vbc.exe

Queries for the computername (4 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA March 5, 2023, 2:22 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameA March 5, 2023, 2:22 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW March 5, 2023, 2:22 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW March 5, 2023, 2:22 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 5, 2023, 2:21 p.m.			0	0
IsDebuggerPresent March 5, 2023, 2:21 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

ncth.pdb

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 5, 2023, 2:21 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (37 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 5, 2023, 2:21 p.m.	process_identifier: 516 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 5, 2023, 2:21 p.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory March 5, 2023, 2:21 p.m.	process_identifier: 516 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f61000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory March 5, 2023, 2:21 p.m.	process_identifier: 516 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f62000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 5, 2023, 2:21 p.m.	process_identifier: 516 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 5, 2023, 2:21 p.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 5, 2023, 2:21 p.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00522000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 5, 2023, 2:21 p.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 5, 2023, 2:21 p.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 5, 2023, 2:21 p.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 5, 2023, 2:21 p.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 5, 2023, 2:21 p.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 5, 2023, 2:21 p.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 5, 2023, 2:21 p.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 5, 2023, 2:21 p.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 5, 2023, 2:21 p.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 5, 2023, 2:21 p.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 5, 2023, 2:21 p.m.	process_identifier: 516 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c71000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 5, 2023, 2:21 p.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00546000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 5, 2023, 2:21 p.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c73000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 5, 2023, 2:22 p.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c74000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 5, 2023, 2:22 p.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c75000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 5, 2023, 2:22 p.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c76000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 5, 2023, 2:22 p.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f5f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 5, 2023, 2:22 p.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 5, 2023, 2:22 p.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c77000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 5, 2023, 2:22 p.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 5, 2023, 2:22 p.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 5, 2023, 2:22 p.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c78000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 5, 2023, 2:22 p.m.	process_identifier: 516 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c79000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 5, 2023, 2:22 p.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c7f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 5, 2023, 2:22 p.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05000000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 5, 2023, 2:22 p.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05001000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 5, 2023, 2:22 p.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05002000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 5, 2023, 2:22 p.m.	process_identifier: 516 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05003000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 5, 2023, 2:22 p.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05009000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 5, 2023, 2:22 p.m.	process_identifier: 516 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0500a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceW March 5, 2023, 2:22 p.m.	number_of_free_clusters: 2425203 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1	0
GetDiskFreeSpaceW March 5, 2023, 2:22 p.m.	number_of_free_clusters: 2425203 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1	0

Steals private information from local Internet browsers (19 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\Default\Login Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\Login Data
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data
file	C:\Users\test22\AppData\LocalMapleStudio\ChromePlus\Default\Login Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
file	C:\Users\test22\AppData\LocalMapleStudio\ChromePlus\Login Data
file	C:\Users\test22\AppData\Local\Nichrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Nichrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\RockMelt\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\RockMelt\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 5, 2023, 2:22 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW March 5, 2023, 2:22 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (1 event)

url	http://www.ibsensoftware.com/

Yara rule detected in process memory (11 events)

description	Communications use DNS				rule	Network_DNS
description	PWS Memory				rule	Generic_PWS_Memory_Zero
description	Win32 PWS Loki				rule	Win32_PWS_Loki_Zero
description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	Checks if being debugged				rule	anti_dbg
description	Bypass DEP				rule	disable_dep

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess March 5, 2023, 2:22 p.m.	status_code: 0xffffffff process_identifier: 2616 process_handle: 0x000002b4		0	0
NtTerminateProcess March 5, 2023, 2:22 p.m.	status_code: 0xffffffff process_identifier: 2616 process_handle: 0x000002b4	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host	208.67.105.148

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 5, 2023, 2:22 p.m.	process_identifier: 2616 region_size: 663552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0x000002a4		3221225496	0
NtAllocateVirtualMemory March 5, 2023, 2:22 p.m.	process_identifier: 2652 region_size: 663552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0x000002b0	1	0	0

Harvests credentials from local FTP client softwares (22 events)

file	C:\Program Files (x86)\FTPGetter\Profile\servers.xml
file	C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\test22\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
file	C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini
file	C:\Users\test22\AppData\Roaming\wcx_ftp.ini
file	C:\Windows\wcx_ftp.ini
file	C:\Users\test22\wcx_ftp.ini
file	C:\Windows\32BitFtp.ini
file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Program Files (x86)\FileZilla\Filezilla.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\filezilla.xml
registry	HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
registry	HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
registry	HKEY_CURRENT_USER\Software\Ghisler\Total Commander
registry	HKEY_CURRENT_USER\Software\VanDyke\SecureFX
registry	HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
registry	HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
registry	HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
registry	HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
registry	HKEY_CURRENT_USER\Software\Martin Prikryl
registry	HKEY_LOCAL_MACHINE\Software\Martin Prikryl

Harvests information related to installed instant messenger clients (1 event)

file	C:\Users\test22\AppData\Roaming\.purple\accounts.xml

Manipulates memory of a non-child process indicative of process injection (2 events)

Process injection	Process 516 manipulating memory of non-child process 2616
Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 5, 2023, 2:22 p.m.	process_identifier: 2616 region_size: 663552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0x000002a4		3221225496	0

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory March 5, 2023, 2:22 p.m.	buffer: MZÿÿ¸@𺴠Í!¸ LÍ!This program cannot be run in DOS mode. $ÌÍxþˆ¬­ˆ¬­ˆ¬­Ô•­‰¬­K£K­Š¬­ ­‰¬­=2󭋬­ˆ¬­Œ¬­Ôƒ­‰¬­ˆ¬­Ç¬­Ô ­™¬­=2÷­ó¬­=2È­‰¬­Richˆ¬­PEL  lWà  8 ¢Þ9 P @  €Ў dP \.textõ6 8  `.rdata`@P B< @@.data$^  ~ @À.x € À base_address: 0x00400000 process_identifier: 2652 process_handle: 0x000002b0	1	1	0
WriteProcessMemory March 5, 2023, 2:22 p.m.	buffer: ™TÍ<¨‡K¢`ˆˆÝ;U base_address: 0x0041a000 process_identifier: 2652 process_handle: 0x000002b0	1	1	0
WriteProcessMemory March 5, 2023, 2:22 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2652 process_handle: 0x000002b0	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory March 5, 2023, 2:22 p.m.	buffer: MZÿÿ¸@𺴠Í!¸ LÍ!This program cannot be run in DOS mode. $ÌÍxþˆ¬­ˆ¬­ˆ¬­Ô•­‰¬­K£K­Š¬­ ­‰¬­=2󭋬­ˆ¬­Œ¬­Ôƒ­‰¬­ˆ¬­Ç¬­Ô ­™¬­=2÷­ó¬­=2È­‰¬­Richˆ¬­PEL  lWà  8 ¢Þ9 P @  €Ў dP \.textõ6 8  `.rdata`@P B< @@.data$^  ~ @À.x € À base_address: 0x00400000 process_identifier: 2652 process_handle: 0x000002b0	1	1	0

Harvests credentials from local email clients (4 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird\78.4.0 (ko)\Main
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761\Email

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Process injection	Process 516 called NtSetContextThread to modify thread in remote process 2652
Time & API	Arguments	Status	Return	Repeated
NtSetContextThread March 5, 2023, 2:22 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4274654 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002b4 process_identifier: 2652	1	0	0

Putty Files, Registry Keys and/or Mutexes Detected

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Process injection	Process 516 resumed a thread in remote process 2652
Time & API	Arguments	Status	Return	Repeated
NtResumeThread March 5, 2023, 2:22 p.m.	thread_handle: 0x000002b4 suspend_count: 1 process_identifier: 2652	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

208.67.105.148:80

Executed a process and injected code into it, probably while unpacking (18 events)

Time & API	Arguments	Status	Return	Repeated
NtResumeThread March 5, 2023, 2:21 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 516	1	0	0
NtResumeThread March 5, 2023, 2:21 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 516	1	0	0
NtResumeThread March 5, 2023, 2:21 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 516	1	0	0
CreateProcessInternalW March 5, 2023, 2:22 p.m.	thread_identifier: 2620 thread_handle: 0x000002ac process_identifier: 2616 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\vbc.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002a4	1	1	0
NtGetContextThread March 5, 2023, 2:22 p.m.	thread_handle: 0x000002ac	1	0	0
NtAllocateVirtualMemory March 5, 2023, 2:22 p.m.	process_identifier: 2616 region_size: 663552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0x000002a4		3221225496	0
CreateProcessInternalW March 5, 2023, 2:22 p.m.	thread_identifier: 2656 thread_handle: 0x000002b4 process_identifier: 2652 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\vbc.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\vbc.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002b0	1	1	0
NtGetContextThread March 5, 2023, 2:22 p.m.	thread_handle: 0x000002b4	1	0	0
NtAllocateVirtualMemory March 5, 2023, 2:22 p.m.	process_identifier: 2652 region_size: 663552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0x000002b0	1	0	0
WriteProcessMemory March 5, 2023, 2:22 p.m.	buffer: MZÿÿ¸@𺴠Í!¸ LÍ!This program cannot be run in DOS mode. $ÌÍxþˆ¬­ˆ¬­ˆ¬­Ô•­‰¬­K£K­Š¬­ ­‰¬­=2󭋬­ˆ¬­Œ¬­Ôƒ­‰¬­ˆ¬­Ç¬­Ô ­™¬­=2÷­ó¬­=2È­‰¬­Richˆ¬­PEL  lWà  8 ¢Þ9 P @  €Ў dP \.textõ6 8  `.rdata`@P B< @@.data$^  ~ @À.x € À base_address: 0x00400000 process_identifier: 2652 process_handle: 0x000002b0	1	1	0
WriteProcessMemory March 5, 2023, 2:22 p.m.	buffer: base_address: 0x00401000 process_identifier: 2652 process_handle: 0x000002b0	1	1	0
WriteProcessMemory March 5, 2023, 2:22 p.m.	buffer: base_address: 0x00415000 process_identifier: 2652 process_handle: 0x000002b0	1	1	0
WriteProcessMemory March 5, 2023, 2:22 p.m.	buffer: ™TÍ<¨‡K¢`ˆˆÝ;U base_address: 0x0041a000 process_identifier: 2652 process_handle: 0x000002b0	1	1	0
WriteProcessMemory March 5, 2023, 2:22 p.m.	buffer: base_address: 0x004a0000 process_identifier: 2652 process_handle: 0x000002b0	1	1	0
WriteProcessMemory March 5, 2023, 2:22 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2652 process_handle: 0x000002b0	1	1	0
NtSetContextThread March 5, 2023, 2:22 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4274654 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002b4 process_identifier: 2652	1	0	0
NtResumeThread March 5, 2023, 2:22 p.m.	thread_handle: 0x000002b4 suspend_count: 1 process_identifier: 2652	1	0	0
NtResumeThread March 5, 2023, 2:22 p.m.	thread_handle: 0x00000110 suspend_count: 1 process_identifier: 2652	1	0	0

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Bkav	W32.AIDetectNet.01
Lionic	Trojan.Win32.Noon.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.65765658
FireEye	Generic.mg.e2026d3dd0eee353
ALYac	Trojan.GenericKD.65765712
Malwarebytes	Trojan.MalPack.PNG.Generic
VIPRE	Trojan.GenericKD.65765658
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan ( 0059face1 )
Alibaba	TrojanSpy:MSIL/Kryptik.52f214c3
K7GW	Trojan ( 0059face1 )
CrowdStrike	win/malicious_confidence_100% (W)
Cyren	W32/MSIL_Kryptik.IZJ.gen!Eldorado
Symantec	MSIL.Packed.31
ESET-NOD32	a variant of MSIL/Kryptik.AIGC
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan-Spy.MSIL.Noon.gen
BitDefender	Trojan.GenericKD.65765658
Avast	Win32:PWSX-gen [Trj]
Tencent	Msil.Trojan-Spy.Noon.Gwnw
Sophos	Mal/Generic-S
F-Secure	Trojan.TR/AD.LokiBot.nhrtl
DrWeb	Trojan.Siggen19.62518
TrendMicro	TrojanSpy.MSIL.NOON.USPAXC423
McAfee-GW-Edition	Artemis!Trojan
Emsisoft	Trojan.GenericKD.65765658 (B)
SentinelOne	Static AI - Malicious PE
Webroot	W32.Trojan.Gen
Avira	TR/AD.LokiBot.nhrtl
MAX	malware (ai score=89)
Antiy-AVL	Trojan/MSIL.GenKryptik
Microsoft	Trojan:Win32/Pwsteal.Q!bit
Gridinsoft	Ransom.Win32.LokiBot.bot
Xcitium	Malware@#119otamiuu8pq
Arcabit	Trojan.Generic.D3EB811A
ZoneAlarm	HEUR:Trojan-Spy.MSIL.Noon.gen
GData	Trojan.GenericKD.65765658
Google	Detected
AhnLab-V3	Trojan/Win.Generic.R560748
Acronis	suspicious
McAfee	Artemis!E2026D3DD0EE
Cylance	unsafe
TrendMicro-HouseCall	TrojanSpy.MSIL.NOON.USPAXC423
Rising	Malware.Obfus/MSIL@AI.100 (RDM.MSIL2:BKWuv0t13W40CMUPNFxLBg)
Ikarus	Trojan.MSIL.Crypt
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/GenKryptik.GFFG!tr