Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 11, 2024, 9:40 a.m.	Nov. 11, 2024, 9:57 a.m.

Size	1.0MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`9d246f5e01f060fe08c2f15d4e8a58e0`
SHA256	`e791665f9df5d4bef5c9b73cecbdf0ee973e41fba533b8dd76d4c60e5b19d2d1`
CRC32	`ABF984AC`
ssdeep	`24576:RICXwSqZVrMrldw2KP7G3dhzEH4RiIaot1mw:OHSmrSPw2BdWH4RiRot19`
PDB Path	VCV.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Antivirus - Contains references to security software Is_DotNET_EXE - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult IsPE32 - (no description)

xKtzvdEoDAjLmvN.exe "C:\Users\test22\AppData\Local\Temp\xKtzvdEoDAjLmvN.exe"
1460
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\xKtzvdEoDAjLmvN.exe"
  2436
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\uXVGwksuXiVBy.exe"
  2496
- schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uXVGwksuXiVBy" /XML "C:\Users\test22\AppData\Local\Temp\tmpF69F.tmp"
  2556
- xKtzvdEoDAjLmvN.exe "C:\Users\test22\AppData\Local\Temp\xKtzvdEoDAjLmvN.exe"
  2692
  - remcos.exe "C:\ProgramData\Remcos\remcos.exe"
    2820
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Remcos\remcos.exe"
      2992
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\uXVGwksuXiVBy.exe"
      3040
    - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uXVGwksuXiVBy" /XML "C:\Users\test22\AppData\Local\Temp\tmp34C2.tmp"
      2104
    - remcos.exe "C:\ProgramData\Remcos\remcos.exe"
      2032
      - svchost.exe svchost.exe
        2724
        
        iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
        2660
        
        iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2660 CREDAT:145409
        2800
        
        iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2660 CREDAT:79875
        2980
      - svchost.exe svchost.exe
        2132
      - svchost.exe svchost.exe
        2404

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
66.63.162.79	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (26 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 11, 2024, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 11, 2024, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 11, 2024, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 11, 2024, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 11, 2024, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 11, 2024, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 11, 2024, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 11, 2024, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 11, 2024, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 11, 2024, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 11, 2024, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 11, 2024, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 11, 2024, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 11, 2024, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 11, 2024, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 11, 2024, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 11, 2024, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 11, 2024, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 11, 2024, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 11, 2024, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 11, 2024, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 11, 2024, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 11, 2024, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 11, 2024, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 11, 2024, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 11, 2024, 9:40 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (8 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 11, 2024, 9:40 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:40 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:40 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:40 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:40 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:40 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:40 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:40 a.m.			0	0

Command line console output was observed (38 events)

Time & API	Arguments	Status	Return
WriteConsoleW Nov. 11, 2024, 9:40 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Nov. 11, 2024, 9:40 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Nov. 11, 2024, 9:40 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Nov. 11, 2024, 9:40 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Nov. 11, 2024, 9:40 a.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Local\Temp\xKtz console_handle: 0x00000053	1	1
WriteConsoleW Nov. 11, 2024, 9:40 a.m.	buffer: vdEoDAjLmvN.exe console_handle: 0x0000005f	1	1
WriteConsoleW Nov. 11, 2024, 9:40 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW Nov. 11, 2024, 9:40 a.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Nov. 11, 2024, 9:40 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW Nov. 11, 2024, 9:40 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Nov. 11, 2024, 9:40 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Nov. 11, 2024, 9:40 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Nov. 11, 2024, 9:40 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Nov. 11, 2024, 9:40 a.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Roaming\uXVGwks console_handle: 0x00000053	1	1
WriteConsoleW Nov. 11, 2024, 9:40 a.m.	buffer: uXiVBy.exe console_handle: 0x0000005f	1	1
WriteConsoleW Nov. 11, 2024, 9:40 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW Nov. 11, 2024, 9:40 a.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Nov. 11, 2024, 9:40 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW Nov. 11, 2024, 9:40 a.m.	buffer: SUCCESS: The scheduled task "Updates\uXVGwksuXiVBy" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Nov. 11, 2024, 9:40 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Nov. 11, 2024, 9:40 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Nov. 11, 2024, 9:40 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Nov. 11, 2024, 9:40 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Nov. 11, 2024, 9:40 a.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\ProgramData\Remcos\remcos.exe console_handle: 0x00000053	1	1
WriteConsoleW Nov. 11, 2024, 9:40 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000005f	1	1
WriteConsoleW Nov. 11, 2024, 9:40 a.m.	buffer: mmandNotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW Nov. 11, 2024, 9:40 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Nov. 11, 2024, 9:40 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Nov. 11, 2024, 9:40 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Nov. 11, 2024, 9:40 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Nov. 11, 2024, 9:40 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Nov. 11, 2024, 9:40 a.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Roaming\uXVGwks console_handle: 0x00000053	1	1
WriteConsoleW Nov. 11, 2024, 9:40 a.m.	buffer: uXiVBy.exe console_handle: 0x0000005f	1	1
WriteConsoleW Nov. 11, 2024, 9:40 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW Nov. 11, 2024, 9:40 a.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Nov. 11, 2024, 9:40 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW Nov. 11, 2024, 9:40 a.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 11, 2024, 9:40 a.m.	buffer: Cannot create a file when that file already exists. console_handle: 0x0000000b	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 184 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006481e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00648320 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00648320 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00648320 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00647b20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00647b20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00647b20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00647b20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00647b20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00647b20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00648320 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00648320 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00648320 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006488a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006488a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006488a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006485a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006488a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006488a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006488a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006488a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006488a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006488a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006488a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00648660 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00648660 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00648660 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00648660 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00648660 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00648660 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00648660 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00648660 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00648660 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00648660 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00648660 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00648660 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00648660 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00648660 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006486e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006486e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006486e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006486e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006486e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006486e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006486e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006486e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047f808 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047fdc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047fdc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047fdc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

VCV.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 11, 2024, 9:40 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 773 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00800000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00412000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00545000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00537000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006bd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006be000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006bf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 2436 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ef11000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ef12000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02512000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02522000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02761000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 2436 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02762000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (12 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uXVGwksuXiVBy" /XML "C:\Users\test22\AppData\Local\Temp\tmpF69F.tmp"
cmdline	schtasks.exe /Create /TN "Updates\uXVGwksuXiVBy" /XML "C:\Users\test22\AppData\Local\Temp\tmpF69F.tmp"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\xKtzvdEoDAjLmvN.exe"
cmdline	http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=5&isServer=0
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\uXVGwksuXiVBy.exe"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uXVGwksuXiVBy" /XML "C:\Users\test22\AppData\Local\Temp\tmp34C2.tmp"
cmdline	powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\uXVGwksuXiVBy.exe"
cmdline	powershell Add-MpPreference -ExclusionPath "C:\ProgramData\Remcos\remcos.exe"
cmdline	schtasks.exe /Create /TN "Updates\uXVGwksuXiVBy" /XML "C:\Users\test22\AppData\Local\Temp\tmp34C2.tmp"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Remcos\remcos.exe"
cmdline	svchost.exe
cmdline	powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\xKtzvdEoDAjLmvN.exe"

A process created a hidden window (6 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Nov. 11, 2024, 9:40 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\xKtzvdEoDAjLmvN.exe" filepath: powershell	1	1
ShellExecuteExW Nov. 11, 2024, 9:40 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\uXVGwksuXiVBy.exe" filepath: powershell	1	1
ShellExecuteExW Nov. 11, 2024, 9:40 a.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\uXVGwksuXiVBy" /XML "C:\Users\test22\AppData\Local\Temp\tmpF69F.tmp" filepath: schtasks.exe	1	1
ShellExecuteExW Nov. 11, 2024, 9:40 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\ProgramData\Remcos\remcos.exe" filepath: powershell	1	1
ShellExecuteExW Nov. 11, 2024, 9:40 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\uXVGwksuXiVBy.exe" filepath: powershell	1	1
ShellExecuteExW Nov. 11, 2024, 9:40 a.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\uXVGwksuXiVBy" /XML "C:\Users\test22\AppData\Local\Temp\tmp34C2.tmp" filepath: schtasks.exe	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 11, 2024, 9:41 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x02620000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00103200', u'virtual_address': u'0x00002000', u'entropy': 7.763201519088053, u'name': u'.text', u'virtual_size': u'0x001031f0'}

entropy

7.76320151909

description

A section with a high entropy has been found

entropy

0.997593840231

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (6 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Nov. 11, 2024, 9:40 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 11, 2024, 9:40 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 11, 2024, 9:40 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 11, 2024, 9:40 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 11, 2024, 9:40 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 11, 2024, 9:40 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (50 out of 89 events)

description	Create a windows service	rule	Create_Service
description	Client_SW_User_Data_Stealer	rule	Client_SW_User_Data_Stealer
description	Win Backdoor RemcosRAT	rule	Win_Backdoor_RemcosRAT
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	browser info stealer	rule	infoStealer_browser_Zero
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications use DNS	rule	Network_DNS
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Run a KeyLogger	rule	KeyLogger
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Client_SW_User_Data_Stealer	rule	Client_SW_User_Data_Stealer
description	Win Backdoor RemcosRAT	rule	Win_Backdoor_RemcosRAT
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	browser info stealer	rule	infoStealer_browser_Zero
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	PWS Memory	rule	Generic_PWS_Memory_Zero

Uses Windows utilities for basic Windows functionality (7 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uXVGwksuXiVBy" /XML "C:\Users\test22\AppData\Local\Temp\tmpF69F.tmp"
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2660 CREDAT:145409
cmdline	schtasks.exe /Create /TN "Updates\uXVGwksuXiVBy" /XML "C:\Users\test22\AppData\Local\Temp\tmpF69F.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uXVGwksuXiVBy" /XML "C:\Users\test22\AppData\Local\Temp\tmp34C2.tmp"
cmdline	schtasks.exe /Create /TN "Updates\uXVGwksuXiVBy" /XML "C:\Users\test22\AppData\Local\Temp\tmp34C2.tmp"
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2660 CREDAT:79875
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

Communicates with host for which no DNS query was performed (1 event)

host

66.63.162.79

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 2692 region_size: 532480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003e8	1	0	0
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 2032 region_size: 532480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003ec	1	0	0

Installs itself for autorun at Windows startup (4 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-1CY96M	reg_value	"C:\ProgramData\Remcos\remcos.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-1CY96M	reg_value	"C:\ProgramData\Remcos\remcos.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-1CY96M	reg_value	"C:\ProgramData\Remcos\remcos.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-1CY96M	reg_value	"C:\ProgramData\Remcos\remcos.exe"

Potential code injection by writing to the memory of another process (13 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Nov. 11, 2024, 9:40 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. ${¸-HÖ~HÖ~HÖ~ü'~[Ö~ü%~ïÖ~ü$~VÖ~AbR~IÖ~Öº~JÖ~åDÕRÖ~åDÓrÖ~åDÒjÖ~AbE~QÖ~H×~vÖ~ÿDß,Ö~ÿD)~IÖ~ÿDÔIÖ~RichHÖ~PEL±ÀgàrJ@ ¸îKàÈ;PÓ8äÓÓ@.textõqr `.rdataÜyzv@@.dataT]ð@À.tls pþ@À.gfids0@@.rsrcKL@@.relocÈ;à<P@B base_address: 0x00400000 process_identifier: 2692 process_handle: 0x000003e8	1	1
WriteProcessMemory Nov. 11, 2024, 9:40 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ ÌÕEÐØEÊÕE..G\&G\&G\&G\&G\&G\&G\&G\&G\&GG`&G`&G`&G`&G`&G`&G`&GGÿÿÿÿÐØE¨G¨G¨G¨G¨GGPÛEÐÜEëEèGGCPSTPDT°GðGÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZGþÿÿÿþÿÿÿuÏ!tåa¾e¸Â¢z»^ âÈ¨3@ÆFEIALÆFëKAXÆF IAÔE.?AVtype_info@@ÔE.?AVbad_alloc@std@@ÔE.?AVbad_array_new_length@std@@ÔE.?AVlogic_error@std@@ÔE.?AVlength_error@std@@ÔE.?AVout_of_range@std@@ÔE.?AV_Facet_base@std@@ÔE.?AV_Locimp@locale@std@@ÔE.?AVfacet@locale@std@@ÔE.?AU_Crt_new_delete@std@@ÔE.?AVcodecvt_base@std@@ÔE.?AUctype_base@std@@ÔE.?AV?$ctype@D@std@@ÔE.?AV?$codecvt@DDU_Mbstatet@@@std@@ÔE.?AVbad_exception@std@@ÔE.HÔE.?AVfailure@ios_base@std@@ÔE.?AVruntime_error@std@@ÔE.?AVsystem_error@std@@ÔE.?AVbad_cast@std@@ÔE.?AV_System_error@std@@ÔE.?AVexception@std@@ base_address: 0x00471000 process_identifier: 2692 process_handle: 0x000003e8	1	1
WriteProcessMemory Nov. 11, 2024, 9:40 a.m.	buffer: base_address: 0x00477000 process_identifier: 2692 process_handle: 0x000003e8	1	1
WriteProcessMemory Nov. 11, 2024, 9:40 a.m.	buffer: &<<§>@@§>è@§>Ùð§>ó\|&Êß@ÞûÍû YÈX§>§>Ð#¢@n@^¥ ×];;>@ÁÂQçÂFöC!#'µÑÅA¤c¼k b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x00478000 process_identifier: 2692 process_handle: 0x000003e8	1	1
WriteProcessMemory Nov. 11, 2024, 9:40 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2692 process_handle: 0x000003e8	1	1
WriteProcessMemory Nov. 11, 2024, 9:40 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. ${¸-HÖ~HÖ~HÖ~ü'~[Ö~ü%~ïÖ~ü$~VÖ~AbR~IÖ~Öº~JÖ~åDÕRÖ~åDÓrÖ~åDÒjÖ~AbE~QÖ~H×~vÖ~ÿDß,Ö~ÿD)~IÖ~ÿDÔIÖ~RichHÖ~PEL±ÀgàrJ@ ¸îKàÈ;PÓ8äÓÓ@.textõqr `.rdataÜyzv@@.dataT]ð@À.tls pþ@À.gfids0@@.rsrcKL@@.relocÈ;à<P@B base_address: 0x00400000 process_identifier: 2032 process_handle: 0x000003ec	1	1
WriteProcessMemory Nov. 11, 2024, 9:40 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ ÌÕEÐØEÊÕE..G\&G\&G\&G\&G\&G\&G\&G\&G\&GG`&G`&G`&G`&G`&G`&G`&GGÿÿÿÿÐØE¨G¨G¨G¨G¨GGPÛEÐÜEëEèGGCPSTPDT°GðGÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZGþÿÿÿþÿÿÿuÏ!tåa¾e¸Â¢z»^ âÈ¨3@ÆFEIALÆFëKAXÆF IAÔE.?AVtype_info@@ÔE.?AVbad_alloc@std@@ÔE.?AVbad_array_new_length@std@@ÔE.?AVlogic_error@std@@ÔE.?AVlength_error@std@@ÔE.?AVout_of_range@std@@ÔE.?AV_Facet_base@std@@ÔE.?AV_Locimp@locale@std@@ÔE.?AVfacet@locale@std@@ÔE.?AU_Crt_new_delete@std@@ÔE.?AVcodecvt_base@std@@ÔE.?AUctype_base@std@@ÔE.?AV?$ctype@D@std@@ÔE.?AV?$codecvt@DDU_Mbstatet@@@std@@ÔE.?AVbad_exception@std@@ÔE.HÔE.?AVfailure@ios_base@std@@ÔE.?AVruntime_error@std@@ÔE.?AVsystem_error@std@@ÔE.?AVbad_cast@std@@ÔE.?AV_System_error@std@@ÔE.?AVexception@std@@ base_address: 0x00471000 process_identifier: 2032 process_handle: 0x000003ec	1	1
WriteProcessMemory Nov. 11, 2024, 9:40 a.m.	buffer: base_address: 0x00477000 process_identifier: 2032 process_handle: 0x000003ec	1	1
WriteProcessMemory Nov. 11, 2024, 9:40 a.m.	buffer: &<<§>@@§>è@§>Ùð§>ó\|&Êß@ÞûÍû YÈX§>§>Ð#¢@n@^¥ ×];;>@ÁÂQçÂFöC!#'µÑÅA¤c¼k b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x00478000 process_identifier: 2032 process_handle: 0x000003ec	1	1
WriteProcessMemory Nov. 11, 2024, 9:40 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2032 process_handle: 0x000003ec	1	1
WriteProcessMemory Nov. 11, 2024, 9:40 a.m.	buffer: & base_address: 0x7efde008 process_identifier: 2724 process_handle: 0x00000134	1	1
WriteProcessMemory Nov. 11, 2024, 9:41 a.m.	buffer: , base_address: 0x7efde008 process_identifier: 2132 process_handle: 0x00000140	1	1
WriteProcessMemory Nov. 11, 2024, 9:41 a.m.	buffer: $ base_address: 0x7efde008 process_identifier: 2404 process_handle: 0x0000015c	1	1

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 11, 2024, 9:40 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. ${¸-HÖ~HÖ~HÖ~ü'~[Ö~ü%~ïÖ~ü$~VÖ~AbR~IÖ~Öº~JÖ~åDÕRÖ~åDÓrÖ~åDÒjÖ~AbE~QÖ~H×~vÖ~ÿDß,Ö~ÿD)~IÖ~ÿDÔIÖ~RichHÖ~PEL±ÀgàrJ@ ¸îKàÈ;PÓ8äÓÓ@.textõqr `.rdataÜyzv@@.dataT]ð@À.tls pþ@À.gfids0@@.rsrcKL@@.relocÈ;à<P@B base_address: 0x00400000 process_identifier: 2692 process_handle: 0x000003e8	1	1	0
WriteProcessMemory Nov. 11, 2024, 9:40 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. ${¸-HÖ~HÖ~HÖ~ü'~[Ö~ü%~ïÖ~ü$~VÖ~AbR~IÖ~Öº~JÖ~åDÕRÖ~åDÓrÖ~åDÒjÖ~AbE~QÖ~H×~vÖ~ÿDß,Ö~ÿD)~IÖ~ÿDÔIÖ~RichHÖ~PEL±ÀgàrJ@ ¸îKàÈ;PÓ8äÓÓ@.textõqr `.rdataÜyzv@@.dataT]ð@À.tls pþ@À.gfids0@@.rsrcKL@@.relocÈ;à<P@B base_address: 0x00400000 process_identifier: 2032 process_handle: 0x000003ec	1	1	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (10 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1460 called NtSetContextThread to modify thread in remote process 2692
Process injection	Process 2820 called NtSetContextThread to modify thread in remote process 2032
Process injection	Process 2032 called NtSetContextThread to modify thread in remote process 2724
Process injection	Process 2032 called NtSetContextThread to modify thread in remote process 2132
Process injection	Process 2032 called NtSetContextThread to modify thread in remote process 2404
NtSetContextThread Nov. 11, 2024, 9:40 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4409984 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003c8 process_identifier: 2692	1	0	0
NtSetContextThread Nov. 11, 2024, 9:40 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4409984 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003b8 process_identifier: 2032	1	0	0
NtSetContextThread Nov. 11, 2024, 9:40 a.m.	registers.eip: 2005598660 registers.esp: 1833648 registers.edi: 0 registers.eax: 3559914 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000130 process_identifier: 2724	1	0	0
NtSetContextThread Nov. 11, 2024, 9:41 a.m.	registers.eip: 2005598660 registers.esp: 2882760 registers.edi: 0 registers.eax: 3953130 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000138 process_identifier: 2132	1	0	0
NtSetContextThread Nov. 11, 2024, 9:41 a.m.	registers.eip: 2005598660 registers.esp: 2359272 registers.edi: 0 registers.eax: 3428842 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000144 process_identifier: 2404	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (14 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1460 resumed a thread in remote process 2692
Process injection	Process 2820 resumed a thread in remote process 2032
Process injection	Process 2032 resumed a thread in remote process 2724
Process injection	Process 2032 resumed a thread in remote process 2132
Process injection	Process 2032 resumed a thread in remote process 2404
Process injection	Process 2660 resumed a thread in remote process 2800
Process injection	Process 2660 resumed a thread in remote process 2980
NtResumeThread Nov. 11, 2024, 9:40 a.m.	thread_handle: 0x000003c8 suspend_count: 1 process_identifier: 2692	1	0	0
NtResumeThread Nov. 11, 2024, 9:40 a.m.	thread_handle: 0x000003b8 suspend_count: 1 process_identifier: 2032	1	0	0
NtResumeThread Nov. 11, 2024, 9:40 a.m.	thread_handle: 0x00000130 suspend_count: 1 process_identifier: 2724	1	0	0
NtResumeThread Nov. 11, 2024, 9:41 a.m.	thread_handle: 0x00000138 suspend_count: 1 process_identifier: 2132	1	0	0
NtResumeThread Nov. 11, 2024, 9:41 a.m.	thread_handle: 0x00000144 suspend_count: 1 process_identifier: 2404	1	0	0
NtResumeThread Nov. 11, 2024, 9:41 a.m.	thread_handle: 0x0000033c suspend_count: 1 process_identifier: 2800	1	0	0
NtResumeThread Nov. 11, 2024, 9:41 a.m.	thread_handle: 0x000006fc suspend_count: 1 process_identifier: 2980	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

66.63.162.79:2404

Executed a process and injected code into it, probably while unpacking (50 out of 105 events)

Time & API	Arguments	Status	Return
NtResumeThread Nov. 11, 2024, 9:40 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1460	1	0
NtResumeThread Nov. 11, 2024, 9:40 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 1460	1	0
NtResumeThread Nov. 11, 2024, 9:40 a.m.	thread_handle: 0x00000188 suspend_count: 1 process_identifier: 1460	1	0
NtResumeThread Nov. 11, 2024, 9:40 a.m.	thread_handle: 0x00000244 suspend_count: 1 process_identifier: 1460	1	0
NtResumeThread Nov. 11, 2024, 9:40 a.m.	thread_handle: 0x00000260 suspend_count: 1 process_identifier: 1460	1	0
CreateProcessInternalW Nov. 11, 2024, 9:40 a.m.	thread_identifier: 2440 thread_handle: 0x000003bc process_identifier: 2436 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\xKtzvdEoDAjLmvN.exe" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003c4	1	1
CreateProcessInternalW Nov. 11, 2024, 9:40 a.m.	thread_identifier: 2500 thread_handle: 0x0000037c process_identifier: 2496 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\uXVGwksuXiVBy.exe" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003d0	1	1
CreateProcessInternalW Nov. 11, 2024, 9:40 a.m.	thread_identifier: 2560 thread_handle: 0x000003c4 process_identifier: 2556 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uXVGwksuXiVBy" /XML "C:\Users\test22\AppData\Local\Temp\tmpF69F.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003cc	1	1
CreateProcessInternalW Nov. 11, 2024, 9:40 a.m.	thread_identifier: 2696 thread_handle: 0x000003c8 process_identifier: 2692 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\xKtzvdEoDAjLmvN.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\xKtzvdEoDAjLmvN.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003e8	1	1
NtGetContextThread Nov. 11, 2024, 9:40 a.m.	thread_handle: 0x000003c8	1	0
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 2692 region_size: 532480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003e8	1	0
WriteProcessMemory Nov. 11, 2024, 9:40 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. ${¸-HÖ~HÖ~HÖ~ü'~[Ö~ü%~ïÖ~ü$~VÖ~AbR~IÖ~Öº~JÖ~åDÕRÖ~åDÓrÖ~åDÒjÖ~AbE~QÖ~H×~vÖ~ÿDß,Ö~ÿD)~IÖ~ÿDÔIÖ~RichHÖ~PEL±ÀgàrJ@ ¸îKàÈ;PÓ8äÓÓ@.textõqr `.rdataÜyzv@@.dataT]ð@À.tls pþ@À.gfids0@@.rsrcKL@@.relocÈ;à<P@B base_address: 0x00400000 process_identifier: 2692 process_handle: 0x000003e8	1	1
WriteProcessMemory Nov. 11, 2024, 9:40 a.m.	buffer: base_address: 0x00401000 process_identifier: 2692 process_handle: 0x000003e8	1	1
WriteProcessMemory Nov. 11, 2024, 9:40 a.m.	buffer: base_address: 0x00459000 process_identifier: 2692 process_handle: 0x000003e8	1	1
WriteProcessMemory Nov. 11, 2024, 9:40 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ ÌÕEÐØEÊÕE..G\&G\&G\&G\&G\&G\&G\&G\&G\&GG`&G`&G`&G`&G`&G`&G`&GGÿÿÿÿÐØE¨G¨G¨G¨G¨GGPÛEÐÜEëEèGGCPSTPDT°GðGÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZGþÿÿÿþÿÿÿuÏ!tåa¾e¸Â¢z»^ âÈ¨3@ÆFEIALÆFëKAXÆF IAÔE.?AVtype_info@@ÔE.?AVbad_alloc@std@@ÔE.?AVbad_array_new_length@std@@ÔE.?AVlogic_error@std@@ÔE.?AVlength_error@std@@ÔE.?AVout_of_range@std@@ÔE.?AV_Facet_base@std@@ÔE.?AV_Locimp@locale@std@@ÔE.?AVfacet@locale@std@@ÔE.?AU_Crt_new_delete@std@@ÔE.?AVcodecvt_base@std@@ÔE.?AUctype_base@std@@ÔE.?AV?$ctype@D@std@@ÔE.?AV?$codecvt@DDU_Mbstatet@@@std@@ÔE.?AVbad_exception@std@@ÔE.HÔE.?AVfailure@ios_base@std@@ÔE.?AVruntime_error@std@@ÔE.?AVsystem_error@std@@ÔE.?AVbad_cast@std@@ÔE.?AV_System_error@std@@ÔE.?AVexception@std@@ base_address: 0x00471000 process_identifier: 2692 process_handle: 0x000003e8	1	1
WriteProcessMemory Nov. 11, 2024, 9:40 a.m.	buffer: base_address: 0x00477000 process_identifier: 2692 process_handle: 0x000003e8	1	1
WriteProcessMemory Nov. 11, 2024, 9:40 a.m.	buffer: &<<§>@@§>è@§>Ùð§>ó\|&Êß@ÞûÍû YÈX§>§>Ð#¢@n@^¥ ×];;>@ÁÂQçÂFöC!#'µÑÅA¤c¼k b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x00478000 process_identifier: 2692 process_handle: 0x000003e8	1	1
WriteProcessMemory Nov. 11, 2024, 9:40 a.m.	buffer: base_address: 0x00479000 process_identifier: 2692 process_handle: 0x000003e8	1	1
WriteProcessMemory Nov. 11, 2024, 9:40 a.m.	buffer: base_address: 0x0047e000 process_identifier: 2692 process_handle: 0x000003e8	1	1
WriteProcessMemory Nov. 11, 2024, 9:40 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2692 process_handle: 0x000003e8	1	1
NtSetContextThread Nov. 11, 2024, 9:40 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4409984 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003c8 process_identifier: 2692	1	0
NtResumeThread Nov. 11, 2024, 9:40 a.m.	thread_handle: 0x000003c8 suspend_count: 1 process_identifier: 2692	1	0
NtResumeThread Nov. 11, 2024, 9:40 a.m.	thread_handle: 0x000003fc suspend_count: 1 process_identifier: 1460	1	0
NtResumeThread Nov. 11, 2024, 9:40 a.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 2436	1	0
NtResumeThread Nov. 11, 2024, 9:40 a.m.	thread_handle: 0x000002fc suspend_count: 1 process_identifier: 2436	1	0
NtResumeThread Nov. 11, 2024, 9:40 a.m.	thread_handle: 0x00000448 suspend_count: 1 process_identifier: 2436	1	0
NtResumeThread Nov. 11, 2024, 9:40 a.m.	thread_handle: 0x000004a8 suspend_count: 1 process_identifier: 2436	1	0
NtResumeThread Nov. 11, 2024, 9:40 a.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 2496	1	0
NtResumeThread Nov. 11, 2024, 9:40 a.m.	thread_handle: 0x00000300 suspend_count: 1 process_identifier: 2496	1	0
NtResumeThread Nov. 11, 2024, 9:40 a.m.	thread_handle: 0x0000044c suspend_count: 1 process_identifier: 2496	1	0
NtResumeThread Nov. 11, 2024, 9:40 a.m.	thread_handle: 0x000004ac suspend_count: 1 process_identifier: 2496	1	0
CreateProcessInternalW Nov. 11, 2024, 9:40 a.m.	thread_identifier: 2824 thread_handle: 0x000003b0 process_identifier: 2820 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\ProgramData\Remcos\remcos.exe track: 1 command_line: "C:\ProgramData\Remcos\remcos.exe" filepath_r: C:\ProgramData\Remcos\remcos.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003b8	1	1
NtResumeThread Nov. 11, 2024, 9:40 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2820	1	0
NtResumeThread Nov. 11, 2024, 9:40 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2820	1	0
NtResumeThread Nov. 11, 2024, 9:40 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2820	1	0
NtResumeThread Nov. 11, 2024, 9:40 a.m.	thread_handle: 0x00000248 suspend_count: 1 process_identifier: 2820	1	0
NtGetContextThread Nov. 11, 2024, 9:40 a.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread Nov. 11, 2024, 9:40 a.m.	thread_handle: 0x000000e8	1	0
NtResumeThread Nov. 11, 2024, 9:40 a.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2820	1	0
NtGetContextThread Nov. 11, 2024, 9:40 a.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread Nov. 11, 2024, 9:40 a.m.	thread_handle: 0x000000e8	1	0
NtResumeThread Nov. 11, 2024, 9:40 a.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2820	1	0
NtResumeThread Nov. 11, 2024, 9:40 a.m.	thread_handle: 0x00000264 suspend_count: 1 process_identifier: 2820	1	0
CreateProcessInternalW Nov. 11, 2024, 9:40 a.m.	thread_identifier: 2996 thread_handle: 0x000003c4 process_identifier: 2992 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Remcos\remcos.exe" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003cc	1	1
CreateProcessInternalW Nov. 11, 2024, 9:40 a.m.	thread_identifier: 3044 thread_handle: 0x00000380 process_identifier: 3040 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\uXVGwksuXiVBy.exe" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003b8	1	1
CreateProcessInternalW Nov. 11, 2024, 9:40 a.m.	thread_identifier: 2084 thread_handle: 0x000003c4 process_identifier: 2104 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uXVGwksuXiVBy" /XML "C:\Users\test22\AppData\Local\Temp\tmp34C2.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003d8	1	1
CreateProcessInternalW Nov. 11, 2024, 9:40 a.m.	thread_identifier: 1552 thread_handle: 0x000003b8 process_identifier: 2032 current_directory: filepath: C:\ProgramData\Remcos\remcos.exe track: 1 command_line: filepath_r: C:\ProgramData\Remcos\remcos.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003ec	1	1
NtGetContextThread Nov. 11, 2024, 9:40 a.m.	thread_handle: 0x000003b8	1	0
NtAllocateVirtualMemory Nov. 11, 2024, 9:40 a.m.	process_identifier: 2032 region_size: 532480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003ec	1	0
WriteProcessMemory Nov. 11, 2024, 9:40 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. ${¸-HÖ~HÖ~HÖ~ü'~[Ö~ü%~ïÖ~ü$~VÖ~AbR~IÖ~Öº~JÖ~åDÕRÖ~åDÓrÖ~åDÒjÖ~AbE~QÖ~H×~vÖ~ÿDß,Ö~ÿD)~IÖ~ÿDÔIÖ~RichHÖ~PEL±ÀgàrJ@ ¸îKàÈ;PÓ8äÓÓ@.textõqr `.rdataÜyzv@@.dataT]ð@À.tls pþ@À.gfids0@@.rsrcKL@@.relocÈ;à<P@B base_address: 0x00400000 process_identifier: 2032 process_handle: 0x000003ec	1	1

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Taskun.4!c
CAT-QuickHeal	Trojan.MSIL
Skyhigh	BehavesLike.Win32.Generic.tc
ALYac	Trojan.Generic.36939444
Cylance	Unsafe
VIPRE	Trojan.Generic.36939444
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.Generic.36939444
K7GW	Trojan ( 005b44a91 )
K7AntiVirus	Trojan ( 005b44a91 )
Arcabit	Trojan.Generic.D233A6B4
VirIT	Trojan.Win32.GenusT.ECTL
Symantec	Scr.Malcode!gdn34
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Kryptik.AMPS
APEX	Malicious
Avast	Win32:MalwareX-gen [Trj]
Kaspersky	HEUR:Trojan.MSIL.Taskun.gen
Alibaba	Trojan:MSIL/Formbook.86691afa
NANO-Antivirus	Trojan.Win32.Taskun.ktgued
MicroWorld-eScan	Trojan.Generic.36939444
Rising	Malware.Obfus/MSIL@AI.100 (RDM.MSIL2:TMU51YxV0HAvcXnsEeWLHw)
Emsisoft	Trojan.Generic.36939444 (B)
F-Secure	Trojan.TR/Kryptik.yewxd
McAfeeD	ti!E791665F9DF5
CTX	exe.trojan.msil
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.9d246f5e01f060fe
Google	Detected
Avira	TR/Kryptik.yewxd
Antiy-AVL	Trojan/MSIL.Taskun
Kingsoft	MSIL.Trojan.Taskun.gen
Gridinsoft	Ransom.Win32.Wacatac.sa
Xcitium	Malware@#prtwplthv45u
Microsoft	Trojan:MSIL/Formbook.PNYH!MTB
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Trojan.Generic.36939444
Varist	W32/MSIL_Kryptik.KQK.gen!Eldorado
AhnLab-V3	Trojan/Win.FormBook.C5690737
McAfee	Artemis!9D246F5E01F0
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.MalPack.PNG.Generic
Ikarus	Trojan-Spy.Agent
Panda	Trj/GdSda.A
Tencent	Malware.Win32.Gencirc.142021a8
huorong	HEUR:TrojanSpy/MSIL.AgentTesla.sl
MaxSecure	Trojan.Malware.74644571.susgen
Fortinet	MSIL/GenKryptik.GWRN!tr

xKtzvdEoDAjLmvN.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All