Malware Analysis Report

2025-08-10 16:48

Sample ID 240213-c5t92sdb48
Target 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
SHA256 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b
Tags
remcos p2-bin collection rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b

Threat Level: Known bad

The file 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe was found to be: Known bad.

Malicious Activity Summary

remcos p2-bin collection rat spyware stealer

Remcos

Detects executables built or packed with MPress PE compressor

Nirsoft

NirSoft MailPassView

Detects executables referencing many email and collaboration clients. Observed in information stealers

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

NirSoft WebBrowserPassView

Reads user/profile data of web browsers

Checks computer location settings

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-13 02:40

Signatures

Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-13 02:40

Reported

2024-02-13 02:43

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"

Signatures

Remcos

rat remcos

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Detects executables built or packed with MPress PE compressor

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Detects executables referencing many email and collaboration clients. Observed in information stealers

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1632 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1632 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1632 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1632 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1632 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1632 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1632 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Windows\SysWOW64\schtasks.exe
PID 1632 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Windows\SysWOW64\schtasks.exe
PID 1632 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Windows\SysWOW64\schtasks.exe
PID 1632 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 1632 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 1632 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 1632 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 1632 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 1632 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 1632 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 1632 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 1632 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 1632 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 1632 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 1632 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 3524 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 3524 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 3524 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 3524 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 3524 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 3524 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 3524 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 3524 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 3524 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 3524 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 3524 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 3524 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 3524 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 3524 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 3524 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

"C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bZurkfs.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bZurkfs" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC98A.tmp"

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

"C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\ybcwyooena"

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\ybcwyooena"

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\bvhhzyzybizuo"

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\lxvzarjzpqrzrakw"

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
NL 52.142.223.178:80 tcp
LV 84.38.132.126:61445 tcp
US 8.8.8.8:53 126.132.38.84.in-addr.arpa udp
LV 84.38.132.126:61445 tcp
LV 84.38.132.126:61445 tcp
LV 84.38.132.126:61445 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tmpC98A.tmp

MD5 1cb84544cf53d901f985e9f6205a7c58
SHA1 bda0b92e19283f1f8bec9125f23b6f37b6e3ac4c
SHA256 78ce5d59f628a9cd3f230eb3a52fcce04eaf943a4bf2427a3338f8def096c1e4
SHA512 c3b27ea8fb9883b372741a52e76fafd6e99b88be427249b9731b72737f1ce9c2e25056e33516fbe8f3283ec37ceaa118539a3d978d7c3cfd72a82c709e1f8d4f

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_45i2ghrp.1pk.ps1

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\ybcwyooena

MD5 0cb17253d14f1f732dfbc3ef9b580d1e
SHA1 85d726cf68f14dd34090de9f4d160c0387249b68
SHA256 e09a0aed9bbc43da3b7a85d30a9a10b54d11c096aa6cef81c23364bc9c4dfcc9
SHA512 f651e62d58e83f9d5e21f3ac8cc516290bfff66c1981dc14cc3a7a900db70d6e7e15c99bb717a18c036b96a6c2f794c2351df7aa39b69531f2112860a51a86ee

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7f0c8309fc59107b92bef1f40caf2a89
SHA1 8c3af4986aaf807d8029929b80d6e6c0644fcae6
SHA256 129479c781c7199949f114557332f754b377a171ac40e8fd8f074151cb09ba05
SHA512 2c56c1df483e6d4272c4e3ad37d4e993b90375c52eead22cc658c0fc6fc5680f7b57349ed8a7688e555411ba519f1ec72987ab2c68123021f35073e4f4b41614

C:\ProgramData\remcos\logs.dat

MD5 16e709c02499825a3ac02831c2ca5002
SHA1 6a5472c946c9af0224f4bf5c10af826a9b57a3df
SHA256 20ebb342556fd65808c40fbb6e84ece09b15635cd7820684db41e529676cd1ff
SHA512 bc0244ecbd1b9019c34be3b651aba1577a077b3e13f582c43b0651fe0424871722c9595466daad46a4b2fe3ba305152e4e1ee36fdf20415b27a82c0b71b6eebd

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-13 02:40

Reported

2024-02-13 02:44

Platform

win7-20231215-en

Max time kernel

148s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"

Signatures

Remcos

rat remcos

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Detects executables built or packed with MPress PE compressor

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Detects executables referencing many email and collaboration clients. Observed in information stealers

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1236 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1236 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1236 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1236 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1236 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1236 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1236 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1236 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1236 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Windows\SysWOW64\schtasks.exe
PID 1236 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Windows\SysWOW64\schtasks.exe
PID 1236 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Windows\SysWOW64\schtasks.exe
PID 1236 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Windows\SysWOW64\schtasks.exe
PID 1236 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 1236 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 1236 wrote to memory of 2636 (11 events) N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 2636 wrote to memory of 328 (5 events) N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 2636 wrote to memory of 1032 (5 events) N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 2636 wrote to memory of 2236 (5 events) N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

"C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bZurkfs.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bZurkfs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp50CE.tmp"

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

"C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\duzopabmglegcbumxgqhdlcjt"

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\gxegqsuoutwlepqqhrdagywaufpic"

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\qrjrrlfhiboqovfuycqcrdjjdmhrvpra"
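
The process list above is the whole Remcos chain in four command lines: two PowerShell Add-MpPreference calls that exclude the sample and its Roaming copy (bZurkfs.exe) from Defender, a schtasks /Create that installs the task "Updates\bZurkfs" from an XML file in Temp, and three children running the sample's own image with the NirSoft /stext switch (save recovered credentials as text) after the parent wrote into them (the WriteProcessMemory rows). The following is an added detection example written for this page, not sandbox output and not code from the sample or its author. It encodes those four patterns as rules and runs them over records reconstructed from the report. The PIDs 1236, 2636, 328, 1032 and 2236 are the ones the report names; the PIDs 9001-9003 given to powershell.exe and schtasks.exe, and the rule names, are assumptions for the example.

```python
"""Detection rules over the process records of this Remcos report (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str    # image path as loaded (SysWOW64 for these 32-bit hosts)
    cmdline: str  # command line as logged (System32 path, redirected by WoW64)


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe")
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '

# Constructed from the Processes section. PIDs 9001-9003 are ASSUMED: the report
# does not tie powershell.exe or schtasks.exe to a PID.
PROCS = [
    Proc(1236, SAMPLE, rf'"{SAMPLE}"'),
    Proc(9001, PS, PS_CMD + rf'Add-MpPreference -ExclusionPath "{SAMPLE}"'),
    Proc(9002, PS, PS_CMD + r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bZurkfs.exe"'),
    Proc(9003, r"C:\Windows\SysWOW64\schtasks.exe",
         rf'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bZurkfs" /XML "{TEMP}\tmp50CE.tmp"'),
    Proc(2636, SAMPLE, rf'"{SAMPLE}"'),
    Proc(328, SAMPLE, rf'{SAMPLE} /stext "{TEMP}\duzopabmglegcbumxgqhdlcjt"'),
    Proc(1032, SAMPLE, rf'{SAMPLE} /stext "{TEMP}\gxegqsuoutwlepqqhrdagywaufpic"'),
    Proc(2236, SAMPLE, rf'{SAMPLE} /stext "{TEMP}\qrjrrlfhiboqovfuycqcrdjjdmhrvpra"'),
]

# (writer pid, target pid, event count) taken from the WriteProcessMemory rows.
WRITES = [(1236, 2636, 11), (2636, 328, 5), (2636, 1032, 5), (2636, 2236, 5)]


def basename(path: str) -> str:
    """Match on the file name only, so SysWOW64 and System32 paths compare equal."""
    return path.rsplit("\\", 1)[-1].lower()


def defender_exclusion(p: Proc) -> bool:
    """PowerShell adding a Defender path exclusion (needs an elevated context)."""
    cl = p.cmdline.lower()
    return (basename(p.image) == "powershell.exe"
            and "add-mppreference" in cl and "-exclusionpath" in cl)


def schtasks_xml_from_temp(p: Proc) -> bool:
    """schtasks /Create whose task definition (/XML) is read from a user Temp dir."""
    cl = p.cmdline.lower()
    return (basename(p.image) == "schtasks.exe" and "/create" in cl
            and re.search(r'/xml\s+"?[^"]*\\appdata\\local\\temp\\', cl) is not None)


def nirsoft_stext(p: Proc) -> bool:
    """NirSoft-style '/stext <file>' writing into Temp. The image name is not
    used: here the switch is passed to a hollowed copy of the sample itself."""
    return re.search(r'\s/stext\s+"?[^"]*\\appdata\\local\\temp\\',
                     p.cmdline, re.I) is not None


def hollowing_candidates(procs, writes):
    """A process writing into a child that runs the same image is the
    WriteProcessMemory half of process hollowing; return those child PIDs."""
    by_pid = {p.pid: p for p in procs}
    hits = set()
    for src, dst, _count in writes:
        if (src in by_pid and dst in by_pid
                and by_pid[src].image.lower() == by_pid[dst].image.lower()):
            hits.add(dst)
    return sorted(hits)


def evaluate(procs=PROCS, writes=WRITES) -> dict:
    """Return {rule name: sorted PIDs that matched}."""
    rules = {"defender_exclusion": defender_exclusion,
             "schtasks_xml_from_temp": schtasks_xml_from_temp,
             "nirsoft_stext": nirsoft_stext}
    out = {name: sorted(p.pid for p in procs if rule(p)) for name, rule in rules.items()}
    out["hollowing_candidate"] = hollowing_candidates(procs, writes)
    return out


if __name__ == "__main__":
    for rule, pids in evaluate().items():
        print(f"{rule:24s} {pids}")
```

The hollowing rule keys on "parent wrote into a child running the same image" rather than on any API name, which is why it also picks up 2636 (the first-stage child of 1236) and not only the three /stext children; the three rules on command lines are deliberately independent of the sample's file name, since the next build will carry a different hash.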

Network

Country Destination Domain Proto
LV 84.38.132.126:61445 tcp
LV 84.38.132.126:61445 tcp
LV 84.38.132.126:61445 tcp
LV 84.38.132.126:61445 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp

Files

memory/1236-0-0x00000000010C0000-0x00000000011CA000-memory.dmp

memory/1236-1-0x0000000074300000-0x00000000749EE000-memory.dmp

memory/1236-2-0x0000000000D30000-0x0000000000D70000-memory.dmp

memory/1236-3-0x0000000000480000-0x0000000000494000-memory.dmp

memory/1236-4-0x0000000000680000-0x000000000068A000-memory.dmp

memory/1236-5-0x0000000000690000-0x000000000069E000-memory.dmp

memory/1236-6-0x00000000075E0000-0x00000000076A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp50CE.tmp

MD5 6b3a22c6ef6bb30074e7e34c9703753d
SHA1 75e1f437d4dc2bcae9e1a7856d9436e2ac2b13d6
SHA256 5b52a128b8e24f54468a2784e64f4111b1a7cdd84aa5bb3b26b32a465beb9832
SHA512 6e0ca476e19ec30f091ed0e76f080ab8ae5f042d2fd6b027618d3f7aa464475049a8034cca8111b81db0f748a76b561270521c6efcbae26009dd00019c34cad7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N3Z8H7P8J8LNIYSTVC3M.temp

MD5 30aab212b03d03018a89c2ccd71cb3ef
SHA1 0f5ecd45183a3c697c583108667d66ef49db63cb
SHA256 dcba42f1ed27a6d2f3c80867ab0d977e0b8174f624154fdc9c843eeef0816290
SHA512 b53531767d70e672b53249942d9496e9633795e39b6e69a5977f8128db0c94064730ac3d0a3d5aca9b03efda68b31024e55129c7656e1d9a535e9d3bb51b7813

memory/2832-20-0x000000006F300000-0x000000006F8AB000-memory.dmp

memory/2636-19-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2936-23-0x000000006F300000-0x000000006F8AB000-memory.dmp

memory/2936-25-0x0000000002920000-0x0000000002960000-memory.dmp

memory/2832-27-0x0000000001D90000-0x0000000001DD0000-memory.dmp

memory/2936-29-0x000000006F300000-0x000000006F8AB000-memory.dmp

memory/2832-31-0x000000006F300000-0x000000006F8AB000-memory.dmp

memory/2832-32-0x0000000001D90000-0x0000000001DD0000-memory.dmp

memory/2636-35-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2832-36-0x0000000001D90000-0x0000000001DD0000-memory.dmp

memory/2636-39-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2936-38-0x0000000002920000-0x0000000002960000-memory.dmp

memory/2936-34-0x0000000002920000-0x0000000002960000-memory.dmp

memory/2636-30-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2636-45-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2636-43-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2636-41-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2636-26-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2636-24-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2636-47-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2636-48-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2636-53-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2832-55-0x000000006F300000-0x000000006F8AB000-memory.dmp

memory/2936-54-0x000000006F300000-0x000000006F8AB000-memory.dmp

memory/2636-52-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2636-51-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1236-49-0x0000000074300000-0x00000000749EE000-memory.dmp

memory/2636-22-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2636-57-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2636-56-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2636-58-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2636-60-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2636-61-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2636-59-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2636-63-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2636-64-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2636-65-0x0000000000400000-0x0000000000482000-memory.dmp

memory/328-68-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1032-73-0x0000000000400000-0x0000000000457000-memory.dmp

memory/328-76-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1032-78-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2236-84-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2236-87-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2236-86-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2236-85-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1032-81-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2236-82-0x0000000000400000-0x0000000000424000-memory.dmp

memory/328-92-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1032-80-0x0000000000400000-0x0000000000457000-memory.dmp

memory/328-72-0x0000000000400000-0x0000000000478000-memory.dmp

memory/328-66-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\duzopabmglegcbumxgqhdlcjt

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/1032-95-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2636-100-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2636-101-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2636-99-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2636-96-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2636-102-0x0000000000400000-0x0000000000482000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 f185b942e2b36cce42dbcd5dc39f52f5
SHA1 13864f31287efe09d4b8a7ca22532e922e0ea0e1
SHA256 cb322d920e5bf2a13e4247c41b7da8f2c84bbce9733e99025e4cd2188f9d2c7b
SHA512 f4b7adc31a3c3fd45c2a35369921810379c0f45bd740fe305e963b28d6314440ef94a623543527cd27d7a01691a6e7e7fb268ce7caa1448a33ba029c1faec93c

memory/2636-107-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2636-108-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2636-110-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2636-116-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2636-117-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2636-124-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2636-125-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2636-132-0x0000000000400000-0x0000000000482000-memory.dmp