Malware Analysis Report

2025-01-02 03:21

Sample ID 240402-l1cc4sde9v
Target a13294a6154bab3c3b03ad32b9752197ff24c1bf5ddefd4f50e01c2709f26f4a.zip
SHA256 324b231b961f203f830af2a9eecfc3015e0e10a340309174392075aa555b2447
Tags
remcos remotehost collection rat spyware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

324b231b961f203f830af2a9eecfc3015e0e10a340309174392075aa555b2447

Threat Level: Known bad

The file a13294a6154bab3c3b03ad32b9752197ff24c1bf5ddefd4f50e01c2709f26f4a.zip was found to be: Known bad.

Malicious Activity Summary

remcos remotehost collection rat spyware stealer

Remcos

Nirsoft

NirSoft MailPassView

NirSoft WebBrowserPassView

Executes dropped EXE

Loads dropped DLL

Drops startup file

Reads user/profile data of web browsers

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

AutoIT Executable

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-02 09:59

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-02 09:59

Reported

2024-04-02 10:02

Platform

win7-20240221-en

Max time kernel

69s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a13294a6154bab3c3b03ad32b9752197ff24c1bf5ddefd4f50e01c2709f26f4a.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs C:\Users\Admin\AppData\Local\directory\name.exe N/A

AutoIT Executable

Description Indicator Process Target
(23 hits; the sandbox recorded no description, indicator, process or target for any of them)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target Hits
N/A N/A C:\Users\Admin\AppData\Local\Temp\a13294a6154bab3c3b03ad32b9752197ff24c1bf5ddefd4f50e01c2709f26f4a.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Local\directory\name.exe N/A 45

Suspicious use of SendNotifyMessage

Description Indicator Process Target Hits
N/A N/A C:\Users\Admin\AppData\Local\Temp\a13294a6154bab3c3b03ad32b9752197ff24c1bf5ddefd4f50e01c2709f26f4a.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Local\directory\name.exe N/A 44

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(each row below occurs four times in the original table, 64 rows in all; the pairs form one linear chain in which every written-to PID becomes the source of the next four writes)
PID 1704 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\a13294a6154bab3c3b03ad32b9752197ff24c1bf5ddefd4f50e01c2709f26f4a.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 2992 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 2416 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 2712 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 2420 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 2944 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 2772 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 2144 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 1500 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 2324 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 772 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 2724 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 2264 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 3000 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 1520 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 2064 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe
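The WriteProcessMemory rows above are the only place in this flattened report where the parent-child relationship between the name.exe copies survives: each PID that is written into becomes the source of the next group of four writes, and the summary also lists "Suspicious use of SetThreadContext", which together is the shape of a RunPE-style hollowing relay. The script below is an editor's added example, not part of the sandbox output; it parses rows in the report's own row format, rebuilds the relay chain and flags parent-child edges with four or more writes. SAMPLE_ROWS is a constructed subset of the table (PID 5555 and its single write are invented to show branching and the threshold), and the four-writes heuristic is an analyst's inference, not a signature the sandbox emitted.

```python
import re
from collections import Counter, defaultdict

# Row format of the report's "Suspicious use of WriteProcessMemory" table:
#   PID <src> wrote to memory of <dst> N/A <src image> <dst image>
# Image paths in this report contain no spaces; the regex relies on that.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

# Constructed sample: the first three parent->child pairs of behavioral1, each
# logged four times as in the report, plus one made-up single write to PID 5555
# (not in the report) to exercise branching and the write-count threshold.
SAMPLE_ROWS = r"""
PID 1704 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\a13294a6154bab3c3b03ad32b9752197ff24c1bf5ddefd4f50e01c2709f26f4a.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 1704 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\a13294a6154bab3c3b03ad32b9752197ff24c1bf5ddefd4f50e01c2709f26f4a.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 1704 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\a13294a6154bab3c3b03ad32b9752197ff24c1bf5ddefd4f50e01c2709f26f4a.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 1704 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\a13294a6154bab3c3b03ad32b9752197ff24c1bf5ddefd4f50e01c2709f26f4a.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 2992 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 2992 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 2992 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 2992 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 2416 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 2416 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 2416 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 2416 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 2416 wrote to memory of 5555 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe
"""


def parse_rows(text):
    """Return (Counter{(src_pid, dst_pid): write count}, {pid: image path})."""
    writes, images = Counter(), {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        src, dst = int(m["src"]), int(m["dst"])
        writes[(src, dst)] += 1
        images[src], images[dst] = m["src_img"], m["dst_img"]
    return writes, images


def basename(path):
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def injection_chains(writes):
    """Walk src->dst edges from every root (a PID nobody wrote into) and return
    each root-to-leaf path as a list of PIDs. A path keeps growing while the
    target of one write is the source of the next, which is the relay pattern
    behavioral1 shows (1704 -> 2992 -> 2416 -> ... -> 1908)."""
    children = defaultdict(list)
    for src, dst in writes:
        children[src].append(dst)
    roots = sorted({s for s, _ in writes} - {d for _, d in writes})
    chains = []

    def walk(pid, path):
        path = path + [pid]
        if not children[pid]:
            chains.append(path)
            return
        for nxt in sorted(children[pid]):
            walk(nxt, path)

    for root in roots:
        walk(root, [])
    return chains


def hollowing_candidates(writes, min_writes=4):
    """Parent->child edges with at least `min_writes` writes. Several writes into
    a freshly created child, together with the SetThreadContext hit in the
    summary, is the shape of RunPE-style hollowing; this is an analyst heuristic,
    not a signature the sandbox emitted."""
    return sorted(edge for edge, n in writes.items() if n >= min_writes)


if __name__ == "__main__":
    writes, images = parse_rows(SAMPLE_ROWS)
    for chain in injection_chains(writes):
        print(" -> ".join(f"{pid} ({basename(images[pid])})" for pid in chain))
    print("hollowing candidates:", hollowing_candidates(writes))
```

Run against the full 64-row table the chain comes back as one 17-PID path and every one of the 16 edges passes the threshold; a chain that branches, as the constructed PID 5555 row makes it do, is reported as a second path from the same root.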

Processes

C:\Users\Admin\AppData\Local\Temp\a13294a6154bab3c3b03ad32b9752197ff24c1bf5ddefd4f50e01c2709f26f4a.exe

"C:\Users\Admin\AppData\Local\Temp\a13294a6154bab3c3b03ad32b9752197ff24c1bf5ddefd4f50e01c2709f26f4a.exe"

C:\Users\Admin\AppData\Local\directory\name.exe

"C:\Users\Admin\AppData\Local\Temp\a13294a6154bab3c3b03ad32b9752197ff24c1bf5ddefd4f50e01c2709f26f4a.exe"

(image path is name.exe while the recorded command line is the original sample's)

C:\Users\Admin\AppData\Local\directory\name.exe

"C:\Users\Admin\AppData\Local\directory\name.exe"

(this image and command-line pair is repeated 50 times in the original listing; the list is flat, so the parent-child tree is only recoverable from the WriteProcessMemory rows above)

Network

N/A

Files

memory/1704-10-0x0000000000160000-0x0000000000164000-memory.dmp

\Users\Admin\AppData\Local\directory\name.exe

MD5 730fd6425490051551536c3b47fb4147
SHA1 99a9202643cc0f1dcc4f34e0bde482817849e32a
SHA256 9df8d0802da3f328ed644ca93781c0b285e3d61d647f83511bfcb2bd56bc6415
SHA512 d0f027672b7f3690b6490e2f71c01d16f825c3db990839e2a7dcc480be95a3f7629e944b9c090e8d99308ee86d9728b512c09580e369c09ceb8755c5a604d553

C:\Users\Admin\AppData\Local\directory\name.exe

MD5 cf30a2c2e202adaa306fa4a47cd4e4c2
SHA1 94a2bdf9d9faf109c28a78775b11437e0e101e6f
SHA256 fd9d4682527e7e3d14cd04e589e6ad26c2c105ea3ca4bd29706dc15073783f46
SHA512 21f6e36ee19ca0190d483d5b709a4d0d1750e85b3232b5fcf1cd244755f1b5d8dc2fb92b5c9166119a6037cd35fa578f449c6d4ea90d46cfbeac46ba7ce1e647

C:\Users\Admin\AppData\Local\directory\name.exe

MD5 b5e4caeeb145930dd17e4c741c2921a1
SHA1 be97202e6bd8b24f626741025b1ac9417ba481a4
SHA256 08eedaec67807440e15962ee57777c7e6a74c123211aaffa05540f565266522d
SHA512 7d3910543360917499ce2a33148c449df4d39a167a4c6be227c785845005398f7e4020e2324960b12eb4192d4611c22b65f8cdbcf0bd28c7a65409dec7ec39d6

C:\Users\Admin\AppData\Local\Temp\translucently

MD5 0f62f30f40f703c2032293d600a39023
SHA1 45e35cf0dfef87762f778af26cd0d6da78ff20f5
SHA256 84d10a4ef939181773c5ac65f779db2df4bc5a314911a10ad661385bbe7019a0
SHA512 e9e6780120688e712f84429f9a14d6b87278e821e21308f26a39750fe7a5acab158e1be13f35701c2c7c9c8748a1a3f6fb2306d787f6dad9911e332404be8e35

C:\Users\Admin\AppData\Local\Temp\orographically

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(zero-byte file: these are the digests of empty input; the same path appears again below with content)

C:\Users\Admin\AppData\Local\directory\name.exe

MD5 d23949ef8b67fe75cc35178f29f085b5
SHA1 3524ef80c9718c1799387858d09c42bfe3ce1dc2
SHA256 eb638067583763a999ab323a66dca1ad4fc71617372ca02dbb103692b319477e
SHA512 bd6cd820ad4772a07bbe6c5034131a2cdd2706c98adf8f29d21e2ca0629c0803bb5c2d4c5146f1caf19173cdd8bd8e651029a6439777d72f3ae7799724abcef5

C:\Users\Admin\AppData\Local\Temp\aut6F37.tmp

MD5 2644676ce90c118f0e67e0878d9ae0be
SHA1 35b4f91ebc96318e758120ce2bc7065b3a06fa8e
SHA256 ffb28a12f62a2ae2553312ce4c90a126466ed7bf61eb61de1b4f32578d46308a
SHA512 8721eb5ac8abb321aa836036adef42f9b210cf07a70aefe9a50d9c9e2534d9936fd6c1781cc330a3b37b1316410262c7533ab57ed7cbd24dfc0a017a2937d5ff

C:\Users\Admin\AppData\Local\Temp\orographically

MD5 06ce9b88a2fc490c23d22c73dbc79600
SHA1 17f0144dab89510931a68ad58686a23255e0f4c8
SHA256 d27a7b27b70ea26b82337c20adf7d7703c551560395e376576fd1f3d0ea124e3
SHA512 9cb137c0b7c65721a50d53cf5068ce101c10634486e54a3efd925024bdb1b4371bc153997b3ce37adf4b6ff3891070e2c4a0d3c0d35797a9fcdb2693e16fbc74

C:\Users\Admin\AppData\Local\Temp\aut6F76.tmp

MD5 a1cd843e7f1a1d118f9a0a8f8558c1cf
SHA1 cf756f78469d624158b76ebdc854c0c44a9e82b0
SHA256 7967c3a8c810b9913992cd2d2178b2755e81a00b8252fba9ec15a149d3426893
SHA512 e6ec694edad780805f8fba079b2cb9c4f4693aa0bf7147f48c046cf6c4b24df8f67459cb04948683e45c347f68e1a25a70c04485cf48ee49988e8773171ccaf3

C:\Users\Admin\AppData\Local\directory\name.exe

MD5 1c6597895cfee9a17e71278c16d41a37
SHA1 abc6fb83e0ea2467fe231ead090135aecf31c7ea
SHA256 4ee00ed260e31e3b4344db838c209d0c0465617774cf331c0a670b3342f51a72
SHA512 01226760a07dce9ca3375378ad42341b69b60d07babbbd45e64ae75211c85897c94b9d5de2910fa004518656ff26185a9c0a6b07f243c6ac457f66bf18e9092a

C:\Users\Admin\AppData\Local\directory\name.exe

MD5 1cf40f2ce458c7d7a5a76e357f844307
SHA1 a0d615ae967203bd029235000880349b4f0f121a
SHA256 7867b9a6af5139ad9161ed2b3f3e319d30e3c14b05a0813c3f9d21be00c17985
SHA512 beb80bfea6ae20c92c2cca27bdbf85b9da9201955f05a060da32152847b12c5b0e814fdd107ab55ea950eb875cd8e42237b33d1e7887c8c95df27ba59248a5cc

C:\Users\Admin\AppData\Local\directory\name.exe

MD5 1ad88c3c736bd4fab5aab28b6424ede5
SHA1 55098bfa6da7a31219b0503a7ec67346b7c01430
SHA256 69483520a8ac36b557dabb04acec1c9fc41f3444ed1ea31947c7267cacae411f
SHA512 1648e5dac86b12c238bd5cad8b3ee656a150914128a753b6a8920887ff33e0d00a75545bfdc090f02c59c8ab17171caff0b5d32e61bd89a73c823a319089f124

C:\Users\Admin\AppData\Local\directory\name.exe

MD5 4d0bf21e69e5a4be7492fba6ded307eb
SHA1 d66bedfea650d0222de7d567483207e9cd04b072
SHA256 6fccb7a65251c4672bc37c86a9d4131ec4a1081b9d5563b5ba18229de8f5c164
SHA512 740cb476837b9411dc2d88099b9ff4c6e4d02503a6294b7dc426678bc516e89e412046428958474cda8dd67eea9f7b2dbce4902c9015843871c9f096da0b198a

C:\Users\Admin\AppData\Local\directory\name.exe

MD5 827f097336db11c79c25e8048c85eca7
SHA1 4dc653c20a3300a93494194eac2f2c842cde4dd0
SHA256 ea696009ec8e26f4c721b5149408a4c63e13ffa17299c252c9684e8a72d4d943
SHA512 53e777bc23f97a02716acc3210eaa8dde2d508cbe153670bfebe5fc805423f0747fc5604e334ca9d5aa8e3e87da4f3c71677bec445635776c82a97f8f849f0fc

C:\Users\Admin\AppData\Local\directory\name.exe

MD5 d6e2932f1152f0ebda187e15ce4b5932
SHA1 446684a1eec4868ac9f318f0438cc863b2084b51
SHA256 0e75d9e44665797d526e20393e3d5da7151113066190490b956c162968d7926b
SHA512 c1c745207467d268ce5a110d242a169a5a5d739e286b341fa700a81a70113f995d5d7c8601c43c28373a367dff42c815494037d10ba57f5b9061c639ccb9d897

C:\Users\Admin\AppData\Local\directory\name.exe

MD5 d26933ace3913bf1aa5176257906f79e
SHA1 b1fe263fdda081e766541418f2e018e9f6ca3d3e
SHA256 2e375aeb4e52f330e8687f41c12fc2bdb7c617167f6c4d95effaaa05f5e265aa
SHA512 7cc4b3efeb6f74aa2025ba10d0a75268cf490d4b749312fa991b53831e2a05733248efab5f8aacfbd9f3113cea5bade89386dbba597d8904d2fb982184af84f2

C:\Users\Admin\AppData\Local\directory\name.exe

MD5 dc279b19ad95d156ce6f1d4cdb173a79
SHA1 0b6bafe3eaeb3f2bc5161d11cc67b07ffd324a37
SHA256 9bf25737da6f30885ebbb79cda8d120ab0d38e281c3d64f3c06f14ee94f270e3
SHA512 eceadc760f16f796d822562f50bc0e26d1371cfa6813af35d3530b262be702b1daf51cc5cbc1006c9d9e934eae2c66399a76e10019d82a183e9c02361af45e5e

C:\Users\Admin\AppData\Local\directory\name.exe

MD5 7f0fc877b795bf193fc41b60d226bf19
SHA1 9dc04b5106cfa68d2451213ff3f15e2395c08f1d
SHA256 ac9d47e5e4261ce813e9f0dc2346b72675e2401a39edd8119c5ad1861269bd13
SHA512 d1d0c9a47699f28e32dbf4001498675b09668ca6e93830c5c04b0c37ed598da6f72df9912d9506578579bd59e546faf36218e176aba1279fff1edfb7cc1ac518

C:\Users\Admin\AppData\Local\directory\name.exe

MD5 0380c3f0c0633d5715fab21227eabbea
SHA1 3d6118b0046e2990d5cf88cfbfbfcf037faad70d
SHA256 1ccd4574539ab7ce541a78e46f7b60903bc12e377d141097dcf94cf96092e1b7
SHA512 4b93aaa1e95d7c84b51487681551ada1c2da2b389ee470adde40e02e6c7a9ebea309796645917a38479bc1da758ae73f77d812cb3f14fb067cea59942cccdf29

C:\Users\Admin\AppData\Local\directory\name.exe

MD5 86224519b71954d204d171775b1c12b2
SHA1 a9c81a66066f7f063d6c218525e0ee520d915241
SHA256 9050da8414f4c0d04477cbb8d708a5662def6d52d702fa2dd686f1934c863b4f
SHA512 92c29ad429e95290ebb9bfe9699e7e2f9e57cb783a0c1df901bd7303773a3496542e0eee9919c0e7c5c637bcc3cd83d3a875d9b9ef7069dabdd625e5fc44846b

C:\Users\Admin\AppData\Local\directory\name.exe

MD5 787b15f927cae393dc56df467b869102
SHA1 71034bfd589dd005f261cf6a90b7bd6188755e32
SHA256 a09e33a8cb8bed72a25a422317e00dd53bea3a2ed7a4088de5d3fb18eac1ba46
SHA512 3b9d7d4bfe4147b1341c909eb42c7a58397ec063ec7c7b4b86a03cb49530da41dd526308729734634995f1e592e950418c021257204fa00ae3cfe0168a69ce8a

C:\Users\Admin\AppData\Local\directory\name.exe

MD5 97cb51d4be2694a169f1557461d29991
SHA1 c2f2bbf323a0c8598d59f913ba0a22fa299164e4
SHA256 9e46370cc25778a545d68d1b8a44cb435bd77b6cc2dbc9444b65bc13f2b5b593
SHA512 2018c8b32df78c69dbd54f63646cdbf83be6847a2b6665a45444d2797940f8d44e42de1004e04d185f77c8ba01a09a42d3c3cfcb2d7d6aae41afa6983ce75ab4

C:\Users\Admin\AppData\Local\directory\name.exe

MD5 218b8f5407f1ad792ecc5133ff6fcc25
SHA1 fe944fc703a0369c15f6216767e1d20e097e781e
SHA256 dc491f5ee8f17469938de8b8e536ddd532288ea432c4530b4087a87940615a01
SHA512 94c60c84e4b0cccfb8200ab1267511b4b0ad5cdc3ae7ddef2f501896eeae6e2b02caa45b2babde7096b6dcabba5abd02a4bd7f2062fa2fcbd7337d8146b2250c

C:\Users\Admin\AppData\Local\directory\name.exe

MD5 414d8b4eb3639474710af3fa10e9eba9
SHA1 b6a19eae634eed8af5eed71edd2d689d961e69e2
SHA256 0c04faa374c5f7d8a4611471275764fc0276c65f8d1eec953cb5bbbd7ea66a5a
SHA512 5566584c66e19b4d8a8e112d23a233a375db47d059337a2aa04b2d7a1ed035d370a22e6c7351b482a94ef05539ce424030722617c9647ed6cd741335db910609

C:\Users\Admin\AppData\Local\directory\name.exe

MD5 cb177d52255dde93a5baf20cf9c35b39
SHA1 6cf2d3a3463477c8e5b64da87bbc1219a9498459
SHA256 8e3ce74fcc0536bb16b3cc0280b1a1ce45d048e92c5582aa7f428c2000111d21
SHA512 c95e8665322d7fcdb2d1ac4b5542602e3a921e95ed05859906b29c2628fb0ea3d4075bd55a26dbf83f0d48f9d5a42c8cdb79905d99b42cfdd95136094cf620a1

C:\Users\Admin\AppData\Local\directory\name.exe

MD5 9ee3cfb705030f8b3798634d8541ad2f
SHA1 e049da4ffa3fa0c1b4842cf19c2d6b86f9f01f62
SHA256 005ea841832ad8bb097a727300189282db1a5d3ac95a0f53e51554b86185edd3
SHA512 58544306878a054f249339226a74367cdc9d7ce57d19c1382af3a80a2a3f0a6f9ee5c6dbfaaf8442bc494fd3c84c388a09d59f73f12364adf2e1d72851952590

C:\Users\Admin\AppData\Local\directory\name.exe

C:\Users\Admin\AppData\Local\directory\name.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-02 09:59

Reported

2024-04-02 10:02

Platform

win10v2004-20240319-en

Max time kernel

149s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a13294a6154bab3c3b03ad32b9752197ff24c1bf5ddefd4f50e01c2709f26f4a.exe"

Signatures

Remcos

rat remcos

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs C:\Users\Admin\AppData\Local\directory\name.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\directory\name.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\directory\name.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1948 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\a13294a6154bab3c3b03ad32b9752197ff24c1bf5ddefd4f50e01c2709f26f4a.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 1948 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\a13294a6154bab3c3b03ad32b9752197ff24c1bf5ddefd4f50e01c2709f26f4a.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 1948 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\a13294a6154bab3c3b03ad32b9752197ff24c1bf5ddefd4f50e01c2709f26f4a.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 4524 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 4524 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 4524 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 4524 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 4524 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 4524 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 4524 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 4524 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 4524 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 4524 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 4524 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 4524 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 4524 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 4524 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 4524 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Users\Admin\AppData\Local\directory\name.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a13294a6154bab3c3b03ad32b9752197ff24c1bf5ddefd4f50e01c2709f26f4a.exe

"C:\Users\Admin\AppData\Local\Temp\a13294a6154bab3c3b03ad32b9752197ff24c1bf5ddefd4f50e01c2709f26f4a.exe"

C:\Users\Admin\AppData\Local\directory\name.exe

"C:\Users\Admin\AppData\Local\Temp\a13294a6154bab3c3b03ad32b9752197ff24c1bf5ddefd4f50e01c2709f26f4a.exe"

C:\Users\Admin\AppData\Local\directory\name.exe

C:\Users\Admin\AppData\Local\directory\name.exe /stext "C:\Users\Admin\AppData\Local\Temp\ctglbicyoxgcpcalzcislyqlpd"

C:\Users\Admin\AppData\Local\directory\name.exe

C:\Users\Admin\AppData\Local\directory\name.exe /stext "C:\Users\Admin\AppData\Local\Temp\ctglbicyoxgcpcalzcislyqlpd"

C:\Users\Admin\AppData\Local\directory\name.exe

C:\Users\Admin\AppData\Local\directory\name.exe /stext "C:\Users\Admin\AppData\Local\Temp\nvleuanscfypriopjmvtockcxjjam"

C:\Users\Admin\AppData\Local\directory\name.exe

C:\Users\Admin\AppData\Local\directory\name.exe /stext "C:\Users\Admin\AppData\Local\Temp\ppqxvlxuqnquboktaxqnzpflyyajnupm"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4592 --field-trial-handle=2148,i,1752153415760610784,11376271161549019716,262144 --variations-seed-version /prefetch:8

Network


Files

C:\Users\Admin\AppData\Local\directory\name.exe

C:\Users\Admin\AppData\Local\directory\name.exe

C:\Users\Admin\AppData\Local\Temp\orographically

C:\Users\Admin\AppData\Local\Temp\translucently

C:\Users\Admin\AppData\Local\directory\name.exe

C:\Users\Admin\AppData\Local\directory\name.exe

C:\Users\Admin\AppData\Local\directory\name.exe

C:\Users\Admin\AppData\Local\directory\name.exe

C:\Users\Admin\AppData\Local\Temp\ctglbicyoxgcpcalzcislyqlpd

C:\ProgramData\remcos\logs.dat
