Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 22, 2023, 2:44 p.m.	Jan. 22, 2023, 2:46 p.m.

Size	2.1MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`33ebd23f0b509a3aef161188722170d2`
SHA256	`03c376f93694b16411d767bd648451d76eb1e472511a96c421a9e50089cb239b`
CRC32	`9089792B`
ssdeep	`49152:wOUefvUighu9cDQcV3CNeeqnNlQJyp31r:`
Yara	IsPE32 - (no description) NPKI_Zero - File included NPKI Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
2068
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
  2172
- vbc.exe C:\Users\test22\AppData\Local\Temp\vbc.exe
  2808

Name	Response	Post-Analysis Lookup
infoprokaps.ddns.net	A 178.162.212.214	178.162.212.214
geoplugin.net	A 178.237.33.50	178.237.33.50

IP Address	Status	Action
164.124.101.2	Active	Moloch
178.162.212.214	Active	Moloch
178.237.33.50	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 178.162.212.214:36408	2036594	ET JA3 Hash - Remcos 3.x TLS Connection	Malware Command and Control Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.103:49167 178.162.212.214:36408	None	None	None

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW Jan. 22, 2023, 2:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 22, 2023, 2:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 22, 2023, 2:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 22, 2023, 2:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 22, 2023, 2:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 22, 2023, 2:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 22, 2023, 2:44 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 22, 2023, 2:44 p.m.			0	0
IsDebuggerPresent Jan. 22, 2023, 2:44 p.m.			0	0
IsDebuggerPresent Jan. 22, 2023, 2:44 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (44 events)

Time & API	Arguments	Status	Return
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00699060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00699060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006991e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006991e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066ba08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066ba88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066ba88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066ba88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066c308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066c308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066c308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066c308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066c308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066c308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066ba88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066ba88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066ba88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066bbc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066bbc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066bbc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066c3c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066bbc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066bbc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066bbc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066bbc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066bbc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066bbc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066bbc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066bc48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066bc48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066bc48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066bc48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066bc48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066bc48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066bc48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066bc48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066bc48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066bc48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066bc48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066bc48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066bc48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066bc48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066bf88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2023, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0066bf88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 22, 2023, 2:44 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://geoplugin.net/json.gp

Connects to a Dynamic DNS Domain (1 event)

domain

infoprokaps.ddns.net

Performs some HTTP requests (1 event)

request

GET http://geoplugin.net/json.gp

Allocates read-write-execute memory (usually to unpack itself) (50 out of 272 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00782000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0079c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00970000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0078a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0079a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0079d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0079e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0079f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021e8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00971000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023ef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00972000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021e9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00975000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0097e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0078c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0097f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045c8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045c9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2023, 2:44 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

vbc.exe tried to sleep 237 seconds, actually delayed analysis time by 237 seconds

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
cmdline	powershell -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Jan. 22, 2023, 2:44 p.m.	show_type: 0 filepath_r: powershell parameters: -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA== filepath: powershell	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Jan. 22, 2023, 2:45 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Jan. 22, 2023, 2:44 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (21 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Run a KeyLogger	rule	KeyLogger
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	browser info stealer	rule	infoStealer_browser_Zero
description	File Downloader	rule	Network_Downloader
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Jan. 22, 2023, 2:45 p.m.	process_identifier: 2808 region_size: 520192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000224	1	0	0

Potential code injection by writing to the memory of another process (5 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Jan. 22, 2023, 2:45 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $B®¿±ÏÑâÏÑâÏÑâ²S âÏÑâ²S"â¡ÏÑâ²S#âÏÑâ·UâÏÑâoâÏÑâ«ÒãÏÑâ«Ôã<ÏÑâ«Õã$ÏÑâ·BâÏÑâÏÐâ)ÎÑâ³ØãgÏÑâ³.âÏÑâ³ÓãÏÑâRichÏÑâPEL½*¢càH&,`@ðh»ð`$K°È9 8´ X @`¸.text»GH `.rdataüt`vL@@.data4\àÂ@À.tls @Ð@À.gfids0PÒ@@.rsrc$K`LÖ@@.relocÈ9°:"@B base_address: 0x00400000 process_identifier: 2808 process_handle: 0x00000224	1	1
WriteProcessMemory Jan. 22, 2023, 2:45 p.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ \|¥E¨Ez¥E..páFLöFLöFLöFLöFLöFLöFLöFLöFLöFtáFPöFPöFPöFPöFPöFPöFPöFxáFÿÿÿÿ¨EâFâFâFâFâFxáF«E¬EÈºEØáFpçFCPSTPDT âFàâFÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZpçFþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨3¸F8AÄF;;AÐFZ8AfE.?AVtype_info@@fE.?AVbad_alloc@std@@fE.?AVbad_array_new_length@std@@fE.?AVlogic_error@std@@fE.?AVlength_error@std@@fE.?AVout_of_range@std@@fE.?AV_Facet_base@std@@fE.?AV_Locimp@locale@std@@fE.?AVfacet@locale@std@@fE.?AU_Crt_new_delete@std@@fE.?AVcodecvt_base@std@@fE.?AUctype_base@std@@fE.?AV?$ctype@D@std@@fE.?AV?$codecvt@DDU_Mbstatet@@@std@@fE.?AVbad_exception@std@@fE.HfE.?AVfailure@ios_base@std@@fE.?AVruntime_error@std@@fE.?AVsystem_error@std@@fE.?AVbad_cast@std@@fE.?AV_System_error@std@@fE.?AVexception@std@@ base_address: 0x0046e000 process_identifier: 2808 process_handle: 0x00000224	1	1
WriteProcessMemory Jan. 22, 2023, 2:45 p.m.	buffer: base_address: 0x00474000 process_identifier: 2808 process_handle: 0x00000224	1	1
WriteProcessMemory Jan. 22, 2023, 2:45 p.m.	buffer: öÛ>Pj>¸>)Æ>[Éíyyj\>\¯¯ÑÑ@2è1>>pfÃer>/ævàQÜ÷6lõlõ ZÞ\V.®¡¼âÝíÇð÷dùøô¦f §åt9c> b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x00475000 process_identifier: 2808 process_handle: 0x00000224	1	1
WriteProcessMemory Jan. 22, 2023, 2:45 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2808 process_handle: 0x00000224	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Jan. 22, 2023, 2:45 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $B®¿±ÏÑâÏÑâÏÑâ²S âÏÑâ²S"â¡ÏÑâ²S#âÏÑâ·UâÏÑâoâÏÑâ«ÒãÏÑâ«Ôã<ÏÑâ«Õã$ÏÑâ·BâÏÑâÏÐâ)ÎÑâ³ØãgÏÑâ³.âÏÑâ³ÓãÏÑâRichÏÑâPEL½*¢càH&,`@ðh»ð`$K°È9 8´ X @`¸.text»GH `.rdataüt`vL@@.data4\àÂ@À.tls @Ð@À.gfids0PÒ@@.rsrc$K`LÖ@@.relocÈ9°:"@B base_address: 0x00400000 process_identifier: 2808 process_handle: 0x00000224	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA Jan. 22, 2023, 2:45 p.m.	thread_identifier: 0 callback_function: 0x0040949d hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	131543	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2068 called NtSetContextThread to modify thread in remote process 2808
NtSetContextThread Jan. 22, 2023, 2:45 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4402214 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003a0 process_identifier: 2808	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2068 resumed a thread in remote process 2808
NtResumeThread Jan. 22, 2023, 2:45 p.m.	thread_handle: 0x000003a0 suspend_count: 1 process_identifier: 2808	1	0	0

File has been identified by 24 AntiVirus engines on VirusTotal as malicious (24 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	IL:Trojan.MSILZilla.24482
FireEye	Generic.mg.33ebd23f0b509a3a
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.a
Cybereason	malicious.dc316b
Arcabit	IL:Trojan.MSILZilla.D5FA2
Symantec	ML.Attribute.HighConfidence
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	IL:Trojan.MSILZilla.24482
Emsisoft	IL:Trojan.MSILZilla.24482 (B)
Sophos	Generic ML PUA (PUA)
SentinelOne	Static AI - Malicious PE
Avira	HEUR/AGEN.1232149
Microsoft	Program:Win32/Wacapew.C!ml
GData	IL:Trojan.MSILZilla.24482
Acronis	suspicious
MAX	malware (ai score=87)
Malwarebytes	Malware.AI.2087340352
Rising	Malware.Obfus/MSIL@AI.100 (RDM.MSIL2:DZoww8Xd1t7PUR4f8yzGQA)
MaxSecure	Trojan.Malware.300983.susgen
BitDefenderTheta	Gen:NN.ZemsilF.36212.go0@aGasrck

Executed a process and injected code into it, probably while unpacking (26 events)

Time & API	Arguments	Status	Return
NtResumeThread Jan. 22, 2023, 2:44 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2068	1	0
NtResumeThread Jan. 22, 2023, 2:44 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2068	1	0
NtResumeThread Jan. 22, 2023, 2:44 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2068	1	0
NtResumeThread Jan. 22, 2023, 2:44 p.m.	thread_handle: 0x00000234 suspend_count: 1 process_identifier: 2068	1	0
NtGetContextThread Jan. 22, 2023, 2:44 p.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread Jan. 22, 2023, 2:44 p.m.	thread_handle: 0x000000e8	1	0
NtResumeThread Jan. 22, 2023, 2:44 p.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2068	1	0
CreateProcessInternalW Jan. 22, 2023, 2:44 p.m.	thread_identifier: 2176 thread_handle: 0x00000390 process_identifier: 2172 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA== filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000398	1	1
CreateProcessInternalW Jan. 22, 2023, 2:45 p.m.	thread_identifier: 2812 thread_handle: 0x000003a0 process_identifier: 2808 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\vbc.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000224	1	1
NtGetContextThread Jan. 22, 2023, 2:45 p.m.	thread_handle: 0x000003a0	1	0
NtAllocateVirtualMemory Jan. 22, 2023, 2:45 p.m.	process_identifier: 2808 region_size: 520192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000224	1	0
WriteProcessMemory Jan. 22, 2023, 2:45 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $B®¿±ÏÑâÏÑâÏÑâ²S âÏÑâ²S"â¡ÏÑâ²S#âÏÑâ·UâÏÑâoâÏÑâ«ÒãÏÑâ«Ôã<ÏÑâ«Õã$ÏÑâ·BâÏÑâÏÐâ)ÎÑâ³ØãgÏÑâ³.âÏÑâ³ÓãÏÑâRichÏÑâPEL½*¢càH&,`@ðh»ð`$K°È9 8´ X @`¸.text»GH `.rdataüt`vL@@.data4\àÂ@À.tls @Ð@À.gfids0PÒ@@.rsrc$K`LÖ@@.relocÈ9°:"@B base_address: 0x00400000 process_identifier: 2808 process_handle: 0x00000224	1	1
WriteProcessMemory Jan. 22, 2023, 2:45 p.m.	buffer: base_address: 0x00401000 process_identifier: 2808 process_handle: 0x00000224	1	1
WriteProcessMemory Jan. 22, 2023, 2:45 p.m.	buffer: base_address: 0x00456000 process_identifier: 2808 process_handle: 0x00000224	1	1
WriteProcessMemory Jan. 22, 2023, 2:45 p.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ \|¥E¨Ez¥E..páFLöFLöFLöFLöFLöFLöFLöFLöFLöFtáFPöFPöFPöFPöFPöFPöFPöFxáFÿÿÿÿ¨EâFâFâFâFâFxáF«E¬EÈºEØáFpçFCPSTPDT âFàâFÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZpçFþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨3¸F8AÄF;;AÐFZ8AfE.?AVtype_info@@fE.?AVbad_alloc@std@@fE.?AVbad_array_new_length@std@@fE.?AVlogic_error@std@@fE.?AVlength_error@std@@fE.?AVout_of_range@std@@fE.?AV_Facet_base@std@@fE.?AV_Locimp@locale@std@@fE.?AVfacet@locale@std@@fE.?AU_Crt_new_delete@std@@fE.?AVcodecvt_base@std@@fE.?AUctype_base@std@@fE.?AV?$ctype@D@std@@fE.?AV?$codecvt@DDU_Mbstatet@@@std@@fE.?AVbad_exception@std@@fE.HfE.?AVfailure@ios_base@std@@fE.?AVruntime_error@std@@fE.?AVsystem_error@std@@fE.?AVbad_cast@std@@fE.?AV_System_error@std@@fE.?AVexception@std@@ base_address: 0x0046e000 process_identifier: 2808 process_handle: 0x00000224	1	1
WriteProcessMemory Jan. 22, 2023, 2:45 p.m.	buffer: base_address: 0x00474000 process_identifier: 2808 process_handle: 0x00000224	1	1
WriteProcessMemory Jan. 22, 2023, 2:45 p.m.	buffer: öÛ>Pj>¸>)Æ>[Éíyyj\>\¯¯ÑÑ@2è1>>pfÃer>/ævàQÜ÷6lõlõ ZÞ\V.®¡¼âÝíÇð÷dùøô¦f §åt9c> b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x00475000 process_identifier: 2808 process_handle: 0x00000224	1	1
WriteProcessMemory Jan. 22, 2023, 2:45 p.m.	buffer: base_address: 0x00476000 process_identifier: 2808 process_handle: 0x00000224	1	1
WriteProcessMemory Jan. 22, 2023, 2:45 p.m.	buffer: base_address: 0x0047b000 process_identifier: 2808 process_handle: 0x00000224	1	1
WriteProcessMemory Jan. 22, 2023, 2:45 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2808 process_handle: 0x00000224	1	1
NtSetContextThread Jan. 22, 2023, 2:45 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4402214 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003a0 process_identifier: 2808	1	0
NtResumeThread Jan. 22, 2023, 2:45 p.m.	thread_handle: 0x000003a0 suspend_count: 1 process_identifier: 2808	1	0
NtResumeThread Jan. 22, 2023, 2:44 p.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 2172	1	0
NtResumeThread Jan. 22, 2023, 2:44 p.m.	thread_handle: 0x000002fc suspend_count: 1 process_identifier: 2172	1	0
NtResumeThread Jan. 22, 2023, 2:44 p.m.	thread_handle: 0x00000448 suspend_count: 1 process_identifier: 2172	1	0
NtResumeThread Jan. 22, 2023, 2:45 p.m.	thread_handle: 0x00000490 suspend_count: 1 process_identifier: 2172	1	0

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All