Malware Analysis Report

2025-01-02 03:19

Sample ID 240402-lz664ade8y
Target 5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.zip
SHA256 c82b6fc08bcfa1d30118384b13965df8a3136f5143680a25f7c49abefd260f24
Tags
remcos remotehost rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c82b6fc08bcfa1d30118384b13965df8a3136f5143680a25f7c49abefd260f24

Threat Level: Known bad

The file 5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.zip was found to be: Known bad.

Malicious Activity Summary

remcos remotehost rat

Remcos

Checks computer location settings

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-02 09:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-02 09:59

Reported

2024-04-02 10:02

Platform

win7-20231129-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe"

Signatures

Remcos

rat remcos

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 1368 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 4
PID 1368 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 4
PID 1368 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe C:\Windows\SysWOW64\schtasks.exe 4
PID 1368 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe 13

Processes

C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe

"C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XPTpFDOlta.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XPTpFDOlta" /XML "C:\Users\Admin\AppData\Local\Temp\tmp39B6.tmp"

C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe

"C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe"

Network

Country Destination Domain Proto Connections
UA 194.147.140.180:1987 tcp 60

Files

memory/1368-0-0x0000000000D10000-0x0000000000E10000-memory.dmp

memory/1368-1-0x0000000073EF0000-0x00000000745DE000-memory.dmp

memory/1368-2-0x0000000004C20000-0x0000000004C60000-memory.dmp

memory/1368-3-0x0000000000550000-0x0000000000562000-memory.dmp

memory/1368-4-0x00000000005B0000-0x00000000005BC000-memory.dmp

memory/1368-5-0x0000000005250000-0x0000000005310000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 28ffd7314f9b701d23a819af28b05ddb
SHA1 b16bb502f5c27697a870b112a5818ca85d1a6932
SHA256 3823e3352f00fdd922d8158c7997b0dbec6fbd25471356e8c3d9959da079962f
SHA512 2b4122a0f417375c93412ea3a08b7d96b63d737a686c88bcfdf4e1dffbd77866401b3042b5524af2485a8b6fd9065e6b050ca1291b39342e46079d7ffa48a3d8

C:\Users\Admin\AppData\Local\Temp\tmp39B6.tmp

MD5 b4a83abaf40c073fdf0f953a7e795b33
SHA1 bfa918a3923b0d221898e173905e7d8584940006
SHA256 03c049b5c573060c9f440a6760fca696ad0bc9a2b7042baeb355c692e89a82a7
SHA512 db8358b4de4cf877ce201c7912924af0e70cc160a2fe2757d4e7a184021d2369b400fca534d80b3ff57794a14568b101e0c3c9eb89441f5b1afdba968f160e0e

memory/2624-18-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-20-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3008-22-0x000000006EE00000-0x000000006F3AB000-memory.dmp

memory/1428-24-0x000000006EE00000-0x000000006F3AB000-memory.dmp

memory/3008-26-0x0000000002CC0000-0x0000000002D00000-memory.dmp

memory/1428-27-0x0000000002900000-0x0000000002940000-memory.dmp

memory/1428-30-0x000000006EE00000-0x000000006F3AB000-memory.dmp

memory/3008-32-0x000000006EE00000-0x000000006F3AB000-memory.dmp

memory/2624-34-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3008-35-0x0000000002CC0000-0x0000000002D00000-memory.dmp

memory/2624-38-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3008-37-0x0000000002CC0000-0x0000000002D00000-memory.dmp

memory/1428-33-0x0000000002900000-0x0000000002940000-memory.dmp

memory/2624-29-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-25-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-21-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-40-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-41-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2624-43-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1368-46-0x0000000073EF0000-0x00000000745DE000-memory.dmp

memory/2624-45-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-47-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-50-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-49-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-51-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1428-53-0x000000006EE00000-0x000000006F3AB000-memory.dmp

memory/3008-52-0x000000006EE00000-0x000000006F3AB000-memory.dmp

memory/2624-54-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-55-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-56-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-57-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-59-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-60-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-61-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-62-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-64-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-65-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-66-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-67-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-68-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-70-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-71-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-72-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-73-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-75-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-76-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-77-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-78-0x0000000000400000-0x0000000000482000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 67c9d9610dfcb3f8d52c7f2869bb105f
SHA1 a4d39e028f39536a317e8c90f43e31b8f1a92e80
SHA256 46502c569edfd0fded9ca6979da9a8bb728e873670b98559d0b8f497aa7e46e1
SHA512 26458447f6432d524ebea0cd426335fb70560c3c7de4eca77bcfc7db04cd752da79b96442ab96b5da8a11d778e98a343422c8392ee12e40df1fbecc1342a7779

memory/2624-80-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-81-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-82-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-83-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-84-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-86-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-87-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-88-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-89-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-91-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-92-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-93-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-94-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-96-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-97-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-98-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-99-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-100-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2624-102-0x0000000000400000-0x0000000000482000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-02 09:59

Reported

2024-04-02 10:02

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe"

Signatures

Remcos

rat remcos

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 4424 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 4424 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 4424 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 4424 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe 12

Processes

C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe

"C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XPTpFDOlta.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XPTpFDOlta" /XML "C:\Users\Admin\AppData\Local\Temp\tmp80A9.tmp"

C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe

"C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe"
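Both detonations record the same loader chain: the sample in the user's Temp folder launches two PowerShell children that add Defender exclusions for itself and for the dropped copy C:\Users\Admin\AppData\Roaming\XPTpFDOlta.exe, registers the scheduled task Updates\XPTpFDOlta from an XML file in Temp, and spawns a second copy of itself into which it writes memory (paired with the SetThreadContext signature and the repeated 0x400000-0x482000 dumps of that child, this reads as process hollowing of the self-spawned copy; that reading is the editor's, not the report's). Two details matter for detection: the logged command line says System32 while the process image is SysWOW64, because the sample is a 32-bit process and WoW64 redirection resolves the path, so rules should key on the file name rather than the full path; and none of the excluded or loaded paths is one an administrator would normally exclude. The following detection logic is an added example written for this page, not part of the sandbox report or of any vendor product. The Sysmon-style field names and the pairing of PIDs with individual command lines are assumptions; the command lines themselves are the ones printed above, and the PIDs are those from the behavioral1 WriteProcessMemory table.

```python
"""Flag the loader chain from process-creation records (Sysmon Event ID 1 shape).
Added example for this report, not sandbox or vendor code. Field names and the
PID-to-command-line pairing are assumptions; command lines come from the report."""
import re

# Locations an unprivileged user can write to. An AV exclusion for, or a task
# definition loaded from, one of these is worth an analyst's attention.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")


def in_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def exclusion_paths(cmd):
    """Return the paths passed to Add-MpPreference -ExclusionPath (quoted, bare,
    or comma-separated), or [] if the command line does not add an exclusion."""
    m = re.search(r'add-mppreference.*?-exclusionpath\s+((?:"[^"]*"|[^\s"])+)', cmd, re.I)
    if not m:
        return []
    return [p.strip().strip('"') for p in m.group(1).split(",") if p.strip()]


def analyse(events):
    """events: dicts with ProcessId, ParentProcessId, Image, CommandLine.
    Returns (kind, pid, detail) tuples for each suspicious step found."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for e in events:
        image, cmd = e["Image"].lower(), e["CommandLine"]
        parent = by_pid.get(e["ParentProcessId"])
        # 1. Defender exclusion covering a user-writable location.
        if image.endswith("powershell.exe"):
            for p in exclusion_paths(cmd):
                if in_user_writable(p):
                    findings.append(("defender_exclusion", e["ProcessId"], p))
        # 2. schtasks /Create fed a task XML from a user-writable location.
        if image.endswith("schtasks.exe") and re.search(r"/create\b", cmd, re.I):
            m = re.search(r'/xml\s+("[^"]+"|\S+)', cmd, re.I)
            if m and in_user_writable(m.group(1).strip('"')):
                findings.append(("schtasks_xml_from_temp", e["ProcessId"], m.group(1).strip('"')))
        # 3. A binary in a user-writable directory spawning a copy of its own image,
        #    the precursor to the WriteProcessMemory/SetThreadContext activity above.
        if parent and parent["Image"].lower() == image and in_user_writable(image):
            findings.append(("self_spawn", e["ProcessId"], e["Image"]))
    return findings


# Sample events: image paths, command lines and PIDs from the behavioral1 run;
# which PowerShell PID ran which exclusion is assumed. Process 4100 is a
# constructed control (administrator excluding a vendor directory).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe"
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'  # WoW64-redirected path as logged
SAMPLE_EVENTS = [
    {"ProcessId": 1368, "ParentProcessId": 1234, "Image": SAMPLE, "CommandLine": '"' + SAMPLE + '"'},
    {"ProcessId": 3008, "ParentProcessId": 1368, "Image": PS_IMAGE,
     "CommandLine": PS_CMD + ' Add-MpPreference -ExclusionPath "' + SAMPLE + '"'},
    {"ProcessId": 1428, "ParentProcessId": 1368, "Image": PS_IMAGE,
     "CommandLine": PS_CMD + r' Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XPTpFDOlta.exe"'},
    {"ProcessId": 2528, "ParentProcessId": 1368, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XPTpFDOlta" /XML "C:\Users\Admin\AppData\Local\Temp\tmp39B6.tmp"'},
    {"ProcessId": 2624, "ParentProcessId": 1368, "Image": SAMPLE, "CommandLine": '"' + SAMPLE + '"'},
    {"ProcessId": 4100, "ParentProcessId": 1234, "Image": PS_IMAGE,
     "CommandLine": PS_CMD + r' Add-MpPreference -ExclusionPath "C:\Program Files\Vendor"'},
]

if __name__ == "__main__":
    for kind, pid, detail in analyse(SAMPLE_EVENTS):
        print(kind, pid, detail)
```

Run stand-alone it prints four findings (two exclusions, the task XML in Temp, the self-spawned copy) and nothing for the control process. Matching on the image file name rather than the System32 path is what keeps the SysWOW64 children from slipping past.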

Network

Country Destination Domain Proto Connections
UA 194.147.140.180:1987 tcp 37
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp 1
US 8.8.8.8:53 202.110.86.104.in-addr.arpa udp 1
US 8.8.8.8:53 147.177.190.20.in-addr.arpa udp 1
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp 1
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp 1
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp 1
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp 1
US 8.8.8.8:53 9.66.18.2.in-addr.arpa udp 1
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp 1
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp 1
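In both detonations the only outbound TCP traffic is a stream of repeated connections to 194.147.140.180:1987 with an empty Domain column: the address is hard-coded, never looked up by name, and sits on a port no common service uses. The 8.8.8.8 rows in the Windows 10 run are PTR queries (*.in-addr.arpa); a reverse lookup never maps a hostname to an address, so they do not change that picture. The following triage logic, an added example for this page and not part of the sandbox report, parses rows in the exact format printed above and scores each TCP destination on those three indicators. The control destination 203.0.113.10 and the claim that a DNS answer resolved to it are constructed for contrast; in a real pipeline the resolved-address set would be built from dns.log answers.

```python
"""Rank destinations from 'Country Destination [Domain] Proto' rows by how much
they resemble a hard-coded C2 address. Added example for this report, not
sandbox code. 203.0.113.10 and its DNS resolution are constructed controls."""
from collections import Counter

# Ports where repeated connections are unremarkable on their own.
COMMON_PORTS = {25, 53, 80, 123, 443, 587, 993, 995}


def parse_network_rows(rows):
    """Parse report rows. Returns (connections, ptr_queries). Header and
    malformed lines are skipped; PTR queries are kept apart because a reverse
    lookup never maps a hostname to an address."""
    conns, ptr_queries = [], []
    for row in rows:
        parts = row.split()
        if len(parts) not in (3, 4):
            continue
        dest, proto = parts[1], parts[-1].lower()
        domain = parts[2] if len(parts) == 4 else ""
        ip, _, port = dest.rpartition(":")
        if not port.isdigit():
            continue  # header row or a destination without a port
        if domain.endswith(".in-addr.arpa"):
            ptr_queries.append(domain)
        conns.append((ip, int(port), proto, domain))
    return conns, ptr_queries


def rank_destinations(conns, resolved_ips, min_repeats=5):
    """Score each TCP destination seen at least min_repeats times: one point for
    the repeat count, one for a non-standard port, one if no DNS answer ever
    returned the address. Highest score first."""
    counts = Counter((ip, port) for ip, port, proto, _ in conns if proto == "tcp")
    ranked = []
    for (ip, port), n in counts.items():
        if n < min_repeats:
            continue
        reasons = ["%d repeated connections" % n]
        if port not in COMMON_PORTS:
            reasons.append("non-standard port %d" % port)
        if ip not in resolved_ips:
            reasons.append("direct-to-IP, never resolved by name")
        ranked.append({"dst": "%s:%d" % (ip, port), "count": n,
                       "score": len(reasons), "reasons": reasons})
    return sorted(ranked, key=lambda r: (-r["score"], -r["count"]))


# Constructed input mirroring behavioral2: 37 C2 connections, the ten PTR
# lookups from the table, and a made-up benign destination for contrast.
PTR_ROWS = [
    "US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp",
    "US 8.8.8.8:53 202.110.86.104.in-addr.arpa udp",
    "US 8.8.8.8:53 147.177.190.20.in-addr.arpa udp",
    "US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp",
    "US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp",
    "US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp",
    "US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp",
    "US 8.8.8.8:53 9.66.18.2.in-addr.arpa udp",
    "US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp",
    "US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp",
]
SAMPLE_ROWS = (["Country Destination Domain Proto"]
               + ["UA 194.147.140.180:1987 tcp"] * 37
               + PTR_ROWS
               + ["US 203.0.113.10:443 tcp"] * 12)
CONTROL_RESOLVED = {"203.0.113.10"}  # constructed: pretend an A record answered with this

if __name__ == "__main__":
    conns, ptr = parse_network_rows(SAMPLE_ROWS)
    for r in rank_destinations(conns, CONTROL_RESOLVED):
        print(r["dst"], r["score"], "; ".join(r["reasons"]))
    print(len(ptr), "PTR lookups, no forward resolution")
```

The C2 destination scores 3 and the control scores 1, even though the control also repeats; lowering min_repeats or dropping the DNS indicator is how the same logic is tuned for noisier hosts.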

Files

memory/4424-0-0x0000000000330000-0x0000000000430000-memory.dmp

memory/4424-1-0x0000000074FA0000-0x0000000075750000-memory.dmp

memory/4424-2-0x00000000054B0000-0x0000000005A54000-memory.dmp

memory/4424-3-0x0000000004E10000-0x0000000004EA2000-memory.dmp

memory/4424-4-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

memory/4424-5-0x0000000004EC0000-0x0000000004ECA000-memory.dmp

memory/4424-6-0x0000000004F80000-0x0000000004F92000-memory.dmp

memory/4424-7-0x0000000005070000-0x000000000507C000-memory.dmp

memory/4424-8-0x0000000006910000-0x00000000069D0000-memory.dmp

memory/4424-9-0x0000000008FE0000-0x000000000907C000-memory.dmp

memory/1084-14-0x00000000023D0000-0x0000000002406000-memory.dmp

memory/1084-15-0x0000000074FA0000-0x0000000075750000-memory.dmp

memory/1084-16-0x0000000002420000-0x0000000002430000-memory.dmp

memory/1084-17-0x0000000002420000-0x0000000002430000-memory.dmp

memory/1084-18-0x0000000004E40000-0x0000000005468000-memory.dmp

memory/3144-19-0x0000000002C00000-0x0000000002C10000-memory.dmp

memory/3144-20-0x0000000074FA0000-0x0000000075750000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp80A9.tmp

MD5 12fe68183b8fd9717cd220a67fc025ee
SHA1 6eb421b0149b06bc672de0ef19fda824057c016b
SHA256 2fb381ecc0096aeed3d459ce26497d1c1b6107a610f4707b39ceaaeb2052620e
SHA512 7be77b12d7cd25a05539c5a73d5ea7c669439de28de5112152bcc46c8fbd776d4f5101a143cac77aacea7a33c81287be7db7f4ad5eb86fc62e7ed413229e43ca

memory/3144-22-0x00000000053B0000-0x00000000053D2000-memory.dmp

memory/1084-23-0x0000000005470000-0x00000000054D6000-memory.dmp

memory/3144-24-0x0000000005E50000-0x0000000005EB6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yspywh3u.qm4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1084-34-0x0000000005700000-0x0000000005A54000-memory.dmp

memory/2836-44-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-45-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-47-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-50-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-49-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4424-48-0x0000000074FA0000-0x0000000075750000-memory.dmp

memory/2836-52-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-54-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-53-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3144-55-0x0000000006460000-0x000000000647E000-memory.dmp

memory/3144-56-0x0000000006540000-0x000000000658C000-memory.dmp

memory/1084-58-0x0000000075800000-0x000000007584C000-memory.dmp

memory/3144-57-0x00000000073D0000-0x0000000007402000-memory.dmp

memory/3144-70-0x0000000075800000-0x000000007584C000-memory.dmp

memory/1084-69-0x0000000006ED0000-0x0000000006EEE000-memory.dmp

memory/3144-59-0x000000007F3E0000-0x000000007F3F0000-memory.dmp

memory/1084-71-0x000000007F560000-0x000000007F570000-memory.dmp

memory/1084-72-0x0000000006EF0000-0x0000000006F93000-memory.dmp

memory/1084-82-0x0000000002420000-0x0000000002430000-memory.dmp

memory/3144-83-0x0000000002C00000-0x0000000002C10000-memory.dmp

memory/1084-85-0x0000000007030000-0x000000000704A000-memory.dmp

memory/3144-84-0x0000000007DC0000-0x000000000843A000-memory.dmp

memory/3144-86-0x00000000077F0000-0x00000000077FA000-memory.dmp

memory/1084-87-0x00000000072B0000-0x0000000007346000-memory.dmp

memory/3144-88-0x0000000007980000-0x0000000007991000-memory.dmp

memory/3144-89-0x00000000079B0000-0x00000000079BE000-memory.dmp

memory/3144-90-0x00000000079C0000-0x00000000079D4000-memory.dmp

memory/3144-91-0x0000000007AC0000-0x0000000007ADA000-memory.dmp

memory/1084-92-0x0000000007350000-0x0000000007358000-memory.dmp

memory/1084-98-0x0000000074FA0000-0x0000000075750000-memory.dmp

memory/3144-99-0x0000000074FA0000-0x0000000075750000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 52c537cd2eca799368b1b6aca0a7644c
SHA1 b5c72fd4709d3fee1f615924c3adc1cc73cc61b8
SHA256 4868e090801c2445e70b99ba64f1a04bfb1fcf9ba78bd17b444e51f9f0bab8c9
SHA512 e559bf11b0c45781843825823c9a1bab1288e124b903eccb2f95bac01f950a957f87961fd9d07d85af6ffce4024581da0b8b932104a7330098f33fd4fd906f8b

memory/2836-100-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-101-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-103-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-104-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-105-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-107-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-108-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-109-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-111-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-112-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-113-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-115-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-116-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-117-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-118-0x0000000000400000-0x0000000000482000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 f368a674efd898261ad2bfad148f99a4
SHA1 04ef0ec773a4962b5d434557eed387a6b6e84f46
SHA256 de1f00553c86932dd2cb3134a0c36da4ea48a9f4802205e4cc48f15f40b3bee5
SHA512 5ecf765499286c413e466d36c60203ebf39cc8c808580b807bc12952c91e8b5066c5b10235dcf14e82f4350ec892feaa8cafc35787f44f15139b9f2ff8f69a45

memory/2836-120-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-121-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-122-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-124-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-125-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-126-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-128-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-129-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-131-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-132-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-133-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-134-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-136-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-137-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-139-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-140-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-141-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-142-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-144-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-145-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-147-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-148-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-149-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-151-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-152-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-153-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-155-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-156-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-157-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-159-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-160-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-161-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-163-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-164-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-166-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-167-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-168-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-169-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-171-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-172-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-175-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-176-0x0000000000400000-0x0000000000482000-memory.dmp