Malware Analysis Report

2025-01-02 03:22

Sample ID 240723-he714sscrh
Target DHL Shipment Document Waybill .exe
SHA256 589b172cac7eb931e013d04820f31d1e7f6b7d710d1155dbb64ebb6c2fa2826a
Tags remcos dollar man collection rat
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

589b172cac7eb931e013d04820f31d1e7f6b7d710d1155dbb64ebb6c2fa2826a

Threat Level: Known bad

The file DHL Shipment Document Waybill .exe was found to be: Known bad.

Malicious Activity Summary

remcos dollar man collection rat

Remcos

NirSoft MailPassView

Detected Nirsoft tools

NirSoft WebBrowserPassView

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Runs regedit.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-23 06:40

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-23 06:40

Reported

2024-07-23 06:42

Platform

win7-20240708-en

Max time kernel

148s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe"

Signatures

Remcos

rat remcos

Detected Nirsoft tools

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

NirSoft MailPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

NirSoft WebBrowserPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Accesses Microsoft Outlook accounts

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Program Files (x86)\Windows Mail\wab.exe | N/A

Runs regedit.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\regedit.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Windows Mail\wab.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Mail\wab.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Windows Mail\wab.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Mail\wab.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Mail\wab.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows Mail\wab.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Windows Mail\wab.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2528 wrote to memory of 2056 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\regedit.exe
PID 2528 wrote to memory of 2056 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\regedit.exe
PID 2528 wrote to memory of 2056 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\regedit.exe
PID 2528 wrote to memory of 2056 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\regedit.exe
PID 2528 wrote to memory of 2056 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\regedit.exe
PID 2528 wrote to memory of 2056 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\regedit.exe
PID 2528 wrote to memory of 2056 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\regedit.exe
PID 2528 wrote to memory of 2056 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\regedit.exe
PID 2528 wrote to memory of 2056 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\regedit.exe
PID 2528 wrote to memory of 2056 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\regedit.exe
PID 2528 wrote to memory of 2056 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\regedit.exe
PID 2528 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\svchost.exe
PID 2528 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\svchost.exe
PID 2528 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\svchost.exe
PID 2528 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\svchost.exe
PID 2528 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\svchost.exe
PID 2528 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\svchost.exe
PID 2528 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\svchost.exe
PID 2528 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\svchost.exe
PID 2528 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\svchost.exe
PID 2528 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\svchost.exe
PID 2528 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\svchost.exe
PID 2528 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\calc.exe
PID 2528 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\calc.exe
PID 2528 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\calc.exe
PID 2528 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\calc.exe
PID 2528 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\calc.exe
PID 2528 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\calc.exe
PID 2528 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\calc.exe
PID 2528 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\calc.exe
PID 2528 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\calc.exe
PID 2528 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\calc.exe
PID 2528 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\calc.exe
PID 2528 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
PID 2528 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
PID 2528 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
PID 2528 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
PID 2528 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
PID 2528 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
PID 2528 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
PID 2528 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
PID 2528 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
PID 2528 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
PID 2528 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
PID 2528 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
PID 2528 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2528 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2528 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2528 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2528 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2528 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2528 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2528 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2528 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2528 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2528 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2528 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2528 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\notepad.exe
PID 2528 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\notepad.exe
PID 2528 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\notepad.exe
PID 2528 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\notepad.exe
PID 2528 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\notepad.exe
PID 2528 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\notepad.exe
PID 2528 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\notepad.exe

Processes

C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe

"C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe"

C:\Windows\regedit.exe

"C:\Windows\regedit.exe"

C:\Windows\System32\svchost.exe

"C:\Windows\System32\svchost.exe"

C:\Windows\System32\calc.exe

"C:\Windows\System32\calc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Windows Mail\wab.exe

"C:\Program Files (x86)\Windows Mail\wab.exe"

C:\Program Files (x86)\Windows Mail\wab.exe

"C:\Program Files (x86)\Windows Mail\wab.exe"

C:\Program Files (x86)\Windows Mail\wab.exe

"C:\Program Files (x86)\Windows Mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\wywqfevsgsresoprejcctffsexpdykxs"

C:\Program Files (x86)\Windows Mail\wab.exe

"C:\Program Files (x86)\Windows Mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\hacj"

C:\Program Files (x86)\Windows Mail\wab.exe

"C:\Program Files (x86)\Windows Mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\jupthhr"

Network

Country | Destination | Domain | Proto
NL | 178.23.190.118:52499 | | tcp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp
NL | 178.23.190.118:52499 | | tcp

Files

memory/2528-0-0x000007FEF6663000-0x000007FEF6664000-memory.dmp

memory/2528-1-0x00000000009C0000-0x00000000009E8000-memory.dmp

memory/2528-2-0x000007FEF6660000-0x000007FEF704C000-memory.dmp

memory/2528-3-0x000000001B4B0000-0x000000001B582000-memory.dmp

memory/2056-9-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2056-4-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2056-10-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2056-13-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2056-12-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2056-11-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2056-8-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2056-6-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3040-76-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2528-78-0x000007FEF6660000-0x000007FEF704C000-memory.dmp

memory/3040-79-0x0000000000400000-0x0000000000482000-memory.dmp

memory/888-107-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2112-106-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2112-113-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wywqfevsgsresoprejcctffsexpdykxs

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/888-116-0x0000000000400000-0x0000000000462000-memory.dmp

memory/3040-126-0x0000000000400000-0x0000000000482000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 8acc7bf3bf8986fed8af634437a6808b
SHA1 5369e02b5cab76d204e188f64cde7505a4e17dfa
SHA256 27848fd3f4f16f52d97a054718d84aa6be081b0274f38d626a42066dc286ee53
SHA512 65bb72c6a5522b1914c3674452e3e39beabe267f51ff10c84d50afadfe1c275630d6cf1afe9ac535ab33f2bb9f77333c6a21cc172ed2f296cd213b4ac1003e05

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-23 06:40

Reported

2024-07-23 06:42

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe"

Signatures

Remcos

rat remcos

Detected Nirsoft tools

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

NirSoft MailPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

NirSoft WebBrowserPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Accesses Microsoft Outlook accounts

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4164 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\cmd.exe
PID 4164 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\cmd.exe
PID 4164 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\cmd.exe
PID 4164 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\cmd.exe
PID 4164 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\cmd.exe
PID 4164 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\cmd.exe
PID 4164 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\cmd.exe
PID 4164 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\cmd.exe
PID 4164 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\cmd.exe
PID 4164 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\cmd.exe
PID 4164 wrote to memory of 2308 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\notepad.exe
PID 4164 wrote to memory of 2308 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\notepad.exe
PID 4164 wrote to memory of 2308 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\notepad.exe
PID 4164 wrote to memory of 2308 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\notepad.exe
PID 4164 wrote to memory of 2308 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\notepad.exe
PID 4164 wrote to memory of 2308 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\notepad.exe
PID 4164 wrote to memory of 2308 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\notepad.exe
PID 4164 wrote to memory of 2308 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\notepad.exe
PID 4164 wrote to memory of 2308 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\notepad.exe
PID 4164 wrote to memory of 2308 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\notepad.exe
PID 4164 wrote to memory of 552 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\svchost.exe
PID 4164 wrote to memory of 552 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\svchost.exe
PID 4164 wrote to memory of 552 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\svchost.exe
PID 4164 wrote to memory of 552 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\svchost.exe
PID 4164 wrote to memory of 552 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\svchost.exe
PID 4164 wrote to memory of 552 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\svchost.exe
PID 4164 wrote to memory of 552 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\svchost.exe
PID 4164 wrote to memory of 552 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\svchost.exe
PID 4164 wrote to memory of 552 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\svchost.exe
PID 4164 wrote to memory of 552 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Windows\System32\svchost.exe
PID 4164 wrote to memory of 4300 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 4164 wrote to memory of 4300 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 4164 wrote to memory of 4300 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 4164 wrote to memory of 4300 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 4164 wrote to memory of 4300 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 4164 wrote to memory of 4300 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 4164 wrote to memory of 4300 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 4164 wrote to memory of 4300 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 4164 wrote to memory of 4300 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 4164 wrote to memory of 4300 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 4164 wrote to memory of 4300 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 4164 wrote to memory of 4300 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 4164 wrote to memory of 5080 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 4164 wrote to memory of 5080 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 4164 wrote to memory of 5080 | N/A | C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe | C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 4300 wrote to memory of 2416 | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 4300 wrote to memory of 2416 | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 4300 wrote to memory of 2416 | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 4300 wrote to memory of 2416 | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 4300 wrote to memory of 4992 | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 4300 wrote to memory of 4992 | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 4300 wrote to memory of 4992 | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 4300 wrote to memory of 4992 | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 4300 wrote to memory of 3232 | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 4300 wrote to memory of 3232 | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 4300 wrote to memory of 3232 | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PID 4300 wrote to memory of 3232 | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | C:\Program Files (x86)\Windows Media Player\wmplayer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe

"C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe"

C:\Windows\System32\svchost.exe

"C:\Windows\System32\svchost.exe"

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /stext "C:\Users\Admin\AppData\Local\Temp\fwriddtlwcimvrtujlvawlkbze"

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /stext "C:\Users\Admin\AppData\Local\Temp\pqwbevefkkarxxhyavqbhyxkhkpscy"

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /stext "C:\Users\Admin\AppData\Local\Temp\asjufophyssehlvckgdvklrbqrhbvjdfk"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
NL | 178.23.190.118:52499 | | tcp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 118.190.23.178.in-addr.arpa | udp
NL | 178.23.190.118:52499 | | tcp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp
US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp

Files

memory/4164-0-0x0000019124DE0000-0x0000019124E08000-memory.dmp

memory/4164-1-0x00007FF8CEFE3000-0x00007FF8CEFE5000-memory.dmp

memory/4164-2-0x00007FF8CEFE0000-0x00007FF8CFAA1000-memory.dmp

memory/4164-3-0x000001913F3F0000-0x000001913F4C2000-memory.dmp

memory/4300-4-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4300-5-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4300-6-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4300-10-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4300-7-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4300-11-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4300-12-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4164-13-0x00007FF8CEFE0000-0x00007FF8CFAA1000-memory.dmp

memory/4300-14-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4300-15-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4300-16-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4300-17-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4300-19-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2416-20-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4992-22-0x0000000000400000-0x0000000000462000-memory.dmp

memory/3232-24-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2416-27-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4992-30-0x0000000000400000-0x0000000000462000-memory.dmp

memory/3232-34-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3232-38-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4992-39-0x0000000000400000-0x0000000000462000-memory.dmp

memory/4992-33-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2416-32-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3232-31-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2416-29-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3232-28-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4992-26-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2416-41-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fwriddtlwcimvrtujlvawlkbze

MD5 982ebb238759653970e22ee9fad24470
SHA1 15fca6be8cc4a276c9f70a73f28c52c3b0eead15
SHA256 c8b9cad5602932ea51b923f39f4b2d9aedf1f4915880d89032ab6636acaf9bea
SHA512 c8777edf0dd3e72e0cf3bb89db2bc7856fed0eeca7199806fec341e9168899e3b700c73a6b2e7cb0e8ccc5523116d6ecfde5c9ebcc83288a162dd1b0ea78201b

memory/4300-46-0x0000000010000000-0x0000000010019000-memory.dmp

memory/4300-47-0x0000000010000000-0x0000000010019000-memory.dmp

memory/4300-48-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4300-43-0x0000000010000000-0x0000000010019000-memory.dmp

memory/4300-53-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4300-54-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4300-55-0x0000000000400000-0x0000000000482000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 04512e6b2ee2ac7468968beefa67d16d
SHA1 b3a5f5437d3da35ee96ee91431337f202116c42c
SHA256 70079e76d2db0e3f389bbba98fbc9e06fefacb75f2a7041f3779b7cf65eb79ff
SHA512 e9d122d7dde1367652803d7187f3f22a0cbe6e98407dbb68e4173c00f6d6e60bb05fbe2271349209b23ee140a611e620935a4548428985c8afda789cd4e15f25

memory/4300-62-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4300-63-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4300-70-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4300-71-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4300-78-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4300-79-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4300-86-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4300-87-0x0000000000400000-0x0000000000482000-memory.dmp