Malware Analysis Report

2024-09-22 11:34

Sample ID 230919-ztm3xsea96
Target remcos_abuild.exe
SHA256 bcf7c9948beae0bd279a7314ba7911269832bd8613ddc7ddc0f85b1287040743
Tags
remotehostbuild remcos hawkeye collection evasion keylogger persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

bcf7c9948beae0bd279a7314ba7911269832bd8613ddc7ddc0f85b1287040743

Threat Level: Known bad

The file remcos_abuild.exe was found to be: Known bad.

Malicious Activity Summary

remotehostbuild remcos hawkeye collection evasion keylogger persistence rat spyware stealer trojan

Remcos family

Remcos

UAC bypass

HawkEye

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Adds policy Run key to start application

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Modifies registry key

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2023-09-19 21:00

Signatures

Remcos family

remcos

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-19 21:00

Reported

2023-09-19 21:02

Platform

win10v2004-20230915-en

Max time kernel

118s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\remcos_abuild.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

Remcos

rat remcos

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A

NirSoft MailPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

NirSoft WebBrowserPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Nirsoft

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\remcos_abuild.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\svchost\\HostSv.exe\"" | C:\Users\Admin\AppData\Local\Temp\remcos_abuild.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\ProgramData\svchost\HostSv.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\svchost\\HostSv.exe\"" | C:\ProgramData\svchost\HostSv.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\svchost\\HostSv.exe\"" | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\remcos_abuild.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\svchost\HostSv.exe | N/A

Accesses Microsoft Outlook accounts

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\svchost\\HostSv.exe\"" | C:\ProgramData\svchost\HostSv.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\svchost\\HostSv.exe\"" | C:\ProgramData\svchost\HostSv.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\svchost\\HostSv.exe\"" | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\svchost\\HostSv.exe\"" | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\svchost\\HostSv.exe\"" | C:\Users\Admin\AppData\Local\Temp\remcos_abuild.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\svchost\\HostSv.exe\"" | C:\Users\Admin\AppData\Local\Temp\remcos_abuild.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\machine.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\SysWOW64\dxdiag.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32 | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1141987721-3945596982-3297311814-1000\{C462BFC9-0A25-436D-904D-6BE6D6A3C828} | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1 | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7} | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dxdiagn.dll" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\remcos_abuild.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B} | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32 | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1 | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1141987721-3945596982-3297311814-1000\{50644157-CDBE-4DF2-A8C9-BAD7D237CE40} | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\dxdiag.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2324 wrote to memory of 1100 | N/A | C:\Users\Admin\AppData\Local\Temp\remcos_abuild.exe | C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 1100 | N/A | C:\Users\Admin\AppData\Local\Temp\remcos_abuild.exe | C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 1100 | N/A | C:\Users\Admin\AppData\Local\Temp\remcos_abuild.exe | C:\Windows\SysWOW64\cmd.exe
PID 1100 wrote to memory of 3216 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1100 wrote to memory of 3216 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1100 wrote to memory of 3216 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2324 wrote to memory of 4032 | N/A | C:\Users\Admin\AppData\Local\Temp\remcos_abuild.exe | C:\Windows\SysWOW64\WScript.exe
PID 2324 wrote to memory of 4032 | N/A | C:\Users\Admin\AppData\Local\Temp\remcos_abuild.exe | C:\Windows\SysWOW64\WScript.exe
PID 2324 wrote to memory of 4032 | N/A | C:\Users\Admin\AppData\Local\Temp\remcos_abuild.exe | C:\Windows\SysWOW64\WScript.exe
PID 4032 wrote to memory of 4216 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 4032 wrote to memory of 4216 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 4032 wrote to memory of 4216 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 4216 wrote to memory of 728 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\ProgramData\svchost\HostSv.exe
PID 4216 wrote to memory of 728 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\ProgramData\svchost\HostSv.exe
PID 4216 wrote to memory of 728 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\ProgramData\svchost\HostSv.exe
PID 728 wrote to memory of 4244 | N/A | C:\ProgramData\svchost\HostSv.exe | C:\Windows\SysWOW64\cmd.exe
PID 728 wrote to memory of 4244 | N/A | C:\ProgramData\svchost\HostSv.exe | C:\Windows\SysWOW64\cmd.exe
PID 728 wrote to memory of 4244 | N/A | C:\ProgramData\svchost\HostSv.exe | C:\Windows\SysWOW64\cmd.exe
PID 728 wrote to memory of 4504 | N/A | C:\ProgramData\svchost\HostSv.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 728 wrote to memory of 4504 | N/A | C:\ProgramData\svchost\HostSv.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 728 wrote to memory of 4504 | N/A | C:\ProgramData\svchost\HostSv.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 728 wrote to memory of 4504 | N/A | C:\ProgramData\svchost\HostSv.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 4244 wrote to memory of 2160 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 4244 wrote to memory of 2160 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 4244 wrote to memory of 2160 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 4504 wrote to memory of 2012 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | C:\Windows\SysWOW64\cmd.exe
PID 4504 wrote to memory of 2012 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | C:\Windows\SysWOW64\cmd.exe
PID 4504 wrote to memory of 2012 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | C:\Windows\SysWOW64\cmd.exe
PID 4504 wrote to memory of 4800 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | C:\Windows\SysWOW64\svchost.exe
PID 4504 wrote to memory of 4800 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | C:\Windows\SysWOW64\svchost.exe
PID 4504 wrote to memory of 4800 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | C:\Windows\SysWOW64\svchost.exe
PID 4504 wrote to memory of 4800 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | C:\Windows\SysWOW64\svchost.exe
PID 2012 wrote to memory of 4452 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2012 wrote to memory of 4452 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2012 wrote to memory of 4452 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 4504 wrote to memory of 4468 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | C:\Windows\SysWOW64\dxdiag.exe
PID 4504 wrote to memory of 4468 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | C:\Windows\SysWOW64\dxdiag.exe
PID 4504 wrote to memory of 4468 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | C:\Windows\SysWOW64\dxdiag.exe
PID 4504 wrote to memory of 4816 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 4504 wrote to memory of 4816 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 4504 wrote to memory of 4816 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 4504 wrote to memory of 4248 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 4504 wrote to memory of 4248 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 4504 wrote to memory of 4248 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 4504 wrote to memory of 4248 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 4504 wrote to memory of 2460 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 4504 wrote to memory of 2460 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 4504 wrote to memory of 2460 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 4504 wrote to memory of 4808 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 4504 wrote to memory of 4808 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 4504 wrote to memory of 4808 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 4504 wrote to memory of 4808 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 4504 wrote to memory of 4360 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 4504 wrote to memory of 4360 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 4504 wrote to memory of 4360 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 4504 wrote to memory of 4360 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\remcos_abuild.exe

"C:\Users\Admin\AppData\Local\Temp\remcos_abuild.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\svchost\HostSv.exe"

C:\ProgramData\svchost\HostSv.exe

C:\ProgramData\svchost\HostSv.exe

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\dxdiag.exe

"C:\Windows\System32\dxdiag.exe" /t C:\Users\Admin\AppData\Local\Temp\sysinfo.txt

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\wmwqpqxfwdfoeuuks"

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\wmwqpqxfwdfoeuuks"

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\hgbiqiqhklxboiiwbjch"

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\rihbrbbaytpgqoeakupikaey"

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\hgbiqiqhklxboiiwbjch"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | soon-lp.at.ply.gg | udp
US | 209.25.141.181:17209 | soon-lp.at.ply.gg | tcp
US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 181.141.25.209.in-addr.arpa | udp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp
NL | 178.237.33.50:80 | geoplugin.net | tcp
US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp
US | 209.25.141.181:17209 | soon-lp.at.ply.gg | tcp
US | 209.25.141.181:17209 | soon-lp.at.ply.gg | tcp
US | 209.25.141.181:17209 | soon-lp.at.ply.gg | tcp
US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp
US | 209.25.141.181:17209 | soon-lp.at.ply.gg | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.20.238.8.in-addr.arpa | udp
US | 209.25.141.181:17209 | soon-lp.at.ply.gg | tcp
US | 209.25.141.181:17209 | soon-lp.at.ply.gg | tcp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 209.25.141.181:17209 | soon-lp.at.ply.gg | tcp

Files

C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5 6558a7fac77341cfc1cc37fe38878d55
SHA1 79864af0115c8b29736519dde3223c6cd38b93e6
SHA256 b2863ecf79904fc60ed92359906f5b36a53bfe67f25d52e17a4930a7e3a7ed33
SHA512 a656b6d118515706c432705ef7406e68352871b9e8939c073a7c4afd80aff8fff00ac6dbdc8aed6a9cf1add00da6b0990f32ebd7f3e0f47834032f69b0e3d64a

C:\ProgramData\svchost\HostSv.exe

MD5 5090370364492fd0bf68278a6d70bf92
SHA1 49cfa076f528b7502eb5802ecb9dda07444261bc
SHA256 bcf7c9948beae0bd279a7314ba7911269832bd8613ddc7ddc0f85b1287040743
SHA512 5ef3fbe4a3bdd1bd5d94db9665b355c8dac0400d2b1e167952f8080bdd11c70e3c1d8c17e119bd2b526a4808dd5249fa1047b608a36ca3775e569d246804528e

C:\Users\Admin\AppData\Local\Temp\sysinfo.txt

MD5 73e121ef7ee28e3a51e5861cc0a0d327
SHA1 4ef33ecf1a51e0b554c83635d5732668d7e9f0b6
SHA256 7d10a9d647af367d48c6d4760ab98fb5a9239c5f6b8a638828e2d08eb122db2e
SHA512 bd49fa68710353394b561e6b83cb3b0d26cb99a889e810e957aabd9b3532e27a5963a89c0aa92799ea51df85aa1f003c443f22fc2d283a0ea540a44403878b91

C:\Users\Admin\AppData\Local\Temp\wmwqpqxfwdfoeuuks

MD5 67ebc7f72150d8441093939d8f56109d
SHA1 7c242f32e89cbc9b3925abffc02a812657eed188
SHA256 2877bf02e12dbebfe8504ba84085c2ccb3d3f5b938090cd1a1f7702c1966cef5
SHA512 791253cb1900a79508f144e75569e9855e71958602d532eae31a7c3a8360951fd5e39fec7120ec52e4d5369ce574485122dd6d58705dafa8400843df9d54e258