Malware Analysis Report

2024-12-07 22:33

Sample ID 240412-bwzmqsee8s
Target b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe
SHA256 b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da
Tags
remcos remotehost rat
score
10/10

Analysis Overview

score
10/10

SHA256

b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da

Threat Level: Known bad

The file b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe was found to be: Known bad.

Malicious Activity Summary

remcos remotehost rat

Remcos

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Detects executables packed with SmartAssembly

Checks computer location settings

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-12 01:30

Signatures

Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-12 01:30

Reported

2024-04-12 01:33

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe"

Signatures

Remcos

rat remcos

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Detects executables packed with SmartAssembly

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4312 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4312 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4312 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4312 wrote to memory of 4288 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4312 wrote to memory of 4288 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4312 wrote to memory of 4288 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4312 wrote to memory of 1948 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4312 wrote to memory of 1948 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4312 wrote to memory of 1948 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4312 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe
PID 4312 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe
PID 4312 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe
PID 4312 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe
PID 4312 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe
PID 4312 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe
PID 4312 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe
PID 4312 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe
PID 4312 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe
PID 4312 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe
PID 4312 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe
PID 4312 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe

"C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HFqduGIsFotY.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HFqduGIsFotY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9B84.tmp"

C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe

"C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 107.211.222.173.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp
US | 8.8.8.8:53 | bignight.net | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 146.70.57.34:3363 | bignight.net | tcp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 121.118.77.104.in-addr.arpa | udp
US | 146.70.57.34:3363 | bignight.net | tcp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 146.70.57.34:3363 | bignight.net | tcp
US | 146.70.57.34:3363 | bignight.net | tcp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 146.70.57.34:3363 | bignight.net | tcp
US | 146.70.57.34:3363 | bignight.net | tcp
US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\tmp9B84.tmp

MD5 4261dfbd8420edb2cbe56ccb96f8c5b1
SHA1 18763e8e73f07110292fce297c0109bc28f08515
SHA256 edff98cccbcc6cb4cc6a7aeef7f26531a63c1407734223e4a34724cb1022f01d
SHA512 35277635da186b5faaec8d9599eff9e0abc6271bd1a4b359d3e56c49c4d74a63c5a1dcc6d3c04fa615ba763d88b7e7b87586e6df1f8e4c46b89161ccdff1436d

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v2dw2thr.pti.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 14140dcf30200324419f32b2da3a6e14
SHA1 5991540bd79b2f93dbac2a4eed99e4f7b281ecdd
SHA256 a6bd150d9a3194f7ebf3b7aa14f191e8213ad77b2e6f10e5f156b579d9187088
SHA512 0b22a272a049df7e0f2592dee9ca570e867a10948dfb6bf3a86ca71082ca957d1649066e87b0bfd5e1777cc8fc761a913d8f3c1a6f550dc25ff924c7d651b4f2

C:\ProgramData\remcos\logs.dat

MD5 83b186ad7ed3c4dfe70dfc529ebe5e3b
SHA1 21a85e3c7fe7d37a7e5e69aa901c0cbf543a9355
SHA256 a9e1d1c5c5adf82ec0a4c4688dd228d4357b4222c434c5371b9bc50d4e259937
SHA512 e28c763fb4f6d07e02a04e7eeb70bb067821d62514362420f3477480ba66fcc32be3db3fb5295e822890d4cabfd943cb06c0661fa5c0996900b7bc9a4aa1a4d0

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-12 01:30

Reported

2024-04-12 01:32

Platform

win7-20240221-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe"

Signatures

Remcos

rat remcos

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Detects executables packed with SmartAssembly

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2992 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2992 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2992 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2992 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2992 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2992 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2992 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2992 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2992 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2992 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2992 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2992 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2992 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe
PID 2992 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe
PID 2992 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe
PID 2992 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe
PID 2992 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe
PID 2992 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe
PID 2992 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe
PID 2992 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe
PID 2992 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe
PID 2992 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe
PID 2992 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe
PID 2992 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe
PID 2992 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe
PID 2992 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe
PID 2992 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe
PID 2992 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe
PID 2992 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe
PID 2992 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe
PID 2992 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe
PID 2992 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe
PID 2992 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe
PID 2992 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe
PID 2992 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe
PID 2992 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe
PID 2992 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe | C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe

"C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HFqduGIsFotY.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HFqduGIsFotY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8102.tmp"

C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe

"C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe"

C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe

"C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe"

C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe

"C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe"

C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe

"C:\Users\Admin\AppData\Local\Temp\b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | bignight.net | udp
US | 146.70.57.34:3363 | bignight.net | tcp
US | 146.70.57.34:3363 | bignight.net | tcp
US | 146.70.57.34:3363 | bignight.net | tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp8102.tmp

MD5 a55185ed181a78a7821404b0e9b2d93a
SHA1 2e7dc9063fffec7022b6124e2e95f6c21532ad09
SHA256 fe8bfc9154aa5f70c06411e08099ea3a02ed087a89a24fe5c161324c25bfd5a3
SHA512 02db066ecd5202db04a1e0fb50c59dcf92f724e6707afb87e37a7bf9cd90ea6fafcb4b6ab6153587866d2036ecf370834fd912a00a99a6a749e2f20f5eadbee9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\P1D9SOW0H1N2D0LFN1ZU.temp

MD5 d2cf0baa8a9c287b747c0d458b782ce2
SHA1 b656af9699bd80bc6b850ddc10a9835a4ca3f3e8
SHA256 1ec1b146b60dd91070cd0ef2f0d0a9dc23dd68ea6319993abbc10143e2cafb1d
SHA512 fcf0bb35bc4d97cb23e8f7fb1ec1a66be85d6c3307786a6b4c87bd55e954e9e5cfd28abb9056de9704f12fff948a8c5493a5f1cf6d64e3af4ab25b95c2700fea

C:\ProgramData\remcos\logs.dat

MD5 cb68646e469e4f0e883005dc750e338f
SHA1 f40359c370e449791dc578906cb0b2e02740975f
SHA256 93dfa8b65d9ea046049eb6213c50ee5afa2c0c741a4eb6cec3dfe271fca806f8
SHA512 c514f4eacf883ab2864c1115c38ef77e3133ecfbfdfac577914d34850786cbe4ef62c33d492b2271e3856bd580ac9fff94ab9215f0e6a584fc81cc2762743f9c
