Malware Analysis Report

2025-01-02 03:29

Sample ID 240723-wtcemsvdqd
Target d07cfaeced4e8bba1c9fdc8006dc80105cf654759c4d74d4d2d2964a0f6e9230.exe
SHA256 d07cfaeced4e8bba1c9fdc8006dc80105cf654759c4d74d4d2d2964a0f6e9230
Tags
remcos dollar man collection credential_access discovery rat stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d07cfaeced4e8bba1c9fdc8006dc80105cf654759c4d74d4d2d2964a0f6e9230

Threat Level: Known bad

The file d07cfaeced4e8bba1c9fdc8006dc80105cf654759c4d74d4d2d2964a0f6e9230.exe was found to be: Known bad.

Malicious Activity Summary

remcos dollar man collection credential_access discovery rat stealer

Remcos

Detected Nirsoft tools

NirSoft MailPassView

NirSoft WebBrowserPassView

Credentials from Password Stores: Credentials from Web Browsers

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-23 18:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-23 18:12

Reported

2024-07-23 18:14

Platform

win7-20240708-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d07cfaeced4e8bba1c9fdc8006dc80105cf654759c4d74d4d2d2964a0f6e9230.exe"

Signatures

Remcos

rat remcos

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Detected Nirsoft tools

Description Indicator Process Target
8 matches, each with no description, indicator, process or target recorded (N/A)

NirSoft MailPassView

Description Indicator Process Target
3 matches, each with no description, indicator, process or target recorded (N/A)

NirSoft WebBrowserPassView

Description Indicator Process Target
3 matches, each with no description, indicator, process or target recorded (N/A)

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target Count
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A 4

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A 2

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1484 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\d07cfaeced4e8bba1c9fdc8006dc80105cf654759c4d74d4d2d2964a0f6e9230.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe 16
PID 2360 wrote to memory of 2784 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe 8
PID 2360 wrote to memory of 2852 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe 8
PID 2360 wrote to memory of 2732 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe 8

Processes

C:\Users\Admin\AppData\Local\Temp\d07cfaeced4e8bba1c9fdc8006dc80105cf654759c4d74d4d2d2964a0f6e9230.exe

"C:\Users\Admin\AppData\Local\Temp\d07cfaeced4e8bba1c9fdc8006dc80105cf654759c4d74d4d2d2964a0f6e9230.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /stext "C:\Users\Admin\AppData\Local\Temp\rgmrufoypneogtkiokeqpczlrkuz"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /stext "C:\Users\Admin\AppData\Local\Temp\barjvphrlwwtizgmxurraouuaqeztwkm"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /stext "C:\Users\Admin\AppData\Local\Temp\mdwu"
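The WriteProcessMemory rows and the regsvcs.exe command lines above describe the sample's execution chain: the dropper (PID 1484) writes its payload into a freshly started regsvcs.exe (PID 2360), a Microsoft-signed .NET Framework utility, so the Remcos payload runs under a Microsoft image; that process then writes into three further regsvcs.exe instances and launches each with /stext <temp file>, the NirSoft command-line switch that saves recovered passwords to a text file. The temp file rgmrufoypneogtkiokeqpczlrkuz listed under Files is one of those outputs. The Python below is an added triage helper, not part of the sandbox report or of Remcos: it parses rows in the report's own format (rebuilt inline with the same PIDs, paths and multiplicities as a constructed input), collapses repeated writes, flags writes into .NET Framework utilities, and lists the /stext dumps. The host-binary watch-list is an analyst assumption, not something the report provides.

```python
"""Reconstruct the injection chain and credential-dump step from the report.

Added triage helper (not part of the sandbox report or of Remcos): parses the
'Suspicious use of WriteProcessMemory' rows and the process command lines,
collapses repeated writes, flags writes into .NET Framework utilities that
loaders use as hollowing hosts, and lists every '/stext <file>' child.
"""
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Analyst watch-list of .NET Framework binaries commonly abused as hollowing
# hosts (assumption: the report does not supply this list).
DOTNET_HOSTS = {
    "regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe",
    "aspnet_compiler.exe", "vbc.exe", "csc.exe",
}

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")
STEXT_RE = re.compile(r'^(\S+) /stext "([^"]+)"$')

# Constructed input: PIDs, paths and row counts match the report's
# behavioral1 (win7) run.
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\d07cfaeced4e8bba1c9fdc8006dc80105cf654759c4d74d4d2d2964a0f6e9230.exe")
HOST = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"


def wpm_row(src_pid, dst_pid, src, dst):
    return f"PID {src_pid} wrote to memory of {dst_pid} N/A {src} {dst}"


WPM_LINES = (
    [wpm_row(1484, 2360, DROPPER, HOST)] * 16
    + [wpm_row(2360, 2784, HOST, HOST)] * 8
    + [wpm_row(2360, 2852, HOST, HOST)] * 8
    + [wpm_row(2360, 2732, HOST, HOST)] * 8
)

CMDLINES = [
    f'"{DROPPER}"',
    f'"{HOST}"',
    f'{HOST} /stext "{TEMP}\\rgmrufoypneogtkiokeqpczlrkuz"',
    f'{HOST} /stext "{TEMP}\\barjvphrlwwtizgmxurraouuaqeztwkm"',
    f'{HOST} /stext "{TEMP}\\mdwu"',
]


def image_name(path):
    return PureWindowsPath(path).name.lower()


def parse_wpm(lines):
    """Collapse repeated rows into {(src_pid, dst_pid, src, dst): write_count}."""
    counts = Counter()
    for line in lines:
        m = WPM_RE.match(line.strip())
        if m:
            counts[(int(m[1]), int(m[2]), m[3], m[4])] += 1
    return counts


def find_host_injection(wpm_counts):
    """Flag every write into a .NET Framework utility.

    'initial'   = a foreign image (the dropper) writes into the host;
    'secondary' = an already-hollowed host writes into a fresh copy of itself,
                  which is how each NirSoft module gets its own process.
    """
    hits = []
    for (spid, dpid, src, dst), n in wpm_counts.items():
        if image_name(dst) not in DOTNET_HOSTS:
            continue
        stage = "secondary" if image_name(src) == image_name(dst) else "initial"
        hits.append({"stage": stage, "parent": spid, "child": dpid,
                     "host": image_name(dst), "writes": n})
    return sorted(hits, key=lambda h: (h["parent"], h["child"]))


def injection_tree(wpm_counts):
    """pid -> set of pids it wrote into (the hollowing tree)."""
    tree = defaultdict(set)
    for spid, dpid, _, _ in wpm_counts:
        tree[spid].add(dpid)
    return dict(tree)


def find_stext_dumps(cmdlines):
    """Return [(image, output_path)] for each NirSoft-style '/stext' launch."""
    dumps = []
    for cmd in cmdlines:
        m = STEXT_RE.match(cmd.strip())
        if m:
            dumps.append((image_name(m[1]), m[2]))
    return dumps


if __name__ == "__main__":
    counts = parse_wpm(WPM_LINES)
    for hit in find_host_injection(counts):
        print(hit)
    for image, out in find_stext_dumps(CMDLINES):
        print(f"{image} dumped credentials to {out}")
```

On a live host the same two signals (a non-Microsoft parent writing into regsvcs.exe or msbuild.exe, and a .NET utility launched with /stext) are cheap to alert on from Sysmon event 8/10 and process-creation logs; the win10 run below shows the identical pattern with msbuild.exe as the host.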

Network

Country Destination Domain Proto
NL 178.23.190.118:52499 tcp
NL 178.23.190.118:52499 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp

Files

memory/2360-0-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2360-2-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2360-3-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2360-4-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2360-7-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2360-8-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2360-9-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2360-10-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2360-11-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2360-12-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2360-14-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2852-20-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2784-26-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2784-35-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2852-34-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2732-33-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2732-32-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2732-31-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2732-29-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2852-25-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2852-23-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2784-17-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2784-24-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2784-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2784-40-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rgmrufoypneogtkiokeqpczlrkuz

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/2360-43-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2360-44-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2852-45-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2360-46-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2360-50-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2360-49-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2360-51-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2360-55-0x0000000000400000-0x0000000000482000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 7af9d62c9372c2b106eb81c8dd5375ea
SHA1 1e8c29df6d62621fd0bfba1783c6e2a76e16ca23
SHA256 309bdf56c375d2dfa18b56cc903f3183efbf6ecea90515eb859fd014bfc69997
SHA512 86fd57e0b5beb08f88f8c8901d11ec1c80de7c07c0e6290d0e91301d8cffda04fcf3ff881d3b56d7b5ea42922f4ad7c9a51d60ab798cd31a9502ce5d5f4e0296

memory/2360-59-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2360-60-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2360-67-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2360-68-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2360-75-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2360-76-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2360-83-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2360-84-0x0000000000400000-0x0000000000482000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-23 18:12

Reported

2024-07-23 18:14

Platform

win10v2004-20240709-en

Max time kernel

148s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d07cfaeced4e8bba1c9fdc8006dc80105cf654759c4d74d4d2d2964a0f6e9230.exe"

Signatures

Remcos

rat remcos

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Detected Nirsoft tools

Description Indicator Process Target
8 matches, each with no description, indicator, process or target recorded (N/A)

NirSoft MailPassView

Description Indicator Process Target
2 matches, each with no description, indicator, process or target recorded (N/A)

NirSoft WebBrowserPassView

Description Indicator Process Target
3 matches, each with no description, indicator, process or target recorded (N/A)

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target Count
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A 4

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2820 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\d07cfaeced4e8bba1c9fdc8006dc80105cf654759c4d74d4d2d2964a0f6e9230.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe 12
PID 5052 wrote to memory of 4844 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe 3
PID 5052 wrote to memory of 3580 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe 4
PID 5052 wrote to memory of 2448 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe 4
PID 5052 wrote to memory of 3320 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe 4

Processes

C:\Users\Admin\AppData\Local\Temp\d07cfaeced4e8bba1c9fdc8006dc80105cf654759c4d74d4d2d2964a0f6e9230.exe

"C:\Users\Admin\AppData\Local\Temp\d07cfaeced4e8bba1c9fdc8006dc80105cf654759c4d74d4d2d2964a0f6e9230.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe /stext "C:\Users\Admin\AppData\Local\Temp\jqlmgcthzgbu"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe /stext "C:\Users\Admin\AppData\Local\Temp\jqlmgcthzgbu"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe /stext "C:\Users\Admin\AppData\Local\Temp\lkqfhvebnouzywn"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe /stext "C:\Users\Admin\AppData\Local\Temp\vmwqinpcjwmmilbkrnb"

Network

Country Destination Domain Proto
NL 178.23.190.118:52499 tcp
NL 178.23.190.118:52499 tcp
US 8.8.8.8:53 geoplugin.net udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 118.190.23.178.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
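The Windows 10 run's Network table mixes the sample's own traffic with what the sandbox image generates on its own. The two raw-IP TCP connections to 178.23.190.118:52499 with no preceding DNS lookup are the C2 candidate; the geoplugin.net resolution and the HTTP request to 178.237.33.50:80 are the geolocation check Remcos performs after start-up; the bing.com/bing.net traffic is Windows background activity and the in-addr.arpa queries are the sandbox reverse-resolving peer addresses (118.190.23.178.in-addr.arpa is the PTR name for the C2 address itself). The Python below is an added triage helper, not part of the report: it parses a constructed excerpt of the table, buckets each row, decodes the PTR names back to addresses so the C2 IP can be cross-referenced, and returns the indicators worth keeping. The background-domain suffix list is an analyst assumption to be built from baseline detonations of the clean image.

```python
"""Separate the sample's own traffic from sandbox background noise.

Added helper (not part of the sandbox report): parses 'Country Destination
[Domain] Proto' rows, drops reverse-DNS lookups and Windows background
traffic, decodes PTR names back to addresses, and returns the indicators.
"""
import ipaddress
from collections import defaultdict

# Domains the clean sandbox image talks to regardless of the sample
# (assumption; extend from your own baseline detonations).
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net", ".microsoft.com",
                       ".windowsupdate.com")
# Remcos contacts geoplugin.net after start-up to geolocate the victim.
GEOLOCATION_DOMAINS = {"geoplugin.net"}

# Constructed excerpt of the report's behavioral2 (win10) Network table.
NETWORK_ROWS = """\
NL 178.23.190.118:52499 tcp
NL 178.23.190.118:52499 tcp
US 8.8.8.8:53 geoplugin.net udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 118.190.23.178.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
"""


def parse_rows(text):
    """Yield one dict per row; the Domain column is optional."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        yield {"country": country, "ip": ip, "port": int(port),
               "domain": domain, "proto": proto}


def ptr_to_ip(name):
    """'118.190.23.178.in-addr.arpa' -> '178.23.190.118'."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return str(ipaddress.ip_address(".".join(reversed(octets))))


def classify(row):
    d = row["domain"]
    if d and d.endswith(".in-addr.arpa"):
        return "ptr_noise"          # sandbox reverse-resolving peers
    if d and d.endswith(BACKGROUND_SUFFIXES):
        return "os_background"
    if d in GEOLOCATION_DOMAINS:
        return "geolocation"
    if row["port"] == 53 and row["proto"] == "udp":
        return "dns"
    if d is None and row["port"] not in (80, 443):
        return "c2_candidate"       # raw IP, non-standard port, no DNS
    return "other"


def triage(text):
    buckets = defaultdict(list)
    for row in parse_rows(text):
        buckets[classify(row)].append(row)
    return buckets


def indicators(text):
    """Distinct C2 'ip:port' values, geolocation domains, and which C2
    addresses the sandbox also reverse-resolved."""
    b = triage(text)
    c2 = sorted({f'{r["ip"]}:{r["port"]}' for r in b["c2_candidate"]})
    geo = sorted({r["domain"] for r in b["geolocation"]})
    ptr_ips = {ptr_to_ip(r["domain"]) for r in b["ptr_noise"]}
    c2_ips = {r["ip"] for r in b["c2_candidate"]}
    return {"c2": c2, "geolocation": geo,
            "c2_reverse_resolved": sorted(c2_ips & ptr_ips),
            "noise_rows": len(b["ptr_noise"]) + len(b["os_background"])}


if __name__ == "__main__":
    print(indicators(NETWORK_ROWS))
```

Only the c2 and geolocation entries belong in a blocklist; the PTR and bing rows would produce false positives in any network that runs Windows.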

Files

memory/5052-0-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5052-1-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5052-2-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5052-3-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5052-4-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5052-7-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5052-8-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5052-9-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5052-10-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5052-11-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5052-12-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3580-13-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2448-14-0x0000000000400000-0x0000000000462000-memory.dmp

memory/3320-24-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3320-31-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2448-27-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2448-26-0x0000000000400000-0x0000000000462000-memory.dmp

memory/3580-23-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3580-22-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3320-21-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3320-20-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2448-25-0x0000000000400000-0x0000000000462000-memory.dmp

memory/3320-17-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3580-18-0x0000000000400000-0x0000000000478000-memory.dmp

memory/5052-33-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3580-35-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jqlmgcthzgbu

MD5 1d22632ab7786a15873206bd9aeaaf47
SHA1 f982816e813cfdd43ad3339fa6ca7bf2425651e7
SHA256 c26d371c3209dea4e8cb298ab279746f0209643a1ef95ff627e2cfe193be838b
SHA512 456ee2bf5faefb56b5c9864ecb340293412c0ab50d47ff8ead5b0db88f3e61e74278a46063d4b816e1143020344add8bfd8f6baac142d984693e0d7be72e4ae0

memory/5052-37-0x0000000010000000-0x0000000010019000-memory.dmp

memory/5052-41-0x0000000010000000-0x0000000010019000-memory.dmp

memory/5052-40-0x0000000010000000-0x0000000010019000-memory.dmp

memory/5052-42-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5052-44-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5052-45-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5052-49-0x0000000000400000-0x0000000000482000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 7af9d62c9372c2b106eb81c8dd5375ea
SHA1 1e8c29df6d62621fd0bfba1783c6e2a76e16ca23
SHA256 309bdf56c375d2dfa18b56cc903f3183efbf6ecea90515eb859fd014bfc69997
SHA512 86fd57e0b5beb08f88f8c8901d11ec1c80de7c07c0e6290d0e91301d8cffda04fcf3ff881d3b56d7b5ea42922f4ad7c9a51d60ab798cd31a9502ce5d5f4e0296

memory/5052-53-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5052-54-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5052-61-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5052-62-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5052-69-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5052-70-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5052-77-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5052-78-0x0000000000400000-0x0000000000482000-memory.dmp