Malware Analysis Report

2024-08-06 17:38

Sample ID 231103-qcgedaag5z
Target NEAS.00023eb2bebba3dfe0bf9497a742b890.exe
SHA256 9b5ef79976dbfedbc2c85f57a905bdc408956be8e51cb04a76a4e5d353b575a2
Tags
remcos xpertrat hard collection evasion persistence rat trojan flex upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9b5ef79976dbfedbc2c85f57a905bdc408956be8e51cb04a76a4e5d353b575a2

Threat Level: Known bad

The file NEAS.00023eb2bebba3dfe0bf9497a742b890.exe was found to be: Known bad.

Malicious Activity Summary

Remcos

Windows security bypass

UAC bypass

XpertRAT Core payload

XpertRAT

NirSoft MailPassView

Nirsoft

NirSoft WebBrowserPassView

Adds policy Run key to start application

Windows security modification

UPX packed file

Executes dropped EXE

Loads dropped DLL

Accesses Microsoft Outlook accounts

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Unsigned PE

System policy modification

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2023-11-03 13:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-03 13:06

Reported

2023-11-03 13:09

Platform

win7-20231020-en

Max time kernel

168s

Max time network

168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.00023eb2bebba3dfe0bf9497a742b890.exe"

Signatures

Remcos

rat remcos

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Iserver.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" C:\Users\Admin\AppData\Local\Temp\Iserver.exe N/A

XpertRAT

rat xpertrat

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2 = "C:\\Users\\Admin\\AppData\\Roaming\\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" C:\Users\Admin\AppData\Local\Temp\Iserver.exe N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2 = "C:\\Users\\Admin\\AppData\\Roaming\\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2 = "C:\\Users\\Admin\\AppData\\Roaming\\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Iserver.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2580 set thread context of 2800 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.00023eb2bebba3dfe0bf9497a742b890.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2800 set thread context of 2732 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2800 set thread context of 2384 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2800 set thread context of 2628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 1160 set thread context of 3068 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1160 set thread context of 2936 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2800 set thread context of 1296 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2800 set thread context of 2204 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2800 set thread context of 2836 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 1160 set thread context of 2192 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1160 set thread context of 3004 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2800 set thread context of 2980 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2800 set thread context of 896 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 3004 set thread context of 2084 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3004 set thread context of 1084 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3004 set thread context of 2064 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3004 set thread context of 1964 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3004 set thread context of 704 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2580 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.00023eb2bebba3dfe0bf9497a742b890.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2580 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.00023eb2bebba3dfe0bf9497a742b890.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2580 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.00023eb2bebba3dfe0bf9497a742b890.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2580 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.00023eb2bebba3dfe0bf9497a742b890.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2580 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.00023eb2bebba3dfe0bf9497a742b890.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2580 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.00023eb2bebba3dfe0bf9497a742b890.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2580 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.00023eb2bebba3dfe0bf9497a742b890.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2580 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.00023eb2bebba3dfe0bf9497a742b890.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2580 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.00023eb2bebba3dfe0bf9497a742b890.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2580 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.00023eb2bebba3dfe0bf9497a742b890.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2580 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.00023eb2bebba3dfe0bf9497a742b890.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2580 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.00023eb2bebba3dfe0bf9497a742b890.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2580 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.00023eb2bebba3dfe0bf9497a742b890.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2800 wrote to memory of 2732 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2800 wrote to memory of 2732 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2800 wrote to memory of 2732 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2800 wrote to memory of 2732 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2800 wrote to memory of 2732 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2800 wrote to memory of 2384 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2800 wrote to memory of 2384 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2800 wrote to memory of 2384 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2800 wrote to memory of 2384 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2800 wrote to memory of 2384 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2800 wrote to memory of 2628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2800 wrote to memory of 2628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2800 wrote to memory of 2628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2800 wrote to memory of 2628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2800 wrote to memory of 2628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2800 wrote to memory of 1160 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Users\Admin\AppData\Local\Temp\Iserver.exe
PID 2800 wrote to memory of 1160 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Users\Admin\AppData\Local\Temp\Iserver.exe
PID 2800 wrote to memory of 1160 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Users\Admin\AppData\Local\Temp\Iserver.exe
PID 2800 wrote to memory of 1160 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Users\Admin\AppData\Local\Temp\Iserver.exe
PID 2800 wrote to memory of 1160 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Users\Admin\AppData\Local\Temp\Iserver.exe
PID 2800 wrote to memory of 1160 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Users\Admin\AppData\Local\Temp\Iserver.exe
PID 2800 wrote to memory of 1160 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Users\Admin\AppData\Local\Temp\Iserver.exe
PID 1160 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1160 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1160 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1160 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1160 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1160 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1160 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1160 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1160 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1160 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1160 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1160 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1160 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1160 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1160 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1160 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1160 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1160 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1160 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1160 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1160 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1160 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1160 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1160 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2800 wrote to memory of 1296 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2800 wrote to memory of 1296 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2800 wrote to memory of 1296 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2800 wrote to memory of 1296 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2800 wrote to memory of 1296 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Iserver.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.00023eb2bebba3dfe0bf9497a742b890.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.00023eb2bebba3dfe0bf9497a742b890.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe /stext "C:\Users\Admin\AppData\Local\Temp\fxyhaxemsvxagfoejah"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe /stext "C:\Users\Admin\AppData\Local\Temp\pzeabqxogdpfjtkitltopc"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe /stext "C:\Users\Admin\AppData\Local\Temp\surkuiihclhktzymkwgishxfyt"

C:\Users\Admin\AppData\Local\Temp\Iserver.exe

"C:\Users\Admin\AppData\Local\Temp\Iserver.exe"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\Iserver.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\Iserver.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe /stext "C:\Users\Admin\AppData\Local\Temp\xdkuzzfudqeihhrwu"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe /stext "C:\Users\Admin\AppData\Local\Temp\hfynssporywvsnnievbwe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe /stext "C:\Users\Admin\AppData\Local\Temp\jzdfskapfgoaubbmvgoyhnlv"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe /stext "C:\Users\Admin\AppData\Local\Temp\jzdfskapfgoaubbmvgoyhnlv"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\Iserver.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\Iserver.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe /stext "C:\Users\Admin\AppData\Local\Temp\eozxxrvbtcstg"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe /stext "C:\Users\Admin\AppData\Local\Temp\eozxxrvbtcstg"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe /stext "C:\Users\Admin\AppData\Local\Temp\oieixjfvplkyqicv"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

/stext "C:\Users\Admin\AppData\Roaming\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\qtbohfghp0.txt"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

/stext "C:\Users\Admin\AppData\Roaming\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\qtbohfghp1.txt"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

/stext "C:\Users\Admin\AppData\Roaming\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\qtbohfghp2.txt"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

/stext "C:\Users\Admin\AppData\Roaming\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\qtbohfghp3.txt"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

/stext "C:\Users\Admin\AppData\Roaming\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\qtbohfghp4.txt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 cloudhost.myfirewall.org udp
BG 94.156.68.180:9302 cloudhost.myfirewall.org tcp
BG 94.156.68.180:9302 cloudhost.myfirewall.org tcp
BG 94.156.68.180:9302 cloudhost.myfirewall.org tcp
BG 94.156.68.180:9302 cloudhost.myfirewall.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 sandshoe.myfirewall.org udp
BG 94.156.68.180:5344 sandshoe.myfirewall.org tcp
BG 94.156.68.180:5344 sandshoe.myfirewall.org tcp
BG 94.156.68.180:5344 sandshoe.myfirewall.org tcp

Files

\Users\Admin\AppData\Local\Temp\Iserver.exe

MD5 98dba4873d2b9b467158400540b5eebe
SHA1 4769f5a15191e8ac78ae46544f52414e47fedd30
SHA256 7532708eb8b2150fc58ff178790f86ab88f1352f82dcf450500abd52b92f64f4
SHA512 37f5ed08eb29ef0d316e6e0e08a47b4a18721d74f81f367b0564038a9f82912ad0a1278733947ca4b9da7139c8aecbf09fb937f10c7f956d1e5e31fa71a9c666

C:\Users\Admin\AppData\Roaming\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2.exe

MD5 98dba4873d2b9b467158400540b5eebe
SHA1 4769f5a15191e8ac78ae46544f52414e47fedd30
SHA256 7532708eb8b2150fc58ff178790f86ab88f1352f82dcf450500abd52b92f64f4
SHA512 37f5ed08eb29ef0d316e6e0e08a47b4a18721d74f81f367b0564038a9f82912ad0a1278733947ca4b9da7139c8aecbf09fb937f10c7f956d1e5e31fa71a9c666

C:\Users\Admin\AppData\Local\Temp\bhvCABE.tmp

MD5 1f0135e15f39fe41d67cd58b8ec67478
SHA1 f28cce6ede6d44778eb8893a10decd9363917c90
SHA256 30b9aa5f69674a6be9911fb95ca6a222cb9bdcc15f033523db77f815e3474334
SHA512 e7ee9502350901590b702ce9b51c82a257f48a2938c43eb2b8e09d9f4d4c48293a5cdf05fbeac45e92248b13a82218cc524e49dce304270aac1b8b7bd8b57bd7

C:\ProgramData\remcos\logs.dat

MD5 02293db605124308de7b7a60590147ac
SHA1 18480cab4bc362b9d2e35149823249e10e16894e
SHA256 cc19e12e6436f6a85416b0e576923cc1453a09fd6edb92b0a58c605dba4956f4
SHA512 1c096993ae7acfe3ad31aa448b5d4cd50356835f1a3994d9d2092dc460048891cefa6962f3997759ce0258cb023af38340479666a446ee7d47bdc943406422dd

C:\Users\Admin\AppData\Roaming\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\qtbohfghp2.txt

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Roaming\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\qtbohfghp4.txt

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-03 13:06

Reported

2023-11-03 13:09

Platform

win10v2004-20231020-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.00023eb2bebba3dfe0bf9497a742b890.exe"

Signatures

Remcos

rat remcos

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Iserver.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" C:\Users\Admin\AppData\Local\Temp\Iserver.exe N/A

XpertRAT

rat xpertrat

XpertRAT Core payload

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2 = "C:\\Users\\Admin\\AppData\\Roaming\\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" C:\Users\Admin\AppData\Local\Temp\Iserver.exe N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2 = "C:\\Users\\Admin\\AppData\\Roaming\\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2 = "C:\\Users\\Admin\\AppData\\Roaming\\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Iserver.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3812 set thread context of 556 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.00023eb2bebba3dfe0bf9497a742b890.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 556 set thread context of 3528 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 556 set thread context of 4944 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 556 set thread context of 4352 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 464 set thread context of 5028 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5028 set thread context of 1320 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5028 set thread context of 3488 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5028 set thread context of 2548 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5028 set thread context of 3000 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5028 set thread context of 3568 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3812 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.00023eb2bebba3dfe0bf9497a742b890.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 3812 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.00023eb2bebba3dfe0bf9497a742b890.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 3812 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.00023eb2bebba3dfe0bf9497a742b890.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 3812 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.00023eb2bebba3dfe0bf9497a742b890.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 3812 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.00023eb2bebba3dfe0bf9497a742b890.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 3812 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.00023eb2bebba3dfe0bf9497a742b890.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 3812 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.00023eb2bebba3dfe0bf9497a742b890.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 3812 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.00023eb2bebba3dfe0bf9497a742b890.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 3812 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.00023eb2bebba3dfe0bf9497a742b890.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 3812 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.00023eb2bebba3dfe0bf9497a742b890.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 3812 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.00023eb2bebba3dfe0bf9497a742b890.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 3812 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.00023eb2bebba3dfe0bf9497a742b890.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 556 wrote to memory of 3528 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 556 wrote to memory of 3528 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 556 wrote to memory of 3528 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 556 wrote to memory of 3528 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 556 wrote to memory of 4944 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 556 wrote to memory of 4944 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 556 wrote to memory of 4944 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 556 wrote to memory of 4944 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 556 wrote to memory of 492 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 556 wrote to memory of 492 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 556 wrote to memory of 492 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 556 wrote to memory of 4352 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 556 wrote to memory of 4352 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 556 wrote to memory of 4352 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 556 wrote to memory of 4352 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 556 wrote to memory of 464 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Users\Admin\AppData\Local\Temp\Iserver.exe
PID 556 wrote to memory of 464 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Users\Admin\AppData\Local\Temp\Iserver.exe
PID 556 wrote to memory of 464 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Users\Admin\AppData\Local\Temp\Iserver.exe
PID 464 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 464 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 464 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 464 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 464 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 464 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 464 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 464 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5028 wrote to memory of 1320 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5028 wrote to memory of 1320 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5028 wrote to memory of 1320 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5028 wrote to memory of 1320 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5028 wrote to memory of 1320 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5028 wrote to memory of 1320 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5028 wrote to memory of 1320 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5028 wrote to memory of 1320 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5028 wrote to memory of 3488 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5028 wrote to memory of 3488 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5028 wrote to memory of 3488 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5028 wrote to memory of 3488 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5028 wrote to memory of 3488 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5028 wrote to memory of 3488 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5028 wrote to memory of 3488 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5028 wrote to memory of 3488 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5028 wrote to memory of 3488 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5028 wrote to memory of 2548 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5028 wrote to memory of 2548 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5028 wrote to memory of 2548 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5028 wrote to memory of 2548 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5028 wrote to memory of 2548 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5028 wrote to memory of 2548 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5028 wrote to memory of 2548 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5028 wrote to memory of 2548 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5028 wrote to memory of 2548 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Iserver.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.00023eb2bebba3dfe0bf9497a742b890.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.00023eb2bebba3dfe0bf9497a742b890.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe /stext "C:\Users\Admin\AppData\Local\Temp\tpnrxcnd"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe /stext "C:\Users\Admin\AppData\Local\Temp\ejtkxvyxdpu"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe /stext "C:\Users\Admin\AppData\Local\Temp\omycynjyrxmejsn"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe /stext "C:\Users\Admin\AppData\Local\Temp\omycynjyrxmejsn"

C:\Users\Admin\AppData\Local\Temp\Iserver.exe

"C:\Users\Admin\AppData\Local\Temp\Iserver.exe"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\Iserver.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

/stext "C:\Users\Admin\AppData\Roaming\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\vhbnmppaf0.txt"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

/stext "C:\Users\Admin\AppData\Roaming\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\vhbnmppaf1.txt"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

/stext "C:\Users\Admin\AppData\Roaming\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\vhbnmppaf2.txt"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

/stext "C:\Users\Admin\AppData\Roaming\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\vhbnmppaf3.txt"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

/stext "C:\Users\Admin\AppData\Roaming\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\vhbnmppaf4.txt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 163.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 cloudhost.myfirewall.org udp
BG 94.156.68.180:9302 cloudhost.myfirewall.org tcp
BG 94.156.68.180:9302 cloudhost.myfirewall.org tcp
US 8.8.8.8:53 180.68.156.94.in-addr.arpa udp
BG 94.156.68.180:9302 cloudhost.myfirewall.org tcp
BG 94.156.68.180:9302 cloudhost.myfirewall.org tcp
US 8.8.8.8:53 155.245.36.23.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 sandshoe.myfirewall.org udp
BG 94.156.68.180:5344 sandshoe.myfirewall.org tcp
BG 94.156.68.180:5344 sandshoe.myfirewall.org tcp
BG 94.156.68.180:5344 sandshoe.myfirewall.org tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 121.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\Iserver.exe

MD5 98dba4873d2b9b467158400540b5eebe
SHA1 4769f5a15191e8ac78ae46544f52414e47fedd30
SHA256 7532708eb8b2150fc58ff178790f86ab88f1352f82dcf450500abd52b92f64f4
SHA512 37f5ed08eb29ef0d316e6e0e08a47b4a18721d74f81f367b0564038a9f82912ad0a1278733947ca4b9da7139c8aecbf09fb937f10c7f956d1e5e31fa71a9c666

C:\Users\Admin\AppData\Local\Temp\tpnrxcnd

MD5 4e47b05f918b05300967092e35ea3e41
SHA1 d991ab1abbe6432d3d94521380284d40385ca4a7
SHA256 82c6514447aba6eeb8c8a8d62b5dc12eb3f52d401e4f838ada64a797bd0c8ec9
SHA512 e26c5b7ce20152b91be463c832d40492db3dfaa68ccc3224c6ec25079ed3566e25d616cd86e20b2e3a730bc437b0f16c782b2ad7461708dcb9de2f8027f0bd35

C:\Users\Admin\AppData\Roaming\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\vhbnmppaf2.txt

MD5 f94dc819ca773f1e3cb27abbc9e7fa27
SHA1 9a7700efadc5ea09ab288544ef1e3cd876255086
SHA256 a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA512 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

C:\Users\Admin\AppData\Roaming\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\vhbnmppaf4.txt

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\ProgramData\remcos\logs.dat

MD5 88e2f5efd16832ff5caf775587f4f245
SHA1 0d7f6945835372878b0f506ec79bd31ee783ae8f
SHA256 ad5aef6c5a392ce71eaa6b6ca4db07a758a6e978acd407408e88996a1f9fe438
SHA512 6084396a012f5dd040a04f0e2192acead5d5bc4b08fd3fc856eb04c0ba3b0265748b258e5be8fe0c241f9a5d384f2ebc6f528a1fc3fef8a6c01c3986f773fed8
