Malware Analysis Report

2025-08-10 16:48

Sample ID 240213-c5sffsbg7s
Target 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
SHA256 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b
Tags
remcos p2-bin collection rat spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b

Threat Level: Known bad

The file 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe was found to be: Known bad.

Malicious Activity Summary

remcos p2-bin collection rat spyware stealer

Remcos

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

NirSoft MailPassView

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Detects executables referencing many email and collaboration clients. Observed in information stealers

Detects executables built or packed with MPress PE compressor

NirSoft WebBrowserPassView

Nirsoft

Checks computer location settings

Reads user/profile data of web browsers

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-13 02:39

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-13 02:39

Reported

2024-02-13 02:45

Platform

win7-20231215-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"

Signatures

Remcos

rat remcos

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Detects executables built or packed with MPress PE compressor

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Detects executables referencing many email and collaboration clients. Observed in information stealers

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2428 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2428 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2428 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Windows\SysWOW64\schtasks.exe
PID 2428 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 2660 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 2660 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 2660 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 2660 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 2660 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

"C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bZurkfs.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bZurkfs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7F0F.tmp"

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

"C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\yvzuqpklixkokuan"

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\yvzuqpklixkokuan"

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\jxnnrzueefctmiwzycw"

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\lrsyssfgsouyxokdpnjupc"

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\lrsyssfgsouyxokdpnjupc"

Network

Country Destination Domain Proto
LV 84.38.132.126:61445 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp7F0F.tmp

MD5 8232d57a32198dd1f7e4b5c48fd82a66
SHA1 9e4ce3eb703d0d101710e5041ffd83033c6a1d7a
SHA256 6c34bbf2e7bd6c43530959a0bc440b8f4a91c0eb6e8d768ea81daa30d6d71eb6
SHA512 7cb4c56df9f426c02c13f45d0f3f3cf68a4a40453d16a0a6ea644769d48220e52f11bde90a58f656e9d7cf0d9b344e4432fd5f38511a431b4845350ce40d5df2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 e564bb764920de9fe93ce9b0e892e320
SHA1 57097b440a86f494b2c99345ad79867ce2c3e310
SHA256 35d8533a3686939d00cae31704f0802dfc5cbfed6520c519967e8a7ccec0cfb4
SHA512 8dc88f75b41e79136069d0908c2eac98fd8ea7360862ca8dcfc8d59ca42af1cf0c46f011a11a31eff12bc7cbf8541b6420f12530ee0cd616a786f93c4dad0b84

C:\Users\Admin\AppData\Local\Temp\yvzuqpklixkokuan

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\ProgramData\remcos\logs.dat

MD5 a354f25a17731e4d999c05dc237d3153
SHA1 b83edc2ef8d0f5a7382f77460983dc9a3fd47536
SHA256 fd8643558eaaa90029a09aaa3406cb1275ee5b79857216bdb43b1da82c2f20fa
SHA512 75d4571bcfb45c5555b212a5d69a4acaa28de9338a1ea90f15cf1c51c594d5ec8b214b69e44911870883db58be613eaac55af9ee9a3d42fcecad6bd2764a8289

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-13 02:39

Reported

2024-02-13 02:45

Platform

win10v2004-20231222-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"

Signatures

Remcos

rat remcos

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Detects executables built or packed with MPress PE compressor

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Detects executables referencing many email and collaboration clients. Observed in information stealers

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3932 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3932 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3932 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Windows\SysWOW64\schtasks.exe
PID 3932 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 3932 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 3932 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 3932 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 3932 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 3932 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 4688 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 4688 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 4688 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 4688 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 4688 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 4688 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 4688 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 4688 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 4688 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 4688 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 4688 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 4688 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

"C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bZurkfs.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bZurkfs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7C83.tmp"

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

"C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

"C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

"C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\fryjxsbwwzzvwjgfzktfgujgobbexyuofu"

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\pmltyl"

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\zoqmzdwrg"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
LV 84.38.132.126:61445 N/A tcp
US 8.8.8.8:53 126.132.38.84.in-addr.arpa udp
LV 84.38.132.126:61445 N/A tcp
LV 84.38.132.126:61445 N/A tcp
LV 84.38.132.126:61445 N/A tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 20.231.121.79:80 N/A tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp

Files

memory/3932-0-0x00000000006B0000-0x00000000007BA000-memory.dmp

memory/3932-1-0x0000000074A40000-0x00000000751F0000-memory.dmp

memory/3932-2-0x0000000007C10000-0x00000000081B4000-memory.dmp

memory/3932-3-0x0000000007660000-0x00000000076F2000-memory.dmp

memory/3932-4-0x00000000078D0000-0x00000000078E0000-memory.dmp

memory/3932-5-0x0000000004C30000-0x0000000004C3A000-memory.dmp

memory/3932-6-0x000000000A140000-0x000000000A1DC000-memory.dmp

memory/3932-7-0x000000000A090000-0x000000000A0A4000-memory.dmp

memory/3932-9-0x000000000A490000-0x000000000A49E000-memory.dmp

memory/3932-8-0x000000000A480000-0x000000000A48A000-memory.dmp

memory/3932-10-0x000000000A580000-0x000000000A646000-memory.dmp

memory/1020-15-0x0000000005190000-0x00000000051C6000-memory.dmp

memory/1020-16-0x0000000074A40000-0x00000000751F0000-memory.dmp

memory/1020-17-0x0000000005880000-0x0000000005EA8000-memory.dmp

memory/1020-18-0x0000000005240000-0x0000000005250000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7C83.tmp

MD5 ad81223addb11ebb92c7174a2650c7b9
SHA1 a3e8b2f33583879b22cdf2b73c5156ac08e6145b
SHA256 03454a2d05e1c0dcb44f10acea7101f59f0f177d3adc36b1d7e6d12e42d3863d
SHA512 34a6b7934f924977fed49d6932aceb146c2ab7d8bfd77bc55a49e96e2a4ca4f2d1c853babb344832ce729bfed901d9c2613434a27f58161688a29641af2bdd67

memory/1020-19-0x0000000005690000-0x00000000056B2000-memory.dmp

memory/4668-21-0x0000000074A40000-0x00000000751F0000-memory.dmp

memory/4668-23-0x0000000004710000-0x0000000004720000-memory.dmp

memory/4668-22-0x00000000054F0000-0x0000000005556000-memory.dmp

memory/1020-25-0x0000000006120000-0x0000000006186000-memory.dmp

memory/4668-26-0x0000000005640000-0x0000000005994000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ghzwiu1c.vyp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1020-24-0x0000000005240000-0x0000000005250000-memory.dmp

memory/4688-46-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4688-37-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4688-48-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4688-50-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3932-49-0x0000000074A40000-0x00000000751F0000-memory.dmp

memory/4688-53-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4688-54-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4688-52-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4668-55-0x0000000005BE0000-0x0000000005BFE000-memory.dmp

memory/4668-56-0x0000000005C70000-0x0000000005CBC000-memory.dmp

memory/4668-57-0x000000007F8A0000-0x000000007F8B0000-memory.dmp

memory/1020-59-0x000000007FD50000-0x000000007FD60000-memory.dmp

memory/4668-58-0x00000000061B0000-0x00000000061E2000-memory.dmp

memory/1020-71-0x0000000006CE0000-0x0000000006CFE000-memory.dmp

memory/1020-73-0x0000000005240000-0x0000000005250000-memory.dmp

memory/4668-84-0x0000000004710000-0x0000000004720000-memory.dmp

memory/4688-87-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4688-88-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4668-91-0x0000000006F00000-0x0000000006F1A000-memory.dmp

memory/4668-90-0x0000000007540000-0x0000000007BBA000-memory.dmp

memory/4688-89-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4688-85-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4688-72-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4668-92-0x0000000006F70000-0x0000000006F7A000-memory.dmp

memory/1020-83-0x0000000007930000-0x00000000079D3000-memory.dmp

memory/4668-61-0x0000000073510000-0x000000007355C000-memory.dmp

memory/4668-93-0x0000000007180000-0x0000000007216000-memory.dmp

memory/1020-60-0x0000000073510000-0x000000007355C000-memory.dmp

memory/4688-96-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1020-94-0x0000000007C70000-0x0000000007C81000-memory.dmp

memory/4688-97-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4688-99-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4668-100-0x0000000007140000-0x0000000007154000-memory.dmp

memory/4668-98-0x0000000007130000-0x000000000713E000-memory.dmp

memory/4668-102-0x0000000007220000-0x0000000007228000-memory.dmp

memory/1020-101-0x0000000007DB0000-0x0000000007DCA000-memory.dmp

memory/4668-110-0x0000000074A40000-0x00000000751F0000-memory.dmp

memory/1020-109-0x0000000074A40000-0x00000000751F0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a93916c9140474d94083883ca0dbaab2
SHA1 3da7e3c2114124214d680302c71be7e753f1c108
SHA256 596ae82910e6c65d7acf59768a51bcabe552e1ef6548a68050d8f3b89ecb7090
SHA512 e88f9530f9f70c10400f2494bae88758c32131c412369e364f456261f6b7c052be76585dd622db9818e64b03e77dfed76a879b9cbed1e5976fb22c5040025b83

memory/4756-111-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3924-113-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2764-116-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4756-120-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3924-118-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4756-115-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2764-122-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3924-126-0x0000000000400000-0x0000000000457000-memory.dmp

memory/3924-129-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2764-130-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2764-128-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4756-132-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4688-140-0x0000000010000000-0x0000000010019000-memory.dmp

memory/4688-139-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4688-138-0x0000000010000000-0x0000000010019000-memory.dmp

memory/4688-137-0x0000000010000000-0x0000000010019000-memory.dmp

memory/4688-134-0x0000000010000000-0x0000000010019000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fryjxsbwwzzvwjgfzktfgujgobbexyuofu

MD5 2cbe8873d9d19e766fd9a1f758da8e74
SHA1 544271b8bf2aa7108e9f0f1cf11de5eb2a389f17
SHA256 b92f48c215f2d309a748e67787283bb2c61bbce1faf7dcb3b917f57be92b28e2
SHA512 4f8842cfc7b97b82e5f105aeb1b838f9f50072d3f9cae7412e09c0f8fb592a40fc6064cd9ef8e67133ec5694590d106d3e3141e2fd0a21c3d32d6340068ca632

memory/4688-142-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4688-144-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4688-145-0x0000000000400000-0x0000000000482000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 9aa4b078265adbb6492b1f982484fa1a
SHA1 8dfc7ceb9bda99c5d8a4a185c50f4edd0c70f5d1
SHA256 8f23ff2f91a0de3386c3c2134741684f91b8695f9f7c9b8cf43a706b8b0798b4
SHA512 5f13c8aec0b59029c7c9d635865b8b70601d142c6c5bae8966a3f5b9f8f6035676f5f52306d9af4839cb35fd4fff2115b776f47e262c421667294adb27584c76

memory/4688-151-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4688-152-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4688-159-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4688-160-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4688-167-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4688-168-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4688-175-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4688-176-0x0000000000400000-0x0000000000482000-memory.dmp