Malware Analysis Report

2024-12-07 22:28

Sample ID 240408-p4lyhach7x
Target 45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe
SHA256 45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85
Tags
remcos remotehost collection rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85

Threat Level: Known bad

The file 45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe was found to be: Known bad.

Malicious Activity Summary

remcos remotehost collection rat

Remcos

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Executes dropped EXE

Loads dropped DLL

Drops startup file

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

AutoIT Executable

Unsigned PE

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-08 12:53

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-08 12:53

Reported

2024-04-08 12:55

Platform

win7-20240221-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe"

Signatures

Remcos

rat remcos

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\brawlis.vbs C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\SysWOW64\svchost.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2760 set thread context of 2548 N/A C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe C:\Windows\SysWOW64\svchost.exe
PID 2548 set thread context of 2096 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 2548 set thread context of 2488 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 2548 set thread context of 1916 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2988 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe
PID 2988 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe
PID 2988 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe
PID 2988 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe
PID 2760 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe C:\Windows\SysWOW64\svchost.exe
PID 2760 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe C:\Windows\SysWOW64\svchost.exe
PID 2760 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe C:\Windows\SysWOW64\svchost.exe
PID 2760 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe C:\Windows\SysWOW64\svchost.exe
PID 2760 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe C:\Windows\SysWOW64\svchost.exe
PID 2548 wrote to memory of 2096 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 2548 wrote to memory of 2096 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 2548 wrote to memory of 2096 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 2548 wrote to memory of 2096 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 2548 wrote to memory of 2096 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 2548 wrote to memory of 2488 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 2548 wrote to memory of 2488 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 2548 wrote to memory of 2488 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 2548 wrote to memory of 2488 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 2548 wrote to memory of 2488 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 2548 wrote to memory of 1916 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 2548 wrote to memory of 1916 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 2548 wrote to memory of 1916 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 2548 wrote to memory of 1916 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 2548 wrote to memory of 1916 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe

"C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe"

C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe

"C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\vnjqtcrpyhamqqbyiymszocxezsqbqbosr"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\yhoitv"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\ijutunvkz"
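The SetThreadContext and WriteProcessMemory tables and the Processes list above record the whole injection chain, but they leave the reader to join the rows by PID. The Python below is an added worked example, not part of the sandbox output: it joins the rows copied from the behavioral1 tables, flags every (source, target) pair that received both a memory write and a thread-context change (the WriteProcessMemory + SetThreadContext half of process hollowing), walks the chain from the sample's own PID, lists each svchost.exe whose writer is not services.exe, and picks out the svchost.exe command lines that carry /stext. That switch belongs to the NirSoft password-recovery tools (MailPassView, WebBrowserPassView) the Nirsoft signatures fire on, not to svchost.exe, and its argument is the file the recovered credentials are written to. The function names and the "hollowing" label are mine; the sandbox records no CreateProcess flags, so CREATE_SUSPENDED is inferred rather than observed.

```python
import re
from collections import defaultdict

# Constructed sample input: rows copied from the behavioral1 "Suspicious use of
# WriteProcessMemory" and "Suspicious use of SetThreadContext" tables above. The
# sandbox prints one row per API call; repeats are collapsed here because the
# logic only needs to know which (source, target) pairs exist.
INJECTION_ROWS = r"""
PID 2988 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe
PID 2760 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe C:\Windows\SysWOW64\svchost.exe
PID 2548 wrote to memory of 2096 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 2548 wrote to memory of 2488 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 2548 wrote to memory of 1916 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 2760 set thread context of 2548 N/A C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe C:\Windows\SysWOW64\svchost.exe
PID 2548 set thread context of 2096 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 2548 set thread context of 2488 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 2548 set thread context of 1916 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
"""
# Constructed sample input: the svchost.exe command lines from the behavioral1
# "Processes" list above.
PROCESS_ROWS = r"""
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\vnjqtcrpyhamqqbyiymszocxezsqbqbosr"
C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\yhoitv"
C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\ijutunvkz"
"""
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \S+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)
# svchost.exe has no /stext switch; it belongs to the NirSoft recovery tools
# (MailPassView, WebBrowserPassView) that run inside the hollowed svchost.exe.
STEXT_RE = re.compile(r'^(?P<image>\S+\\svchost\.exe)\s+/stext\s+"?(?P<out>[^"]+?)"?\s*$', re.IGNORECASE)


def _base(path):
    return path.rsplit("\\", 1)[-1]


def parse_injection_rows(text):
    """Rows -> (src_pid, 'write' | 'setctx', dst_pid, src_image, dst_image)."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        action = "write" if m["action"].startswith("wrote") else "setctx"
        events.append((int(m["src"]), action, int(m["dst"]), m["src_img"], m["dst_img"]))
    return events


def injection_pairs(events):
    """Group calls by (source PID, target PID), remembering which APIs were used."""
    pairs = defaultdict(lambda: {"actions": set(), "src_img": None, "dst_img": None})
    for src, action, dst, src_img, dst_img in events:
        pair = pairs[(src, dst)]
        pair["actions"].add(action)
        pair["src_img"], pair["dst_img"] = src_img, dst_img
    return dict(pairs)


def hollowing_candidates(pairs):
    """A target that got both a memory write and a thread-context change from the
    same source matches the WriteProcessMemory + SetThreadContext half of process
    hollowing (CREATE_SUSPENDED is not in the rows, so it is inferred). A write
    alone, as for 2988 -> 2760, fits the "Executes dropped EXE" signature instead."""
    return sorted(k for k, v in pairs.items() if {"write", "setctx"} <= v["actions"])


def svchost_not_from_services(pairs):
    """svchost.exe is normally created only by services.exe; any other image
    writing into one is user code holding a handle to it."""
    return sorted(dst for (src, dst), v in pairs.items()
                  if _base(v["dst_img"]).lower() == "svchost.exe"
                  and _base(v["src_img"]).lower() != "services.exe")


def injection_chain(pairs, root_pid):
    """Depth-first walk from root_pid over the (source -> target) edges."""
    edges = defaultdict(list)
    for (src, dst), v in pairs.items():
        edges[src].append((dst, v["src_img"], v["dst_img"]))
    out = []

    def walk(pid, seen):
        for dst, src_img, dst_img in sorted(edges[pid]):
            if dst not in seen:
                out.append(f"{pid}:{_base(src_img)} -> {dst}:{_base(dst_img)}")
                walk(dst, seen | {dst})

    walk(root_pid, {root_pid})
    return out


def stext_dumps(text):
    """Files handed to the NirSoft tools via /stext: where the recovered mail and
    browser credentials land for Remcos to collect."""
    matches = (STEXT_RE.match(line.strip()) for line in text.strip().splitlines())
    return [m["out"] for m in matches if m]


if __name__ == "__main__":
    pairs = injection_pairs(parse_injection_rows(INJECTION_ROWS))
    print("hollowing candidates (src, dst):", hollowing_candidates(pairs))
    print("svchost.exe not owned by services.exe:", svchost_not_from_services(pairs))
    for edge in injection_chain(pairs, 2988):
        print("  " + edge)
    print("credential dump files:", stext_dumps(PROCESS_ROWS))
```

The same join applied to the behavioral2 tables gives the identical shape with PIDs 600 -> 4524 -> 2932 -> {4516, 1076, 2652}, which is the kind of run-to-run stability worth writing a detection on: a SysWOW64 svchost.exe whose parent is not services.exe, followed by svchost.exe children carrying /stext.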

Network

Country Destination Domain Proto
US 107.175.229.139:8087 tcp
US 107.175.229.139:8087 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp

Files

memory/2988-10-0x00000000000B0000-0x00000000000B4000-memory.dmp

\Users\Admin\AppData\Local\reindulgence\brawlis.exe

MD5 4bd1e9aa4eba7ad93aed314fb7737dab
SHA1 320e34d1030a4faaf91833a6595fd334ce8dc318
SHA256 98f529e5a73f29a93813731c24a9180227be92265e01a41c633a3468990432b4
SHA512 05a616a7c549c9979121783a8773c04058c358b9d6ecb3b122823398acdfe5a4ab8e0caa868071ac9fe11b4133425b00194fb390c94e5082f2891d7dfa4241f5

C:\Users\Admin\AppData\Local\Temp\vitraillist

MD5 7e652071f4c1e8a16bbcc9fe126774f0
SHA1 e6eed67590573d8427f648e2952e88005fba1efd
SHA256 132f9d86d77df4cc036a745abc0a419412a35b9977005bb0a19258d8a629bbf2
SHA512 469fd55d6f2ffe4f2d2117db33e68f879878013958677d72f27eeaf953611e504bfb8ff89a44558308c10f3f2e204157f5cb50fb78c94b674e410bf84c741ddb

C:\Users\Admin\AppData\Local\Temp\orographically

MD5 17db3ee54b8207f5415603d856255c9d
SHA1 a480c3d3f948e61b258b18732b99732f62fe93e5
SHA256 e138b8344f3c0b7d400d452da5662e5625365f71ca955034f8b6ddf05b4a3c37
SHA512 7a4fc990c68c73f9729e2b56d337a8888094bad6766ad9c9f0cc3faaa89fa289189660bed466adca97039431f9d4ff179227b9f8e1dce2ea6b42b1ea09d50cef

memory/2548-30-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2548-32-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2548-33-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2548-34-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2548-36-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2548-37-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2548-38-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2548-39-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2548-40-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2548-41-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2548-42-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2548-44-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2548-45-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2548-46-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2096-49-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2096-47-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2488-51-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2096-55-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2488-53-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2488-57-0x0000000000400000-0x0000000000462000-memory.dmp

memory/1916-56-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2488-60-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2096-61-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1916-62-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2488-63-0x0000000000400000-0x0000000000462000-memory.dmp

memory/1916-65-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1916-67-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1916-68-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2096-73-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vnjqtcrpyhamqqbyiymszocxezsqbqbosr

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/2488-76-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2548-77-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2548-81-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2548-82-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2548-80-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2548-83-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2548-84-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2548-87-0x0000000000400000-0x0000000000482000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 138a0a484367cbfe5638ab2861bc61bf
SHA1 84c3b5015d2c392d0a46cdbe35b9717b4c0e26d3
SHA256 754f5cb74546df7e3aca4f7a9023cdc4d831bf44493b7dde9e6417076c233ef5
SHA512 3ec845d82c9bde2685d12f06c4472137ce0d58fe430c660ad461290ab88c206325f74572daee155f3754da0193ebeaaf12bcfb67f9260485cbbc3a362123476c

memory/2548-90-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2548-92-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2548-93-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2548-100-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2548-101-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2548-108-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2548-109-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2548-116-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2548-117-0x0000000000400000-0x0000000000482000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-08 12:53

Reported

2024-04-08 12:55

Platform

win10v2004-20240319-en

Max time kernel

148s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe"

Signatures

Remcos

rat remcos

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\brawlis.vbs C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\SysWOW64\svchost.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4524 set thread context of 2932 N/A C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe C:\Windows\SysWOW64\svchost.exe
PID 2932 set thread context of 4516 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 2932 set thread context of 1076 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 2932 set thread context of 2652 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A (the only C:\Windows\System32\svchost.exe in the process list is the 64-bit "-k UnistackSvcGroup" service host; this row is OS background, not one of the SysWOW64 instances the sample injected into)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 600 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe
PID 600 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe
PID 600 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe
PID 4524 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe C:\Windows\SysWOW64\svchost.exe
PID 4524 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe C:\Windows\SysWOW64\svchost.exe
PID 4524 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe C:\Windows\SysWOW64\svchost.exe
PID 4524 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe C:\Windows\SysWOW64\svchost.exe
PID 2932 wrote to memory of 4516 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 2932 wrote to memory of 4516 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 2932 wrote to memory of 4516 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 2932 wrote to memory of 4516 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 2932 wrote to memory of 1076 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 2932 wrote to memory of 1076 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 2932 wrote to memory of 1076 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 2932 wrote to memory of 1076 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 2932 wrote to memory of 2652 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 2932 wrote to memory of 2652 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 2932 wrote to memory of 2652 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
PID 2932 wrote to memory of 2652 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe

"C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe"

C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe

"C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\45a09f316758fd79aafe72e9005096989484761a36063d05b7b20f214d3c0b85.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\ctmfkdvjkqiicttlvc"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\evzylwgdyyanmahxeniekd"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\ppeimoqemgssogdbwpcfvidjc"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4784 --field-trial-handle=2148,i,1752153415760610784,11376271161549019716,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 216.203.100.95.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 107.175.229.139:8087 tcp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 107.175.229.139:8087 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 139.229.175.107.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
IE 94.245.104.56:443 tcp
GB 51.140.242.104:443 tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
GB 51.11.108.188:443 tcp
US 8.8.8.8:53 154.173.246.72.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 235.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
GB 13.105.221.15:443 tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp

Files

memory/600-10-0x0000000001110000-0x0000000001114000-memory.dmp

C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe

MD5 da856854ee5c7a8242dc6ad403c6cc77
SHA1 7323e48b6d85f8888914ee7bc14fb2571063595e
SHA256 55b380de6427d52da2b1bd08a46493e9c015920ac810140ee3b2773878e2d3b6
SHA512 1d0f974cc5dfafd5e350844141c9575d1008981e2c474cc1320ca511bd867f604834077ce2b2cdaf8ec0655b19c3255f0726072febfeec7c6717066a2d4d45f1

C:\Users\Admin\AppData\Local\Temp\orographically

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(these four values are the digests of a zero-byte file: this run captured orographically before anything was written to it, so they identify nothing; the behavioral1 copy of the same file hashed to SHA256 e138b8344f3c0b7d400d452da5662e5625365f71ca955034f8b6ddf05b4a3c37)

C:\Users\Admin\AppData\Local\Temp\vitraillist

MD5 7e652071f4c1e8a16bbcc9fe126774f0
SHA1 e6eed67590573d8427f648e2952e88005fba1efd
SHA256 132f9d86d77df4cc036a745abc0a419412a35b9977005bb0a19258d8a629bbf2
SHA512 469fd55d6f2ffe4f2d2117db33e68f879878013958677d72f27eeaf953611e504bfb8ff89a44558308c10f3f2e204157f5cb50fb78c94b674e410bf84c741ddb

memory/2932-28-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2932-29-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2932-30-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2932-31-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2932-33-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2932-34-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2932-35-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2932-36-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2932-37-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2932-38-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2932-39-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2932-41-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4516-42-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1076-43-0x0000000000400000-0x0000000000462000-memory.dmp

memory/4516-47-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4516-50-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1076-51-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2652-46-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2652-52-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2652-55-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2652-56-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1076-60-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2652-61-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1076-54-0x0000000000400000-0x0000000000462000-memory.dmp

memory/4516-69-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ctmfkdvjkqiicttlvc

MD5 51bdd8d5f186fd32bf22b3988240e19d
SHA1 37a83c9c1f636bd0e5a1b806804fc5323c80791d
SHA256 4dd5d2764bba141c582357273d5d7a869888908b4a1b52423a489d58bba597be
SHA512 a477cb0dd68901641cea43100c952d1c253c32388492204b2387a333ad1d5bed0155f08f430f010ef53fe9592945def73c3d28e77293c58d951b652410e8c6f7

memory/2932-71-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2932-74-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2932-76-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2932-77-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2932-78-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2932-81-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2932-82-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2932-84-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2932-86-0x0000000010000000-0x0000000010019000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 7625af3e5f13ab3794c28861bfd82670
SHA1 02a4d88d1471e53ebea4cec15bf47ecdfb7e8480
SHA256 c3227f9633f47aa829fc3e01c4289261ac4c320f78aab48de0066b868bb4139a
SHA512 08dfc3ab595a55c6a67b8abc32d7e2ef3d29d4642380b70fa7dc6ba506e80957e5c33ea1f966f2cd75d0e90da02400798163abf1281a70cd895bce7035b9abf2

memory/2932-91-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2932-92-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1320-98-0x0000025C1E940000-0x0000025C1E950000-memory.dmp

memory/1320-114-0x0000025C1EA40000-0x0000025C1EA50000-memory.dmp
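Both detonations reach the same two network destinations, and the Files sections show that the dropped brawlis.exe hashes differently in each run while C:\Users\Admin\AppData\Local\Temp\orographically was captured at zero bytes in behavioral2. The Python below is an added worked example, not sandbox output: it turns the Network and Files tables above (copied in, the behavioral2 network table abridged to a representative subset) into a triaged IOC list. It keeps TCP destinations reached in both runs so that per-run background traffic (Edge, Bing and the other 443 sessions seen only on win10) drops out, maps the in-addr.arpa queries back to IPs to show they mirror the C2 and geoplugin.net connections rather than adding new infrastructure, and separates file hashes that repeat across runs from ones that change every run or belong to an empty file. 107.175.229.139:8087 is the Remcos C2 (the remotehost tag is the default Remcos botnet name carried in its configuration); geoplugin.net is the geolocation lookup Remcos performs at start-up and is also used by legitimate software, so it is a behavioural indicator rather than a block-list entry; C:\ProgramData\remcos\logs.dat is the Remcos log file and differs per run by nature. Function names and the noise rules are my choices.

```python
import hashlib
import re

# Constructed sample input: the two "Network" tables above (behavioral2 abridged
# to a representative subset). Rows have 3 fields when no domain was resolved.
NETWORK_RUN1 = """
US 107.175.229.139:8087 tcp
US 107.175.229.139:8087 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
"""
NETWORK_RUN2 = """
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 107.175.229.139:8087 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 139.229.175.107.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
IE 94.245.104.56:443 tcp
GB 51.140.242.104:443 tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""
# Constructed sample input: path -> SHA256 from the two "Files" sections above.
FILES_RUN1 = {
    r"C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe": "98f529e5a73f29a93813731c24a9180227be92265e01a41c633a3468990432b4",
    r"C:\Users\Admin\AppData\Local\Temp\vitraillist": "132f9d86d77df4cc036a745abc0a419412a35b9977005bb0a19258d8a629bbf2",
    r"C:\Users\Admin\AppData\Local\Temp\orographically": "e138b8344f3c0b7d400d452da5662e5625365f71ca955034f8b6ddf05b4a3c37",
    r"C:\ProgramData\remcos\logs.dat": "754f5cb74546df7e3aca4f7a9023cdc4d831bf44493b7dde9e6417076c233ef5",
}
FILES_RUN2 = {
    r"C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe": "55b380de6427d52da2b1bd08a46493e9c015920ac810140ee3b2773878e2d3b6",
    r"C:\Users\Admin\AppData\Local\Temp\vitraillist": "132f9d86d77df4cc036a745abc0a419412a35b9977005bb0a19258d8a629bbf2",
    r"C:\Users\Admin\AppData\Local\Temp\orographically": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    r"C:\ProgramData\remcos\logs.dat": "c3227f9633f47aa829fc3e01c4289261ac4c320f78aab48de0066b868bb4139a",
}
SANDBOX_RESOLVER = "8.8.8.8:53"  # every UDP/53 row in the tables goes here


def parse_network(text):
    """'Country Destination [Domain] Proto' rows -> dicts."""
    rows = []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) >= 3:
            rows.append({"country": f[0], "dest": f[1], "domain": f[2] if len(f) == 4 else "", "proto": f[-1]})
    return rows


def ptr_to_ip(name):
    """'139.229.175.107.in-addr.arpa' -> '107.175.229.139'; None for anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa", name)
    return ".".join(reversed(m.groups())) if m else None


def contacted(rows):
    """TCP sessions only; UDP/53 to the sandbox resolver is a lookup, not contact."""
    return {(r["dest"], r["domain"]) for r in rows if r["proto"] == "tcp" and r["dest"] != SANDBOX_RESOLVER}


def common_destinations(rows_a, rows_b):
    """Destinations reached in both detonations; per-run OS/browser background
    traffic (Edge, Bing, the other 443 sessions seen only on win10) falls out."""
    return sorted(contacted(rows_a) & contacted(rows_b))


def ptr_lookups_for_contacted(rows):
    """Reverse lookups whose IP was also connected to: the OS resolving the same
    endpoints backwards, not additional infrastructure."""
    ips = {dest.rsplit(":", 1)[0] for dest, _ in contacted(rows)}
    return sorted(ip for ip in (ptr_to_ip(r["domain"]) for r in rows) if ip in ips)


def stable_file_hashes(files_a, files_b):
    """Split dropped files into hashes that repeat across runs (shareable), files
    rebuilt with a new hash every run (track by path instead), and zero-byte
    captures (the digest of empty input, which identifies nothing)."""
    empty = hashlib.sha256(b"").hexdigest()
    stable, unstable, empty_files = {}, [], []
    for path in sorted(files_a.keys() & files_b.keys()):
        a, b = files_a[path], files_b[path]
        if empty in (a, b):
            empty_files.append(path)
        elif a == b:
            stable[path] = a
        else:
            unstable.append(path)
    return stable, unstable, empty_files


if __name__ == "__main__":
    r1, r2 = parse_network(NETWORK_RUN1), parse_network(NETWORK_RUN2)
    print("destinations seen in both runs:", common_destinations(r1, r2))
    print("PTR lookups that mirror contacted IPs:", ptr_lookups_for_contacted(r2))
    stable, unstable, empty = stable_file_hashes(FILES_RUN1, FILES_RUN2)
    print("stable hashes:", stable)
    print("changes every run (track by path):", unstable)
    print("zero-byte captures (no usable hash):", empty)
```

The outcome is the short list a responder actually wants: 107.175.229.139:8087 as the C2, geoplugin.net as a corroborating behaviour, the Startup-folder brawlis.vbs and C:\Users\Admin\AppData\Local\reindulgence\brawlis.exe as path indicators, and only vitraillist as a file hash that survives from one run to the next.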