Malware Analysis Report

2025-06-16 01:16

Sample ID 231208-lcf2dsac35
Target SecuriteInfo.com.Win32.RATX-gen.21340.24792.exe
SHA256 dfd724316cb0edbf1212cbf5e71f007d22b7a38e7860d96d4d4bedf17eaa85ea
Tags: remcos, remotehost, collection, rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: dfd724316cb0edbf1212cbf5e71f007d22b7a38e7860d96d4d4bedf17eaa85ea

Threat Level: Known bad

The file SecuriteInfo.com.Win32.RATX-gen.21340.24792.exe was found to be: Known bad.

Malicious Activity Summary

Tags: remcos, remotehost, collection, rat

Remcos

NirSoft WebBrowserPassView

NirSoft MailPassView

Nirsoft

Drops startup file

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2023-12-08 09:23

Signatures

Unsigned PE

1 row, all columns N/A (no indicator details recorded).

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-08 09:23

Reported

2023-12-08 09:25

Platform

win10v2004-20231127-en

Max time kernel

150s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.21340.24792.exe"

Signatures

Remcos

Tags: rat, remcos

NirSoft MailPassView

2 rows, all columns N/A (no indicator details recorded).

NirSoft WebBrowserPassView

2 rows, all columns N/A (no indicator details recorded).

Nirsoft

6 rows, all columns N/A (no indicator details recorded).

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A

Accesses Microsoft Outlook accounts

Tags: collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1488 wrote to memory of 4856 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.21340.24792.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
PID 1488 wrote to memory of 4816 (12 writes) N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.21340.24792.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4816 wrote to memory of 4980 (3 writes) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4816 wrote to memory of 1804 (3 writes) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4816 wrote to memory of 4976 (3 writes) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4816 wrote to memory of 4588 (3 writes) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4816 wrote to memory of 2528 (3 writes) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.21340.24792.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.21340.24792.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe

"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.21340.24792.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /stext "C:\Users\Admin\AppData\Local\Temp\btjvbvxkuawcrwhknvxyzrueqrovt"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /stext "C:\Users\Admin\AppData\Local\Temp\btjvbvxkuawcrwhknvxyzrueqrovt"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /stext "C:\Users\Admin\AppData\Local\Temp\mvofcnimiiohckewegkscepvyxgeuduf"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /stext "C:\Users\Admin\AppData\Local\Temp\wquy"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /stext "C:\Users\Admin\AppData\Local\Temp\wquy"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 34.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 107.175.229.139:8087 tcp
US 107.175.229.139:8087 tcp
US 8.8.8.8:53 139.229.175.107.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 122.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

memory/1488-0-0x00000000009F0000-0x0000000000AB4000-memory.dmp

memory/1488-1-0x0000000074460000-0x0000000074C10000-memory.dmp

memory/1488-2-0x0000000005500000-0x00000000055AE000-memory.dmp

memory/1488-3-0x00000000054F0000-0x0000000005500000-memory.dmp

memory/1488-4-0x0000000005B60000-0x0000000006104000-memory.dmp

memory/1488-5-0x0000000005650000-0x00000000056E2000-memory.dmp

memory/1488-6-0x00000000056F0000-0x000000000578C000-memory.dmp

memory/4856-7-0x00000000050D0000-0x0000000005106000-memory.dmp

memory/4856-8-0x0000000074460000-0x0000000074C10000-memory.dmp

memory/4856-9-0x0000000005210000-0x0000000005220000-memory.dmp

memory/4856-10-0x0000000005210000-0x0000000005220000-memory.dmp

memory/4856-11-0x0000000005850000-0x0000000005E78000-memory.dmp

memory/4856-12-0x00000000057E0000-0x0000000005802000-memory.dmp

memory/4856-13-0x0000000005FB0000-0x0000000006016000-memory.dmp

memory/4856-14-0x0000000006020000-0x0000000006086000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tpy2n3eb.ysf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1488-24-0x00000000054A0000-0x00000000054A8000-memory.dmp

memory/4856-25-0x0000000006260000-0x00000000065B4000-memory.dmp

memory/4816-26-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4816-27-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1488-29-0x0000000074460000-0x0000000074C10000-memory.dmp

memory/4816-30-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4816-31-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4816-33-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4816-35-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4856-34-0x00000000053B0000-0x00000000053CE000-memory.dmp

memory/4856-37-0x0000000006750000-0x000000000679C000-memory.dmp

memory/4816-36-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4816-38-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4816-39-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4816-40-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4816-41-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4856-42-0x00000000078E0000-0x0000000007976000-memory.dmp

memory/4856-43-0x0000000006C00000-0x0000000006C1A000-memory.dmp

memory/4856-44-0x0000000006CB0000-0x0000000006CD2000-memory.dmp

memory/4816-49-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4856-50-0x0000000074460000-0x0000000074C10000-memory.dmp

memory/4980-51-0x0000000000400000-0x0000000000400000-memory.dmp

memory/1804-52-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2528-60-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1804-58-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4976-61-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4976-69-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4816-70-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2528-73-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2528-65-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4816-62-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4976-57-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1804-56-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2528-74-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4976-54-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1804-77-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\btjvbvxkuawcrwhknvxyzrueqrovt

MD5 f38f9e66e6018fe17658be974254cad4
SHA1 597063c515fc90a5cef2d3f4a64d5c8f5e7ed47c
SHA256 448eb8deec9960c9a2b6a27daeaea4cbab7d8469ed8b52b6d5916df458b07bb6
SHA512 a6b2f498fbd5fe598430371d57182b73779e66af1f2a85b4f6bde919e17c0f8611b226d96ff8134098904c42edaf0c0ef78328f2ccbe9fb16a4f66dd1d5c57a5

memory/4816-80-0x0000000010000000-0x0000000010019000-memory.dmp

memory/4816-84-0x0000000010000000-0x0000000010019000-memory.dmp

memory/4816-83-0x0000000010000000-0x0000000010019000-memory.dmp

memory/4816-85-0x0000000010000000-0x0000000010019000-memory.dmp

memory/4816-87-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4816-86-0x0000000010000000-0x0000000010019000-memory.dmp

memory/4816-89-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4816-90-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4816-93-0x0000000000400000-0x0000000000482000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 fa1db6aea687cd80456174dd65075b23
SHA1 85f9fb1e2b1883cc42a5091f94e5b9695ab04123
SHA256 b1d434d0f76e561373599b43bfb2e3ce8ae991a14a098d997440e6f20b4c3a60
SHA512 9efbed7d7739e75ef32035e60fe5b4ab14c854ace5b9e368ccc64daf03eeb2a12c36f1376000ea38c324c8867be588b24f9056c6f4100c174a78dde12a05ba0a

memory/4816-95-0x0000000010000000-0x0000000010019000-memory.dmp

memory/4816-96-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4816-98-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4816-99-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4816-105-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4816-109-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4816-110-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4816-112-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4816-116-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4816-119-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4816-120-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4816-121-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4816-124-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4816-126-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4816-130-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4816-131-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4816-132-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4816-135-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4816-137-0x0000000000400000-0x0000000000482000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-08 09:23

Reported

2023-12-08 09:25

Platform

win7-20231020-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.21340.24792.exe"

Signatures

Remcos

Tags: rat, remcos

NirSoft MailPassView

2 rows, all columns N/A (no indicator details recorded).

NirSoft WebBrowserPassView

2 rows, all columns N/A (no indicator details recorded).

Nirsoft

7 rows, all columns N/A (no indicator details recorded).

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A

Accesses Microsoft Outlook accounts

Tags: collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 844 wrote to memory of 2088 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.21340.24792.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
PID 844 wrote to memory of 2660 (13 writes) N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.21340.24792.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2660 wrote to memory of 1044 (5 writes) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2660 wrote to memory of 672 (5 writes) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2660 wrote to memory of 1252 (5 writes) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
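The WriteProcessMemory tables of both runs (PIDs 1488/4816 on win10, 844/2660 on win7) have the same shape: the dropped executable writes a few times into its PowerShell child, which was started with a real command line; it writes many more times (12 and 13) into a freshly started cvtres.exe that has no arguments of its own; and that cvtres.exe then writes into several further copies of itself, one per /stext child. The script below is an added example, not part of the report or of any sandbox tooling. It parses rows in the one-line-per-call format the sandbox emits, collapses them into per-edge write counts, labels each edge and prints the injection tree. The sample rows reproduce the win10 table; the write-count threshold that separates ordinary process-start writes from a hollowing candidate, and the system-directory list, are assumptions to tune per environment.

```python
import re
from collections import Counter, defaultdict

# Image paths exactly as they appear in the report tables.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.21340.24792.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe"
CVTRES = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"


def row(src_pid, dst_pid, src_img, dst_img):
    """One line in the sandbox's 'PID X wrote to memory of Y' row format."""
    return f"PID {src_pid} wrote to memory of {dst_pid} N/A {src_img} {dst_img}"


# The win10 table, one line per call; the multipliers are the number of
# times each identical line occurs in the report.
REPORT_ROWS = (
    [row(1488, 4856, SAMPLE, PS)] * 3
    + [row(1488, 4816, SAMPLE, CVTRES)] * 12
    + [row(4816, 4980, CVTRES, CVTRES)] * 3
    + [row(4816, 1804, CVTRES, CVTRES)] * 3
    + [row(4816, 4976, CVTRES, CVTRES)] * 3
    + [row(4816, 4588, CVTRES, CVTRES)] * 3
    + [row(4816, 2528, CVTRES, CVTRES)] * 3
)

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")

# Assumptions (tune per sandbox): a Windows-shipped binary in these directories
# receiving this many writes from a non-system parent is a hollowing candidate;
# a few writes into a child that got a real command line are what process
# creation itself produces.
SYSTEM_DIRS = ("c:\\windows\\microsoft.net\\", "c:\\windows\\syswow64\\", "c:\\windows\\system32\\")
HOLLOW_WRITE_THRESHOLD = 8


def parse_rows(lines):
    """Collapse repeated rows into (src_pid, dst_pid, src_img, dst_img) -> write count."""
    counts = Counter()
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:
            src_pid, dst_pid, src_img, dst_img = m.groups()
            counts[(int(src_pid), int(dst_pid), src_img, dst_img)] += 1
    return counts


def classify(edge, n_writes):
    _, _, src_img, dst_img = edge
    src, dst = src_img.lower(), dst_img.lower()
    if (n_writes >= HOLLOW_WRITE_THRESHOLD and dst.startswith(SYSTEM_DIRS)
            and not src.startswith(SYSTEM_DIRS)):
        return "hollowing-candidate"
    if src == dst:
        return "self-spawned-module"  # host writing into a fresh copy of itself
    return "process-start-writes"


def injection_chain(lines):
    """Return ({edge: (count, label)}, {parent_pid: [child_pid, ...]})."""
    counts = parse_rows(lines)
    findings = {edge: (n, classify(edge, n)) for edge, n in counts.items()}
    children = defaultdict(list)
    for src_pid, dst_pid, _, _ in counts:
        children[src_pid].append(dst_pid)
    return findings, children


def render(findings, children, root):
    """Indented text tree from `root`, one line per injection target."""
    by_target = {dst: (n, label) for (_, dst, _, _), (n, label) in findings.items()}
    lines = []

    def walk(pid, depth):
        for child in sorted(children.get(pid, [])):
            n, label = by_target[child]
            lines.append(f"{'  ' * depth}{pid} -> {child}  ({n} writes, {label})")
            walk(child, depth + 1)

    walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    findings, children = injection_chain(REPORT_ROWS)
    print(render(findings, children, root=1488))
```

Run stand-alone it prints the win10 chain rooted at PID 1488: the 12-write edge into cvtres.exe is labelled as the hollowing candidate, the 3-write edge into PowerShell as ordinary process start, and the five cvtres.exe-to-cvtres.exe edges as self-spawned modules. Feeding it the win7 rows (844, 2088, 2660, 1044, 672, 1252) gives the same shape with one more level of PIDs.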

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.21340.24792.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.21340.24792.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe

"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.21340.24792.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /stext "C:\Users\Admin\AppData\Local\Temp\htcfcicix"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /stext "C:\Users\Admin\AppData\Local\Temp\svhydbnjtnoj"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /stext "C:\Users\Admin\AppData\Local\Temp\cpnjdtxdhwgnprp"
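Three things in the Processes sections of both runs are worth turning into process-creation detections: a PowerShell child launched with -ExecutionPolicy Bypass that Copy-Items the dropped executable into the per-user Startup folder under the bare name .exe (an empty file stem); cvtres.exe, the .NET Framework resource converter, started by a file in the user's Temp directory; and further cvtres.exe copies started with /stext "<path>", the NirSoft command-line switch for saving recovered passwords as text, which cvtres.exe itself does not accept and which lines up with the NirSoft WebBrowserPassView and MailPassView signatures. The Python below is an added example, not code from the report or from any vendor. It runs those three rules over constructed process events built from the win10 command lines above, plus one assumed benign cvtres.exe launch from the C# compiler for contrast; the parent of the dropped sample (explorer.exe) and the benign event's arguments are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    parent_image: str
    cmdline: str


def basename(path):
    return path.rsplit("\\", 1)[-1]


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.21340.24792.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe"
CVTRES = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe"

# Constructed events mirroring the win10 Processes section. The parent of the
# dropped sample (explorer.exe) and the last, benign cvtres.exe launch from
# csc.exe are assumptions added for contrast, not taken from the report.
EVENTS = [
    ProcEvent(1488, SAMPLE, r"C:\Windows\explorer.exe", f'"{SAMPLE}"'),
    ProcEvent(4856, PS, SAMPLE,
              f"\"Powershell.exe\" -ExecutionPolicy Bypass -command Copy-Item '{SAMPLE}' '{STARTUP}'"),
    ProcEvent(4816, CVTRES, SAMPLE, f'"{CVTRES}"'),
    ProcEvent(1804, CVTRES, CVTRES, rf'{CVTRES} /stext "{TEMP}\btjvbvxkuawcrwhknvxyzrueqrovt"'),
    ProcEvent(4976, CVTRES, CVTRES, rf'{CVTRES} /stext "{TEMP}\mvofcnimiiohckewegkscepvyxgeuduf"'),
    ProcEvent(9001, CVTRES, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
              rf'{CVTRES} /NOLOGO /READONLY "/OUT:C:\build\app.obj" "C:\build\app.res"'),
]

SYSTEM_PREFIXES = ("c:\\windows\\microsoft.net\\", "c:\\windows\\syswow64\\", "c:\\windows\\system32\\")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
COPY_ITEM_RE = re.compile(r"copy-item\s+'([^']+)'\s+'([^']+)'", re.I)
STEXT_RE = re.compile(r'/stext\s+"?([^"\s]+)"?', re.I)


def rule_startup_copy(ev):
    """PowerShell Copy-Item whose destination is the per-user Startup folder."""
    if basename(ev.image).lower() != "powershell.exe":
        return None
    m = COPY_ITEM_RE.search(ev.cmdline)
    if not m or STARTUP_DIR not in m.group(2).lower():
        return None
    src, dst = m.groups()
    notes = []
    if "-executionpolicy bypass" in ev.cmdline.lower():
        notes.append("ExecutionPolicy Bypass")
    if basename(dst).startswith("."):
        notes.append("empty file stem")
    return f"startup persistence {src} -> {dst}" + (f" [{'; '.join(notes)}]" if notes else "")


def rule_stext_in_system_binary(ev):
    """/stext is the NirSoft save-as-text switch; a Windows-shipped binary has no use for it."""
    m = STEXT_RE.search(ev.cmdline)
    if m and ev.image.lower().startswith(SYSTEM_PREFIXES):
        return f"NirSoft /stext output from hollowed {basename(ev.image)}: {m.group(1)}"
    return None


def rule_system_binary_from_user_dir(ev):
    """Windows-shipped binary started by a parent living in a user-writable location."""
    if (ev.image.lower().startswith(SYSTEM_PREFIXES)
            and any(u in ev.parent_image.lower() for u in USER_WRITABLE)):
        return f"{basename(ev.image)} spawned by {ev.parent_image}"
    return None


RULES = (rule_startup_copy, rule_stext_in_system_binary, rule_system_binary_from_user_dir)


def detect(events):
    """Run every rule over every event; return [(rule name, pid, detail)]."""
    hits = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                hits.append((rule.__name__, ev.pid, detail))
    return hits


if __name__ == "__main__":
    for name, pid, detail in detect(EVENTS):
        print(f"{pid:>5}  {name:<34} {detail}")
```

The /stext rule keys on the image directory rather than on a list of NirSoft tool names, because the whole point of the hollowing is that the process image is a signed Microsoft binary; a real NirSoft tool run from a user directory is a different, lower-severity finding. The benign csc.exe-spawned cvtres.exe produces no hit, and the dropped sample itself only shows up as the parent in the other events.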

Network

Country Destination Domain Proto
US 107.175.229.139:8087 tcp
US 107.175.229.139:8087 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
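The Network tables of the two runs differ mostly in noise: on win10 the resolver issued a reverse (in-addr.arpa) lookup for almost every address it touched and the image fetched from a Bing host (tse1.mm.bing.net), while both runs share the two indicators that matter, a direct-to-IP TCP session to 107.175.229.139:8087 with no forward DNS query for a hostname, and a geoplugin.net request over port 80 right after it. The script below is an added example, not report tooling. It parses rows in the report's own layout (the Domain column is absent on the C2 rows), turns PTR names back into addresses so that a reverse lookup of an IP the sample actually connected to is told apart from resolver noise, and extracts the IOC set. The background-domain list and the rule that a domainless TCP session to a non-web port is a C2 candidate are assumptions.

```python
import re
from collections import Counter

# Rows copied from the Network tables above, in the report's own layout
# (Country Destination Domain Proto; the C2 rows carry no Domain value).
NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 107.175.229.139:8087 tcp
US 107.175.229.139:8087 tcp
US 8.8.8.8:53 139.229.175.107.in-addr.arpa udp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
"""

BACKGROUND_DOMAINS = {"tse1.mm.bing.net"}  # assumption: OS background traffic of the sandbox image
GEOLOOKUP_DOMAINS = {"geoplugin.net"}     # public geolocation API the implant queries after connecting
WEB_PORTS = {80, 443}
PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$")


def parse_rows(text):
    """Yield one dict per row; the Domain column is optional in the report layout."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        yield {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def ptr_to_ip(name):
    """'139.229.175.107.in-addr.arpa' -> '107.175.229.139'; None for non-PTR names."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def label(row, contacted_ips):
    """Classify one row given the set of IPs that saw a TCP session."""
    if row["proto"] == "udp" and row["port"] == 53:
        ip = ptr_to_ip(row["domain"])
        if ip is None:
            return "dns-query"
        return "ptr-of-contacted-ip" if ip in contacted_ips else "ptr-noise"
    if row["domain"] in BACKGROUND_DOMAINS:
        return "background"
    if row["domain"] in GEOLOOKUP_DOMAINS:
        return "geolocation-check"
    if row["proto"] == "tcp" and not row["domain"] and row["port"] not in WEB_PORTS:
        return "c2-candidate"
    return "unclassified"


def triage(text):
    """Return (label counts, IOC dict) for a Network table in the report's layout."""
    rows = list(parse_rows(text))
    contacted = {r["ip"] for r in rows if r["proto"] == "tcp"}
    labelled = Counter()
    iocs = {"c2": set(), "geolocation": set(), "ptr_of_contacted": set()}
    for r in rows:
        lab = label(r, contacted)
        labelled[lab] += 1
        endpoint = f'{r["ip"]}:{r["port"]}'
        if lab == "c2-candidate":
            iocs["c2"].add(endpoint)
        elif lab == "geolocation-check":
            iocs["geolocation"].add(r["domain"] or endpoint)
        elif lab == "ptr-of-contacted-ip":
            iocs["ptr_of_contacted"].add(ptr_to_ip(r["domain"]))
    return labelled, iocs


if __name__ == "__main__":
    counts, iocs = triage(NETWORK_ROWS)
    for lab, n in counts.most_common():
        print(f"{n:>3}  {lab}")
    for kind, values in iocs.items():
        print(f"{kind}: {sorted(values)}")
```

Only the c2 and geolocation sets are worth blocking or hunting on; the PTR set is useful as corroboration (the sandbox reverse-resolved the C2 address, the geoplugin.net address and the Bing address), and everything labelled ptr-noise or background can be dropped before the IOCs are shared.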

Files

memory/844-0-0x0000000000F90000-0x0000000001054000-memory.dmp

memory/844-1-0x0000000074D60000-0x000000007544E000-memory.dmp

memory/844-3-0x0000000004730000-0x00000000047DE000-memory.dmp

memory/844-2-0x0000000004A70000-0x0000000004AB0000-memory.dmp

memory/2088-6-0x0000000070440000-0x00000000709EB000-memory.dmp

memory/2088-7-0x0000000070440000-0x00000000709EB000-memory.dmp

memory/2088-8-0x0000000002260000-0x00000000022A0000-memory.dmp

memory/844-9-0x0000000000500000-0x0000000000508000-memory.dmp

memory/2088-10-0x0000000002260000-0x00000000022A0000-memory.dmp

memory/2660-11-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-12-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-13-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-14-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-15-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-16-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-17-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-18-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-19-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2660-20-0x0000000000400000-0x0000000000482000-memory.dmp

memory/844-22-0x0000000074D60000-0x000000007544E000-memory.dmp

memory/2660-23-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-24-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-25-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-27-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-28-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-29-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-30-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-31-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-32-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-33-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2088-35-0x0000000070440000-0x00000000709EB000-memory.dmp

memory/2660-37-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1044-38-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1044-40-0x0000000000400000-0x0000000000478000-memory.dmp

memory/672-45-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1044-44-0x0000000000400000-0x0000000000478000-memory.dmp

memory/672-51-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1044-49-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1044-48-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1252-53-0x0000000000400000-0x0000000000424000-memory.dmp

memory/672-54-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1044-60-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\htcfcicix

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/2660-65-0x0000000010000000-0x0000000010019000-memory.dmp

memory/672-64-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1252-63-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2660-70-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1252-73-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1252-76-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2660-75-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2660-74-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-72-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-71-0x0000000010000000-0x0000000010019000-memory.dmp

memory/1252-69-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2660-68-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2660-79-0x0000000000400000-0x0000000000482000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 0a52517ec4b1073b9e77c9be751d5314
SHA1 af881a778d2c2b2b587f1702754867b049908a52
SHA256 bb3f8d536491ddc4030d97c0e9c094d5c5a6012cfaa17164a2e5cd84f30d453f
SHA512 86d19f07e842dee7c7f7abe7812f4ad5df3efd64b351295f24509dd7bcecd2d9cde828cc6411c4072b500072900f5f685ba78f96969e60fc8539c8136dbb5b78

memory/2660-84-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-85-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-92-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-93-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-100-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-101-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-108-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-109-0x0000000000400000-0x0000000000482000-memory.dmp