Malware Analysis Report

2025-08-10 16:48

Sample ID 240213-cw6aysae7t
Target 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
SHA256 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b
Tags
remcos p2-bin collection rat spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b

Threat Level: Known bad

The file 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe was found to be: Known bad.

Malicious Activity Summary

remcos p2-bin collection rat spyware stealer

Remcos

NirSoft MailPassView

Detects executables built or packed with MPress PE compressor

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Detects executables referencing many email and collaboration clients. Observed in information stealers

Nirsoft

NirSoft WebBrowserPassView

Checks computer location settings

Reads user/profile data of web browsers

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-13 02:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-13 02:26

Reported

2024-02-13 02:38

Platform

win7-20231215-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"

Signatures

Remcos

rat remcos

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many email and collaboration clients. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2220 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Windows\SysWOW64\schtasks.exe
PID 2220 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 2664 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 2664 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 2664 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 2664 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

"C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bZurkfs.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bZurkfs" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA4A8.tmp"

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

"C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\vdvtgixvtdoriwzinkvefkibeoynoqipho"

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\qzgwhlsqvt"

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\qzgwhlsqvt"

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\ffbdgti"

Network

Country Destination Domain Proto
LV 84.38.132.126:61445 N/A tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmpA4A8.tmp

MD5 34f577ba603d0f7aaaaa466639a07062
SHA1 1de580c95370e08f23d5fae216f3abf4d19fae58
SHA256 5a57e1256539693891aea24d930b229d59b2a8af73e382158213818d298c88ca
SHA512 460042470c0eb76b019aa6b8c0bd9be88e74afdca23456646d50769e29a5a9bd338cb1290690a5d5430be3ee9be98011c7da0775a9a6b07e24c870a155d3eb90

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 8c3d78a8472c5c4ae81d94a5e1427855
SHA1 4615126e60bfb670eabb79ae284f26f6a124c1a7
SHA256 1e5542b2ed2aef299f629a23e04775d284cfc817b2ad0fb53a8fe779d4eb96c8
SHA512 79c20f0a10342fb4d7c7e46cc8a98caaca724f52504783b3a3fcd2b112bcb13fcac39d71e7a3d005a31104a8b707ea64b2d7b93cee0fabc21eee6fbde49e1625

C:\Users\Admin\AppData\Local\Temp\vdvtgixvtdoriwzinkvefkibeoynoqipho

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\ProgramData\remcos\logs.dat

MD5 eaeb48c3a8cb766cb146d01b56b3bfcc
SHA1 001bd5a939da2d9c10cb3fdb1ab30b72306c0bac
SHA256 b3d6bed9864c6d092a09cdea7d8a2488cb489301d9179faedbafc10fb5b69eeb
SHA512 202b671c50f0d4b421731f948305d457c761cf0408270e15198cb1b7c206ae0c2ee2370bc34873ef9cf7c7980fe55d71f9ea9c845f0042e8522b433657f84618

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-13 02:26

Reported

2024-02-13 02:38

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"

Signatures

Remcos

rat remcos

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many email and collaboration clients. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3412 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3412 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3412 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Windows\SysWOW64\schtasks.exe
PID 3412 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 4716 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 4716 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 4716 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 4716 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
PID 4716 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

"C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bZurkfs.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bZurkfs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8405.tmp"

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

"C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\zmvdjxpmjqffcjwezowrglrfu"

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\koiwkqaoxyxkepsiqyjlrymodlla"

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\mjnplikhlgpxpdguajwmudyflzdjrww"

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\mjnplikhlgpxpdguajwmudyflzdjrww"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
NL 52.142.223.178:80 N/A tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
LV 84.38.132.126:61445 N/A tcp
US 8.8.8.8:53 126.132.38.84.in-addr.arpa udp
LV 84.38.132.126:61445 N/A tcp
LV 84.38.132.126:61445 N/A tcp
LV 84.38.132.126:61445 N/A tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

memory/3412-0-0x00000000008C0000-0x00000000009CA000-memory.dmp

memory/3412-1-0x0000000074FF0000-0x00000000757A0000-memory.dmp

memory/3412-2-0x0000000007DA0000-0x0000000008344000-memory.dmp

memory/3412-3-0x0000000007890000-0x0000000007922000-memory.dmp

memory/3412-4-0x0000000007A80000-0x0000000007A90000-memory.dmp

memory/3412-5-0x0000000004E40000-0x0000000004E4A000-memory.dmp

memory/3412-6-0x000000000A350000-0x000000000A3EC000-memory.dmp

memory/3412-7-0x0000000007C40000-0x0000000007C54000-memory.dmp

memory/3412-8-0x000000000A690000-0x000000000A69A000-memory.dmp

memory/3412-9-0x000000000A6A0000-0x000000000A6AE000-memory.dmp

memory/3412-10-0x000000000A790000-0x000000000A856000-memory.dmp

memory/452-15-0x0000000004A00000-0x0000000004A36000-memory.dmp

memory/452-16-0x0000000074FF0000-0x00000000757A0000-memory.dmp

memory/452-18-0x0000000005070000-0x0000000005698000-memory.dmp

memory/452-17-0x00000000049B0000-0x00000000049C0000-memory.dmp

memory/3412-19-0x0000000074FF0000-0x00000000757A0000-memory.dmp

memory/3412-22-0x0000000007A80000-0x0000000007A90000-memory.dmp

memory/4004-21-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

memory/4004-20-0x0000000074FF0000-0x00000000757A0000-memory.dmp

memory/452-23-0x00000000056D0000-0x00000000056F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8405.tmp

MD5 7c80bcb6895d24aaa625a39ce99b769e
SHA1 41a615ae2b4f7c2d33c4f177e1b2ae79b5fed5fd
SHA256 657c33187ff4076b7bde2a6ceffd3c4828705b46911c0b4157a271b173ea4b99
SHA512 11e76a84a9a617227e1d4436c975c39e0de438dee42cc3bc78445cff4a7b2356e21eb1d5e816e0a5bea61ad75a694cb2dac285ad93fa895e2555c224a486652f

memory/452-24-0x00000000057F0000-0x0000000005856000-memory.dmp

memory/4004-26-0x00000000060E0000-0x0000000006146000-memory.dmp

memory/452-41-0x0000000005980000-0x0000000005CD4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ohla4b30.0nz.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4716-46-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3412-50-0x0000000074FF0000-0x00000000757A0000-memory.dmp

memory/4716-49-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4716-47-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4716-52-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4716-51-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4004-54-0x0000000006730000-0x000000000674E000-memory.dmp

memory/4004-56-0x0000000006760000-0x00000000067AC000-memory.dmp

memory/4716-55-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4716-57-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4716-58-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4004-59-0x0000000007720000-0x0000000007752000-memory.dmp

memory/4004-61-0x00000000758A0000-0x00000000758EC000-memory.dmp

memory/4004-60-0x000000007F320000-0x000000007F330000-memory.dmp

memory/4004-71-0x0000000006D20000-0x0000000006D3E000-memory.dmp

memory/4004-72-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

memory/4004-73-0x0000000007960000-0x0000000007A03000-memory.dmp

memory/4716-74-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4716-75-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4716-76-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4716-87-0x0000000000400000-0x0000000000482000-memory.dmp

memory/452-77-0x00000000758A0000-0x00000000758EC000-memory.dmp

memory/4004-88-0x00000000080C0000-0x000000000873A000-memory.dmp

memory/4716-91-0x0000000000400000-0x0000000000482000-memory.dmp

memory/452-89-0x00000000049B0000-0x00000000049C0000-memory.dmp

memory/452-92-0x00000000049B0000-0x00000000049C0000-memory.dmp

memory/4716-93-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4004-90-0x0000000007A80000-0x0000000007A9A000-memory.dmp

memory/4004-94-0x0000000007AF0000-0x0000000007AFA000-memory.dmp

memory/452-95-0x0000000007510000-0x00000000075A6000-memory.dmp

memory/4004-96-0x0000000007C80000-0x0000000007C91000-memory.dmp

memory/4716-97-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4716-99-0x0000000000400000-0x0000000000482000-memory.dmp

memory/452-101-0x00000000074C0000-0x00000000074CE000-memory.dmp

memory/4004-102-0x0000000007CC0000-0x0000000007CD4000-memory.dmp

memory/4004-104-0x0000000007DA0000-0x0000000007DA8000-memory.dmp

memory/452-103-0x00000000075D0000-0x00000000075EA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 600ba4d7fb617532dc740a3d8c39745e
SHA1 8c1a1937024652426a6f92709bcf55fac888b2dd
SHA256 5163af4ee07587e914db171c4da79b60d7aabf6f460ee9936722728e5668b1fc
SHA512 6a4b496a0a06d5664de7090702cc5d512c9d46c3d8bccfa91c012324f0a03120c7a48982c9fc4ea53767a505aceb03dc3bb40a4f638bdf3760525ea423018143

memory/4004-112-0x0000000074FF0000-0x00000000757A0000-memory.dmp

memory/452-111-0x0000000074FF0000-0x00000000757A0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/1320-114-0x0000000000400000-0x0000000000478000-memory.dmp

memory/5032-115-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1320-118-0x0000000000400000-0x0000000000478000-memory.dmp

memory/5032-119-0x0000000000400000-0x0000000000457000-memory.dmp

memory/5032-125-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1320-122-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1536-121-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1536-126-0x0000000000400000-0x0000000000424000-memory.dmp

memory/5032-131-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1536-130-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1536-132-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1320-134-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4716-136-0x0000000010000000-0x0000000010019000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zmvdjxpmjqffcjwezowrglrfu

MD5 636c8230de66506aa2bdb3deee259503
SHA1 244299ce9ed66e9bed0c458c28fa3c417eeabdee
SHA256 98e7ebb0441c43ba079892f7fd1e9c1360d9d0e6d37575e452944fa0b08638d4
SHA512 fb5756dc8c9726be7b7629230ca5cf12c59f7d01225b9b73f08953bd02087bef10e1d2cdb6ed717776d683bd5ce523a069a6ab081992839a238056d57fc4eb6e

memory/4716-139-0x0000000010000000-0x0000000010019000-memory.dmp

memory/4716-141-0x0000000010000000-0x0000000010019000-memory.dmp

memory/4716-144-0x0000000010000000-0x0000000010019000-memory.dmp

memory/4716-143-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4716-142-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4716-146-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4716-147-0x0000000000400000-0x0000000000482000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 48e7aeabe7b011655eee398cb40ef676
SHA1 91abb0b29be437d72b2ca21f98047cb2b50b453e
SHA256 06011eb7563f579ef1d5b370f4f67c69484b5979a34e4ecb94bde9e625bb49ab
SHA512 3e0f963f59b53ccccae312d356d5785458f95dc7a8aa86691710d14ee5bd01f90443bde4048c2e6ab13709938e5db15d62cc90377c2bced514f5ec240bd50ed2

memory/4716-154-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4716-155-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4716-162-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4716-163-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4716-170-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4716-171-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4716-178-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4716-179-0x0000000000400000-0x0000000000482000-memory.dmp