Malware Analysis Report

2025-01-02 03:31

Sample ID 240722-sdlftsvakj
Target MalwareBazaar.0
SHA256 d07cfaeced4e8bba1c9fdc8006dc80105cf654759c4d74d4d2d2964a0f6e9230
Tags
remcos dollar man collection rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d07cfaeced4e8bba1c9fdc8006dc80105cf654759c4d74d4d2d2964a0f6e9230

Threat Level: Known bad

The file MalwareBazaar.0 was found to be: Known bad.

Malicious Activity Summary

remcos dollar man collection rat

Remcos

NirSoft MailPassView

NirSoft WebBrowserPassView

Detected Nirsoft tools

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-22 15:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-22 15:00

Reported

2024-07-22 15:03

Platform

win7-20240708-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"

Signatures

Remcos

rat remcos

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook accounts

collection
Description: Key opened
Indicator: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
Target: N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2568 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2568 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2568 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2568 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2568 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2568 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2568 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2568 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2568 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2568 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2568 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2568 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2568 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2568 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2568 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2568 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 592 wrote to memory of 2764 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 592 wrote to memory of 2764 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 592 wrote to memory of 2764 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 592 wrote to memory of 2764 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 592 wrote to memory of 2764 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 592 wrote to memory of 2764 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 592 wrote to memory of 2764 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 592 wrote to memory of 2764 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 592 wrote to memory of 2864 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 592 wrote to memory of 2864 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 592 wrote to memory of 2864 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 592 wrote to memory of 2864 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 592 wrote to memory of 2864 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 592 wrote to memory of 2864 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 592 wrote to memory of 2864 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 592 wrote to memory of 2864 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 592 wrote to memory of 2856 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 592 wrote to memory of 2856 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 592 wrote to memory of 2856 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 592 wrote to memory of 2856 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 592 wrote to memory of 2856 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 592 wrote to memory of 2856 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 592 wrote to memory of 2856 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 592 wrote to memory of 2856 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

Processes

C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe

"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe /stext "C:\Users\Admin\AppData\Local\Temp\oiekwzowkvnsofygpgtgvwyjsk"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe /stext "C:\Users\Admin\AppData\Local\Temp\qkrcxszyydfxqlukzrghgjsatrnae"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe /stext "C:\Users\Admin\AppData\Local\Temp\bewnyksrmlxcaaioibsjjwnrbywjxtes"

Network

Country Destination Domain Proto
NL 178.23.190.118:52499 tcp
NL 178.23.190.118:52499 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 udp

Files

memory/592-0-0x0000000000400000-0x0000000000482000-memory.dmp

memory/592-2-0x0000000000400000-0x0000000000482000-memory.dmp

memory/592-3-0x0000000000400000-0x0000000000482000-memory.dmp

memory/592-8-0x0000000000400000-0x0000000000482000-memory.dmp

memory/592-7-0x0000000000400000-0x0000000000482000-memory.dmp

memory/592-4-0x0000000000400000-0x0000000000482000-memory.dmp

memory/592-9-0x0000000000400000-0x0000000000482000-memory.dmp

memory/592-10-0x0000000000400000-0x0000000000482000-memory.dmp

memory/592-11-0x0000000000400000-0x0000000000482000-memory.dmp

memory/592-12-0x0000000000400000-0x0000000000482000-memory.dmp

memory/592-14-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2864-21-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2764-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2864-26-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2864-33-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2764-32-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2856-31-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2856-29-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2764-25-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2864-24-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2764-22-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2764-18-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2856-34-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2856-35-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2764-40-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oiekwzowkvnsofygpgtgvwyjsk

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/2864-43-0x0000000000400000-0x0000000000462000-memory.dmp

memory/592-44-0x0000000010000000-0x0000000010019000-memory.dmp

memory/592-48-0x0000000010000000-0x0000000010019000-memory.dmp

memory/592-47-0x0000000010000000-0x0000000010019000-memory.dmp

memory/592-49-0x0000000000400000-0x0000000000482000-memory.dmp

memory/592-50-0x0000000000400000-0x0000000000482000-memory.dmp

memory/592-51-0x0000000000400000-0x0000000000482000-memory.dmp

memory/592-54-0x0000000000400000-0x0000000000482000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 90ee62198320ce4a9e655536714fbb4c
SHA1 8aeaf62de4a9bae1730e846fda07b8677ae7b1c3
SHA256 1ab837bed631f2dc2ddc5dbfd355e8959c9edbfc0d9c4c93de73b82792269551
SHA512 afb79d6039d767a35ffb801879da70d20319df78f05e0d121b27ac6ce37d8880457d91becf03d2c4adf850fbb5d1bc1349435bc98af47ecb604786fc8f0810b9

memory/592-59-0x0000000000400000-0x0000000000482000-memory.dmp

memory/592-60-0x0000000000400000-0x0000000000482000-memory.dmp

memory/592-67-0x0000000000400000-0x0000000000482000-memory.dmp

memory/592-68-0x0000000000400000-0x0000000000482000-memory.dmp

memory/592-75-0x0000000000400000-0x0000000000482000-memory.dmp

memory/592-76-0x0000000000400000-0x0000000000482000-memory.dmp

memory/592-83-0x0000000000400000-0x0000000000482000-memory.dmp

memory/592-84-0x0000000000400000-0x0000000000482000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-22 15:00

Reported

2024-07-22 15:03

Platform

win10v2004-20240704-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"

Signatures

Remcos

rat remcos

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook accounts

collection
Description: Key opened
Indicator: \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2444 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2444 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2444 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2444 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2444 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2444 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2444 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2444 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2444 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2444 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2444 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2444 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 1728 wrote to memory of 3752 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 1728 wrote to memory of 3752 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 1728 wrote to memory of 3752 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 1728 wrote to memory of 3752 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 1728 wrote to memory of 2964 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 1728 wrote to memory of 2964 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 1728 wrote to memory of 2964 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 1728 wrote to memory of 2964 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 1728 wrote to memory of 1332 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 1728 wrote to memory of 1332 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 1728 wrote to memory of 1332 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 1728 wrote to memory of 1332 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe

"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe /stext "C:\Users\Admin\AppData\Local\Temp\klhpyddhswuerc"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe /stext "C:\Users\Admin\AppData\Local\Temp\unuhzvoifemjbiccd"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe /stext "C:\Users\Admin\AppData\Local\Temp\ehaaaoyctneoepyomxhq"

Network

Country Destination Domain Proto
NL 178.23.190.118:52499 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 118.190.23.178.in-addr.arpa udp
NL 178.23.190.118:52499 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

memory/1728-1-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1728-0-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1728-2-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1728-3-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1728-4-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1728-7-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1728-8-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1728-9-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1728-10-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1728-12-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1728-11-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1728-14-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3752-15-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1332-19-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2964-26-0x0000000000400000-0x0000000000462000-memory.dmp

memory/3752-25-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1332-28-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1332-34-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2964-33-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2964-32-0x0000000000400000-0x0000000000462000-memory.dmp

memory/3752-27-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2964-24-0x0000000000400000-0x0000000000462000-memory.dmp

memory/1332-23-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1332-22-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3752-18-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2964-17-0x0000000000400000-0x0000000000462000-memory.dmp

memory/3752-36-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\klhpyddhswuerc

MD5 f5c7d652e408753fba07ef2069ab8a13
SHA1 9815cd1ae93306cdacabf573ad54f1ef970b3913
SHA256 6734744077bca26577abb89d0b811bef713c2a97e7fcc70888d4990d500fa67a
SHA512 43570265f839d5e435c83052501c24ed182bda5a3a9db0f6eb519c251af85dafa10825a3995c66e1e88a7bcbcf9c7dcbbd2f24d661c05b7f20f5aa35f536bc80

memory/1728-42-0x0000000010000000-0x0000000010019000-memory.dmp

memory/1728-41-0x0000000010000000-0x0000000010019000-memory.dmp

memory/1728-38-0x0000000010000000-0x0000000010019000-memory.dmp

memory/1728-43-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1728-47-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1728-48-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1728-50-0x0000000000400000-0x0000000000482000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 78f2b4075a415144ee24a18ddf75087e
SHA1 ff0b4c39aa26cbea27ad0cb8d896bb8c1a2e1ad5
SHA256 7cd6f3b6cc69c47b41627c2c929ca466fead92747aa5c297f0d1bd5196fa44dd
SHA512 8472282a1afa58c90a93cc46b325d62a0f157d2f5b11c6bbe349fa27a2a5838db77c93bfc8d37f940606bf7527c919d921b193cb660bb2c456db054b667a1822

memory/1728-57-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1728-56-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1728-65-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1728-64-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1728-72-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1728-73-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1728-80-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1728-81-0x0000000000400000-0x0000000000482000-memory.dmp