Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 10, 2023, 7:46 a.m.	July 10, 2023, 7:48 a.m.

Size	481.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`5379d703170770355efdbce86dcdb1d3`
SHA256	`9d8282d54901d4e795f0469a5191242b2e7b3b0c51f810f71c739bfff52de8d5`
CRC32	`B15FF314`
ssdeep	`12288:VRXxReZj3WZfj/2eSseWFaIe2+f8CL47bs/Zf2lDU:Vx7cyF2eSsewS8W47eZO`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check infoStealer_browser_b_Zero - browser info stealer Network_Downloader - File Downloader Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description) Generic_Malware_Zero - Generic Malware

RiotGames.exe "C:\Users\test22\AppData\Local\Temp\RiotGames.exe"
660
- cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2072
  - reg.exe C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    2152
- Terminal.exe "C:\ProgramData\Terminal\Terminal.exe"
  2208
  - cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    2256
    - reg.exe C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      2436
  - svchost.exe svchost.exe
    2376

Name	Response	Post-Analysis Lookup
geoplugin.net	A 178.237.33.50	178.237.33.50

IP Address	Status	Action
141.95.16.111	Active	Moloch
164.124.101.2	Active	Moloch
178.237.33.50	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49166 -> 141.95.16.111:2404	2036594	ET JA3 Hash - Remcos 3.x TLS Connection	Malware Command and Control Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.103:49166 141.95.16.111:2404	None	None	None

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 10, 2023, 7:46 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW July 10, 2023, 7:46 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW July 10, 2023, 7:46 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW July 10, 2023, 7:46 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 10, 2023, 7:46 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://geoplugin.net/json.gp

Performs some HTTP requests (1 event)

request

GET http://geoplugin.net/json.gp

A process attempted to delay the analysis task. (1 event)

description

Terminal.exe tried to sleep 468 seconds, actually delayed analysis time by 468 seconds

Creates a suspicious process (1 event)

cmdline

svchost.exe

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW July 10, 2023, 7:46 a.m.	thread_identifier: 2076 thread_handle: 0x000000c4 process_identifier: 2072 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000c0	1	1	0
CreateProcessInternalW July 10, 2023, 7:46 a.m.	thread_identifier: 2260 thread_handle: 0x000000c4 process_identifier: 2256 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000c0	1	1	0

Yara rule detected in process memory (23 events)

description	Create a windows service	rule	Create_Service
description	Client_SW_User_Data_Stealer	rule	Client_SW_User_Data_Stealer
description	Win Backdoor RemcosRAT	rule	Win_Backdoor_RemcosRAT
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	browser info stealer	rule	infoStealer_browser_Zero
description	Escalate priviledges	rule	Escalate_priviledges
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications use DNS	rule	Network_DNS
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	Run a KeyLogger	rule	KeyLogger
description	File Downloader	rule	Network_Downloader

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess July 10, 2023, 7:46 a.m.	status_code: 0x00000000 process_identifier: 2292 process_handle: 0x000000c0		0	0
NtTerminateProcess July 10, 2023, 7:46 a.m.	status_code: 0x00000000 process_identifier: 2292 process_handle: 0x000000c0	1	0	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
cmdline	/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

Communicates with host for which no DNS query was performed (1 event)

host

141.95.16.111

Installs itself for autorun at Windows startup (50 out of 82 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR	reg_value	"C:\ProgramData\Terminal\Terminal.exe"

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 10, 2023, 7:46 a.m.	buffer: base_address: 0x7efde008 process_identifier: 2376 process_handle: 0x0000013c	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA July 10, 2023, 7:46 a.m.	thread_identifier: 0 callback_function: 0x0040a1cb hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	262627	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2208 called NtSetContextThread to modify thread in remote process 2376
NtSetContextThread July 10, 2023, 7:46 a.m.	registers.eip: 2005598660 registers.esp: 1047884 registers.edi: 0 registers.eax: 1917965 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000138 process_identifier: 2376	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2208 resumed a thread in remote process 2376
NtResumeThread July 10, 2023, 7:46 a.m.	thread_handle: 0x00000138 suspend_count: 1 process_identifier: 2376	1	0	0

Disables Windows Security features (1 event)

description

attempts to disable user access control

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Executed a process and injected code into it, probably while unpacking (15 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW July 10, 2023, 7:46 a.m.	thread_identifier: 2076 thread_handle: 0x000000c4 process_identifier: 2072 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000c0	1	1
CreateProcessInternalW July 10, 2023, 7:46 a.m.	thread_identifier: 2212 thread_handle: 0x0000039c process_identifier: 2208 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\ProgramData\Terminal\Terminal.exe track: 1 command_line: "C:\ProgramData\Terminal\Terminal.exe" filepath_r: C:\ProgramData\Terminal\Terminal.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003a4	1	1
CreateProcessInternalW July 10, 2023, 7:46 a.m.	thread_identifier: 2156 thread_handle: 0x00000084 process_identifier: 2152 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\reg.exe track: 1 command_line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f filepath_r: C:\Windows\System32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
CreateProcessInternalW July 10, 2023, 7:46 a.m.	thread_identifier: 2260 thread_handle: 0x000000c4 process_identifier: 2256 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000c0	1	1
CreateProcessInternalW July 10, 2023, 7:46 a.m.	thread_identifier: 2296 thread_handle: 0x000000bc process_identifier: 2292 current_directory: filepath: track: 1 command_line: c:\program files (x86)\google\chrome\application\chrome.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000000c0	1	1
NtGetContextThread July 10, 2023, 7:46 a.m.	thread_handle: 0x000000bc		3221225485
CreateProcessInternalW July 10, 2023, 7:46 a.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: track: 0 command_line: C:\Program Files(x86)\Internet Explorer\ieinstal.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW July 10, 2023, 7:46 a.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: track: 0 command_line: C:\Program Files(x86)\Internet Explorer\ielowutil.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW July 10, 2023, 7:46 a.m.	thread_identifier: 2380 thread_handle: 0x00000138 process_identifier: 2376 current_directory: filepath: track: 1 command_line: svchost.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000013c	1	1
NtGetContextThread July 10, 2023, 7:46 a.m.	thread_handle: 0x00000138	1	0
NtMapViewOfSection July 10, 2023, 7:46 a.m.	section_handle: 0x00000144 process_identifier: 2376 commit_size: 0 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: base_address: 0x001a0000 allocation_type: 0 () section_offset: 0 view_size: 528384 process_handle: 0x0000013c	1	0
WriteProcessMemory July 10, 2023, 7:46 a.m.	buffer: base_address: 0x7efde008 process_identifier: 2376 process_handle: 0x0000013c	1	1
NtSetContextThread July 10, 2023, 7:46 a.m.	registers.eip: 2005598660 registers.esp: 1047884 registers.edi: 0 registers.eax: 1917965 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000138 process_identifier: 2376	1	0
NtResumeThread July 10, 2023, 7:46 a.m.	thread_handle: 0x00000138 suspend_count: 1 process_identifier: 2376	1	0
CreateProcessInternalW July 10, 2023, 7:46 a.m.	thread_identifier: 2440 thread_handle: 0x00000084 process_identifier: 2436 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\reg.exe track: 1 command_line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f filepath_r: C:\Windows\System32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1

File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.4!c
Cynet	Malicious (score: 100)
ALYac	Generic.Remcos.76FDFBE5
Malwarebytes	Backdoor.Remcos
VIPRE	Generic.Remcos.76FDFBE5
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	Backdoor:Win32/Remcos.acea52ee
K7GW	Trojan ( 0053ac2c1 )
K7AntiVirus	Trojan ( 0053ac2c1 )
Baidu	Win32.Trojan.Kryptik.awm
VirIT	Trojan.Win32.GenusT.DMHR
Cyren	W32/Rescoms.W.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Elastic	Windows.Trojan.Remcos
ESET-NOD32	a variant of Win32/Rescoms.B
APEX	Malicious
ClamAV	Win.Trojan.Remcos-9841897-0
Kaspersky	HEUR:Backdoor.Win32.Remcos.gen
BitDefender	Generic.Remcos.76FDFBE5
NANO-Antivirus	Trojan.Win32.Remcos.jwpryz
ViRobot	Trojan.Win.Z.Remcos.493056.AJ
MicroWorld-eScan	Generic.Remcos.76FDFBE5
Avast	Win32:RATX-gen [Trj]
Tencent	Malware.Win32.Gencirc.11ab327d
Emsisoft	Generic.Remcos.76FDFBE5 (B)
F-Secure	Backdoor.BDS/Backdoor.Gen
DrWeb	Trojan.Inject4.57973
Zillya	Trojan.Rescoms.Win32.1410
TrendMicro	TROJ_GEN.R002C0DF323
McAfee-GW-Edition	BehavesLike.Win32.Generic.gh
FireEye	Generic.mg.5379d70317077035
Sophos	Mal/Emogen-Y
Ikarus	Trojan.Win32.Remcos
GData	Generic.Remcos.76FDFBE5
Avira	BDS/Backdoor.Gen
Antiy-AVL	Trojan[Backdoor]/Win32.Rescoms
Arcabit	Generic.Remcos.76FDFBE5
ZoneAlarm	HEUR:Backdoor.Win32.Remcos.gen
Microsoft	Trojan:Win32/Remcos!ic
Google	Detected
AhnLab-V3	Backdoor/Win.Remcos.C5370570
McAfee	Remcos-FDQO!5379D7031707
MAX	malware (ai score=83)
VBA32	Win32.Trojan.Dropper.Heur
Cylance	unsafe
Panda	Trj/GdSda.A
TrendMicro-HouseCall	TROJ_GEN.R002C0DF323
Rising	Backdoor.Remcos!1.BAC7 (CLASSIC)

RiotGames.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All