Analysis Overview
SHA256
87d5833ba766b841f9b478680e765f78a8db838b37521d31ce0520c0baf7933f
Threat Level: Known bad
The file 87d5833ba766b841f9b478680e765f78a8db838b37521d31ce0520c0baf7933f.gz was found to be: Known bad.
Malicious Activity Summary
Remcos
Nirsoft
Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Detects executables packed with SmartAssembly
Detects executables referencing many email and collaboration clients. Observed in information stealers
NirSoft MailPassView
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers
NirSoft WebBrowserPassView
Detects executables built or packed with MPress PE compressor
Reads user/profile data of web browsers
Checks computer location settings
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious use of UnmapMainImage
Suspicious behavior: MapViewOfSection
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-09 01:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-09 01:42
Reported
2024-04-09 01:45
Platform
win7-20240221-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Remcos
Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables packed with SmartAssembly
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables referencing many email and collaboration clients. Observed in information stealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2276 set thread context of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe | C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe |
| PID 2732 set thread context of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe | C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe |
| PID 2732 set thread context of 1832 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe | C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe |
| PID 2732 set thread context of 2220 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe | C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fmduzErmJdOHa.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fmduzErmJdOHa" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5D7B.tmp"
C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe"
C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe" /stext "C:\Users\Admin\AppData\Local\Temp\zkfdxkzjacwz"
C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe" /stext "C:\Users\Admin\AppData\Local\Temp\bmlwyukdokomhdj"
C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe" /stext "C:\Users\Admin\AppData\Local\Temp\mgyoznvecsgrrjxlhrb"
C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe" /stext "C:\Users\Admin\AppData\Local\Temp\mgyoznvecsgrrjxlhrb"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | paygateme.net | udp |
| US | 146.70.57.34:2286 | paygateme.net | tcp |
| US | 146.70.57.34:2286 | paygateme.net | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp5D7B.tmp
| MD5 | 98fbbc106ed5b753371d5873fc862b6e |
| SHA1 | 0778c9f7e33fe87af18339cfa21c6e0c801e68f8 |
| SHA256 | fccce9282083b6273ef28c86448aec4080b54761e5a473e4a3ee4a5d35a8fbe4 |
| SHA512 | 9f0fce9ff51fc6094cd3469b773db829595a98f0a09448a0ed993fb822fabaf25bccb3a5d5c04e03c8ccddd84a8a165770744a7c672618745cfd8cacfcd5f74f |
C:\Users\Admin\AppData\Local\Temp\zkfdxkzjacwz
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
C:\ProgramData\remcos\logs.dat
| MD5 | a3b0c38c4d888564f565288d5e696b8e |
| SHA1 | 3b506caf0778d7f120b21590b6426dd7a8c9a918 |
| SHA256 | 5f47594cbf43965c3d68f05823882f0a92640b1337f331b658fdcfc36a9d2fab |
| SHA512 | f94635918e92cba37f1aaeaf5c0bce3da0e4944058648ee2b18f28cb2580aceb554132025becaf344df239368c7f9c0b55acc54bbc290521edc61e41a7ad4ed3 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-09 01:42
Reported
2024-04-09 01:45
Platform
win10v2004-20240226-en
Max time kernel
153s
Max time network
160s
Command Line
Signatures
Remcos
Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables packed with SmartAssembly
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables referencing many email and collaboration clients. Observed in information stealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fmduzErmJdOHa.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fmduzErmJdOHa" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD820.tmp"
C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe"
C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe" /stext "C:\Users\Admin\AppData\Local\Temp\qdgqatvxbiivuconag"
C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe" /stext "C:\Users\Admin\AppData\Local\Temp\qdgqatvxbiivuconag"
C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe" /stext "C:\Users\Admin\AppData\Local\Temp\aylbamgypqaaeqcrjrsxp"
C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe" /stext "C:\Users\Admin\AppData\Local\Temp\aylbamgypqaaeqcrjrsxp"
C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe" /stext "C:\Users\Admin\AppData\Local\Temp\daqtbeqsdysfgxzvabfzsfqj"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4532 -ip 4532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 12
C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe" /stext "C:\Users\Admin\AppData\Local\Temp\xpmlydldrvwys"
C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ijsdywvfmdoluern"
C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ.NO. S70-23Q-1474-CS-P - ORDER 2024.exe" /stext "C:\Users\Admin\AppData\Local\Temp\sdxwzogzalgqfsnrubs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | paygateme.net | udp |
| US | 146.70.57.34:2286 | paygateme.net | tcp |
| US | 8.8.8.8:53 | 34.57.70.146.in-addr.arpa | udp |
| US | 146.70.57.34:2286 | paygateme.net | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.64.52.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tmpD820.tmp
| MD5 | c7e41995d81bbda7c0f44cbe18db3b25 |
| SHA1 | 3528a2450f6335af3010042038cbc2fd15b45539 |
| SHA256 | 383cec51ecf3f289ad7c5e3efe8a22b7173885eb17b2c0a29a8b0a25f5b710dd |
| SHA512 | 1c717a6844d4bd73c81f3ad432b9ad8a4151320274c4a1bf15f4216b66644064d7ed88e7581fb5854ad91249a63de65220eaf0e494c676ba692118f558ea41c7 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dfpar3rb.sli.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xpmlydldrvwys
| MD5 | 794bf931212af3178e85954ea35f687a |
| SHA1 | e78eb5300a58c85256b08135673b991f8dfce664 |
| SHA256 | 49911477803d5cea085304ff6af24310412e31d37b88ac30d5cbd890c98d5619 |
| SHA512 | 4a1d63034421b56d8968da94049b83ed1a78f832d8fb92664e3dd5240531be8a277163a1c4ddefeafb18651e2cf8219adbdb82763d8b5c695e8ed8ce8250d6df |
C:\ProgramData\remcos\logs.dat
| MD5 | b4f9a5da6b9b1edf3c1b51950e9addfb |
| SHA1 | 52fbc54d3f9bac2e0938a28d5c083e07ce3d42a2 |
| SHA256 | 9cfcf118c99f138b51c4e43f24340e2066d65707badb1f81c77ffdfd3328e332 |
| SHA512 | 548abe3522b5d6fddd7ed9a394e95de001fcd8b000f9951bc1b12f2f4cb8efaceed7a6b480df693a7f6f43c002a1f5244753383f96d31068693bc25f34a45c9f |