Malware Analysis Report

2024-12-07 22:16

Sample ID 240807-rdvh3asgnc
Target 07082024_1405_07082024_SC0782024CI3T6.ISO
SHA256 1c1feccd5b1218fa16072ffe996dda639d6d4279f9ccf2cabfeb1c7aedeabba6
Tags
remcos remotehost discovery execution rat
score
10/10

Analysis Overview

score
10/10

SHA256

1c1feccd5b1218fa16072ffe996dda639d6d4279f9ccf2cabfeb1c7aedeabba6

Threat Level: Known bad

The file 07082024_1405_07082024_SC0782024CI3T6.ISO was found to be: Known bad.

Malicious Activity Summary

remcos remotehost discovery execution rat

Remcos

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-08-07 14:05

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-07 14:05

Reported

2024-08-07 14:07

Platform

win7-20240705-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe"

Signatures

Remcos

rat remcos

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3064 set thread context of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe | C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3064 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3064 wrote to memory of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3064 wrote to memory of 324 | N/A | C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3064 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe | C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe

"C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uxlByx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uxlByx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7687.tmp"

C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe

"C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | dave7754.duckdns.org | udp
US | 64.188.12.151:6908 | dave7754.duckdns.org | tcp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp7687.tmp

MD5 13c0c27a72dac2b73add7dc5aadfdb21
SHA1 8f86bdd311fcf4c53fc6444445261487c201acd4
SHA256 a9da9ddd5a895747ac1fcd961f2b8f44c6cf0166d704fa214731349f47200b4a
SHA512 8c3ae1636bb6a7eabf28f9f831df6d5da03723b86455132bdc06f9e7765348887c5a66d3d26240372060cb13e497411c669cff752f7414d2f1488eae9678694a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 d0fcb78dc1b8acc308a9761c1a653f03
SHA1 eb4b4e8fd8629e48f949ca52f46871504e408fba
SHA256 ef24e5afacebdc455a6dd9b7270864283fe04d65dc9455ffad35fe6517e2b55a
SHA512 00f1ee3c741e64226e10e8e1910b643aee71776fe16aa4ab1e238e44f149b025ddabe41e37e87f436c936fce79a26cefdd8c24f41e4a0337b5506bf7372acd62

C:\ProgramData\remcos\logs.dat

MD5 9028b6ad00f0120eaf8ca06b92325631
SHA1 c6668e0283f40c1de68763e901e3ec1b760dcb5f
SHA256 0552bbd67c7e488df86c0803bdc5e6718c40299fe6fd64129e724d9e77256f09
SHA512 00c6767b119b577d9a57b708bbf1c364078fa49bcf5eae3f1d71ee286a46494d0bc88b6a5f7acbc3f456bbc1d61ce5759fe9b4b3caff07acfe1b937347cfac75

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-07 14:05

Reported

2024-08-07 14:07

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe"

Signatures

Remcos

rat remcos

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4904 set thread context of 4312 | N/A | C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe | C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4904 wrote to memory of 4352 | N/A | C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4904 wrote to memory of 4856 | N/A | C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4904 wrote to memory of 1664 | N/A | C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4904 wrote to memory of 3256 | N/A | C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe | C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe
PID 4904 wrote to memory of 4312 | N/A | C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe | C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe

"C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uxlByx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uxlByx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7CB.tmp"

C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe

"C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe"

C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe

"C:\Users\Admin\AppData\Local\Temp\SC0782024CI3T6.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | dave7754.duckdns.org | udp
US | 64.188.12.151:6908 | dave7754.duckdns.org | tcp
US | 8.8.8.8:53 | 151.12.188.64.in-addr.arpa | udp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp
US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\tmp7CB.tmp

MD5 d2b0b49aee9da54b1ba05549481438ef
SHA1 a47f1c103307c59b8ecc5a281de15d80796870eb
SHA256 a3dff08eff2f4c51560cc2fffefe5bd6736dfdc7f77218ca03b00be6f7b84286
SHA512 ecf2bfafe2e11e98ecf9e33bb083f50d24b917b51479ca13b627a818a082bd82451f0503df9bb54b292c51d5b6aa00c49f12aa03c47efcfa8cfe50a7e4b6c5ed

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fkm4ebwc.n4z.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 175d856692d41722f57cdf45ef4a3821
SHA1 8125d71e8cbb891460b28b0ac07ab6535ddf5d30
SHA256 693cf533a86789d6addba49022a01402809242199a261bc814d3183700c4c8e0
SHA512 a144e4df16d836d11e4d58d54fe847941ba0faea762fa105e5e0c345b732780803bc38d02415b6e0118ccde0ddae73f90e4aa4d3513d34c02c1bb464ea9e8bd4

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\ProgramData\remcos\logs.dat

MD5 2d0b59db38359ff7bf20ece5df741adb
SHA1 c924464f57e446f1dc951cf646ee00186ec41a50
SHA256 0fa7f80d47f6a094ed598bb960d845eeebeda821029e6f6244d60859a79c454e
SHA512 7c2dc98e8049967f072ff0d7a7301616da9d4881632633f585530af91126cf17148f8fc04226c0386c6ca91518aab7116e8ad421f54da092ab170316b0e78f0f
