: 0x00000130
process_name: vbc.exe
process_identifier: 2628
1 1 0
section {u'size_of_data': u'0x0022dc00', u'virtual_address': u'0x00002000', u'entropy': 7.280182603244811, u'name': u'.text', u'virtual_size': u'0x0022da34'} entropy 7.28018260324 description A section with a high entropy has been found
entropy 0.998433654061 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
description Take ScreenShot rule ScreenShot
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Take ScreenShot rule ScreenShot
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Take ScreenShot rule ScreenShot
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Take ScreenShot rule ScreenShot
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Take ScreenShot rule ScreenShot
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Take ScreenShot rule ScreenShot
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
Time & API Arguments Status Return Repeated

RegOpenKeyExA

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian
2 0

RegOpenKeyExA

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian
2 0

RegOpenKeyExA

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian
2 0
Time & API Arguments Status Return Repeated

NtTerminateProcess

 status_code: 0x00000000
process_identifier: 2112
process_handle: 0x000002d0
0 0

NtTerminateProcess

 status_code: 0x00000000
process_identifier: 2112
process_handle: 0x000002d0
1 0 0

NtTerminateProcess

 status_code: 0x00000000
process_identifier: 2796
process_handle: 0x00000320
0 0

NtTerminateProcess

 status_code: 0x00000000
process_identifier: 2796
process_handle: 0x00000320
1 0 0

NtTerminateProcess

 status_code: 0x00000000
process_identifier: 1304
process_handle: 0x00000338
0 0

NtTerminateProcess

 status_code: 0x00000000
process_identifier: 1304
process_handle: 0x00000338
1 0 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2952
region_size: 520192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000220
1 0 0
file C:\Users\test22\AppData\Roaming\Digsby\digsby.dat
file C:\Users\test22\AppData\Roaming\MySpace\IM\users.txt
registry HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords
registry HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
registry HKEY_CURRENT_USER\Software\Paltalk
Process injection Process 2952 manipulating memory of non-child process 2112
Process injection Process 2952 manipulating memory of non-child process 2796
Process injection Process 2952 manipulating memory of non-child process 1304
Time & API Arguments Status Return Repeated

NtUnmapViewOfSection

 base_address: 0x00400000
region_size: 446464
process_identifier: 2112
process_handle: 0x000002d0
3221225497 0

NtMapViewOfSection

 section_handle: 0x00000334
process_identifier: 2112
commit_size: 0
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
base_address: 0x00400000
allocation_type: 0 ()
section_offset: 0
view_size: 491520
process_handle: 0x000002d0
3221225496 0

NtUnmapViewOfSection

 base_address: 0x00400000
region_size: 118784
process_identifier: 2796
process_handle: 0x00000320
3221225497 0

NtMapViewOfSection

 section_handle: 0x00000350
process_identifier: 2796
commit_size: 0
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
base_address: 0x00400000
allocation_type: 0 ()
section_offset: 0
view_size: 147456
process_handle: 0x00000320
3221225496 0

NtUnmapViewOfSection

 base_address: 0x00400000
region_size: 118784
process_identifier: 1304
process_handle: 0x00000338
3221225497 0

NtMapViewOfSection

 section_handle: 0x00000358
process_identifier: 1304
commit_size: 0
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
base_address: 0x00400000
allocation_type: 0 ()
section_offset: 0
view_size: 147456
process_handle: 0x00000338
3221225496 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $B®¿±ÏÑâÏÑâÏÑâ²S âÏÑâ²S"â¡ÏÑâ²S#âÏÑâ·UâÏÑâ˜oâÏÑ⫑ÒãÏÑ⫑Ôã<ÏÑ⫑Õã$ÏÑâ·BâÏÑâÏÐâ)ÎÑⳑØãgÏÑⳑ.âÏÑⳑÓãÏÑâRichÏÑâPELï5ucà F.)`@ð€»ð`xK°´9ÀŸ8T øŸ@`¸.textÛDF `.rdataœt`vJ@@.data,\àÀ@À.tls @Î@À.gfids0PÐ@@.rsrcxK`LÔ@@.reloc´9°: @B
base_address: 0x00400000
process_identifier: 2952
process_handle: 0x00000220
1 1 0

WriteProcessMemory

 buffer: €ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ “    |¥E€¨Ez¥E..páFLöFLöFLöFLöFLöFLöFLöFLöFLöFtáFPöFPöFPöFPöFPöFPöFPöFxáFÿÿÿÿ€¨E˜âF˜âF˜âF˜âF˜âFxáF«E€¬EȺEØáFpçFCPSTPDT âFàâFÿÿÿÿÿÿÿÿÿÿÿÿ€ ¤`‚y‚!¦ß¡¥Ÿàü@~€ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZpçFþÿÿÿþÿÿÿu˜0Ï!­tåša¾Œe¸‘¢z»Œ^ž âȨ3œX“F¯4Ad“FU7Ap“Ft4A„fE.?AVtype_info@@„fE.?AVbad_alloc@std@@„fE.?AVbad_array_new_length@std@@„fE.?AVlogic_error@std@@„fE.?AVlength_error@std@@„fE.?AVout_of_range@std@@„fE.?AV_Facet_base@std@@„fE.?AV_Locimp@locale@std@@„fE.?AVfacet@locale@std@@„fE.?AU_Crt_new_delete@std@@„fE.?AVcodecvt_base@std@@„fE.?AUctype_base@std@@„fE.?AV?$ctype@D@std@@„fE.?AV?$codecvt@DDU_Mbstatet@@@std@@„fE.?AVbad_exception@std@@„fE.H„fE.?AVfailure@ios_base@std@@„fE.?AVruntime_error@std@@„fE.?AVsystem_error@std@@„fE.?AVbad_cast@std@@„fE.?AV_System_error@std@@„fE.?AVexception@std@@
base_address: 0x0046e000
process_identifier: 2952
process_handle: 0x00000220
1 1 0

WriteProcessMemory

 buffer: €
base_address: 0x00474000
process_identifier: 2952
process_handle: 0x00000220
1 1 0

WriteProcessMemory

 buffer: F+‡>¿Ù‡>'‡>ÉÇ>zƍw7w ZÞYÎνÎ_//‡>‡>dccá­Nã•ÝpÙ4¥ï¥ïÀW~Z¦ª~«Aºüêæí3ôƒöòFd©¤”6ƒ; b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` Ÿž†…¢†…§µ¶³´±²¯°†…¸ Ÿ†… Y
base_address: 0x00475000
process_identifier: 2952
process_handle: 0x00000220
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2952
process_handle: 0x00000220
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2064
process_handle: 0x00000320
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2232
process_handle: 0x00000320
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2328
process_handle: 0x00000320
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2584
process_handle: 0x00000320
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2388
process_handle: 0x00000320
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 1520
process_handle: 0x00000354
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2184
process_handle: 0x0000018c
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2444
process_handle: 0x0000018c
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2628
process_handle: 0x0000018c
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $B®¿±ÏÑâÏÑâÏÑâ²S âÏÑâ²S"â¡ÏÑâ²S#âÏÑâ·UâÏÑâ˜oâÏÑ⫑ÒãÏÑ⫑Ôã<ÏÑ⫑Õã$ÏÑâ·BâÏÑâÏÐâ)ÎÑⳑØãgÏÑⳑ.âÏÑⳑÓãÏÑâRichÏÑâPELï5ucà F.)`@ð€»ð`xK°´9ÀŸ8T øŸ@`¸.textÛDF `.rdataœt`vJ@@.data,\àÀ@À.tls @Î@À.gfids0PÐ@@.rsrcxK`LÔ@@.reloc´9°: @B
base_address: 0x00400000
process_identifier: 2952
process_handle: 0x00000220
1 1 0
Time & API Arguments Status Return Repeated

SetWindowsHookExA

 thread_identifier: 0
callback_function: 0x0040932c
hook_identifier: 13 (WH_KEYBOARD_LL)
module_address: 0x00400000
1 393649 0
registry HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
registry HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
registry HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
registry HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird
registry HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Process injection Process 2552 called NtSetContextThread to modify thread in remote process 2952
Process injection Process 2952 called NtSetContextThread to modify thread in remote process 2064
Process injection Process 2952 called NtSetContextThread to modify thread in remote process 2232
Process injection Process 2952 called NtSetContextThread to modify thread in remote process 2328
Process injection Process 2952 called NtSetContextThread to modify thread in remote process 2584
Process injection Process 2952 called NtSetContextThread to modify thread in remote process 2388
Process injection Process 2952 called NtSetContextThread to modify thread in remote process 1520
Process injection Process 2952 called NtSetContextThread to modify thread in remote process 2184
Process injection Process 2952 called NtSetContextThread to modify thread in remote process 2444
Process injection Process 2952 called NtSetContextThread to modify thread in remote process 2628
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4401454
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000224
process_identifier: 2952
1 0 0

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 3865460
registers.edi: 0
registers.eax: 4678260
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000334
process_identifier: 2064
1 0 0

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 3472160
registers.edi: 0
registers.eax: 4543032
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000334
process_identifier: 2232
1 0 0

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 3276204
registers.edi: 0
registers.eax: 4334086
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000334
process_identifier: 2328
1 0 0

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 3013352
registers.edi: 0
registers.eax: 4678260
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000334
process_identifier: 2584
1 0 0

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 3341556
registers.edi: 0
registers.eax: 4543032
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000334
process_identifier: 2388
1 0 0

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 1964276
registers.edi: 0
registers.eax: 4334086
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000358
process_identifier: 1520
1 0 0

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 3407740
registers.edi: 0
registers.eax: 4678260
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000001f0
process_identifier: 2184
1 0 0

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 2881984
registers.edi: 0
registers.eax: 4543032
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000001f0
process_identifier: 2444
1 0 0

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 3801020
registers.edi: 0
registers.eax: 4334086
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000001f0
process_identifier: 2628
1 0 0
Process injection Process 2552 resumed a thread in remote process 2952
Process injection Process 2952 resumed a thread in remote process 2064
Process injection Process 2952 resumed a thread in remote process 2232
Process injection Process 2952 resumed a thread in remote process 2328
Process injection Process 2952 resumed a thread in remote process 2584
Process injection Process 2952 resumed a thread in remote process 2388
Process injection Process 2952 resumed a thread in remote process 1520
Process injection Process 2952 resumed a thread in remote process 2184
Process injection Process 2952 resumed a thread in remote process 2444
Process injection Process 2952 resumed a thread in remote process 2628
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x00000224
suspend_count: 1
process_identifier: 2952
1 0 0

NtResumeThread

 thread_handle: 0x00000334
suspend_count: 1
process_identifier: 2064
1 0 0

NtResumeThread

 thread_handle: 0x00000334
suspend_count: 1
process_identifier: 2232
1 0 0

NtResumeThread

 thread_handle: 0x00000334
suspend_count: 1
process_identifier: 2328
1 0 0

NtResumeThread

 thread_handle: 0x00000334
suspend_count: 1
process_identifier: 2584
1 0 0

NtResumeThread

 thread_handle: 0x00000334
suspend_count: 1
process_identifier: 2388
1 0 0

NtResumeThread

 thread_handle: 0x00000358
suspend_count: 1
process_identifier: 1520
1 0 0

NtResumeThread

 thread_handle: 0x000001f0
suspend_count: 1
process_identifier: 2184
1 0 0

NtResumeThread

 thread_handle: 0x000001f0
suspend_count: 1
process_identifier: 2444
1 0 0

NtResumeThread

 thread_handle: 0x000001f0
suspend_count: 1
process_identifier: 2628
1 0 0
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
Bkav W32.AIDetectNet.01
FireEye Generic.mg.a9f72304e7fb7043
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 Win32/Rescoms.B
Cynet Malicious (score: 100)
APEX Malicious
Kaspersky HEUR:Trojan.MSIL.Injuke.gen
Avast Win32:RATX-gen [Trj]
F-Secure Heuristic.HEUR/AGEN.1231966
Sophos Mal/Generic-S
Avira HEUR/AGEN.1231966
Microsoft Trojan:Script/Phonzy.C!ml
ZoneAlarm HEUR:Trojan.MSIL.Injuke.gen
GData Win32.Backdoor.Remcos.8SKO2P
Acronis suspicious
BitDefenderTheta Gen:NN.ZemsilF.34796.lo0@a4uIK6e
MAX malware (ai score=85)
Malwarebytes Trojan.MCrypt.MSIL.Generic
SentinelOne Static AI - Malicious PE
Fortinet MSIL/Agent.NNY!tr.dldr
AVG Win32:RATX-gen [Trj]
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 2552
1 0 0

NtResumeThread

 thread_handle: 0x0000014c
suspend_count: 1
process_identifier: 2552
1 0 0

NtResumeThread

 thread_handle: 0x00000188
suspend_count: 1
process_identifier: 2552
1 0 0

NtResumeThread

 thread_handle: 0x0000020c
suspend_count: 1
process_identifier: 2552
1 0 0

NtGetContextThread

 thread_handle: 0x000000e0
1 0 0

NtGetContextThread

 thread_handle: 0x000000e0
1 0 0

NtGetContextThread

 thread_handle: 0x000000e0
1 0 0

NtSetContextThread

 registers.eip: 1921133444
registers.esp: 2286248
registers.edi: 37981224
registers.eax: 8
registers.ebp: 2286332
registers.edx: 2043513994
registers.ebx: -302377165
registers.esi: 293465133
registers.ecx: 1854505095
thread_handle: 0x000000e0
process_identifier: 2552
1 0 0

NtResumeThread

 thread_handle: 0x000000e0
suspend_count: 1
process_identifier: 2552
1 0 0

NtResumeThread

 thread_handle: 0x00000228
suspend_count: 1
process_identifier: 2552
1 0 0

CreateProcessInternalW

 thread_identifier: 2692
thread_handle: 0x00000388
process_identifier: 2688
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA1AA==
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000390
1 1 0

CreateProcessInternalW

 thread_identifier: 2956
thread_handle: 0x00000224
process_identifier: 2952
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\vbc.exe
filepath_r:
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000220
1 1 0

NtGetContextThread

 thread_handle: 0x00000224
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2952
region_size: 520192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000220
1 0 0

WriteProcessMemory

 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $B®¿±ÏÑâÏÑâÏÑâ²S âÏÑâ²S"â¡ÏÑâ²S#âÏÑâ·UâÏÑâ˜oâÏÑ⫑ÒãÏÑ⫑Ôã<ÏÑ⫑Õã$ÏÑâ·BâÏÑâÏÐâ)ÎÑⳑØãgÏÑⳑ.âÏÑⳑÓãÏÑâRichÏÑâPELï5ucà F.)`@ð€»ð`xK°´9ÀŸ8T øŸ@`¸.textÛDF `.rdataœt`vJ@@.data,\àÀ@À.tls @Î@À.gfids0PÐ@@.rsrcxK`LÔ@@.reloc´9°: @B
base_address: 0x00400000
process_identifier: 2952
process_handle: 0x00000220
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00401000
process_identifier: 2952
process_handle: 0x00000220
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00456000
process_identifier: 2952
process_handle: 0x00000220
1 1 0

WriteProcessMemory

 buffer: €ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ “    |¥E€¨Ez¥E..páFLöFLöFLöFLöFLöFLöFLöFLöFLöFtáFPöFPöFPöFPöFPöFPöFPöFxáFÿÿÿÿ€¨E˜âF˜âF˜âF˜âF˜âFxáF«E€¬EȺEØáFpçFCPSTPDT âFàâFÿÿÿÿÿÿÿÿÿÿÿÿ€ ¤`‚y‚!¦ß¡¥Ÿàü@~€ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZpçFþÿÿÿþÿÿÿu˜0Ï!­tåša¾Œe¸‘¢z»Œ^ž âȨ3œX“F¯4Ad“FU7Ap“Ft4A„fE.?AVtype_info@@„fE.?AVbad_alloc@std@@„fE.?AVbad_array_new_length@std@@„fE.?AVlogic_error@std@@„fE.?AVlength_error@std@@„fE.?AVout_of_range@std@@„fE.?AV_Facet_base@std@@„fE.?AV_Locimp@locale@std@@„fE.?AVfacet@locale@std@@„fE.?AU_Crt_new_delete@std@@„fE.?AVcodecvt_base@std@@„fE.?AUctype_base@std@@„fE.?AV?$ctype@D@std@@„fE.?AV?$codecvt@DDU_Mbstatet@@@std@@„fE.?AVbad_exception@std@@„fE.H„fE.?AVfailure@ios_base@std@@„fE.?AVruntime_error@std@@„fE.?AVsystem_error@std@@„fE.?AVbad_cast@std@@„fE.?AV_System_error@std@@„fE.?AVexception@std@@
base_address: 0x0046e000
process_identifier: 2952
process_handle: 0x00000220
1 1 0

WriteProcessMemory

 buffer: €
base_address: 0x00474000
process_identifier: 2952
process_handle: 0x00000220
1 1 0

WriteProcessMemory

 buffer: F+‡>¿Ù‡>'‡>ÉÇ>zƍw7w ZÞYÎνÎ_//‡>‡>dccá­Nã•ÝpÙ4¥ï¥ïÀW~Z¦ª~«Aºüêæí3ôƒöòFd©¤”6ƒ; b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` Ÿž†…¢†…§µ¶³´±²¯°†…¸ Ÿ†… Y
base_address: 0x00475000
process_identifier: 2952
process_handle: 0x00000220
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00476000
process_identifier: 2952
process_handle: 0x00000220
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x0047b000
process_identifier: 2952
process_handle: 0x00000220
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2952
process_handle: 0x00000220
1 1 0

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4401454
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000224
process_identifier: 2952
1 0 0

NtResumeThread

 thread_handle: 0x00000224
suspend_count: 1
process_identifier: 2952
1 0 0

NtResumeThread

 thread_handle: 0x00000294
suspend_count: 1
process_identifier: 2688
1 0 0

NtResumeThread

 thread_handle: 0x000002e8
suspend_count: 1
process_identifier: 2688
1 0 0

NtResumeThread

 thread_handle: 0x00000444
suspend_count: 1
process_identifier: 2688
1 0 0

NtResumeThread

 thread_handle: 0x0000048c
suspend_count: 1
process_identifier: 2688
1 0 0

CreateProcessInternalW

 thread_identifier: 2116
thread_handle: 0x000001a8
process_identifier: 2112
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\vbc.exe /stext "C:\Users\test22\AppData\Local\Temp\oesyfckkqtfpejlszoylwfnia"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000002d0
1 1 0

NtGetContextThread

 thread_handle: 0x000001a8
1 0 0

NtUnmapViewOfSection

 base_address: 0x00400000
region_size: 446464
process_identifier: 2112
process_handle: 0x000002d0
3221225497 0

NtMapViewOfSection

 section_handle: 0x00000334
process_identifier: 2112
commit_size: 0
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
base_address: 0x00400000
allocation_type: 0 ()
section_offset: 0
view_size: 491520
process_handle: 0x000002d0
3221225496 0

CreateProcessInternalW

 thread_identifier: 2068
thread_handle: 0x00000334
process_identifier: 2064
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\vbc.exe /stext "C:\Users\test22\AppData\Local\Temp\oesyfckkqtfpejlszoylwfnia"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000320
1 1 0

NtGetContextThread

 thread_handle: 0x00000334
1 0 0

NtUnmapViewOfSection

 base_address: 0x00400000
region_size: 10223616
process_identifier: 2064
process_handle: 0x00000320
3221225497 0

NtMapViewOfSection

 section_handle: 0x0000033c
process_identifier: 2064
commit_size: 0
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
base_address: 0x00400000
allocation_type: 0 ()
section_offset: 0
view_size: 491520
process_handle: 0x00000320
1 0 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2064
process_handle: 0x00000320
1 1 0

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 3865460
registers.edi: 0
registers.eax: 4678260
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000334
process_identifier: 2064
1 0 0

NtResumeThread

 thread_handle: 0x00000334
suspend_count: 1
process_identifier: 2064
1 0 0

CreateProcessInternalW

 thread_identifier: 2260
thread_handle: 0x00000334
process_identifier: 2232
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\vbc.exe /stext "C:\Users\test22\AppData\Local\Temp\rzyrfuvmebxuopzwqzlnhsirbsxo"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000320
1 1 0

NtGetContextThread

 thread_handle: 0x00000334
1 0 0

NtUnmapViewOfSection

 base_address: 0x00400000
region_size: 10223616
process_identifier: 2232
process_handle: 0x00000320
3221225497 0

NtMapViewOfSection

 section_handle: 0x00000340
process_identifier: 2232
commit_size: 0
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
base_address: 0x00400000
allocation_type: 0 ()
section_offset: 0
view_size: 356352
process_handle: 0x00000320
1 0 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2232
process_handle: 0x00000320
1 1 0

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 3472160
registers.edi: 0
registers.eax: 4543032
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000334
process_identifier: 2232
1 0 0

NtResumeThread

 thread_handle: 0x00000334
suspend_count: 1
process_identifier: 2232
1 0 0

CreateProcessInternalW

 thread_identifier: 2376
thread_handle: 0x00000334
process_identifier: 2328
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\vbc.exe /stext "C:\Users\test22\AppData\Local\Temp\bblcgngfajphqdnizkgokecikypwsqn"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000320
1 1 0

NtGetContextThread

 thread_handle: 0x00000334
1 0 0

NtUnmapViewOfSection

 base_address: 0x00400000
region_size: 10223616
process_identifier: 2328
process_handle: 0x00000320
3221225497 0