remcos | 7507bdd2d90113ba83c84b5efe0687f0e28b3909c7ef2d5ff94d2aeb4e3b78be

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2024 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MRP00108 & SDA00687.exe
Size

710KB
MD5

9fc11ee03f60a10e4a2f26edbf8fcdaf
SHA1

7ed74a2e69bd49aadc4716a420dcacea97e220d7
SHA256

30d74b831f98532075daed442b93067c7ce8846d7cbd557f43a13922840b698a
SHA512

ee2d8b55b9b2b2d3e5cf867688236299a5585be3a7516dc8027e9965b2ac7354f1bf84fcf9f998af7ed185f8b36bbfd1b1a0e6d5a41b65a6d4ed06f722382adf
SSDEEP

12288:X6qSGX12mgYtQvCOgMAwhsuiB/IhyrWQIUbMZHBeGoOO+XKCR6i0EYuCn0a:HJX1YBvCHMquiBJaQ/eBeGoOOKKCR655

Score

10^/10

remcos remotehost discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

157.230.51.65:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-R66R8R
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 4 IoCs

flow	pid	Process
21	4140	msiexec.exe
31	4140	msiexec.exe
35	4140	msiexec.exe
36	4140	msiexec.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4140	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3176	powershell.exe
4140	msiexec.exe

Suspicious use of SetThreadContext 30 IoCs

description	pid	Process	procid_target
PID 4140 set thread context of 2840	4140	msiexec.exe	94
PID 4140 set thread context of 1636	4140	msiexec.exe	95
PID 4140 set thread context of 960	4140	msiexec.exe	96
PID 4140 set thread context of 1340	4140	msiexec.exe	104
PID 4140 set thread context of 4824	4140	msiexec.exe	105
PID 4140 set thread context of 4404	4140	msiexec.exe	107
PID 4140 set thread context of 3308	4140	msiexec.exe	113
PID 4140 set thread context of 1180	4140	msiexec.exe	114
PID 4140 set thread context of 4556	4140	msiexec.exe	116
PID 4140 set thread context of 3116	4140	msiexec.exe	122
PID 4140 set thread context of 1532	4140	msiexec.exe	123
PID 4140 set thread context of 3304	4140	msiexec.exe	125
PID 4140 set thread context of 1508	4140	msiexec.exe	131
PID 4140 set thread context of 704	4140	msiexec.exe	132
PID 4140 set thread context of 1440	4140	msiexec.exe	134
PID 4140 set thread context of 2936	4140	msiexec.exe	140
PID 4140 set thread context of 1100	4140	msiexec.exe	141
PID 4140 set thread context of 5056	4140	msiexec.exe	143
PID 4140 set thread context of 404	4140	msiexec.exe	149
PID 4140 set thread context of 3336	4140	msiexec.exe	150
PID 4140 set thread context of 3720	4140	msiexec.exe	152
PID 4140 set thread context of 1280	4140	msiexec.exe	158
PID 4140 set thread context of 4952	4140	msiexec.exe	159
PID 4140 set thread context of 2592	4140	msiexec.exe	161
PID 4140 set thread context of 3244	4140	msiexec.exe	167
PID 4140 set thread context of 3804	4140	msiexec.exe	168
PID 4140 set thread context of 224	4140	msiexec.exe	170
PID 4140 set thread context of 4824	4140	msiexec.exe	176
PID 4140 set thread context of 2052	4140	msiexec.exe	177
PID 4140 set thread context of 1076	4140	msiexec.exe	179

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\dommedagsbasuner\planes.pap	MRP00108 & SDA00687.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\oneupmanship.pri	MRP00108 & SDA00687.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3176	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 30 IoCs

pid	pid_target	Process	procid_target
3472	960	WerFault.exe	96
3000	1636	WerFault.exe	95
5044	2840	WerFault.exe	94
1972	1340	WerFault.exe	104
4360	4824	WerFault.exe	105
1644	4404	WerFault.exe	107
3940	3308	WerFault.exe	113
2088	1180	WerFault.exe	114
2992	4556	WerFault.exe	116
760	1532	WerFault.exe	123
4948	3304	WerFault.exe	125
4536	3116	WerFault.exe	122
4652	1440	WerFault.exe	134
4172	704	WerFault.exe	132
1912	1508	WerFault.exe	131
4992	2936	WerFault.exe	140
808	5056	WerFault.exe	143
2676	1100	WerFault.exe	141
3968	404	WerFault.exe	149
212	3336	WerFault.exe	150
4832	3720	WerFault.exe	152
1212	4952	WerFault.exe	159
1680	2592	WerFault.exe	161
1552	1280	WerFault.exe	158
4868	3804	WerFault.exe	168
1480	3244	WerFault.exe	167
3056	224	WerFault.exe	170
5004	2052	WerFault.exe	177
3080	1076	WerFault.exe	179
4864	4824	WerFault.exe	176

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MRP00108 & SDA00687.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3176	powershell.exe
3176	powershell.exe
3176	powershell.exe
3176	powershell.exe
3176	powershell.exe
3176	powershell.exe
3176	powershell.exe

Suspicious behavior: MapViewOfSection 31 IoCs

pid	Process
3176	powershell.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	3176	powershell.exe
Token: SeIncreaseQuotaPrivilege	3176	powershell.exe
Token: SeSecurityPrivilege	3176	powershell.exe
Token: SeTakeOwnershipPrivilege	3176	powershell.exe
Token: SeLoadDriverPrivilege	3176	powershell.exe
Token: SeSystemProfilePrivilege	3176	powershell.exe
Token: SeSystemtimePrivilege	3176	powershell.exe
Token: SeProfSingleProcessPrivilege	3176	powershell.exe
Token: SeIncBasePriorityPrivilege	3176	powershell.exe
Token: SeCreatePagefilePrivilege	3176	powershell.exe
Token: SeBackupPrivilege	3176	powershell.exe
Token: SeRestorePrivilege	3176	powershell.exe
Token: SeShutdownPrivilege	3176	powershell.exe
Token: SeDebugPrivilege	3176	powershell.exe
Token: SeSystemEnvironmentPrivilege	3176	powershell.exe
Token: SeRemoteShutdownPrivilege	3176	powershell.exe
Token: SeUndockPrivilege	3176	powershell.exe
Token: SeManageVolumePrivilege	3176	powershell.exe
Token: 33	3176	powershell.exe
Token: 34	3176	powershell.exe
Token: 35	3176	powershell.exe
Token: 36	3176	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 3176	4892	MRP00108 & SDA00687.exe	82
PID 4892 wrote to memory of 3176	4892	MRP00108 & SDA00687.exe	82
PID 4892 wrote to memory of 3176	4892	MRP00108 & SDA00687.exe	82
PID 3176 wrote to memory of 4140	3176	powershell.exe	89
PID 3176 wrote to memory of 4140	3176	powershell.exe	89
PID 3176 wrote to memory of 4140	3176	powershell.exe	89
PID 3176 wrote to memory of 4140	3176	powershell.exe	89
PID 4140 wrote to memory of 2840	4140	msiexec.exe	94
PID 4140 wrote to memory of 2840	4140	msiexec.exe	94
PID 4140 wrote to memory of 2840	4140	msiexec.exe	94
PID 4140 wrote to memory of 2840	4140	msiexec.exe	94
PID 4140 wrote to memory of 1636	4140	msiexec.exe	95
PID 4140 wrote to memory of 1636	4140	msiexec.exe	95
PID 4140 wrote to memory of 1636	4140	msiexec.exe	95
PID 4140 wrote to memory of 1636	4140	msiexec.exe	95
PID 4140 wrote to memory of 960	4140	msiexec.exe	96
PID 4140 wrote to memory of 960	4140	msiexec.exe	96
PID 4140 wrote to memory of 960	4140	msiexec.exe	96
PID 4140 wrote to memory of 960	4140	msiexec.exe	96
PID 4140 wrote to memory of 1340	4140	msiexec.exe	104
PID 4140 wrote to memory of 1340	4140	msiexec.exe	104
PID 4140 wrote to memory of 1340	4140	msiexec.exe	104
PID 4140 wrote to memory of 1340	4140	msiexec.exe	104
PID 4140 wrote to memory of 4824	4140	msiexec.exe	105
PID 4140 wrote to memory of 4824	4140	msiexec.exe	105
PID 4140 wrote to memory of 4824	4140	msiexec.exe	105
PID 4140 wrote to memory of 4824	4140	msiexec.exe	105
PID 4140 wrote to memory of 4404	4140	msiexec.exe	107
PID 4140 wrote to memory of 4404	4140	msiexec.exe	107
PID 4140 wrote to memory of 4404	4140	msiexec.exe	107
PID 4140 wrote to memory of 4404	4140	msiexec.exe	107
PID 4140 wrote to memory of 3308	4140	msiexec.exe	113
PID 4140 wrote to memory of 3308	4140	msiexec.exe	113
PID 4140 wrote to memory of 3308	4140	msiexec.exe	113
PID 4140 wrote to memory of 3308	4140	msiexec.exe	113
PID 4140 wrote to memory of 1180	4140	msiexec.exe	114
PID 4140 wrote to memory of 1180	4140	msiexec.exe	114
PID 4140 wrote to memory of 1180	4140	msiexec.exe	114
PID 4140 wrote to memory of 1180	4140	msiexec.exe	114
PID 4140 wrote to memory of 4556	4140	msiexec.exe	116
PID 4140 wrote to memory of 4556	4140	msiexec.exe	116
PID 4140 wrote to memory of 4556	4140	msiexec.exe	116
PID 4140 wrote to memory of 4556	4140	msiexec.exe	116
PID 4140 wrote to memory of 3116	4140	msiexec.exe	122
PID 4140 wrote to memory of 3116	4140	msiexec.exe	122
PID 4140 wrote to memory of 3116	4140	msiexec.exe	122
PID 4140 wrote to memory of 3116	4140	msiexec.exe	122
PID 4140 wrote to memory of 1532	4140	msiexec.exe	123
PID 4140 wrote to memory of 1532	4140	msiexec.exe	123
PID 4140 wrote to memory of 1532	4140	msiexec.exe	123
PID 4140 wrote to memory of 1532	4140	msiexec.exe	123
PID 4140 wrote to memory of 3304	4140	msiexec.exe	125
PID 4140 wrote to memory of 3304	4140	msiexec.exe	125
PID 4140 wrote to memory of 3304	4140	msiexec.exe	125
PID 4140 wrote to memory of 3304	4140	msiexec.exe	125
PID 4140 wrote to memory of 1508	4140	msiexec.exe	131
PID 4140 wrote to memory of 1508	4140	msiexec.exe	131
PID 4140 wrote to memory of 1508	4140	msiexec.exe	131
PID 4140 wrote to memory of 1508	4140	msiexec.exe	131
PID 4140 wrote to memory of 704	4140	msiexec.exe	132
PID 4140 wrote to memory of 704	4140	msiexec.exe	132
PID 4140 wrote to memory of 704	4140	msiexec.exe	132
PID 4140 wrote to memory of 704	4140	msiexec.exe	132
PID 4140 wrote to memory of 1440	4140	msiexec.exe	134

C:\Users\Admin\AppData\Local\Temp\MRP00108 & SDA00687.exe
"C:\Users\Admin\AppData\Local\Temp\MRP00108 & SDA00687.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle minimized "$Uforenelige=gc -Raw 'C:\Users\Admin\AppData\Local\Country216\Filterintegration.Eks';$indefencibly=$Uforenelige.SubString(2896,3);.$indefencibly($Uforenelige)"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\SysWOW64\msiexec.exe"
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4140
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\qiviysawtkojp"
      4⤵
      PID:2840
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 12
        5⤵
        Program crash
        
        PID:5044
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\tkatyklqhsgwzftw"
      4⤵
      PID:1636
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 12
        5⤵
        Program crash
        
        PID:3000
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\denlzdwsdaybcthafjl"
      4⤵
      PID:960
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 12
        5⤵
        Program crash
        
        PID:3472
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\inpvwubxefu"
      4⤵
      PID:1340
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 12
        5⤵
        Program crash
        
        PID:1972
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\squoxmmysnmeah"
      4⤵
      PID:4824
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 12
        5⤵
        Program crash
        
        PID:4360
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\vkzzyfwsgverlvkaqc"
      4⤵
      PID:4404
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 12
        5⤵
        Program crash
        
        PID:1644
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\pzvqud"
      4⤵
      PID:3308
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 12
        5⤵
        Program crash
        
        PID:3940
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\ztajvwbfpa"
      4⤵
      PID:1180
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 12
        5⤵
        Program crash
        
        PID:2088
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\kvgbwomzdituj"
      4⤵
      PID:4556
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 12
        5⤵
        Program crash
        
        PID:2992
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\ekctsvykrexnvjdulouppetemnrjrvua"
      4⤵
      PID:3116
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 12
        5⤵
        Program crash
        
        PID:4536
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\hehdt"
      4⤵
      PID:1532
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 12
        5⤵
        Program crash
        
        PID:760
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\rgmwtycf"
      4⤵
      PID:3304
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 12
        5⤵
        Program crash
        
        PID:4948
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\wqngqxzsczedwlguwyufdjhupsooein"
      4⤵
      PID:1508
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 12
        5⤵
        Program crash
        
        PID:1912
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\ykbyrpkmqhwqgrcynjhggoblqhxxftmwyz"
      4⤵
      PID:704
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 704 -s 12
        5⤵
        Program crash
        
        PID:4172
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\jmgjsa"
      4⤵
      PID:1440
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 12
        5⤵
        Program crash
        
        PID:4652
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\dtuaohpzsmsovgviyghthchcjr"
      4⤵
      PID:2936
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 12
        5⤵
        Program crash
        
        PID:4992
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\ovhtpzztguktfmjmhrcukpulsfdsa"
      4⤵
      PID:1100
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 12
        5⤵
        Program crash
        
        PID:2676
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\qpnlqskucccghsfyybpwvtpctmvbtffxo"
      4⤵
      PID:5056
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 12
        5⤵
        Program crash
        
        PID:808
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\keadmqfgpzgrttkesgdpk"
      4⤵
      PID:404
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 12
        5⤵
        Program crash
        
        PID:3968
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\vhovnjpzdhyeehyijqqivhvt"
      4⤵
      PID:3336
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 12
        5⤵
        Program crash
        
        PID:212
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\fbtgobabrpqjgoumsbckymhcvkaf"
      4⤵
      PID:3720
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 12
        5⤵
        Program crash
        
        PID:4832
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\aqpykamnflvcspys"
      4⤵
      PID:1280
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 12
        5⤵
        Program crash
        
        PID:1552
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\ckuqlsxgttnhcvmwdyde"
      4⤵
      PID:4952
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 12
        5⤵
        Program crash
        
        PID:1212
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\nmajlliipbfufjbiujqycni"
      4⤵
      PID:2592
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 12
        5⤵
        Program crash
        
        PID:1680
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\rvbtjknnqgbsbqb"
      4⤵
      PID:3244
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 12
        5⤵
        Program crash
        
        PID:1480
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\cqgdjuyoeotxdwpwoj"
      4⤵
      PID:3804
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 12
        5⤵
        Program crash
        
        PID:4868
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\estwkniiswlkoclaxtynq"
      4⤵
      PID:224
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 12
        5⤵
        Program crash
        
        PID:3056
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\zzhngudugt"
      4⤵
      PID:4824
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 12
        5⤵
        Program crash
        
        PID:4864
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\jbnghmnvcbiic"
      4⤵
      PID:2052
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 12
        5⤵
        Program crash
        
        PID:5004
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\tvaqieyppjanmysw"
      4⤵
      PID:1076
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 12
        5⤵
        Program crash
        
        PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2840 -ip 2840
1⤵
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1636 -ip 1636
1⤵
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 960 -ip 960
1⤵
PID:836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1340 -ip 1340
1⤵
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4824 -ip 4824
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4404 -ip 4404
1⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3308 -ip 3308
1⤵
PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1180 -ip 1180
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4556 -ip 4556
1⤵
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3116 -ip 3116
1⤵
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1532 -ip 1532
1⤵
PID:1288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3304 -ip 3304
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1508 -ip 1508
1⤵
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 704 -ip 704
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1440 -ip 1440
1⤵
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2936 -ip 2936
1⤵
PID:3220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1100 -ip 1100
1⤵
PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5056 -ip 5056
1⤵
PID:3200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 404 -ip 404
1⤵
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3336 -ip 3336
1⤵
PID:1248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3720 -ip 3720
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1280 -ip 1280
1⤵
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4952 -ip 4952
1⤵
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2592 -ip 2592
1⤵
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3244 -ip 3244
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3804 -ip 3804
1⤵
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 224 -ip 224
1⤵
PID:468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4824 -ip 4824
1⤵
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2052 -ip 2052
1⤵
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1076 -ip 1076
1⤵
PID:4460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
6dbddf504cc3c593245fcb2fc6a759a5

SHA1
278bbe2212886445145e7149aec9d2f7a23d132e

SHA256
d3fc14316bf8f5f0f331da23d2c0d74ffd8e5bc35dc7bc4d835dd996b36a0dc4

SHA512
e7dabe5f42420e625be321a28fb20652397729ea2789320b5ae3b497431f0c2894c18f625c950d43f7c976fbdb28f9d0225c882b610461b2bd4ea74fd0ae4721

Download Submit
C:\Users\Admin\AppData\Local\Country216\Filterintegration.Eks

Filesize
52KB

MD5
b2675a19c8907bdb1caac87a463036ab

SHA1
ce3eb4761dd92a88834851e404952edebac92ff3

SHA256
e55feb751d85c738f96c802c9df5af30ef0722a0af003bdc65826f31c2d0b9cd

SHA512
5d0707af18e5e0790c48c33ab62869cdbba3662de10850368b8a0ad1511896a29ce6f7b1d1daaa45876ce83873d8cef1df592092c07615e7a72dd5d3620a95b4

Download Submit
C:\Users\Admin\AppData\Local\Country216\Marmalades.Pas

Filesize
338KB

MD5
eee1c80e83b995bdcb5f27b31e64cdf6

SHA1
d5e6eaf73c07d24efe44f443a0fc83fe92c51055

SHA256
0515372b843282de9ff41a9c6a88a641dfd658d98674676fd83e79a871f8d681

SHA512
b0d4beed14e69b58c74617d612daf248b7b6e2535cded360156f38b42ae545700d852ccb60c9186903cd97b5b7ba3985261d95eb29cf700db91856a87dab9a75

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_udl0tpaf.znv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/960-78-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1636-77-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2840-76-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3176-54-0x0000000007920000-0x0000000007944000-memory.dmp

Filesize
144KB

Download
memory/3176-26-0x00000000060B0000-0x00000000060CA000-memory.dmp

Filesize
104KB

Download
memory/3176-22-0x0000000005520000-0x0000000005874000-memory.dmp

Filesize
3.3MB

Download
memory/3176-23-0x0000000005BA0000-0x0000000005BBE000-memory.dmp

Filesize
120KB

Download
memory/3176-24-0x0000000005BE0000-0x0000000005C2C000-memory.dmp

Filesize
304KB

Download
memory/3176-25-0x0000000006B60000-0x0000000006BF6000-memory.dmp

Filesize
600KB

Download
memory/3176-58-0x0000000073800000-0x0000000073FB0000-memory.dmp

Filesize
7.7MB

Download
memory/3176-27-0x0000000006100000-0x0000000006122000-memory.dmp

Filesize
136KB

Download
memory/3176-28-0x00000000071F0000-0x0000000007794000-memory.dmp

Filesize
5.6MB

Download
memory/3176-11-0x0000000005440000-0x00000000054A6000-memory.dmp

Filesize
408KB

Download
memory/3176-30-0x0000000007E20000-0x000000000849A000-memory.dmp

Filesize
6.5MB

Download
memory/3176-33-0x0000000073800000-0x0000000073FB0000-memory.dmp

Filesize
7.7MB

Download
memory/3176-32-0x000000006FC80000-0x000000006FCCC000-memory.dmp

Filesize
304KB

Download
memory/3176-43-0x0000000006FE0000-0x0000000006FFE000-memory.dmp

Filesize
120KB

Download
memory/3176-31-0x0000000006FA0000-0x0000000006FD2000-memory.dmp

Filesize
200KB

Download
memory/3176-44-0x0000000007010000-0x00000000070B3000-memory.dmp

Filesize
652KB

Download
memory/3176-45-0x0000000073800000-0x0000000073FB0000-memory.dmp

Filesize
7.7MB

Download
memory/3176-46-0x0000000007110000-0x000000000711A000-memory.dmp

Filesize
40KB

Download
memory/3176-47-0x0000000073800000-0x0000000073FB0000-memory.dmp

Filesize
7.7MB

Download
memory/3176-10-0x0000000004C40000-0x0000000004C62000-memory.dmp

Filesize
136KB

Download
memory/3176-49-0x0000000007190000-0x000000000719E000-memory.dmp

Filesize
56KB

Download
memory/3176-50-0x00000000071A0000-0x00000000071B4000-memory.dmp

Filesize
80KB

Download
memory/3176-51-0x00000000078F0000-0x000000000790A000-memory.dmp

Filesize
104KB

Download
memory/3176-52-0x00000000071D0000-0x00000000071D8000-memory.dmp

Filesize
32KB

Download
memory/3176-53-0x00000000078F0000-0x000000000791A000-memory.dmp

Filesize
168KB

Download
memory/3176-5-0x000000007380E000-0x000000007380F000-memory.dmp

Filesize
4KB

Download
memory/3176-55-0x0000000073800000-0x0000000073FB0000-memory.dmp

Filesize
7.7MB

Download
memory/3176-57-0x0000000073800000-0x0000000073FB0000-memory.dmp

Filesize
7.7MB

Download
memory/3176-56-0x000000007380E000-0x000000007380F000-memory.dmp

Filesize
4KB

Download
memory/3176-12-0x00000000054B0000-0x0000000005516000-memory.dmp

Filesize
408KB

Download
memory/3176-48-0x0000000007150000-0x0000000007161000-memory.dmp

Filesize
68KB

Download
memory/3176-60-0x0000000073800000-0x0000000073FB0000-memory.dmp

Filesize
7.7MB

Download
memory/3176-61-0x00000000084A0000-0x000000000C302000-memory.dmp

Filesize
62.4MB

Download
memory/3176-62-0x0000000073800000-0x0000000073FB0000-memory.dmp

Filesize
7.7MB

Download
memory/3176-63-0x0000000073800000-0x0000000073FB0000-memory.dmp

Filesize
7.7MB

Download
memory/3176-64-0x0000000073800000-0x0000000073FB0000-memory.dmp

Filesize
7.7MB

Download
memory/3176-65-0x0000000073800000-0x0000000073FB0000-memory.dmp

Filesize
7.7MB

Download
memory/3176-66-0x0000000073800000-0x0000000073FB0000-memory.dmp

Filesize
7.7MB

Download
memory/3176-68-0x0000000073800000-0x0000000073FB0000-memory.dmp

Filesize
7.7MB

Download
memory/3176-69-0x0000000073800000-0x0000000073FB0000-memory.dmp

Filesize
7.7MB

Download
memory/3176-6-0x0000000002510000-0x0000000002546000-memory.dmp

Filesize
216KB

Download
memory/3176-8-0x0000000073800000-0x0000000073FB0000-memory.dmp

Filesize
7.7MB

Download
memory/3176-9-0x0000000073800000-0x0000000073FB0000-memory.dmp

Filesize
7.7MB

Download
memory/3176-7-0x0000000004DA0000-0x00000000053C8000-memory.dmp

Filesize
6.2MB

Download
memory/4140-111-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/4140-84-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/4140-93-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/4140-71-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/4140-102-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/4140-74-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/4140-120-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/4140-124-0x00000000061A0000-0x00000000061B9000-memory.dmp

Filesize
100KB

Download
memory/4140-125-0x00000000061A0000-0x00000000061B9000-memory.dmp

Filesize
100KB

Download
memory/4140-121-0x00000000061A0000-0x00000000061B9000-memory.dmp

Filesize
100KB

Download
memory/4140-128-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/4140-131-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/4140-134-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download