Malware Analysis Report

2025-06-16 01:20

Sample ID 240410-lg8bfaaf65
Target 0a9babd846b1edf99e75f3c9de492c6341f9ca9a8e91851ad323bf8f325f9799
SHA256 0a9babd846b1edf99e75f3c9de492c6341f9ca9a8e91851ad323bf8f325f9799
Tags
remcos harry persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0a9babd846b1edf99e75f3c9de492c6341f9ca9a8e91851ad323bf8f325f9799

Threat Level: Known bad

The file 0a9babd846b1edf99e75f3c9de492c6341f9ca9a8e91851ad323bf8f325f9799 was found to be: Known bad.

Malicious Activity Summary

remcos harry persistence rat

Remcos

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-10 09:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-10 09:31

Reported

2024-04-10 09:34

Platform

win7-20240319-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a9babd846b1edf99e75f3c9de492c6341f9ca9a8e91851ad323bf8f325f9799.exe"

Signatures

Remcos

rat remcos

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\bin = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\0a9babd846b1edf99e75f3c9de492c6341f9ca9a8e91851ad323bf8f325f9799.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\bin = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2228 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\0a9babd846b1edf99e75f3c9de492c6341f9ca9a8e91851ad323bf8f325f9799.exe C:\Users\Admin\AppData\Local\Temp\0a9babd846b1edf99e75f3c9de492c6341f9ca9a8e91851ad323bf8f325f9799.exe
PID 2484 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\0a9babd846b1edf99e75f3c9de492c6341f9ca9a8e91851ad323bf8f325f9799.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 1660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2240 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
PID 2872 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Users\Admin\AppData\Roaming\remcos\remcos.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0a9babd846b1edf99e75f3c9de492c6341f9ca9a8e91851ad323bf8f325f9799.exe

"C:\Users\Admin\AppData\Local\Temp\0a9babd846b1edf99e75f3c9de492c6341f9ca9a8e91851ad323bf8f325f9799.exe"

C:\Users\Admin\AppData\Local\Temp\0a9babd846b1edf99e75f3c9de492c6341f9ca9a8e91851ad323bf8f325f9799.exe

"C:\Users\Admin\AppData\Local\Temp\0a9babd846b1edf99e75f3c9de492c6341f9ca9a8e91851ad323bf8f325f9799.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "

C:\Windows\SysWOW64\PING.EXE

PING 127.0.0.1 -n 2

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe

"C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe

"C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 newremc22.ddns.net udp

Files

C:\Users\Admin\AppData\Local\Temp\install.bat

MD5 76c1687d97dfdbcea62ef1490bec5001
SHA1 5f4d1aeafa7d840cde67b76f97416dd68efd1bed
SHA256 79f04ea049979ffd2232c459fdd57fae97a5255aea9b4a2c7dce7ead856f37a4
SHA512 da250f0628632a644f159d818a82a8b9cca8224e46843bddbe0f6f9c32a2d04f7736a620af49ab6d77616317ca7d68285e60043965fe86c03d940835bd30a925

\Users\Admin\AppData\Roaming\remcos\remcos.exe

MD5 51da9d817874e8eb7020e708e263f79a
SHA1 2f175ccb80f9103865bf89c0c9ea7754a6d99ba3
SHA256 0a9babd846b1edf99e75f3c9de492c6341f9ca9a8e91851ad323bf8f325f9799
SHA512 366875c7f4af27f74c7603fed936bbb9ecb0f6bf2e37b2ff9f00643ab1df2753930721c41ac09cce882ca577e98ad369adb7658759f34070bc165c3aeb8de82b

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-10 09:31

Reported

2024-04-10 09:34

Platform

win10v2004-20240226-en

Max time kernel

156s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a9babd846b1edf99e75f3c9de492c6341f9ca9a8e91851ad323bf8f325f9799.exe"

Signatures

Remcos

rat remcos

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0a9babd846b1edf99e75f3c9de492c6341f9ca9a8e91851ad323bf8f325f9799.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bin = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\0a9babd846b1edf99e75f3c9de492c6341f9ca9a8e91851ad323bf8f325f9799.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bin = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3264 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\0a9babd846b1edf99e75f3c9de492c6341f9ca9a8e91851ad323bf8f325f9799.exe C:\Users\Admin\AppData\Local\Temp\0a9babd846b1edf99e75f3c9de492c6341f9ca9a8e91851ad323bf8f325f9799.exe
PID 2732 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\0a9babd846b1edf99e75f3c9de492c6341f9ca9a8e91851ad323bf8f325f9799.exe C:\Windows\SysWOW64\cmd.exe
PID 3432 wrote to memory of 5016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3432 wrote to memory of 956 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
PID 956 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Users\Admin\AppData\Roaming\remcos\remcos.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0a9babd846b1edf99e75f3c9de492c6341f9ca9a8e91851ad323bf8f325f9799.exe

"C:\Users\Admin\AppData\Local\Temp\0a9babd846b1edf99e75f3c9de492c6341f9ca9a8e91851ad323bf8f325f9799.exe"

C:\Users\Admin\AppData\Local\Temp\0a9babd846b1edf99e75f3c9de492c6341f9ca9a8e91851ad323bf8f325f9799.exe

"C:\Users\Admin\AppData\Local\Temp\0a9babd846b1edf99e75f3c9de492c6341f9ca9a8e91851ad323bf8f325f9799.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "

C:\Windows\SysWOW64\PING.EXE

PING 127.0.0.1 -n 2

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe

"C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe

"C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 newremc22.ddns.net udp

Files

C:\Users\Admin\AppData\Local\Temp\install.bat

MD5 76c1687d97dfdbcea62ef1490bec5001
SHA1 5f4d1aeafa7d840cde67b76f97416dd68efd1bed
SHA256 79f04ea049979ffd2232c459fdd57fae97a5255aea9b4a2c7dce7ead856f37a4
SHA512 da250f0628632a644f159d818a82a8b9cca8224e46843bddbe0f6f9c32a2d04f7736a620af49ab6d77616317ca7d68285e60043965fe86c03d940835bd30a925

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe

MD5 51da9d817874e8eb7020e708e263f79a
SHA1 2f175ccb80f9103865bf89c0c9ea7754a6d99ba3
SHA256 0a9babd846b1edf99e75f3c9de492c6341f9ca9a8e91851ad323bf8f325f9799
SHA512 366875c7f4af27f74c7603fed936bbb9ecb0f6bf2e37b2ff9f00643ab1df2753930721c41ac09cce882ca577e98ad369adb7658759f34070bc165c3aeb8de82b
