Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 16, 2021, 6:23 p.m.	Sept. 16, 2021, 6:26 p.m.

Size	711.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`0764105d28b8e3faae82e41a48f29577`
SHA256	`c15017d56ac6e02cf607d7188d5b4bb5485d9463031ba4effcb29ca84eb83dea`
CRC32	`EE935775`
ssdeep	`12288:d63tCSzSwnbb16enOYd6kxUGTSAPh4/2q4014vt0ffg:UxNnbJ6XYQ+B7S/8014vGffg`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT IsPE32 - (no description)

remcoss.exe "C:\Users\test22\AppData\Local\Temp\remcoss.exe"
2516
- remcoss.exe "C:\Users\test22\AppData\Local\Temp\remcoss.exe"
  1376
  - wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\install.vbs"
    2448
    - cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe"
      2948
      - remcos.exe C:\Users\test22\AppData\Roaming\Remcos\remcos.exe
        2960
        
        remcos.exe "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe"
        1384
        
        cmd.exe "C:\Windows\System32\cmd.exe" /c copy "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" "C:\Users\test22\AppData\Roaming\browser\browser.exe"
        2828
        
        cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\test22\AppData\Roaming\browser\browser.exe'" /f
        656
        
        schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\test22\AppData\Roaming\browser\browser.exe'" /f
        2540
- cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\test22\AppData\Roaming\browser\browser.exe'" /f
  2312
  - schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\test22\AppData\Roaming\browser\browser.exe'" /f
    240
- cmd.exe "C:\Windows\System32\cmd.exe" /c copy "C:\Users\test22\AppData\Local\Temp\remcoss.exe" "C:\Users\test22\AppData\Roaming\browser\browser.exe"
  276

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
79.134.225.77	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Sept. 16, 2021, 6:24 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Sept. 16, 2021, 6:25 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (50 out of 413 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 16, 2021, 6:23 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:23 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:23 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:23 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 6:24 p.m.			0	0

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 16, 2021, 6:24 p.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 16, 2021, 6:24 p.m.	buffer: SUCCESS: The scheduled task "Nano" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 16, 2021, 6:25 p.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 16, 2021, 6:25 p.m.	buffer: SUCCESS: The scheduled task "Nano" has successfully been created. console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 16, 2021, 6:23 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 113 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00270000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00440000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00450000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00730000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00731000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00733000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0031b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00317000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00315000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00739000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bf1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bf6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cd1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cd6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ce0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ce1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ce6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cf1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cf6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d16000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002bd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d26000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d27000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d2c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006ef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d2d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:23 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d2e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 16, 2021, 6:24 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d2f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (2 events)

description	remcos.exe tried to sleep 244 seconds, actually delayed analysis time by 244 seconds
description	remcoss.exe tried to sleep 238 seconds, actually delayed analysis time by 238 seconds

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\install.vbs

Creates a suspicious process (8 events)

cmdline	cmd.exe /c copy "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" "C:\Users\test22\AppData\Roaming\browser\browser.exe"
cmdline	"C:\Windows\System32\cmd.exe" /c copy "C:\Users\test22\AppData\Local\Temp\remcoss.exe" "C:\Users\test22\AppData\Roaming\browser\browser.exe"
cmdline	schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\test22\AppData\Roaming\browser\browser.exe'" /f
cmdline	cmd.exe /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\test22\AppData\Roaming\browser\browser.exe'" /f
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\test22\AppData\Roaming\browser\browser.exe'" /f
cmdline	cmd.exe /c copy "C:\Users\test22\AppData\Local\Temp\remcoss.exe" "C:\Users\test22\AppData\Roaming\browser\browser.exe"
cmdline	"C:\Windows\System32\cmd.exe" /c copy "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" "C:\Users\test22\AppData\Roaming\browser\browser.exe"
cmdline	"C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe"

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\install.vbs

A process created a hidden window (6 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Sept. 16, 2021, 6:24 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\test22\AppData\Roaming\browser\browser.exe'" /f filepath: cmd.exe	1	1
ShellExecuteExW Sept. 16, 2021, 6:24 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c copy "C:\Users\test22\AppData\Local\Temp\remcoss.exe" "C:\Users\test22\AppData\Roaming\browser\browser.exe" filepath: cmd.exe	1	1
ShellExecuteExW Sept. 16, 2021, 6:24 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\install.vbs parameters: filepath: C:\Users\test22\AppData\Local\Temp\install.vbs	1	1
ShellExecuteExW Sept. 16, 2021, 6:24 p.m.	show_type: 0 filepath_r: cmd parameters: /c "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" filepath: cmd	1	1
ShellExecuteExW Sept. 16, 2021, 6:25 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\test22\AppData\Roaming\browser\browser.exe'" /f filepath: cmd.exe	1	1
ShellExecuteExW Sept. 16, 2021, 6:25 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c copy "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" "C:\Users\test22\AppData\Roaming\browser\browser.exe" filepath: cmd.exe	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000b1000', u'virtual_address': u'0x00002000', u'entropy': 7.346903803603083, u'name': u'.text', u'virtual_size': u'0x000b0e04'}

entropy

7.3469038036

description

A section with a high entropy has been found

entropy

0.995780590717

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 16, 2021, 6:23 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Sept. 16, 2021, 6:24 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (40 events)

description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	browser info stealer	rule	infoStealer_browser_Zero
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	browser info stealer	rule	infoStealer_browser_Zero
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\test22\AppData\Roaming\browser\browser.exe'" /f
cmdline	cmd.exe /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\test22\AppData\Roaming\browser\browser.exe'" /f
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\test22\AppData\Roaming\browser\browser.exe'" /f

Communicates with host for which no DNS query was performed (1 event)

host

79.134.225.77

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Sept. 16, 2021, 6:24 p.m.	process_identifier: 1376 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000384		3221225496
NtAllocateVirtualMemory Sept. 16, 2021, 6:24 p.m.	process_identifier: 1376 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00160000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000384	1	0
NtAllocateVirtualMemory Sept. 16, 2021, 6:25 p.m.	process_identifier: 1384 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000380	1	0

Installs itself for autorun at Windows startup (5 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Remcos	reg_value	"C:\Users\test22\AppData\Roaming\Remcos\remcos.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Remcos	reg_value	"C:\Users\test22\AppData\Roaming\Remcos\remcos.exe"
cmdline	schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\test22\AppData\Roaming\browser\browser.exe'" /f
cmdline	cmd.exe /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\test22\AppData\Roaming\browser\browser.exe'" /f
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\test22\AppData\Roaming\browser\browser.exe'" /f

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\install.vbs

Potential code injection by writing to the memory of another process (10 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Sept. 16, 2021, 6:24 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ªB0îâ,cîâ,cîâ,cZ~Ýcüâ,cZ~ßcOâ,cZ~Þcðâ,cç¨cïâ,cpBëcìâ,cÕ¼/bôâ,cÕ¼)bÔâ,cÕ¼(bÌâ,cç¿cûâ,cîâ-cñã,cy¼%b±â,c\|¼Ócïâ,cy¼.bïâ,cRichîâ,cPEL¹8aà ÷0@èÜKP8l8l8l@0t.textf `.rdataXo0p@@.data\= @À.tls à@À.gfids0ð@@.rsrcKL¢@@.reloc8P:î@B base_address: 0x00160000 process_identifier: 1376 process_handle: 0x00000384	1	1
WriteProcessMemory Sept. 16, 2021, 6:24 p.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ ´tE¸wE²tE..¡FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶F¡FP¶FP¶FP¶FP¶FP¶FP¶FP¶F¡Fÿÿÿÿ¸wE¨¢F¨¢F¨¢F¨¢F¨¢F¡F8zE¸{EEè¡F§FCPSTPDT°¢Fð¢Fÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ§Fþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨346E.?AVtype_info@@46E.?AVbad_alloc@std@@46E.?AVbad_array_new_length@std@@46E.?AVlogic_error@std@@46E.?AVlength_error@std@@46E.?AVout_of_range@std@@46E.?AV_Facet_base@std@@46E.?AV_Locimp@locale@std@@46E.?AVfacet@locale@std@@46E.?AU_Crt_new_delete@std@@46E.?AVcodecvt_base@std@@46E.?AUctype_base@std@@46E.?AV?$ctype@D@std@@46E.?AV?$codecvt@DDU_Mbstatet@@@std@@46E.?AVbad_exception@std@@46E.H46E.?AVfailure@ios_base@std@@46E.?AVruntime_error@std@@46E.?AVsystem_error@std@@46E.?AVbad_cast@std@@46E.?AV_System_error@std@@46E.?AVexception@std@@ base_address: 0x001ca000 process_identifier: 1376 process_handle: 0x00000384	1	1
WriteProcessMemory Sept. 16, 2021, 6:24 p.m.	buffer: base_address: 0x001ce000 process_identifier: 1376 process_handle: 0x00000384	1	1
WriteProcessMemory Sept. 16, 2021, 6:24 p.m.	buffer: ÛÓÀÓ?TØnØ?¼Ø?Ùr?u 5´4ë³ØÞ}Í}ôðð??(p'vØBØ^¥«õÝÝÍ½ijQiÞöC£¥'¡(dö¼Ù¼ b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x001cf000 process_identifier: 1376 process_handle: 0x00000384	1	1
WriteProcessMemory Sept. 16, 2021, 6:24 p.m.	buffer: base_address: 0x7efde008 process_identifier: 1376 process_handle: 0x00000384	1	1
WriteProcessMemory Sept. 16, 2021, 6:25 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ªB0îâ,cîâ,cîâ,cZ~Ýcüâ,cZ~ßcOâ,cZ~Þcðâ,cç¨cïâ,cpBëcìâ,cÕ¼/bôâ,cÕ¼)bÔâ,cÕ¼(bÌâ,cç¿cûâ,cîâ-cñã,cy¼%b±â,c\|¼Ócïâ,cy¼.bïâ,cRichîâ,cPEL¹8aà ÷0@èÜKP8l8l8l@0t.textf `.rdataXo0p@@.data\= @À.tls à@À.gfids0ð@@.rsrcKL¢@@.reloc8P:î@B base_address: 0x00400000 process_identifier: 1384 process_handle: 0x00000380	1	1
WriteProcessMemory Sept. 16, 2021, 6:25 p.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ ´tE¸wE²tE..¡FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶F¡FP¶FP¶FP¶FP¶FP¶FP¶FP¶F¡Fÿÿÿÿ¸wE¨¢F¨¢F¨¢F¨¢F¨¢F¡F8zE¸{EEè¡F§FCPSTPDT°¢Fð¢Fÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ§Fþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨346E.?AVtype_info@@46E.?AVbad_alloc@std@@46E.?AVbad_array_new_length@std@@46E.?AVlogic_error@std@@46E.?AVlength_error@std@@46E.?AVout_of_range@std@@46E.?AV_Facet_base@std@@46E.?AV_Locimp@locale@std@@46E.?AVfacet@locale@std@@46E.?AU_Crt_new_delete@std@@46E.?AVcodecvt_base@std@@46E.?AUctype_base@std@@46E.?AV?$ctype@D@std@@46E.?AV?$codecvt@DDU_Mbstatet@@@std@@46E.?AVbad_exception@std@@46E.H46E.?AVfailure@ios_base@std@@46E.?AVruntime_error@std@@46E.?AVsystem_error@std@@46E.?AVbad_cast@std@@46E.?AV_System_error@std@@46E.?AVexception@std@@ base_address: 0x0046a000 process_identifier: 1384 process_handle: 0x00000380	1	1
WriteProcessMemory Sept. 16, 2021, 6:25 p.m.	buffer: base_address: 0x0046e000 process_identifier: 1384 process_handle: 0x00000380	1	1
WriteProcessMemory Sept. 16, 2021, 6:25 p.m.	buffer: ÛÓÀÓ?TØnØ?¼Ø?Ùr?u 5´4ë³ØÞ}Í}ôðð??(p'vØBØ^¥«õÝÝÍ½ijQiÞöC£¥'¡(dö¼Ù¼ b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x0046f000 process_identifier: 1384 process_handle: 0x00000380	1	1
WriteProcessMemory Sept. 16, 2021, 6:25 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1384 process_handle: 0x00000380	1	1

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 16, 2021, 6:24 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ªB0îâ,cîâ,cîâ,cZ~Ýcüâ,cZ~ßcOâ,cZ~Þcðâ,cç¨cïâ,cpBëcìâ,cÕ¼/bôâ,cÕ¼)bÔâ,cÕ¼(bÌâ,cç¿cûâ,cîâ-cñã,cy¼%b±â,c\|¼Ócïâ,cy¼.bïâ,cRichîâ,cPEL¹8aà ÷0@èÜKP8l8l8l@0t.textf `.rdataXo0p@@.data\= @À.tls à@À.gfids0ð@@.rsrcKL¢@@.reloc8P:î@B base_address: 0x00160000 process_identifier: 1376 process_handle: 0x00000384	1	1	0
WriteProcessMemory Sept. 16, 2021, 6:25 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ªB0îâ,cîâ,cîâ,cZ~Ýcüâ,cZ~ßcOâ,cZ~Þcðâ,cç¨cïâ,cpBëcìâ,cÕ¼/bôâ,cÕ¼)bÔâ,cÕ¼(bÌâ,cç¿cûâ,cîâ-cñã,cy¼%b±â,c\|¼Ócïâ,cy¼.bïâ,cRichîâ,cPEL¹8aà ÷0@èÜKP8l8l8l@0t.textf `.rdataXo0p@@.data\= @À.tls à@À.gfids0ð@@.rsrcKL¢@@.reloc8P:î@B base_address: 0x00400000 process_identifier: 1384 process_handle: 0x00000380	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2516 called NtSetContextThread to modify thread in remote process 1376
Process injection	Process 2960 called NtSetContextThread to modify thread in remote process 1384
NtSetContextThread Sept. 16, 2021, 6:24 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4388637 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000380 process_identifier: 1376	1	0	0
NtSetContextThread Sept. 16, 2021, 6:25 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4388637 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000037c process_identifier: 1384	1	0	0

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	cmd /c "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe"
parent_process	wscript.exe				martian_process	"C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe"

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2516 resumed a thread in remote process 1376
Process injection	Process 2960 resumed a thread in remote process 1384
NtResumeThread Sept. 16, 2021, 6:24 p.m.	thread_handle: 0x00000380 suspend_count: 1 process_identifier: 1376	1	0	0
NtResumeThread Sept. 16, 2021, 6:25 p.m.	thread_handle: 0x0000037c suspend_count: 1 process_identifier: 1384	1	0	0

File has been identified by 26 AntiVirus engines on VirusTotal as malicious (26 events)

Lionic	Trojan.Multi.Generic.4!c
Elastic	malicious (high confidence)
FireEye	Generic.mg.0764105d28b8e3fa
McAfee	Artemis!0764105D28B8
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.a
Cybereason	malicious.e84812
Cyren	W32/MSIL_Agent.BCR.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Kryptik.ACKH
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
Avast	Win32:PWSX-gen [Trj]
Tencent	Win32.Backdoor.Remcos.Auto
McAfee-GW-Edition	BehavesLike.Win32.Fareit.bc
Sophos	Mal/Generic-S
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
Microsoft	Trojan:Win32/Sabsik.TE.B!ml
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Win32.Backdoor.Remcos.GD64PW
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
BitDefenderTheta	Gen:NN.ZemsilF.34142.Sm0@ayXl6iaG
AVG	Win32:PWSX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (W)

Executed a process and injected code into it, probably while unpacking (48 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 16, 2021, 6:23 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2516	1	0
NtResumeThread Sept. 16, 2021, 6:23 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2516	1	0
NtResumeThread Sept. 16, 2021, 6:23 p.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2516	1	0
NtResumeThread Sept. 16, 2021, 6:23 p.m.	thread_handle: 0x00000210 suspend_count: 1 process_identifier: 2516	1	0
NtResumeThread Sept. 16, 2021, 6:23 p.m.	thread_handle: 0x00000224 suspend_count: 1 process_identifier: 2516	1	0
CreateProcessInternalW Sept. 16, 2021, 6:24 p.m.	thread_identifier: 1312 thread_handle: 0x00000380 process_identifier: 1376 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\remcoss.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\remcoss.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\remcoss.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000384	1	1
NtGetContextThread Sept. 16, 2021, 6:24 p.m.	thread_handle: 0x00000380	1	0
NtAllocateVirtualMemory Sept. 16, 2021, 6:24 p.m.	process_identifier: 1376 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000384		3221225496
NtAllocateVirtualMemory Sept. 16, 2021, 6:24 p.m.	process_identifier: 1376 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00160000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000384	1	0
WriteProcessMemory Sept. 16, 2021, 6:24 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ªB0îâ,cîâ,cîâ,cZ~Ýcüâ,cZ~ßcOâ,cZ~Þcðâ,cç¨cïâ,cpBëcìâ,cÕ¼/bôâ,cÕ¼)bÔâ,cÕ¼(bÌâ,cç¿cûâ,cîâ-cñã,cy¼%b±â,c\|¼Ócïâ,cy¼.bïâ,cRichîâ,cPEL¹8aà ÷0@èÜKP8l8l8l@0t.textf `.rdataXo0p@@.data\= @À.tls à@À.gfids0ð@@.rsrcKL¢@@.reloc8P:î@B base_address: 0x00160000 process_identifier: 1376 process_handle: 0x00000384	1	1
WriteProcessMemory Sept. 16, 2021, 6:24 p.m.	buffer: base_address: 0x00161000 process_identifier: 1376 process_handle: 0x00000384	1	1
WriteProcessMemory Sept. 16, 2021, 6:24 p.m.	buffer: base_address: 0x001b3000 process_identifier: 1376 process_handle: 0x00000384	1	1
WriteProcessMemory Sept. 16, 2021, 6:24 p.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ ´tE¸wE²tE..¡FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶F¡FP¶FP¶FP¶FP¶FP¶FP¶FP¶F¡Fÿÿÿÿ¸wE¨¢F¨¢F¨¢F¨¢F¨¢F¡F8zE¸{EEè¡F§FCPSTPDT°¢Fð¢Fÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ§Fþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨346E.?AVtype_info@@46E.?AVbad_alloc@std@@46E.?AVbad_array_new_length@std@@46E.?AVlogic_error@std@@46E.?AVlength_error@std@@46E.?AVout_of_range@std@@46E.?AV_Facet_base@std@@46E.?AV_Locimp@locale@std@@46E.?AVfacet@locale@std@@46E.?AU_Crt_new_delete@std@@46E.?AVcodecvt_base@std@@46E.?AUctype_base@std@@46E.?AV?$ctype@D@std@@46E.?AV?$codecvt@DDU_Mbstatet@@@std@@46E.?AVbad_exception@std@@46E.H46E.?AVfailure@ios_base@std@@46E.?AVruntime_error@std@@46E.?AVsystem_error@std@@46E.?AVbad_cast@std@@46E.?AV_System_error@std@@46E.?AVexception@std@@ base_address: 0x001ca000 process_identifier: 1376 process_handle: 0x00000384	1	1
WriteProcessMemory Sept. 16, 2021, 6:24 p.m.	buffer: base_address: 0x001ce000 process_identifier: 1376 process_handle: 0x00000384	1	1
WriteProcessMemory Sept. 16, 2021, 6:24 p.m.	buffer: ÛÓÀÓ?TØnØ?¼Ø?Ùr?u 5´4ë³ØÞ}Í}ôðð??(p'vØBØ^¥«õÝÝÍ½ijQiÞöC£¥'¡(dö¼Ù¼ b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x001cf000 process_identifier: 1376 process_handle: 0x00000384	1	1
WriteProcessMemory Sept. 16, 2021, 6:24 p.m.	buffer: base_address: 0x001d0000 process_identifier: 1376 process_handle: 0x00000384	1	1
WriteProcessMemory Sept. 16, 2021, 6:24 p.m.	buffer: base_address: 0x001d5000 process_identifier: 1376 process_handle: 0x00000384	1	1
WriteProcessMemory Sept. 16, 2021, 6:24 p.m.	buffer: base_address: 0x7efde008 process_identifier: 1376 process_handle: 0x00000384	1	1
NtSetContextThread Sept. 16, 2021, 6:24 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4388637 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000380 process_identifier: 1376	1	0
NtResumeThread Sept. 16, 2021, 6:24 p.m.	thread_handle: 0x00000380 suspend_count: 1 process_identifier: 1376	1	0
CreateProcessInternalW Sept. 16, 2021, 6:24 p.m.	thread_identifier: 2532 thread_handle: 0x00000524 process_identifier: 2312 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\test22\AppData\Roaming\browser\browser.exe'" /f filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000052c	1	1
CreateProcessInternalW Sept. 16, 2021, 6:24 p.m.	thread_identifier: 2540 thread_handle: 0x00000494 process_identifier: 276 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\test22\AppData\Local\Temp\remcoss.exe" "C:\Users\test22\AppData\Roaming\browser\browser.exe" filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000530	1	1
CreateProcessInternalW Sept. 16, 2021, 6:24 p.m.	thread_identifier: 2304 thread_handle: 0x000002d0 process_identifier: 2448 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\wscript.exe track: 1 command_line: "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\install.vbs" filepath_r: C:\Windows\System32\WScript.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002c4	1	1
CreateProcessInternalW Sept. 16, 2021, 6:24 p.m.	thread_identifier: 424 thread_handle: 0x00000084 process_identifier: 240 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\test22\AppData\Roaming\browser\browser.exe'" /f filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
CreateProcessInternalW Sept. 16, 2021, 6:24 p.m.	thread_identifier: 1172 thread_handle: 0x00000334 process_identifier: 2948 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000033c	1	1
CreateProcessInternalW Sept. 16, 2021, 6:24 p.m.	thread_identifier: 2964 thread_handle: 0x00000084 process_identifier: 2960 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\Remcos\remcos.exe track: 1 command_line: C:\Users\test22\AppData\Roaming\Remcos\remcos.exe filepath_r: C:\Users\test22\AppData\Roaming\Remcos\remcos.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
NtResumeThread Sept. 16, 2021, 6:24 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2960	1	0
NtResumeThread Sept. 16, 2021, 6:24 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2960	1	0
NtResumeThread Sept. 16, 2021, 6:24 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2960	1	0
NtResumeThread Sept. 16, 2021, 6:24 p.m.	thread_handle: 0x00000218 suspend_count: 1 process_identifier: 2960	1	0
NtResumeThread Sept. 16, 2021, 6:24 p.m.	thread_handle: 0x0000022c suspend_count: 1 process_identifier: 2960	1	0
CreateProcessInternalW Sept. 16, 2021, 6:25 p.m.	thread_identifier: 2916 thread_handle: 0x0000037c process_identifier: 1384 current_directory: filepath: C:\Users\test22\AppData\Roaming\Remcos\remcos.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" filepath_r: C:\Users\test22\AppData\Roaming\Remcos\remcos.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000380	1	1
NtGetContextThread Sept. 16, 2021, 6:25 p.m.	thread_handle: 0x0000037c	1	0
NtAllocateVirtualMemory Sept. 16, 2021, 6:25 p.m.	process_identifier: 1384 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000380	1	0
WriteProcessMemory Sept. 16, 2021, 6:25 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ªB0îâ,cîâ,cîâ,cZ~Ýcüâ,cZ~ßcOâ,cZ~Þcðâ,cç¨cïâ,cpBëcìâ,cÕ¼/bôâ,cÕ¼)bÔâ,cÕ¼(bÌâ,cç¿cûâ,cîâ-cñã,cy¼%b±â,c\|¼Ócïâ,cy¼.bïâ,cRichîâ,cPEL¹8aà ÷0@èÜKP8l8l8l@0t.textf `.rdataXo0p@@.data\= @À.tls à@À.gfids0ð@@.rsrcKL¢@@.reloc8P:î@B base_address: 0x00400000 process_identifier: 1384 process_handle: 0x00000380	1	1
WriteProcessMemory Sept. 16, 2021, 6:25 p.m.	buffer: base_address: 0x00401000 process_identifier: 1384 process_handle: 0x00000380	1	1
WriteProcessMemory Sept. 16, 2021, 6:25 p.m.	buffer: base_address: 0x00453000 process_identifier: 1384 process_handle: 0x00000380	1	1
WriteProcessMemory Sept. 16, 2021, 6:25 p.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ ´tE¸wE²tE..¡FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶F¡FP¶FP¶FP¶FP¶FP¶FP¶FP¶F¡Fÿÿÿÿ¸wE¨¢F¨¢F¨¢F¨¢F¨¢F¡F8zE¸{EEè¡F§FCPSTPDT°¢Fð¢Fÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ§Fþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨346E.?AVtype_info@@46E.?AVbad_alloc@std@@46E.?AVbad_array_new_length@std@@46E.?AVlogic_error@std@@46E.?AVlength_error@std@@46E.?AVout_of_range@std@@46E.?AV_Facet_base@std@@46E.?AV_Locimp@locale@std@@46E.?AVfacet@locale@std@@46E.?AU_Crt_new_delete@std@@46E.?AVcodecvt_base@std@@46E.?AUctype_base@std@@46E.?AV?$ctype@D@std@@46E.?AV?$codecvt@DDU_Mbstatet@@@std@@46E.?AVbad_exception@std@@46E.H46E.?AVfailure@ios_base@std@@46E.?AVruntime_error@std@@46E.?AVsystem_error@std@@46E.?AVbad_cast@std@@46E.?AV_System_error@std@@46E.?AVexception@std@@ base_address: 0x0046a000 process_identifier: 1384 process_handle: 0x00000380	1	1
WriteProcessMemory Sept. 16, 2021, 6:25 p.m.	buffer: base_address: 0x0046e000 process_identifier: 1384 process_handle: 0x00000380	1	1
WriteProcessMemory Sept. 16, 2021, 6:25 p.m.	buffer: ÛÓÀÓ?TØnØ?¼Ø?Ùr?u 5´4ë³ØÞ}Í}ôðð??(p'vØBØ^¥«õÝÝÍ½ijQiÞöC£¥'¡(dö¼Ù¼ b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x0046f000 process_identifier: 1384 process_handle: 0x00000380	1	1
WriteProcessMemory Sept. 16, 2021, 6:25 p.m.	buffer: base_address: 0x00470000 process_identifier: 1384 process_handle: 0x00000380	1	1
WriteProcessMemory Sept. 16, 2021, 6:25 p.m.	buffer: base_address: 0x00475000 process_identifier: 1384 process_handle: 0x00000380	1	1
WriteProcessMemory Sept. 16, 2021, 6:25 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1384 process_handle: 0x00000380	1	1
NtSetContextThread Sept. 16, 2021, 6:25 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4388637 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000037c process_identifier: 1384	1	0
NtResumeThread Sept. 16, 2021, 6:25 p.m.	thread_handle: 0x0000037c suspend_count: 1 process_identifier: 1384	1	0
CreateProcessInternalW Sept. 16, 2021, 6:25 p.m.	thread_identifier: 2492 thread_handle: 0x0000051c process_identifier: 656 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\test22\AppData\Roaming\browser\browser.exe'" /f filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000518	1	1
CreateProcessInternalW Sept. 16, 2021, 6:25 p.m.	thread_identifier: 2880 thread_handle: 0x00000468 process_identifier: 2828 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" "C:\Users\test22\AppData\Roaming\browser\browser.exe" filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000528	1	1
CreateProcessInternalW Sept. 16, 2021, 6:25 p.m.	thread_identifier: 2240 thread_handle: 0x00000084 process_identifier: 2540 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\test22\AppData\Roaming\browser\browser.exe'" /f filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1

The process wscript.exe wrote an executable file to disk which it then attempted to execute (2 events)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Windows\System32\cmd.exe

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (20 events)

dead_host	192.168.56.102:49187
dead_host	192.168.56.102:49181
dead_host	192.168.56.102:49184
dead_host	192.168.56.102:49185
dead_host	192.168.56.102:49196
dead_host	192.168.56.102:49190
dead_host	192.168.56.102:49197
dead_host	192.168.56.102:49176
dead_host	192.168.56.102:49191
dead_host	192.168.56.102:49188
dead_host	192.168.56.102:49182
dead_host	192.168.56.102:49189
dead_host	192.168.56.102:49183
dead_host	192.168.56.102:49194
dead_host	192.168.56.102:49180
dead_host	192.168.56.102:49195
dead_host	79.134.225.77:2050
dead_host	192.168.56.102:49192
dead_host	192.168.56.102:49186
dead_host	192.168.56.102:49193

remcoss.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All