Malware Analysis Report

2025-01-02 03:19

Sample ID: 240327-drccraed8y
Target: 9a942028f55f59560c38677923c7ce6a.bin
SHA256: 3562405dc55d1be005e2f595808893a8a683bd8a85727be6c0f6b2eab2f92f04
Tags: remcos remotehost rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 3562405dc55d1be005e2f595808893a8a683bd8a85727be6c0f6b2eab2f92f04

Threat Level: Known bad

The file 9a942028f55f59560c38677923c7ce6a.bin was found to be: Known bad.

Malicious Activity Summary

remcos remotehost rat

Remcos

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-27 03:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-27 03:14
Reported: 2024-03-27 03:16
Platform: win7-20240221-en
Max time kernel: 150s
Max time network: 144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe"

Signatures

Remcos

rat remcos

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2932 wrote to memory of 2488 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 2748 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 2516 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe C:\Windows\SysWOW64\schtasks.exe
PID 2932 wrote to memory of 2384 (13 events) N/A C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe

"C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XPTpFDOlta.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XPTpFDOlta" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4C4C.tmp"

C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe

"C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe"

Network

Country Destination Domain Proto
UA 194.147.140.180:1987 tcp (24 connections)

Files

C:\Users\Admin\AppData\Local\Temp\tmp4C4C.tmp

MD5 d0a7da08184f0947765e4c26ba1ed753
SHA1 3bf5b5dba5ea845ae8c94390762a37ecb14f7a55
SHA256 f6b6bb9747f19b492dfe046f8dc5d90d6683c29ec157f76939cd4be02bd89e1b
SHA512 96d292b9f35cb9e18b165452cc950e25a278e11fdb1e9431e7254b670796bbab4533f7e5cfa908fa193117a031b59b7ba7352c9874affb312221df2f7b02143b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 c1f4951e91a624b2995afd3263bbee01
SHA1 4df480c50390530e74b75b996fa0a9c3de9ffda3
SHA256 3c678fba1369240db8c9be7cfaa285ac40cfdbc4b926bf57be4c57fcb3423821
SHA512 06f5e23d2fdc6cd7805071cc65dd47e2d4bde9b03e0e16b31db2737b3024f51ab1389bc43061054a745f05eb9b3f7b8eda8f2641e64596a706b03ca6767377d9

C:\ProgramData\remcos\logs.dat

MD5 1c97e8356bb3f321842ddebf11a510a6
SHA1 7263e5e8c61c49e4eca7e68ddcac5afd9ba99353
SHA256 ebea6181f8033730a83acbb4eeabbe6bbb1168a2423364ce2b333afef8599d38
SHA512 0abc971c05027e62e67b0b32558e8dc86bc19a47e0f1138592519ee9bc194765c8ee1d7c6b71170cda057ccf2e85115d507b25939ec3ca113e22d0c1c10b3922

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-27 03:14
Reported: 2024-03-27 03:16
Platform: win10v2004-20240226-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe"

Signatures

Remcos

rat remcos

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4952 wrote to memory of 3840 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4952 wrote to memory of 4676 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4952 wrote to memory of 5072 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe C:\Windows\SysWOW64\schtasks.exe
PID 4952 wrote to memory of 3692 (12 events) N/A C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe

"C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XPTpFDOlta.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XPTpFDOlta" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5EAA.tmp"

C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe

"C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
UA 194.147.140.180:1987 tcp (18 connections)
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 64.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp (5 connections)
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
GB 96.17.178.176:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp5EAA.tmp

MD5 20b7cea3861996e11496924c8e136475
SHA1 74498fc7e252587a4e2f58a091c91e67ab3b8a2d
SHA256 ac47b4e2cd894b2f4f3c68442ddc9998ce533b176f0ae329a3688f7ae9f4549a
SHA512 eca8db1fe24a5dc793907452006a8e4fcfa29d9d953adb49bb626d0b22bd7700fb8c2b9df42c3c78ad4b995d827c5e702f88030d1b9d316484ecf96a962bbca6

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x3ujfzh1.svy.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 905e29e49b1e92caedfe833b022d4683
SHA1 7b000a26c29a0944f2d4e71337c8f65b63874a0f
SHA256 6656364c5dfcd95d3c51221e39ed4d74afd9a35491b17604be9dac5bf83610b6
SHA512 ca67fca281d8aab878318647d9822ff1a20d0ccb7ccff323adcf2ebca2eca0dc52f18500dd7ec52c622814c03dc4573faf39ebe55ba21448d215c0ab7084ab1d

C:\ProgramData\remcos\logs.dat

MD5 7f165b58ce922537291bd572c35b4ddd
SHA1 23e344a274d18f52fc55d62c6afbf45df5baeb8f
SHA256 6555796fe3070b8db9f3b36e8d9669bdd07f7fc1951e7459a53323e4d4b9a7b0
SHA512 cdd789ec52831956ae86f0f3005ff79624700f9ed26075da192a5716eb62bf5bbc95fa54b7ba73d310470f53c045ea2ea0ea81ec8ef49a6e81f9310c1e5b2119
