Malware Analysis Report

2024-12-07 22:34

Sample ID 240417-p2vgvshd3w
Target 8c77cb258fad2852c387cecdf4f1bb79ae376d79b3ee2fee96de8bf1c00e8c8d
SHA256 8c77cb258fad2852c387cecdf4f1bb79ae376d79b3ee2fee96de8bf1c00e8c8d
Tags
remcos remotehost collection rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8c77cb258fad2852c387cecdf4f1bb79ae376d79b3ee2fee96de8bf1c00e8c8d

Threat Level: Known bad

The file 8c77cb258fad2852c387cecdf4f1bb79ae376d79b3ee2fee96de8bf1c00e8c8d was found to be: Known bad.

Malicious Activity Summary

remcos remotehost collection rat spyware stealer

Remcos

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Reads user/profile data of web browsers

Checks computer location settings

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-17 12:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 12:49

Reported

2024-04-17 12:53

Platform

win7-20240221-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe"

Signatures

Remcos

rat remcos

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1908 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1908 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Windows\SysWOW64\schtasks.exe
PID 1908 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 1908 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2708 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2708 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2708 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2708 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2708 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe

"C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mmznklFQRO.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mmznklFQRO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8D9F.tmp"

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe

"C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe"

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe

"C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe"

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe /stext "C:\Users\Admin\AppData\Local\Temp\crdlutrajwfwwhuzrbdvcarvepkmg"

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe /stext "C:\Users\Admin\AppData\Local\Temp\muievmbbxexjgvqdamyxfmlemvcvhdveo"

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe /stext "C:\Users\Admin\AppData\Local\Temp\powww"

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe /stext "C:\Users\Admin\AppData\Local\Temp\powww"

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe /stext "C:\Users\Admin\AppData\Local\Temp\powww"

Network

Country Destination Domain Proto
US 8.8.8.8:53 paygateme.net udp
US 146.70.57.34:2286 paygateme.net tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp8D9F.tmp

MD5 26cc36113e8dda9ebc172c67de31534c
SHA1 09de63e6e9cf868825ed390524b71c5c5caf72eb
SHA256 31135b0951caafc5de1faf6207ea61c773cf4f46c5d4d19e31053a1929a12d15
SHA512 a1335dad6e7ed41801c4fd658686c8a176deee796c27e697f37a93c742f29633b2ef467ae390eb992cee6bdc05d3e52dffad6729b5ed14084f8575425ea7b778

C:\Users\Admin\AppData\Local\Temp\crdlutrajwfwwhuzrbdvcarvepkmg

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\ProgramData\remcos\logs.dat

MD5 35813db4bd20154047fe961a6d68eaf1
SHA1 499a5b6d4ac82fa1737aa9c7286afe975f2f2523
SHA256 39de77732e5f1634e2ad2adede0019625c83a6de2353184f3257e827c75a24fb
SHA512 beb1a2730afb3f3877543b9ffa2d2cf0cc94cfba58afd650ce97bd6622132199cfb42b5fa1f881415510a25a36f8fa5aa528ad8b048d08ce3e726a33d47eebdb

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 12:49

Reported

2024-04-17 12:52

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe"

Signatures

Remcos

rat remcos

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4352 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4352 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Windows\SysWOW64\schtasks.exe
PID 4352 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 760 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 760 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 760 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 760 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 760 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 760 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe

"C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mmznklFQRO.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mmznklFQRO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp761A.tmp"

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe

"C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe"

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe /stext "C:\Users\Admin\AppData\Local\Temp\xtwsbeb"

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe /stext "C:\Users\Admin\AppData\Local\Temp\xtwsbeb"

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe /stext "C:\Users\Admin\AppData\Local\Temp\xtwsbeb"

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe /stext "C:\Users\Admin\AppData\Local\Temp\xtwsbeb"

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe /stext "C:\Users\Admin\AppData\Local\Temp\zwklcplzin"

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe /stext "C:\Users\Admin\AppData\Local\Temp\jqpwchwbwvtvq"

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 paygateme.net udp
US 146.70.57.34:2286 paygateme.net tcp
US 8.8.8.8:53 34.57.70.146.in-addr.arpa udp
US 146.70.57.34:2286 paygateme.net tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/4352-0-0x0000000000950000-0x0000000000A36000-memory.dmp

memory/4352-1-0x0000000074450000-0x0000000074C00000-memory.dmp

memory/4352-3-0x0000000005410000-0x00000000054A2000-memory.dmp

memory/4352-2-0x00000000058C0000-0x0000000005E64000-memory.dmp

memory/4352-4-0x0000000005630000-0x0000000005640000-memory.dmp

memory/4352-5-0x00000000054D0000-0x00000000054DA000-memory.dmp

memory/4352-6-0x00000000065F0000-0x0000000006600000-memory.dmp

memory/4352-7-0x0000000006710000-0x000000000671C000-memory.dmp

memory/4352-8-0x0000000007E90000-0x0000000007F50000-memory.dmp

memory/4352-9-0x000000000A660000-0x000000000A6FC000-memory.dmp

memory/2988-14-0x0000000002C70000-0x0000000002CA6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp761A.tmp

MD5 c83929aa45e40ee3dff1b0a0381695ba
SHA1 8cb5c84aef72a7af88d460954c48a75de25d7679
SHA256 449c301f1100fd51a60f5545df88aa6c5f5986be1555dca4eed88451c43d3425
SHA512 91223f9bb60837efe77d0dbb88bbff1e674d59812a24743307a555cd0e1ad511c442646752089bc025e0d0f9015f08643f90a93f7c8cfc6d580a90bcfcf36146

memory/2988-16-0x0000000074450000-0x0000000074C00000-memory.dmp

memory/2988-19-0x0000000005750000-0x0000000005D78000-memory.dmp

memory/760-23-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4352-25-0x0000000074450000-0x0000000074C00000-memory.dmp

memory/2988-27-0x00000000056C0000-0x00000000056E2000-memory.dmp

memory/760-24-0x0000000000400000-0x0000000000482000-memory.dmp

memory/760-28-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2988-30-0x0000000005EF0000-0x0000000005F56000-memory.dmp

memory/2988-32-0x0000000005F60000-0x0000000005FC6000-memory.dmp

memory/760-31-0x0000000000400000-0x0000000000482000-memory.dmp

memory/760-29-0x0000000000400000-0x0000000000482000-memory.dmp

memory/760-21-0x0000000000400000-0x0000000000482000-memory.dmp

memory/760-20-0x0000000000400000-0x0000000000482000-memory.dmp

memory/760-33-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2988-18-0x0000000002C20000-0x0000000002C30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kaynq5jx.qml.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2988-17-0x0000000002C20000-0x0000000002C30000-memory.dmp

memory/2988-44-0x0000000005FD0000-0x0000000006324000-memory.dmp

memory/2988-45-0x0000000006570000-0x000000000658E000-memory.dmp

memory/2988-46-0x00000000066C0000-0x000000000670C000-memory.dmp

memory/2988-48-0x0000000006B30000-0x0000000006B62000-memory.dmp

memory/2988-49-0x00000000707E0000-0x000000007082C000-memory.dmp

memory/2988-62-0x0000000007550000-0x00000000075F3000-memory.dmp

memory/2988-61-0x0000000002C20000-0x0000000002C30000-memory.dmp

memory/2988-60-0x0000000002C20000-0x0000000002C30000-memory.dmp

memory/2988-64-0x0000000007690000-0x00000000076AA000-memory.dmp

memory/2988-63-0x0000000007FB0000-0x000000000862A000-memory.dmp

memory/2988-65-0x0000000007700000-0x000000000770A000-memory.dmp

memory/2988-59-0x0000000006B70000-0x0000000006B8E000-memory.dmp

memory/2988-66-0x0000000007B20000-0x0000000007BB6000-memory.dmp

memory/2988-47-0x000000007EEA0000-0x000000007EEB0000-memory.dmp

memory/2988-67-0x0000000007AA0000-0x0000000007AB1000-memory.dmp

memory/2988-70-0x0000000007BE0000-0x0000000007BFA000-memory.dmp

memory/2988-71-0x0000000007BC0000-0x0000000007BC8000-memory.dmp

memory/2988-69-0x0000000007AE0000-0x0000000007AF4000-memory.dmp

memory/2988-68-0x0000000007AD0000-0x0000000007ADE000-memory.dmp

memory/2988-74-0x0000000074450000-0x0000000074C00000-memory.dmp

memory/760-76-0x0000000000400000-0x0000000000482000-memory.dmp

memory/760-75-0x0000000000400000-0x0000000000482000-memory.dmp

memory/760-78-0x0000000000400000-0x0000000000482000-memory.dmp

memory/760-77-0x0000000000400000-0x0000000000482000-memory.dmp

memory/760-80-0x0000000000400000-0x0000000000482000-memory.dmp

memory/760-83-0x0000000000400000-0x0000000000482000-memory.dmp

memory/760-82-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4004-84-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2948-85-0x0000000000400000-0x0000000000462000-memory.dmp

memory/4196-87-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2948-92-0x0000000000400000-0x0000000000462000-memory.dmp

memory/4004-89-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4196-98-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4196-100-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2948-99-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2948-102-0x0000000000400000-0x0000000000462000-memory.dmp

memory/4196-101-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4004-93-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4004-104-0x0000000000400000-0x0000000000478000-memory.dmp

memory/760-110-0x0000000010000000-0x0000000010019000-memory.dmp

memory/760-112-0x0000000010000000-0x0000000010019000-memory.dmp

memory/760-111-0x0000000000400000-0x0000000000482000-memory.dmp

memory/760-109-0x0000000010000000-0x0000000010019000-memory.dmp

memory/760-106-0x0000000010000000-0x0000000010019000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xtwsbeb

MD5 6566db55a623d93ea0838e3d13cf99d2
SHA1 c39fe9aef3ea6483ea4210e2989da84ddfb403e2
SHA256 6c73d4e220894399c0a8b9e901e9e1183f86658e05e59118112418b53805f995
SHA512 bd2cb72fbc109d2e60a82f1df0425c17fabbc9235eff698393dc22ad34fdc71a2abd8137994904ca28316d49f8d77f49142464d11f07e5fd7d46a7208e279a27

memory/760-114-0x0000000000400000-0x0000000000482000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 5f5c44658f92dabbe87cfe0ba259ed3f
SHA1 1c4d0c0613775fb828f27e6224b03b06f67470fa
SHA256 bebc8a0109ff060ca2a32e81f72d7c0c68e784354d7ff0047bdfd2d65a13b467
SHA512 1a1cf4a31a3d513a6eb5b79d0ecfd6ab38dc713f172b00de5890a02f8e3d89d68685ea3d1f54a2608a3846fcdc5aca60ad9a274b81696e841c2b85d2131dc300

memory/760-121-0x0000000000400000-0x0000000000482000-memory.dmp

memory/760-120-0x0000000000400000-0x0000000000482000-memory.dmp

memory/760-130-0x0000000000400000-0x0000000000482000-memory.dmp

memory/760-129-0x0000000000400000-0x0000000000482000-memory.dmp

memory/760-137-0x0000000000400000-0x0000000000482000-memory.dmp

memory/760-138-0x0000000000400000-0x0000000000482000-memory.dmp

memory/760-146-0x0000000000400000-0x0000000000482000-memory.dmp

memory/760-147-0x0000000000400000-0x0000000000482000-memory.dmp