Malware Analysis Report

2025-01-02 03:40

Sample ID 240509-m2pkhagf68
Target 3dbe769bb2675de3bada40f257ce820b7356c2acb79bb3d4509d145fc9150772
SHA256 3dbe769bb2675de3bada40f257ce820b7356c2acb79bb3d4509d145fc9150772
Tags
remcos sthost execution rat
score
10/10

Analysis Overview

score
10/10

SHA256

3dbe769bb2675de3bada40f257ce820b7356c2acb79bb3d4509d145fc9150772

Threat Level: Known bad

The file 3dbe769bb2675de3bada40f257ce820b7356c2acb79bb3d4509d145fc9150772 was found to be: Known bad.

Malicious Activity Summary

remcos sthost execution rat

Remcos

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-05-09 10:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 10:57

Reported

2024-05-09 11:00

Platform

win7-20240221-en

Max time kernel

151s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3dbe769bb2675de3bada40f257ce820b7356c2acb79bb3d4509d145fc9150772.exe"

Signatures

Remcos

rat remcos

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3dbe769bb2675de3bada40f257ce820b7356c2acb79bb3d4509d145fc9150772.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3dbe769bb2675de3bada40f257ce820b7356c2acb79bb3d4509d145fc9150772.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1084 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\3dbe769bb2675de3bada40f257ce820b7356c2acb79bb3d4509d145fc9150772.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\3dbe769bb2675de3bada40f257ce820b7356c2acb79bb3d4509d145fc9150772.exe C:\Windows\SysWOW64\schtasks.exe
PID 1084 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\3dbe769bb2675de3bada40f257ce820b7356c2acb79bb3d4509d145fc9150772.exe C:\Users\Admin\AppData\Local\Temp\3dbe769bb2675de3bada40f257ce820b7356c2acb79bb3d4509d145fc9150772.exe
PID 1084 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\3dbe769bb2675de3bada40f257ce820b7356c2acb79bb3d4509d145fc9150772.exe C:\Users\Admin\AppData\Local\Temp\3dbe769bb2675de3bada40f257ce820b7356c2acb79bb3d4509d145fc9150772.exe
PID 1084 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\3dbe769bb2675de3bada40f257ce820b7356c2acb79bb3d4509d145fc9150772.exe C:\Users\Admin\AppData\Local\Temp\3dbe769bb2675de3bada40f257ce820b7356c2acb79bb3d4509d145fc9150772.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3dbe769bb2675de3bada40f257ce820b7356c2acb79bb3d4509d145fc9150772.exe

"C:\Users\Admin\AppData\Local\Temp\3dbe769bb2675de3bada40f257ce820b7356c2acb79bb3d4509d145fc9150772.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\siRiSxOKgeg.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\siRiSxOKgeg" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCF21.tmp"

C:\Users\Admin\AppData\Local\Temp\3dbe769bb2675de3bada40f257ce820b7356c2acb79bb3d4509d145fc9150772.exe

"C:\Users\Admin\AppData\Local\Temp\3dbe769bb2675de3bada40f257ce820b7356c2acb79bb3d4509d145fc9150772.exe"

C:\Users\Admin\AppData\Local\Temp\3dbe769bb2675de3bada40f257ce820b7356c2acb79bb3d4509d145fc9150772.exe

"C:\Users\Admin\AppData\Local\Temp\3dbe769bb2675de3bada40f257ce820b7356c2acb79bb3d4509d145fc9150772.exe"

C:\Users\Admin\AppData\Local\Temp\3dbe769bb2675de3bada40f257ce820b7356c2acb79bb3d4509d145fc9150772.exe

"C:\Users\Admin\AppData\Local\Temp\3dbe769bb2675de3bada40f257ce820b7356c2acb79bb3d4509d145fc9150772.exe"

Network

Country Destination Domain Proto
BE 89.249.73.162:2479 tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmpCF21.tmp

MD5 40da0e35842f475f5a5ab277fcbb7e2a
SHA1 2fdc04b65599e8ac6fd28ed40c389b03c138ffc8
SHA256 d24c9a2d5f89912cadd98be67b37b52b13de4f27a1da62a58a20c21cc03904e4
SHA512 b4b91c9359f90db5d572e05f4907b1ec74acc6297c15548326ce5f1089390908362b7b0fc4d336fae57dd7e206b53e4bf9217087a76e4d829b9d497119f193f1

C:\ProgramData\remcos\logs.dat

MD5 7faee86bcca70c8e12b73b08ecefa626
SHA1 d05b76f8240eff36bdc647b6d1f4a42baf92e9f8
SHA256 9b7e8b790123c1c0915c7ea0506a9d1acc46250f7c10ec28a75f991cb9c9b1e0
SHA512 6374a8a7fe7046f81bb710fe4b37249f5c595507649491160693b8adc2639d279b7b4bb3f4162016f13851aa0b9f5abb8138ac745ddcffde6f315bcf56c12332

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 10:57

Reported

2024-05-09 11:00

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3dbe769bb2675de3bada40f257ce820b7356c2acb79bb3d4509d145fc9150772.exe"

Signatures

Remcos

rat remcos

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3dbe769bb2675de3bada40f257ce820b7356c2acb79bb3d4509d145fc9150772.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3dbe769bb2675de3bada40f257ce820b7356c2acb79bb3d4509d145fc9150772.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3dbe769bb2675de3bada40f257ce820b7356c2acb79bb3d4509d145fc9150772.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4848 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\3dbe769bb2675de3bada40f257ce820b7356c2acb79bb3d4509d145fc9150772.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4848 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\3dbe769bb2675de3bada40f257ce820b7356c2acb79bb3d4509d145fc9150772.exe C:\Windows\SysWOW64\schtasks.exe
PID 4848 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\3dbe769bb2675de3bada40f257ce820b7356c2acb79bb3d4509d145fc9150772.exe C:\Users\Admin\AppData\Local\Temp\3dbe769bb2675de3bada40f257ce820b7356c2acb79bb3d4509d145fc9150772.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3dbe769bb2675de3bada40f257ce820b7356c2acb79bb3d4509d145fc9150772.exe

"C:\Users\Admin\AppData\Local\Temp\3dbe769bb2675de3bada40f257ce820b7356c2acb79bb3d4509d145fc9150772.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\siRiSxOKgeg.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\siRiSxOKgeg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8B91.tmp"

C:\Users\Admin\AppData\Local\Temp\3dbe769bb2675de3bada40f257ce820b7356c2acb79bb3d4509d145fc9150772.exe

"C:\Users\Admin\AppData\Local\Temp\3dbe769bb2675de3bada40f257ce820b7356c2acb79bb3d4509d145fc9150772.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3952 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
GB 23.44.234.16:80 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
BE 89.249.73.162:2479 tcp
US 8.8.8.8:53 76.234.34.23.in-addr.arpa udp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tmp8B91.tmp

MD5 37487cb02e325024c1b37a1aee05e457
SHA1 d9ce40abd54ab958ba2b48e22e6228d8f77e95e8
SHA256 2f33599469bdf5108b4d66ddb516120791168c19f5902198205bc4f25afedad4
SHA512 16252b4c98c47fedcbd71321a9b3a18f7e147b182fedb9ea5f1f4c36f070e7c9ff088da6e2b035d980ae13dc73c3edf31e8f79e7e38b49b9e90f7e7801b73cec

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ss2nqkfx.prz.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\ProgramData\remcos\logs.dat

MD5 9eaeba20bb3fb5d53a5a08eff553016f
SHA1 cd3f18a2ca20e5ea0362b0162a7a0b9515232fbf
SHA256 b576db0009085c605def34cebbbdf012ee521e50bfa0cfb4495c769e1392cb5a
SHA512 495ab743fafe2caaf6e985dc22720274df164d9fdffcc508f15cde7d4af6ac68e714d41f1e24179871d2e64ffbf546912a9dd4c721042eb7f46b97dddce551e3