Malware Analysis Report

2024-12-07 22:26

Sample ID 240408-mr8wdsae6s
Target RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.gz
SHA256 87d5833ba766b841f9b478680e765f78a8db838b37521d31ce0520c0baf7933f
Tags
remcos rat remotehost collection spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

87d5833ba766b841f9b478680e765f78a8db838b37521d31ce0520c0baf7933f

Threat Level: Known bad

The file RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.gz was found to be: Known bad.

Malicious Activity Summary

remcos rat remotehost collection spyware stealer

Remcos

NirSoft WebBrowserPassView

Nirsoft

NirSoft MailPassView

Checks computer location settings

Reads user/profile data of web browsers

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-08 10:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-08 10:43

Reported

2024-04-08 10:45

Platform

win7-20240221-en

Max time kernel

149s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe"

Signatures

Remcos

rat remcos

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe N/A 63
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 1

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2304 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 4
PID 2304 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe C:\Windows\SysWOW64\schtasks.exe 4
PID 2304 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe 8

Processes

C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe

"C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fmduzErmJdOHa.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fmduzErmJdOHa" /XML "C:\Users\Admin\AppData\Local\Temp\tmp600A.tmp"

C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe

"C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\tmp600A.tmp

MD5 98fbbc106ed5b753371d5873fc862b6e
SHA1 0778c9f7e33fe87af18339cfa21c6e0c801e68f8
SHA256 fccce9282083b6273ef28c86448aec4080b54761e5a473e4a3ee4a5d35a8fbe4
SHA512 9f0fce9ff51fc6094cd3469b773db829595a98f0a09448a0ed993fb822fabaf25bccb3a5d5c04e03c8ccddd84a8a165770744a7c672618745cfd8cacfcd5f74f

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-08 10:43

Reported

2024-04-08 10:45

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe"

Signatures

Remcos

rat remcos

NirSoft MailPassView

Description Indicator Process Target Count
N/A N/A N/A N/A 2

NirSoft WebBrowserPassView

Description Indicator Process Target Count
N/A N/A N/A N/A 2

Nirsoft

Description Indicator Process Target Count
N/A N/A N/A N/A 7

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2964 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 2964 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 2964 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe 12
PID 1572 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe 4
PID 1572 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe 4
PID 1572 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe 3
PID 1572 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe 4

Processes

C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe

"C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fmduzErmJdOHa.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fmduzErmJdOHa" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7CB2.tmp"

C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe

"C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe"

C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe

"C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe" /stext "C:\Users\Admin\AppData\Local\Temp\irvtajmpkrxjb"

C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe

"C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tuamacxjyapomrqu"

C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe

"C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe" /stext "C:\Users\Admin\AppData\Local\Temp\vogwbuilmihtoxmyvng"

C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe

"C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe" /stext "C:\Users\Admin\AppData\Local\Temp\vogwbuilmihtoxmyvng"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 paygateme.net udp
US 146.70.57.34:2286 paygateme.net tcp
US 8.8.8.8:53 34.57.70.146.in-addr.arpa udp
US 146.70.57.34:2286 paygateme.net tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 130.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tmp7CB2.tmp

MD5 46a02365795d9ee608a34fcc1f98f450
SHA1 4d52900dabb11633685802a621481d35191543ff
SHA256 11f8b273c207e4c600428ca8e37169d50d60a1c79a91aa4ec1803475b12040cf
SHA512 efaa47be9ad017eba7efbf9b4c99800a98d73cb6fcb39927585c11eb73cdf2a3040e619663ef12435707054c4092bc83ade730d279e2a1b4d9ee606c0979fc25

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eplg5qez.iyx.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\irvtajmpkrxjb

MD5 ec0cf9ff722f9a9259c3338972c40886
SHA1 31bad5285affb58c5ebe0569bbdb9bd1deab245c
SHA256 30190665467845aed54732c31c7e385368c10acb595cffdd7ca9523fff051a19
SHA512 bdfaf9576db431d3c4d14e0ea5deafce661fceda6d5123a6f4b84d50a576dd1ccf4202091dc0b55bed665dd45b4e30d2a797bda6015b06f5771064f9bab32d1a

C:\ProgramData\remcos\logs.dat

MD5 c9ca13d4cf9a9ba26c02e4684ae1074d
SHA1 96d37dbd0dfed84e362f7f1624adde72d5584c86
SHA256 990fb3aae42078ddc63f2d9f14e122f57a0b97602f36f633d87924e816db83d8
SHA512 96929a03e4c42bacca87af39a375b359ee14369365b35aae302d148630e62407c09e7d9a4a522f171f77de5fe6033a1b81d3f04cc16f587f4dc7fe57cc0c41f9
