Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 21, 2023, 5:59 p.m.	April 21, 2023, 6:11 p.m.

Size	2.0MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`e8ab54ff681e5009795d0030d626c9b3`
SHA256	`b7d64cf330e9c964da5082e14b1685d8daf4ae492411ce8f028aadf58a5740dc`
CRC32	`22D1C405`
ssdeep	`24576:LgbhYMrfgwYTCh8pSa5keqUtggYC1xiJR1WbEML9VmX05lzxsWY0DCS3AEH395yQ:yr9MCapSUcCYWhjs8rX`
Yara	Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult NPKI_Zero - File included NPKI Is_DotNET_EXE - (no description) IsPE32 - (no description) PE_Header_Zero - PE File Signature

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
300
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
  2144
- vbc.exe C:\Users\test22\AppData\Local\Temp\vbc.exe
  2856
  - remcos.exe "C:\ProgramData\Remcos\remcos.exe"
    2932
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      3012
    - remcos.exe C:\ProgramData\Remcos\remcos.exe
      948

Name	Response	Post-Analysis Lookup
geoplugin.net	A 178.237.33.50	178.237.33.50
top.noforabusers1.xyz	A 185.225.74.112	185.225.74.112

IP Address	Status	Action
164.124.101.2	Active	Moloch
178.237.33.50	Active	Moloch
185.225.74.112	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49172 -> 185.225.74.112:2404	2036594	ET JA3 Hash - Remcos 3.x TLS Connection	Malware Command and Control Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.103:49172 185.225.74.112:2404	None	None	None

Queries for the computername (14 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 21, 2023, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2023, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2023, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2023, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2023, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 21, 2023, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2023, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2023, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2023, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2023, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2023, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2023, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 21, 2023, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2023, 5:59 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 21, 2023, 5:59 p.m.			0	0
IsDebuggerPresent April 21, 2023, 5:59 p.m.			0	0
IsDebuggerPresent April 21, 2023, 5:59 p.m.			0	0
IsDebuggerPresent April 21, 2023, 5:59 p.m.			0	0
IsDebuggerPresent April 21, 2023, 5:59 p.m.			0	0
IsDebuggerPresent April 21, 2023, 5:59 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (50 out of 86 events)

Time & API	Arguments	Status	Return
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0081cef0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0081cef0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0081cff0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bc560 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bc6a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bc6a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bc6a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bbea0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bbea0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bbea0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bbea0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bbea0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bbea0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bc6a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bc6a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bc6a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bcc20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bcc20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bcc20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bc920 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bcc20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bcc20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bcc20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bcc20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bcc20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bcc20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bcc20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bc9e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bc9e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bc9e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bc9e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bc9e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bc9e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bc9e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bc9e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bc9e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bc9e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bc9e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bc9e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bc9e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bc9e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bca60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bca60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00529010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00529010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00529110 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0046a620 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0046a6a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0046a6a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2023, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0046a6a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 21, 2023, 5:59 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 21, 2023, 5:59 p.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x74111194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x73fe2ba1 mscorlib+0x32d27c @ 0x728ed27c mscorlib+0x32d233 @ 0x728ed233 mscorlib+0x32d12a @ 0x728ed12a 0x8c031a 0x8c01db 0x8c0170 0x8c00da 0x8c007e 0x8c0056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f7264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f72e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x740274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74027610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x740b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x740b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x740b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x740b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7460f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74897f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74894de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 4583604 registers.edi: 0 registers.eax: 4583604 registers.ebp: 4583684 registers.edx: 0 registers.ebx: 8614296 registers.esi: 8280968 registers.ecx: 3224692957	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

April 21, 2023, 5:59 p.m.

stacktrace:

CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x74111194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x73fe2ba1
mscorlib+0x32d27c @ 0x728ed27c
mscorlib+0x32d233 @ 0x728ed233
mscorlib+0x32d12a @ 0x728ed12a
0x8c031a
0x8c01db
0x8c0170
0x8c00da
0x8c007e
0x8c0056
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f7264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f72e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x740274ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74027610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x740b1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x740b1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x740b1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x740b416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7460f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74897f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74894de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 4583604
registers.edi: 0
registers.eax: 4583604
registers.ebp: 4583684
registers.edx: 0
registers.ebx: 8614296
registers.esi: 8280968
registers.ecx: 3224692957

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://geoplugin.net/json.gp

Performs some HTTP requests (1 event)

request

GET http://geoplugin.net/json.gp

Allocates read-write-execute memory (usually to unpack itself) (50 out of 366 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f62000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00662000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00695000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0069b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00697000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0067c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0067a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0066a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00686000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0068a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00687000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0066c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0067d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0067e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0067f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04370000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0068b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008cd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ce000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008cf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04371000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04380000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04381000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0439f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04390000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04382000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04372000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04383000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04384000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04385000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04386000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

remcos.exe tried to sleep 214 seconds, actually delayed analysis time by 214 seconds

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	powershell -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW April 21, 2023, 5:59 p.m.	show_type: 0 filepath_r: powershell parameters: -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== filepath: powershell	1	1	0
ShellExecuteExW April 21, 2023, 5:59 p.m.	show_type: 0 filepath_r: powershell parameters: -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== filepath: powershell	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (4 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW April 21, 2023, 5:59 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 21, 2023, 5:59 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 21, 2023, 5:59 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 21, 2023, 5:59 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (42 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	browser info stealer	rule	infoStealer_browser_Zero
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Escalate priviledges	rule	Escalate_priviledges
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Run a KeyLogger	rule	KeyLogger
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	browser info stealer	rule	infoStealer_browser_Zero
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Escalate priviledges	rule	Escalate_priviledges
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Run a KeyLogger	rule	KeyLogger

Terminates another process (12 events)

Time & API	Arguments	Status
NtTerminateProcess April 21, 2023, 5:59 p.m.	status_code: 0xffffffff process_identifier: 2640 process_handle: 0x0000023c
NtTerminateProcess April 21, 2023, 5:59 p.m.	status_code: 0xffffffff process_identifier: 2640 process_handle: 0x0000023c	1
NtTerminateProcess April 21, 2023, 5:59 p.m.	status_code: 0xffffffff process_identifier: 2676 process_handle: 0x000003a4
NtTerminateProcess April 21, 2023, 5:59 p.m.	status_code: 0xffffffff process_identifier: 2676 process_handle: 0x000003a4	1
NtTerminateProcess April 21, 2023, 5:59 p.m.	status_code: 0xffffffff process_identifier: 2712 process_handle: 0x00000208
NtTerminateProcess April 21, 2023, 5:59 p.m.	status_code: 0xffffffff process_identifier: 2712 process_handle: 0x00000208	1
NtTerminateProcess April 21, 2023, 5:59 p.m.	status_code: 0xffffffff process_identifier: 2748 process_handle: 0x00000200
NtTerminateProcess April 21, 2023, 5:59 p.m.	status_code: 0xffffffff process_identifier: 2748 process_handle: 0x00000200	1
NtTerminateProcess April 21, 2023, 5:59 p.m.	status_code: 0xffffffff process_identifier: 2784 process_handle: 0x00000268
NtTerminateProcess April 21, 2023, 5:59 p.m.	status_code: 0xffffffff process_identifier: 2784 process_handle: 0x00000268	1
NtTerminateProcess April 21, 2023, 5:59 p.m.	status_code: 0xffffffff process_identifier: 2820 process_handle: 0x0000037c
NtTerminateProcess April 21, 2023, 5:59 p.m.	status_code: 0xffffffff process_identifier: 2820 process_handle: 0x0000037c	1

Allocates execute permission to another process indicative of possible code injection (8 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2640 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000244		3221225496
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2676 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000240		3221225496
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2712 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000024c		3221225496
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2748 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000204		3221225496
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2784 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001fc		3221225496
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2820 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000020c		3221225496
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2856 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000380	1	0
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 948 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000248	1	0

Installs itself for autorun at Windows startup (4 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Remcos	reg_value	"C:\ProgramData\Remcos\remcos.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos	reg_value	"C:\ProgramData\Remcos\remcos.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Remcos	reg_value	"C:\ProgramData\Remcos\remcos.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos	reg_value	"C:\ProgramData\Remcos\remcos.exe"

Manipulates memory of a non-child process indicative of process injection (12 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 300 manipulating memory of non-child process 2640
Process injection	Process 300 manipulating memory of non-child process 2676
Process injection	Process 300 manipulating memory of non-child process 2712
Process injection	Process 300 manipulating memory of non-child process 2748
Process injection	Process 300 manipulating memory of non-child process 2784
Process injection	Process 300 manipulating memory of non-child process 2820
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2640 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000244	3221225496	0
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2676 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000240	3221225496	0
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2712 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000024c	3221225496	0
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2748 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000204	3221225496	0
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2784 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001fc	3221225496	0
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2820 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000020c	3221225496	0

Potential code injection by writing to the memory of another process (10 events)

Time & API	Arguments	Status	Return
WriteProcessMemory April 21, 2023, 5:59 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ì!¨ier¨ier¨ierõr»ierõrierõr¶ier¡ár©ier6É¢rªier7fs²ier7`sier7asier¡ör±ier¨idrher7lsÊier7r©ier7gs©ierRich¨ierPEL÷ñcàVS.p@ÈÍpKÀ:`²8ô²²@pÈ.textËUV `.rdata¼wpxZ@@.data\|\ðÒ@À.tls Pà@À.gfids0`â@@.rsrcKpLæ@@.reloc:À<2@B base_address: 0x00400000 process_identifier: 2856 process_handle: 0x00000380	1	1
WriteProcessMemory April 21, 2023, 5:59 p.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ µE¸EµE..ñF\G\G\G\G\G\G\G\G\GñF`G`G`G`G`G`G`GñFÿÿÿÿ¸E¨òF¨òF¨òF¨òF¨òFñF»E¼EØÊEèñF÷FCPSTPDT°òFðòFÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ÷Fþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨3ø¥F;A¦F´=A¦FÓ:AvE.?AVtype_info@@vE.?AVbad_alloc@std@@vE.?AVbad_array_new_length@std@@vE.?AVlogic_error@std@@vE.?AVlength_error@std@@vE.?AVout_of_range@std@@vE.?AV_Facet_base@std@@vE.?AV_Locimp@locale@std@@vE.?AVfacet@locale@std@@vE.?AU_Crt_new_delete@std@@vE.?AVcodecvt_base@std@@vE.?AUctype_base@std@@vE.?AV?$ctype@D@std@@vE.?AV?$codecvt@DDU_Mbstatet@@@std@@vE.?AVbad_exception@std@@vE.HvE.?AVfailure@ios_base@std@@vE.?AVruntime_error@std@@vE.?AVsystem_error@std@@vE.?AVbad_cast@std@@vE.?AV_System_error@std@@vE.?AVexception@std@@ base_address: 0x0046f000 process_identifier: 2856 process_handle: 0x00000380	1	1
WriteProcessMemory April 21, 2023, 5:59 p.m.	buffer: base_address: 0x00475000 process_identifier: 2856 process_handle: 0x00000380	1	1
WriteProcessMemory April 21, 2023, 5:59 p.m.	buffer: Ñ¶>\$v$>Ä$>9Ô>k×Ügþf»$¿ß®ßü<¤<>>0qp~$J$?ôîaê³Añ÷ñ÷àdg@¥¦±Êíû×þ$tfqµ¡%GO b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x00476000 process_identifier: 2856 process_handle: 0x00000380	1	1
WriteProcessMemory April 21, 2023, 5:59 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2856 process_handle: 0x00000380	1	1
WriteProcessMemory April 21, 2023, 5:59 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ì!¨ier¨ier¨ierõr»ierõrierõr¶ier¡ár©ier6É¢rªier7fs²ier7`sier7asier¡ör±ier¨idrher7lsÊier7r©ier7gs©ierRich¨ierPEL÷ñcàVS.p@ÈÍpKÀ:`²8ô²²@pÈ.textËUV `.rdata¼wpxZ@@.data\|\ðÒ@À.tls Pà@À.gfids0`â@@.rsrcKpLæ@@.reloc:À<2@B base_address: 0x00400000 process_identifier: 948 process_handle: 0x00000248	1	1
WriteProcessMemory April 21, 2023, 5:59 p.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ µE¸EµE..ñF\G\G\G\G\G\G\G\G\GñF`G`G`G`G`G`G`GñFÿÿÿÿ¸E¨òF¨òF¨òF¨òF¨òFñF»E¼EØÊEèñF÷FCPSTPDT°òFðòFÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ÷Fþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨3ø¥F;A¦F´=A¦FÓ:AvE.?AVtype_info@@vE.?AVbad_alloc@std@@vE.?AVbad_array_new_length@std@@vE.?AVlogic_error@std@@vE.?AVlength_error@std@@vE.?AVout_of_range@std@@vE.?AV_Facet_base@std@@vE.?AV_Locimp@locale@std@@vE.?AVfacet@locale@std@@vE.?AU_Crt_new_delete@std@@vE.?AVcodecvt_base@std@@vE.?AUctype_base@std@@vE.?AV?$ctype@D@std@@vE.?AV?$codecvt@DDU_Mbstatet@@@std@@vE.?AVbad_exception@std@@vE.HvE.?AVfailure@ios_base@std@@vE.?AVruntime_error@std@@vE.?AVsystem_error@std@@vE.?AVbad_cast@std@@vE.?AV_System_error@std@@vE.?AVexception@std@@ base_address: 0x0046f000 process_identifier: 948 process_handle: 0x00000248	1	1
WriteProcessMemory April 21, 2023, 5:59 p.m.	buffer: base_address: 0x00475000 process_identifier: 948 process_handle: 0x00000248	1	1
WriteProcessMemory April 21, 2023, 5:59 p.m.	buffer: Ñ¶>\$v$>Ä$>9Ô>k×Ügþf»$¿ß®ßü<¤<>>0qp~$J$?ôîaê³Añ÷ñ÷àdg@¥¦±Êíû×þ$tfqµ¡%GO b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x00476000 process_identifier: 948 process_handle: 0x00000248	1	1
WriteProcessMemory April 21, 2023, 5:59 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 948 process_handle: 0x00000248	1	1

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory April 21, 2023, 5:59 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ì!¨ier¨ier¨ierõr»ierõrierõr¶ier¡ár©ier6É¢rªier7fs²ier7`sier7asier¡ör±ier¨idrher7lsÊier7r©ier7gs©ierRich¨ierPEL÷ñcàVS.p@ÈÍpKÀ:`²8ô²²@pÈ.textËUV `.rdata¼wpxZ@@.data\|\ðÒ@À.tls Pà@À.gfids0`â@@.rsrcKpLæ@@.reloc:À<2@B base_address: 0x00400000 process_identifier: 2856 process_handle: 0x00000380	1	1	0
WriteProcessMemory April 21, 2023, 5:59 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ì!¨ier¨ier¨ierõr»ierõrierõr¶ier¡ár©ier6É¢rªier7fs²ier7`sier7asier¡ör±ier¨idrher7lsÊier7r©ier7gs©ierRich¨ierPEL÷ñcàVS.p@ÈÍpKÀ:`²8ô²²@pÈ.textËUV `.rdata¼wpxZ@@.data\|\ðÒ@À.tls Pà@À.gfids0`â@@.rsrcKpLæ@@.reloc:À<2@B base_address: 0x00400000 process_identifier: 948 process_handle: 0x00000248	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA April 21, 2023, 5:59 p.m.	thread_identifier: 0 callback_function: 0x004098a7 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	328153	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 300 called NtSetContextThread to modify thread in remote process 2856
Process injection	Process 2932 called NtSetContextThread to modify thread in remote process 948
NtSetContextThread April 21, 2023, 5:59 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4402771 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000037c process_identifier: 2856	1	0	0
NtSetContextThread April 21, 2023, 5:59 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4402771 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000244 process_identifier: 948	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 300 resumed a thread in remote process 2856
Process injection	Process 2932 resumed a thread in remote process 948
NtResumeThread April 21, 2023, 5:59 p.m.	thread_handle: 0x0000037c suspend_count: 1 process_identifier: 2856	1	0	0
NtResumeThread April 21, 2023, 5:59 p.m.	thread_handle: 0x00000244 suspend_count: 1 process_identifier: 948	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 75 events)

Time & API	Arguments	Status	Return
NtResumeThread April 21, 2023, 5:59 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 300	1	0
NtResumeThread April 21, 2023, 5:59 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 300	1	0
NtResumeThread April 21, 2023, 5:59 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 300	1	0
NtResumeThread April 21, 2023, 5:59 p.m.	thread_handle: 0x0000020c suspend_count: 1 process_identifier: 300	1	0
NtGetContextThread April 21, 2023, 5:59 p.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread April 21, 2023, 5:59 p.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread April 21, 2023, 5:59 p.m.	thread_handle: 0x000000e8	1	0
NtSetContextThread April 21, 2023, 5:59 p.m.	registers.eip: 1946037124 registers.esp: 4583812 registers.edi: 60013764 registers.eax: 100 registers.ebp: 4583828 registers.edx: 100 registers.ebx: 59972360 registers.esi: 56083666 registers.ecx: 255 thread_handle: 0x000000e8 process_identifier: 300	1	0
NtResumeThread April 21, 2023, 5:59 p.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 300	1	0
NtResumeThread April 21, 2023, 5:59 p.m.	thread_handle: 0x0000024c suspend_count: 1 process_identifier: 300	1	0
CreateProcessInternalW April 21, 2023, 5:59 p.m.	thread_identifier: 2148 thread_handle: 0x000003a0 process_identifier: 2144 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003a8	1	1
CreateProcessInternalW April 21, 2023, 5:59 p.m.	thread_identifier: 2644 thread_handle: 0x00000248 process_identifier: 2640 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\vbc.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000244	1	1
NtGetContextThread April 21, 2023, 5:59 p.m.	thread_handle: 0x00000248	1	0
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2640 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000244		3221225496
CreateProcessInternalW April 21, 2023, 5:59 p.m.	thread_identifier: 2680 thread_handle: 0x0000023c process_identifier: 2676 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\vbc.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000240	1	1
NtGetContextThread April 21, 2023, 5:59 p.m.	thread_handle: 0x0000023c	1	0
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2676 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000240		3221225496
CreateProcessInternalW April 21, 2023, 5:59 p.m.	thread_identifier: 2716 thread_handle: 0x000003a4 process_identifier: 2712 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\vbc.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000024c	1	1
NtGetContextThread April 21, 2023, 5:59 p.m.	thread_handle: 0x000003a4	1	0
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2712 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000024c		3221225496
CreateProcessInternalW April 21, 2023, 5:59 p.m.	thread_identifier: 2752 thread_handle: 0x00000208 process_identifier: 2748 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\vbc.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000204	1	1
NtGetContextThread April 21, 2023, 5:59 p.m.	thread_handle: 0x00000208	1	0
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2748 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000204		3221225496
CreateProcessInternalW April 21, 2023, 5:59 p.m.	thread_identifier: 2788 thread_handle: 0x00000200 process_identifier: 2784 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\vbc.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000001fc	1	1
NtGetContextThread April 21, 2023, 5:59 p.m.	thread_handle: 0x00000200	1	0
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2784 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001fc		3221225496
CreateProcessInternalW April 21, 2023, 5:59 p.m.	thread_identifier: 2824 thread_handle: 0x00000268 process_identifier: 2820 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\vbc.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000020c	1	1
NtGetContextThread April 21, 2023, 5:59 p.m.	thread_handle: 0x00000268	1	0
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2820 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000020c		3221225496
CreateProcessInternalW April 21, 2023, 5:59 p.m.	thread_identifier: 2860 thread_handle: 0x0000037c process_identifier: 2856 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\vbc.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000380	1	1
NtGetContextThread April 21, 2023, 5:59 p.m.	thread_handle: 0x0000037c	1	0
NtAllocateVirtualMemory April 21, 2023, 5:59 p.m.	process_identifier: 2856 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000380	1	0
WriteProcessMemory April 21, 2023, 5:59 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ì!¨ier¨ier¨ierõr»ierõrierõr¶ier¡ár©ier6É¢rªier7fs²ier7`sier7asier¡ör±ier¨idrher7lsÊier7r©ier7gs©ierRich¨ierPEL÷ñcàVS.p@ÈÍpKÀ:`²8ô²²@pÈ.textËUV `.rdata¼wpxZ@@.data\|\ðÒ@À.tls Pà@À.gfids0`â@@.rsrcKpLæ@@.reloc:À<2@B base_address: 0x00400000 process_identifier: 2856 process_handle: 0x00000380	1	1
WriteProcessMemory April 21, 2023, 5:59 p.m.	buffer: base_address: 0x00401000 process_identifier: 2856 process_handle: 0x00000380	1	1
WriteProcessMemory April 21, 2023, 5:59 p.m.	buffer: base_address: 0x00457000 process_identifier: 2856 process_handle: 0x00000380	1	1
WriteProcessMemory April 21, 2023, 5:59 p.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ µE¸EµE..ñF\G\G\G\G\G\G\G\G\GñF`G`G`G`G`G`G`GñFÿÿÿÿ¸E¨òF¨òF¨òF¨òF¨òFñF»E¼EØÊEèñF÷FCPSTPDT°òFðòFÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ÷Fþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨3ø¥F;A¦F´=A¦FÓ:AvE.?AVtype_info@@vE.?AVbad_alloc@std@@vE.?AVbad_array_new_length@std@@vE.?AVlogic_error@std@@vE.?AVlength_error@std@@vE.?AVout_of_range@std@@vE.?AV_Facet_base@std@@vE.?AV_Locimp@locale@std@@vE.?AVfacet@locale@std@@vE.?AU_Crt_new_delete@std@@vE.?AVcodecvt_base@std@@vE.?AUctype_base@std@@vE.?AV?$ctype@D@std@@vE.?AV?$codecvt@DDU_Mbstatet@@@std@@vE.?AVbad_exception@std@@vE.HvE.?AVfailure@ios_base@std@@vE.?AVruntime_error@std@@vE.?AVsystem_error@std@@vE.?AVbad_cast@std@@vE.?AV_System_error@std@@vE.?AVexception@std@@ base_address: 0x0046f000 process_identifier: 2856 process_handle: 0x00000380	1	1
WriteProcessMemory April 21, 2023, 5:59 p.m.	buffer: base_address: 0x00475000 process_identifier: 2856 process_handle: 0x00000380	1	1
WriteProcessMemory April 21, 2023, 5:59 p.m.	buffer: Ñ¶>\$v$>Ä$>9Ô>k×Ügþf»$¿ß®ßü<¤<>>0qp~$J$?ôîaê³Añ÷ñ÷àdg@¥¦±Êíû×þ$tfqµ¡%GO b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x00476000 process_identifier: 2856 process_handle: 0x00000380	1	1
WriteProcessMemory April 21, 2023, 5:59 p.m.	buffer: base_address: 0x00477000 process_identifier: 2856 process_handle: 0x00000380	1	1
WriteProcessMemory April 21, 2023, 5:59 p.m.	buffer: base_address: 0x0047c000 process_identifier: 2856 process_handle: 0x00000380	1	1
WriteProcessMemory April 21, 2023, 5:59 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2856 process_handle: 0x00000380	1	1
NtSetContextThread April 21, 2023, 5:59 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4402771 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000037c process_identifier: 2856	1	0
NtResumeThread April 21, 2023, 5:59 p.m.	thread_handle: 0x0000037c suspend_count: 1 process_identifier: 2856	1	0
NtResumeThread April 21, 2023, 5:59 p.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 2144	1	0
NtResumeThread April 21, 2023, 5:59 p.m.	thread_handle: 0x00000300 suspend_count: 1 process_identifier: 2144	1	0
NtResumeThread April 21, 2023, 5:59 p.m.	thread_handle: 0x0000044c suspend_count: 1 process_identifier: 2144	1	0
NtResumeThread April 21, 2023, 5:59 p.m.	thread_handle: 0x00000498 suspend_count: 1 process_identifier: 2144	1	0
CreateProcessInternalW April 21, 2023, 5:59 p.m.	thread_identifier: 2936 thread_handle: 0x00000224 process_identifier: 2932 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\ProgramData\Remcos\remcos.exe track: 1 command_line: "C:\ProgramData\Remcos\remcos.exe" filepath_r: C:\ProgramData\Remcos\remcos.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000228	1	1
NtResumeThread April 21, 2023, 5:59 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2932	1	0
NtResumeThread April 21, 2023, 5:59 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2932	1	0

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 events)

Lionic	Trojan.Win32.Generic.loK7
MicroWorld-eScan	Gen:Heur.MSIL.Krypt.11
FireEye	Generic.mg.e8ab54ff681e5009
CAT-QuickHeal	TrojanDownloader.MSIL
McAfee	Artemis!E8AB54FF681E
Malwarebytes	Trojan.Crypt.MSIL.Generic
Sangfor	Downloader.Msil.Agent.Vche
K7AntiVirus	Trojan-Downloader ( 005a3c1a1 )
Alibaba	TrojanDownloader:MSIL/Seraph.d305a421
K7GW	Trojan-Downloader ( 005a3c1a1 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.MSIL.Krypt.11
BitDefenderTheta	Gen:NN.ZemsilF.36164.!n0@au!psgd
VirIT	Trojan.Win32.GenusT.EGLK
Cyren	W32/ABRisk.QEZM-7219
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/TrojanDownloader.Agent.PCF
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Trojan-Downloader.MSIL.Seraph.gen
BitDefender	Gen:Heur.MSIL.Krypt.11
Avast	Win32:PWSX-gen [Trj]
Rising	Malware.Obfus/MSIL@AI.91 (RDM.MSIL2:HAJpShPGx1piBSrbDxv6Zw)
Emsisoft	Gen:Heur.MSIL.Krypt.11 (B)
F-Secure	Heuristic.HEUR/AGEN.1323344
DrWeb	Trojan.Inject4.30942
VIPRE	Gen:Heur.MSIL.Krypt.11
TrendMicro	TROJ_GEN.R002C0WDI23
McAfee-GW-Edition	BehavesLike.Win32.Dropper.tm
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
Avira	HEUR/AGEN.1323344
MAX	malware (ai score=80)
Antiy-AVL	Trojan/Win32.Wacatac
Gridinsoft	Ransom.Win32.Wacatac.sa
Microsoft	Trojan:MSIL/Malgent!MSR
ZoneAlarm	HEUR:Trojan-Downloader.MSIL.Seraph.gen
GData	Gen:Heur.MSIL.Krypt.11
Google	Detected
ALYac	Gen:Heur.MSIL.Krypt.11
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002C0WDI23
Tencent	Msil.Trojan-Downloader.Seraph.Fplw
Ikarus	Trojan-Spy.AgentTesla
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Agent.PCF!tr.dldr
AVG	Win32:PWSX-gen [Trj]

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All