Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 27, 2025, 3:56 p.m.	Jan. 27, 2025, 4 p.m.

Size	469.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`ebf341ab1088ab009a9f9cf06619e616`
SHA256	`7422bc2c77e70c2e90c27d030a13eb3adf0bcfc1ef2bc55b62871181af5cd955`
CRC32	`D1DBD3A7`
ssdeep	`12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSin9:uiLJbpI7I2WhQqZ7i9`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Network_Downloader - File Downloader infoStealer_browser_b_Zero - browser info stealer Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

ApiUpdater.exe "C:\Users\test22\AppData\Local\Temp\ApiUpdater.exe"
1372
- cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  1532
  - reg.exe C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    2108
- wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\install.vbs"
  2156
  - cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
    2288
    - $77-Bitdefender.exe C:\ProgramData\Bitdefender\$77-Bitdefender.exe
      2356
      - cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        2400
        
        reg.exe C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        2572
      - svchost.exe svchost.exe
        2504

Name	Response	Post-Analysis Lookup
else-directors.gl.at.ply.gg	A 147.185.221.23	147.185.221.23

IP Address	Status	Action
147.185.221.23	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleW Jan. 27, 2025, 3:56 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 3:56 p.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 3:56 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 27, 2025, 3:56 p.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 27, 2025, 3:56 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (18 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Jan. 27, 2025, 3:56 p.m.	process_identifier: 1372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74031000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2025, 3:56 p.m.	process_identifier: 1372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2025, 3:56 p.m.	process_identifier: 1372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2025, 3:56 p.m.	process_identifier: 1372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75291000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2025, 3:56 p.m.	process_identifier: 1372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2025, 3:56 p.m.	process_identifier: 2156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74811000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2025, 3:56 p.m.	process_identifier: 2156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75201000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2025, 3:56 p.m.	process_identifier: 2156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76971000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2025, 3:56 p.m.	process_identifier: 2156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74fc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2025, 3:56 p.m.	process_identifier: 2156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74781000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2025, 3:56 p.m.	process_identifier: 2156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74731000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2025, 3:56 p.m.	process_identifier: 2156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74711000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2025, 3:56 p.m.	process_identifier: 2156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2025, 3:56 p.m.	process_identifier: 2156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ef1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2025, 3:56 p.m.	process_identifier: 2156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2025, 3:56 p.m.	process_identifier: 2156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ce1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2025, 3:56 p.m.	process_identifier: 2156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75291000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2025, 3:56 p.m.	process_identifier: 2156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74041000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

$77-Bitdefender.exe tried to sleep 235 seconds, actually delayed analysis time by 235 seconds

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\install.vbs

Creates a suspicious process (2 events)

cmdline	svchost.exe
cmdline	"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Bitdefender\$77-Bitdefender.exe"

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\install.vbs

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\ApiUpdater.exe

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Jan. 27, 2025, 3:56 p.m.	thread_identifier: 1156 thread_handle: 0x0000011c process_identifier: 1532 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000118	1	1
ShellExecuteExW Jan. 27, 2025, 3:56 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\install.vbs parameters: filepath: C:\Users\test22\AppData\Local\Temp\install.vbs	1	1
ShellExecuteExW Jan. 27, 2025, 3:56 p.m.	show_type: 0 filepath_r: cmd parameters: /c "C:\ProgramData\Bitdefender\$77-Bitdefender.exe" filepath: cmd	1	1
CreateProcessInternalW Jan. 27, 2025, 3:56 p.m.	thread_identifier: 2404 thread_handle: 0x0000011c process_identifier: 2400 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000118	1	1

Yara rule detected in process memory (22 events)

description	Create a windows service	rule	Create_Service
description	Client_SW_User_Data_Stealer	rule	Client_SW_User_Data_Stealer
description	Win Backdoor RemcosRAT	rule	Win_Backdoor_RemcosRAT
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	browser info stealer	rule	infoStealer_browser_Zero
description	Escalate priviledges	rule	Escalate_priviledges
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications use DNS	rule	Network_DNS
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Run a KeyLogger	rule	KeyLogger

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Jan. 27, 2025, 3:56 p.m.	status_code: 0x00000000 process_identifier: 2436 process_handle: 0x00000120		0	0
NtTerminateProcess Jan. 27, 2025, 3:56 p.m.	status_code: 0x00000000 process_identifier: 2436 process_handle: 0x00000120	1	0	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
cmdline	/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

Attempts to identify installed AV products by installation directory (1 event)

file	C:\ProgramData\Bitdefender\$77-Bitdefender.exe

Installs itself for autorun at Windows startup (50 out of 120 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer	reg_value	"C:\ProgramData\Bitdefender\$77-Bitdefender.exe"

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Jan. 27, 2025, 3:56 p.m.	buffer: base_address: 0x7efde008 process_identifier: 2504 process_handle: 0x0000017c	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2356 called NtSetContextThread to modify thread in remote process 2504
NtSetContextThread Jan. 27, 2025, 3:56 p.m.	registers.eip: 2005598660 registers.esp: 1964816 registers.edi: 0 registers.eax: 993188 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000174 process_identifier: 2504	1	0	0

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
parent_process	wscript.exe				martian_process	cmd /c "C:\ProgramData\Bitdefender\$77-Bitdefender.exe"

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2356 resumed a thread in remote process 2504
NtResumeThread Jan. 27, 2025, 3:56 p.m.	thread_handle: 0x00000174 suspend_count: 1 process_identifier: 2504	1	0	0

Disables Windows Security features (1 event)

description

attempts to disable user access control

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

147.185.221.23:56448

Executed a process and injected code into it, probably while unpacking (18 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Jan. 27, 2025, 3:56 p.m.	thread_identifier: 1156 thread_handle: 0x0000011c process_identifier: 1532 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000118	1	1
NtResumeThread Jan. 27, 2025, 3:56 p.m.	thread_handle: 0x000002a0 suspend_count: 1 process_identifier: 1372	1	0
CreateProcessInternalW Jan. 27, 2025, 3:56 p.m.	thread_identifier: 2160 thread_handle: 0x000002c4 process_identifier: 2156 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\wscript.exe track: 1 command_line: "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\install.vbs" filepath_r: C:\Windows\System32\WScript.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002b8	1	1
CreateProcessInternalW Jan. 27, 2025, 3:56 p.m.	thread_identifier: 2112 thread_handle: 0x0000012c process_identifier: 2108 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\reg.exe track: 1 command_line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f filepath_r: C:\Windows\System32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000130	1	1
CreateProcessInternalW Jan. 27, 2025, 3:56 p.m.	thread_identifier: 2292 thread_handle: 0x00000310 process_identifier: 2288 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Bitdefender\$77-Bitdefender.exe" filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000318	1	1
CreateProcessInternalW Jan. 27, 2025, 3:56 p.m.	thread_identifier: 2360 thread_handle: 0x0000012c process_identifier: 2356 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\ProgramData\Bitdefender\$77-Bitdefender.exe track: 1 command_line: C:\ProgramData\Bitdefender\$77-Bitdefender.exe filepath_r: C:\ProgramData\Bitdefender\$77-Bitdefender.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000130	1	1
CreateProcessInternalW Jan. 27, 2025, 3:56 p.m.	thread_identifier: 2404 thread_handle: 0x0000011c process_identifier: 2400 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000118	1	1
CreateProcessInternalW Jan. 27, 2025, 3:56 p.m.	thread_identifier: 2440 thread_handle: 0x00000124 process_identifier: 2436 current_directory: filepath: track: 1 command_line: c:\program files (x86)\google\chrome\application\chrome.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000120	1	1
NtGetContextThread Jan. 27, 2025, 3:56 p.m.	thread_handle: 0x00000124		3221225485
CreateProcessInternalW Jan. 27, 2025, 3:56 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: track: 0 command_line: C:\Program Files(x86)\Internet Explorer\ieinstal.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW Jan. 27, 2025, 3:56 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: track: 0 command_line: C:\Program Files(x86)\Internet Explorer\ielowutil.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW Jan. 27, 2025, 3:56 p.m.	thread_identifier: 2508 thread_handle: 0x00000174 process_identifier: 2504 current_directory: filepath: track: 1 command_line: svchost.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000017c	1	1
NtGetContextThread Jan. 27, 2025, 3:56 p.m.	thread_handle: 0x00000174	1	0
NtMapViewOfSection Jan. 27, 2025, 3:56 p.m.	section_handle: 0x000001bc process_identifier: 2504 commit_size: 0 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: base_address: 0x000c0000 allocation_type: 0 () section_offset: 0 view_size: 520192 process_handle: 0x0000017c	1	0
WriteProcessMemory Jan. 27, 2025, 3:56 p.m.	buffer: base_address: 0x7efde008 process_identifier: 2504 process_handle: 0x0000017c	1	1
NtSetContextThread Jan. 27, 2025, 3:56 p.m.	registers.eip: 2005598660 registers.esp: 1964816 registers.edi: 0 registers.eax: 993188 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000174 process_identifier: 2504	1	0
NtResumeThread Jan. 27, 2025, 3:56 p.m.	thread_handle: 0x00000174 suspend_count: 1 process_identifier: 2504	1	0
CreateProcessInternalW Jan. 27, 2025, 3:56 p.m.	thread_identifier: 2576 thread_handle: 0x0000012c process_identifier: 2572 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\reg.exe track: 1 command_line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f filepath_r: C:\Windows\System32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000130	1	1

File has been identified by 63 AntiVirus engines on VirusTotal as malicious (50 out of 63 events)

Lionic	Trojan.Win32.Remcos.4!c
tehtris	Generic.Malware
Cynet	Malicious (score: 100)
CAT-QuickHeal	Backdoor.RemcosRI.S28628436
Skyhigh	BehavesLike.Win32.Remcos.gh
ALYac	Generic.Dacic.A9349469.A.4CF1ED0D
Cylance	Unsafe
VIPRE	Generic.Dacic.A9349469.A.4CF1ED0D
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Generic.Dacic.A9349469.A.4CF1ED0D
K7GW	Trojan ( 0053ac2c1 )
K7AntiVirus	Trojan ( 0053ac2c1 )
Arcabit	Generic.Dacic.A9349469.A.4CF1ED0D
Baidu	Win32.Trojan.Kryptik.awm
VirIT	Trojan.Win32.Genus.LRH
Symantec	ML.Attribute.HighConfidence
Elastic	Windows.Trojan.Remcos
ESET-NOD32	a variant of Win32/Rescoms.B
APEX	Malicious
Avast	Win32:RATX-gen [Trj]
ClamAV	Win.Trojan.Remcos-9841897-0
Kaspersky	HEUR:Trojan.Win32.Generic
Alibaba	Trojan:Win32/Remcos.17193423
NANO-Antivirus	Trojan.Win32.Rescoms.jrvcmj
SUPERAntiSpyware	Trojan.Agent/Gen-Kryptik
MicroWorld-eScan	Generic.Dacic.A9349469.A.4CF1ED0D
Rising	Backdoor.Remcos!1.BAC7 (CLASSIC)
Emsisoft	Generic.Dacic.A9349469.A.4CF1ED0D (B)
F-Secure	Backdoor.BDS/Backdoor.Gen
DrWeb	Trojan.Siggen18.37973
Zillya	Trojan.Rescoms.Win32.1014
McAfeeD	Real Protect-LS!EBF341AB1088
CTX	exe.trojan.remcos
Sophos	Troj/Remcos-DI
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.ebf341ab1088ab00
Jiangmin	Trojan.Generic.hlqfz
Webroot	W32.Trojan.Gen
Google	Detected
Avira	BDS/Backdoor.Gen
Antiy-AVL	Trojan[Backdoor]/Win32.Rescoms.b
Kingsoft	malware.kb.a.1000
Gridinsoft	Trojan.Win32.Remcos.tr
Microsoft	Trojan:Win32/Remcos!pz
ViRobot	Trojan.Win.Z.Rescoms.480768.IH
GData	Win32.Malware.Bucaspys.B
Varist	W32/Trojan.JUMH-7419
AhnLab-V3	Trojan/Win.RemcosRAT.R507877
McAfee	Remcos-FDQO!EBF341AB1088

The process wscript.exe wrote an executable file to disk which it then attempted to execute (2 events)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Windows\System32\cmd.exe

ApiUpdater.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All