Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 8, 2023, 11:05 a.m.	March 8, 2023, 11:11 a.m.

Size	1.9MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`4560193b469fba0faadbd79d31a9a499`
SHA256	`9bebe1f8ba36a10f4c4da24bb68d6d08e019571f76a1b4473200fd6e26a76a38`
CRC32	`FAE98E33`
ssdeep	`24576:XBUz183gX3QFJPGeGqwOgBe3+GDfNG+rXm2UULfaF04JItxXeerr:x+ze9JgBOa81DQ`
PDB Path	Vahgaktcgi.pdb
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Is_DotNET_EXE - (no description) IsPE32 - (no description) PE_Header_Zero - PE File Signature

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
2052
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
  2164
- vbc.exe C:\Users\test22\AppData\Local\Temp\vbc.exe
  2720

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (11 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 8, 2023, 11:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 8, 2023, 11:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 8, 2023, 11:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 8, 2023, 11:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 8, 2023, 11:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 8, 2023, 11:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 8, 2023, 11:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 8, 2023, 11:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 8, 2023, 11:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 8, 2023, 11:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 8, 2023, 11:05 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 8, 2023, 11:05 a.m.			0	0
IsDebuggerPresent March 8, 2023, 11:05 a.m.			0	0
IsDebuggerPresent March 8, 2023, 11:05 a.m.			0	0
IsDebuggerPresent March 8, 2023, 11:05 a.m.			0	0
IsDebuggerPresent March 8, 2023, 11:05 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00538fa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00538fa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005390a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005413d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00541ad0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00541ad0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00541ad0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00541190 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00541190 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00541190 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00541190 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00541190 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00541190 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00541ad0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00541ad0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00541ad0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005417d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005417d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005417d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00541c10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005417d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005417d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005417d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005417d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005417d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005417d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005417d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00541cd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00541cd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00541cd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00541cd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00541cd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00541cd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00541cd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00541cd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00541cd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00541cd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00541cd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00541cd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00541cd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00541cd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00541d50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00541d50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00759618 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00759618 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00759018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

Vahgaktcgi.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 8, 2023, 11:05 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 8, 2023, 11:05 a.m.	stacktrace: 0x6f091c 0x6f07ca 0x6f074a 0x6f0060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc ff 15 1c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6f3c05 registers.esp: 2223464 registers.edi: 2223488 registers.eax: 0 registers.ebp: 2223500 registers.edx: 195 registers.ebx: 44154824 registers.esi: 44183388 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

March 8, 2023, 11:05 a.m.

stacktrace:

0x6f091c
0x6f07ca
0x6f074a
0x6f0060
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745df5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc ff 15 1c
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x6f3c05
registers.esp: 2223464
registers.edi: 2223488
registers.eax: 0
registers.ebp: 2223500
registers.edx: 195
registers.ebx: 44154824
registers.esi: 44183388
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 254 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00332000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0034c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00640000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00465000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00467000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00641000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0033a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00642000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00644000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00646000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00647000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00356000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0035a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00357000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00648000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00649000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0064a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0064b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0064c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0064d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0064e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0064f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c03000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c04000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0034d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0033c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c05000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0034e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c06000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0034f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c07000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c08000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0034a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c09000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c0a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c0b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c0c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c0d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (6 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	powershell -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW March 8, 2023, 11:05 a.m.	show_type: 0 filepath_r: powershell parameters: -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== filepath: powershell	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 8, 2023, 11:05 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW March 8, 2023, 11:05 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (11 events)

description	Communications smtp	rule	Network_SMTP_dotNet
description	Run a KeyLogger	rule	KeyLogger
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess March 8, 2023, 11:05 a.m.	status_code: 0xffffffff process_identifier: 2684 process_handle: 0x0000020c		0	0
NtTerminateProcess March 8, 2023, 11:05 a.m.	status_code: 0xffffffff process_identifier: 2684 process_handle: 0x0000020c	1	0	0

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2684 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000214		3221225496	0
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2720 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000218	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation March 8, 2023, 11:05 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Mxfgtyglw

reg_value

"C:\Users\test22\AppData\Roaming\Opvemawa\Mxfgtyglw.exe"

Harvests credentials from local FTP client softwares (5 events)

file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect
file	C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
registry	HKEY_CURRENT_USER\SOFTWARE\FTPWare\COREFTP\Sites

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2052 manipulating memory of non-child process 2684
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2684 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000214		3221225496	0

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory March 8, 2023, 11:05 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL0*dà0¦ @ @Ä¥WÀFà H.text$ `.rsrcFÀ@@.relocà@B base_address: 0x00400000 process_identifier: 2720 process_handle: 0x00000218	1	1
WriteProcessMemory March 8, 2023, 11:05 a.m.	buffer: P8h À¼\Ãê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion1.0.0.0t)InternalName21df6021-b458-4c06-b6ed-fe44ff8c52f3.exe(LegalCopyright \|)OriginalFilename21df6021-b458-4c06-b6ed-fe44ff8c52f3.exe4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0042c000 process_identifier: 2720 process_handle: 0x00000218	1	1
WriteProcessMemory March 8, 2023, 11:05 a.m.	buffer: 6 base_address: 0x0042e000 process_identifier: 2720 process_handle: 0x00000218	1	1
WriteProcessMemory March 8, 2023, 11:05 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2720 process_handle: 0x00000218	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory March 8, 2023, 11:05 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL0*dà0¦ @ @Ä¥WÀFà H.text$ `.rsrcFÀ@@.relocà@B base_address: 0x00400000 process_identifier: 2720 process_handle: 0x00000218	1	1	0

Harvests credentials from local email clients (6 events)

file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2052 called NtSetContextThread to modify thread in remote process 2720
NtSetContextThread March 8, 2023, 11:05 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4367902 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000020c process_identifier: 2720	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2052 resumed a thread in remote process 2720
NtResumeThread March 8, 2023, 11:05 a.m.	thread_handle: 0x0000020c suspend_count: 1 process_identifier: 2720	1	0	0

Executed a process and injected code into it, probably while unpacking (34 events)

Time & API	Arguments	Status	Return
NtResumeThread March 8, 2023, 11:05 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2052	1	0
NtResumeThread March 8, 2023, 11:05 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2052	1	0
NtResumeThread March 8, 2023, 11:05 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2052	1	0
NtResumeThread March 8, 2023, 11:05 a.m.	thread_handle: 0x0000021c suspend_count: 1 process_identifier: 2052	1	0
NtGetContextThread March 8, 2023, 11:05 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread March 8, 2023, 11:05 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread March 8, 2023, 11:05 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2052	1	0
CreateProcessInternalW March 8, 2023, 11:05 a.m.	thread_identifier: 2168 thread_handle: 0x00000390 process_identifier: 2164 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000037c	1	1
CreateProcessInternalW March 8, 2023, 11:05 a.m.	thread_identifier: 2688 thread_handle: 0x0000038c process_identifier: 2684 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\vbc.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000214	1	1
NtGetContextThread March 8, 2023, 11:05 a.m.	thread_handle: 0x0000038c	1	0
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2684 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000214		3221225496
CreateProcessInternalW March 8, 2023, 11:05 a.m.	thread_identifier: 2724 thread_handle: 0x0000020c process_identifier: 2720 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\vbc.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000218	1	1
NtGetContextThread March 8, 2023, 11:05 a.m.	thread_handle: 0x0000020c	1	0
NtAllocateVirtualMemory March 8, 2023, 11:05 a.m.	process_identifier: 2720 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000218	1	0
WriteProcessMemory March 8, 2023, 11:05 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL0*dà0¦ @ @Ä¥WÀFà H.text$ `.rsrcFÀ@@.relocà@B base_address: 0x00400000 process_identifier: 2720 process_handle: 0x00000218	1	1
WriteProcessMemory March 8, 2023, 11:05 a.m.	buffer: base_address: 0x00402000 process_identifier: 2720 process_handle: 0x00000218	1	1
WriteProcessMemory March 8, 2023, 11:05 a.m.	buffer: P8h À¼\Ãê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion1.0.0.0t)InternalName21df6021-b458-4c06-b6ed-fe44ff8c52f3.exe(LegalCopyright \|)OriginalFilename21df6021-b458-4c06-b6ed-fe44ff8c52f3.exe4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0042c000 process_identifier: 2720 process_handle: 0x00000218	1	1
WriteProcessMemory March 8, 2023, 11:05 a.m.	buffer: 6 base_address: 0x0042e000 process_identifier: 2720 process_handle: 0x00000218	1	1
WriteProcessMemory March 8, 2023, 11:05 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2720 process_handle: 0x00000218	1	1
NtSetContextThread March 8, 2023, 11:05 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4367902 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000020c process_identifier: 2720	1	0
NtResumeThread March 8, 2023, 11:05 a.m.	thread_handle: 0x0000020c suspend_count: 1 process_identifier: 2720	1	0
NtResumeThread March 8, 2023, 11:05 a.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 2164	1	0
NtResumeThread March 8, 2023, 11:05 a.m.	thread_handle: 0x00000300 suspend_count: 1 process_identifier: 2164	1	0
NtResumeThread March 8, 2023, 11:05 a.m.	thread_handle: 0x0000044c suspend_count: 1 process_identifier: 2164	1	0
NtResumeThread March 8, 2023, 11:05 a.m.	thread_handle: 0x00000498 suspend_count: 1 process_identifier: 2164	1	0
NtResumeThread March 8, 2023, 11:05 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2720	1	0
NtResumeThread March 8, 2023, 11:05 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2720	1	0
NtResumeThread March 8, 2023, 11:05 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2720	1	0
NtResumeThread March 8, 2023, 11:05 a.m.	thread_handle: 0x0000027c suspend_count: 1 process_identifier: 2720	1	0
NtResumeThread March 8, 2023, 11:05 a.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 2720	1	0
NtResumeThread March 8, 2023, 11:05 a.m.	thread_handle: 0x0000035c suspend_count: 1 process_identifier: 2720	1	0
NtResumeThread March 8, 2023, 11:05 a.m.	thread_handle: 0x00000390 suspend_count: 1 process_identifier: 2720	1	0
NtResumeThread March 8, 2023, 11:05 a.m.	thread_handle: 0x000003f0 suspend_count: 1 process_identifier: 2720	1	0
NtResumeThread March 8, 2023, 11:05 a.m.	thread_handle: 0x00000408 suspend_count: 1 process_identifier: 2720	1	0

File has been identified by 40 AntiVirus engines on VirusTotal as malicious (40 events)

Bkav	W32.AIDetectNet.01
Lionic	Trojan.Win32.Scarsi.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.65824746
FireEye	Trojan.GenericKD.65824746
McAfee	Artemis!4560193B469F
Cylance	unsafe
Sangfor	Trojan.Msil.Kryptik.V4hv
Alibaba	Trojan:MSIL/Kryptik.fa6eff31
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Tedy.D4B284
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Kryptik.AIGT
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan.MSIL.Scarsi.gen
BitDefender	Trojan.GenericKD.65824746
Avast	Win32:PWSX-gen [Trj]
Sophos	Mal/Generic-S
DrWeb	Trojan.Inject4.30942
TrendMicro	Trojan.MSIL.SCARSI.USPAXC723
McAfee-GW-Edition	Artemis!Trojan
Emsisoft	Trojan.GenericKD.65824746 (B)
Ikarus	Trojan.MSIL.Agent
Webroot	W32.Trojan.Gen
Avira	TR/AD.Nekark.hdfro
Gridinsoft	Trojan.Win32.AgentTesla.bot
Microsoft	Trojan:Win32/Casdet!rfn
ViRobot	Trojan.Win.Z.Scarsi.2040320
GData	Trojan.GenericKD.65824746
Google	Detected
BitDefenderTheta	Gen:NN.ZemsilF.36308.8n0@aaResec
MAX	malware (ai score=87)
Malwarebytes	Malware.AI.4253946982
TrendMicro-HouseCall	Trojan.MSIL.SCARSI.USPAXC723
Rising	Malware.Obfus/MSIL@AI.100 (RDM.MSIL2:/o612I2R4xRjODUC/49VGQ)
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.AIGT!tr
AVG	Win32:PWSX-gen [Trj]

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All