Analysis Overview
SHA256
1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53
Threat Level: Known bad
The file 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe was found to be: Known bad.
Malicious Activity Summary
Guloader family
Remcos
Remcos family
Guloader,Cloudeye
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Reads user/profile data of web browsers
Loads dropped DLL
Accesses Microsoft Outlook accounts
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-17 02:11
Signatures
Unsigned PE
2 matches (no description, indicator, process or target recorded)
Analysis: behavioral3
Detonation Overview
Submitted
2024-12-17 02:11
Reported
2024-12-17 02:13
Platform
win7-20240729-en
Max time kernel
15s
Max time network
16s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 224
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-12-17 02:11
Reported
2024-12-17 02:13
Platform
win10v2004-20241007-en
Max time kernel
97s
Max time network
139s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1172 wrote to memory of 3272 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1172 wrote to memory of 3272 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1172 wrote to memory of 3272 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3272 -ip 3272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-17 02:11
Reported
2024-12-17 02:13
Platform
win7-20240903-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Guloader family
Guloader,Cloudeye
Remcos
Remcos family
Detected Nirsoft tools
9 matches (no description, indicator, process or target recorded)
NirSoft MailPassView
3 matches (no description, indicator, process or target recorded)
NirSoft WebBrowserPassView
3 matches (no description, indicator, process or target recorded)
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
"C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe"
C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
"C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe"
C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe /stext "C:\Users\Admin\AppData\Local\Temp\yedbjfft"
C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe /stext "C:\Users\Admin\AppData\Local\Temp\jzitkxqnclu"
C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe /stext "C:\Users\Admin\AppData\Local\Temp\lbomlqboytmtxg"
Network
| Country | Destination | Domain | Proto |
| US | 66.63.187.30:80 | 66.63.187.30 | tcp |
| US | 162.251.122.87:2404 | N/A | tcp |
| US | 162.251.122.87:2404 | N/A | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
Files
\Users\Admin\AppData\Local\Temp\nsjBC60.tmp\System.dll
| MD5 | ca332bb753b0775d5e806e236ddcec55 |
| SHA1 | f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f |
| SHA256 | df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d |
| SHA512 | 2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00 |
C:\Users\Admin\AppData\Local\Temp\nstBD8A.tmp
| MD5 | 5b2357aa9ee8d93ebc8fea2a7da01fda |
| SHA1 | 3a5bb5ceeeb26ee649ce9c8fa1c47e45d8c8f00a |
| SHA256 | f2b723416cc41c59b870a8fbbe8ecab3cd0cf2298902649a50668b1b88e6e835 |
| SHA512 | 03d9cbca3d09de197530779f90b8864da4a34aa50a7dc87fdd964ac53a5a6a73f543fe5727fc2df29b9cf5b3646b1ffc60b90883148c1989fdbcee5658582fe2 |
C:\Users\Admin\AppData\Local\Temp\nsyBC70.tmp
| MD5 | 5d04a35d3950677049c7a0cf17e37125 |
| SHA1 | cafdd49a953864f83d387774b39b2657a253470f |
| SHA256 | a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266 |
| SHA512 | c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b |
C:\Users\Admin\AppData\Local\Temp\nsoBE08.tmp
| MD5 | 24c65563d17054b07c6135e87a53cffd |
| SHA1 | 4765777312bf6c4c7272e61b4dbbce3202bb2d68 |
| SHA256 | e145085a50e8790798362058aa0b197b97b8ae38a54ff47ee89fd00dec4f47ce |
| SHA512 | f6419106a5e5d864da20840817f473556140fc982e271380c3eed2a5be03c2dc68fb69ab1b2ba5698dec4ca477377e53c589f9b280faf436dd94767e5d0cb15f |
C:\Users\Admin\AppData\Local\Temp\nstBD8A.tmp
| MD5 | 33714fd37d9159cf4911fe47896b9e69 |
| SHA1 | 77c9ddfb1cd8e4a9a0a9131d0d21ebac0ef57611 |
| SHA256 | 8eda392d2cd028b1a3385ff7673cade57e402248db7fe7eb192e8d6b0d8f78a2 |
| SHA512 | e4abaa9b5e706647dfe0174daa5164d0464f7ee971c5ee2983e28a4d2062eda2d0d9468340ebdbe6110b33958a9b3256757c3e5557b3ef617fe76ce576b8ba0a |
C:\Users\Admin\AppData\Local\Temp\nsdBE18.tmp
| MD5 | f15bfdebb2df02d02c8491bde1b4e9bd |
| SHA1 | 93bd46f57c3316c27cad2605ddf81d6c0bde9301 |
| SHA256 | c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043 |
| SHA512 | 1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1 |
memory/2108-577-0x0000000003DF0000-0x0000000004C79000-memory.dmp
memory/2108-578-0x0000000077AB1000-0x0000000077BB2000-memory.dmp
memory/2108-579-0x0000000077AB0000-0x0000000077C59000-memory.dmp
memory/2108-580-0x0000000003DF0000-0x0000000004C79000-memory.dmp
memory/824-581-0x0000000077AB0000-0x0000000077C59000-memory.dmp
memory/2108-582-0x0000000003DF0000-0x0000000004C79000-memory.dmp
memory/824-583-0x0000000000480000-0x00000000014E2000-memory.dmp
memory/824-584-0x0000000000480000-0x00000000014E2000-memory.dmp
memory/1004-589-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1984-602-0x0000000000400000-0x0000000000424000-memory.dmp
memory/612-593-0x0000000000400000-0x0000000000462000-memory.dmp
memory/1984-603-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1004-592-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1004-591-0x0000000000400000-0x0000000000478000-memory.dmp
memory/612-601-0x0000000000400000-0x0000000000462000-memory.dmp
memory/612-600-0x0000000000400000-0x0000000000462000-memory.dmp
memory/1004-599-0x0000000077AB0000-0x0000000077C59000-memory.dmp
memory/1984-598-0x0000000000400000-0x0000000000424000-memory.dmp
memory/612-597-0x0000000000400000-0x0000000000462000-memory.dmp
memory/1984-596-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1984-595-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1004-594-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1004-611-0x0000000000400000-0x0000000000478000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\yedbjfft
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/824-618-0x0000000031F00000-0x0000000031F19000-memory.dmp
memory/824-617-0x0000000031F00000-0x0000000031F19000-memory.dmp
memory/824-614-0x0000000031F00000-0x0000000031F19000-memory.dmp
memory/612-619-0x0000000000400000-0x0000000000462000-memory.dmp
memory/824-621-0x0000000000480000-0x00000000014E2000-memory.dmp
memory/824-624-0x0000000000480000-0x00000000014E2000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | 6bc00224ba03e285df5e30c501463803 |
| SHA1 | 61fda1c1cf15227e35283f3f746bb203e4d19137 |
| SHA256 | cf425e31b41a2dd76d747a216f658da4803c58b1b66205951d37e1190325d6e7 |
| SHA512 | 7cce6068b336a9c95bc73b145e95983fbf32eb53a41135d6d06daf77b8eb8edf42b8de12538a8ae275fd0516818214a9b3ed52da424003aba796131d33fa1167 |
memory/824-627-0x0000000000480000-0x00000000014E2000-memory.dmp
memory/824-630-0x0000000000480000-0x00000000014E2000-memory.dmp
memory/824-633-0x0000000000480000-0x00000000014E2000-memory.dmp
memory/824-636-0x0000000000480000-0x00000000014E2000-memory.dmp
memory/824-639-0x0000000000480000-0x00000000014E2000-memory.dmp
memory/824-642-0x0000000000480000-0x00000000014E2000-memory.dmp
memory/824-645-0x0000000000480000-0x00000000014E2000-memory.dmp
memory/824-648-0x0000000000480000-0x00000000014E2000-memory.dmp
memory/824-651-0x0000000000480000-0x00000000014E2000-memory.dmp
memory/824-654-0x0000000000480000-0x00000000014E2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-17 02:11
Reported
2024-12-17 02:13
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Guloader family
Guloader,Cloudeye
Remcos
Remcos family
Detected Nirsoft tools
7 matches (no description, indicator, process or target recorded)
NirSoft MailPassView
2 matches (no description, indicator, process or target recorded)
NirSoft WebBrowserPassView
3 matches (no description, indicator, process or target recorded)
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
"C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe"
C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
"C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe"
C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe /stext "C:\Users\Admin\AppData\Local\Temp\yfhkeefakebbcudbhqpr"
C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe /stext "C:\Users\Admin\AppData\Local\Temp\bzuufxqtymtgfbrfybbteew"
C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe /stext "C:\Users\Admin\AppData\Local\Temp\lbznfpavuullppojhmouprjlkt"
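The process trees of behavioral1 and behavioral2 show the same shape: the sample launches a copy of itself, and that copy launches three further copies of itself, each with a NirSoft-style `/stext "<file>"` switch (the switch NirSoft's password-recovery tools use to save their results to a text file, matching the MailPassView / WebBrowserPassView hits above). Together with the SetThreadContext, WriteProcessMemory and MapViewOfSection signatures, that is the shape of an injected-payload-launches-credential-tools chain. The detection below is an added example, not part of the sandbox report: it runs over constructed process-creation records (pid, ppid, image, command line, loosely modelled on Sysmon event 1 fields) and flags any process whose parent runs the same image, with a higher severity when the child also carries `/stext`. The command lines are copied from behavioral1; the PIDs, the explorer.exe parent and the parent links are assumed for illustration.

```python
"""Flag the self-spawn / NirSoft "/stext" chain from the process trees above.

Added example, not part of the sandbox report. Records are constructed; the
command lines come from behavioral1, PIDs and parent links are assumed.
"""
import re
from dataclasses import dataclass

# The sample's own path as it appears in the report.
LOADER = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe")

# NirSoft tools write their results to a text file via /stext "<path>".
STEXT_RE = re.compile(r'/stext\s+"(?P<out>[^"]+)"', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def self_spawn_findings(events):
    """Return one finding per child whose parent runs the same image."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or parent.image.lower() != e.image.lower():
            continue
        m = STEXT_RE.search(e.cmdline)
        if m:
            findings.append({
                "pid": e.pid, "ppid": e.ppid, "severity": "high",
                "reason": "self-spawned child runs with NirSoft /stext output",
                "output": m.group("out"),
            })
        else:
            findings.append({
                "pid": e.pid, "ppid": e.ppid, "severity": "medium",
                "reason": "process spawned a copy of itself (possible hollowing)",
                "output": None,
            })
    return findings


def credential_dump_files(events):
    """Paths the /stext children were told to write; collect, then wipe them."""
    return sorted(f["output"] for f in self_spawn_findings(events) if f["output"])


# Constructed sample mirroring the behavioral1 tree (PIDs and parents assumed).
SAMPLE_EVENTS = [
    ProcEvent(1234, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2108, 1234, LOADER, '"' + LOADER + '"'),
    ProcEvent(824, 2108, LOADER, '"' + LOADER + '"'),
    ProcEvent(1004, 824, LOADER,
              LOADER + r' /stext "C:\Users\Admin\AppData\Local\Temp\yedbjfft"'),
    ProcEvent(612, 824, LOADER,
              LOADER + r' /stext "C:\Users\Admin\AppData\Local\Temp\jzitkxqnclu"'),
    ProcEvent(1984, 824, LOADER,
              LOADER + r' /stext "C:\Users\Admin\AppData\Local\Temp\lbomlqboytmtxg"'),
]

if __name__ == "__main__":
    for f in self_spawn_findings(SAMPLE_EVENTS):
        print(f"[{f['severity']}] pid={f['pid']} ppid={f['ppid']}: {f['reason']}")
    print("dump files:", credential_dump_files(SAMPLE_EVENTS))
```

The medium-severity self-spawn on its own is noisy on real hosts (updaters and installers do it too); the `/stext` child under a same-image parent is the specific, low-noise part of the chain. The returned output paths are the files the three children wrote their harvested credentials to, so they belong on the collection and cleanup list along with `C:\ProgramData\remcos\logs.dat`.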
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 66.63.187.30:80 | 66.63.187.30 | tcp |
| US | 8.8.8.8:53 | 30.187.63.66.in-addr.arpa | udp |
| US | 162.251.122.87:2404 | N/A | tcp |
| US | 8.8.8.8:53 | 87.122.251.162.in-addr.arpa | udp |
| US | 162.251.122.87:2404 | N/A | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsy8242.tmp
| MD5 | 50484c19f1afdaf3841a0d821ed393d2 |
| SHA1 | c65a0fb7e74ffd2c9fc3a0f9aacb0f6a24b0a68b |
| SHA256 | 6923dd1bc0460082c5d55a831908c24a282860b7f1cd6c2b79cf1bc8857c639c |
| SHA512 | d51a20d67571fe70bcd6c36e1382a3c342f42671c710090b75fcfc2405ce24488e03a7131eefe4751d0bd3aeaad816605ad10c8e3258d72fcf379e32416cbf3b |
C:\Users\Admin\AppData\Local\Temp\nsy8242.tmp
| MD5 | 9111ba1d1ceb4b7f775d74730aac363e |
| SHA1 | c0af4968c775735be12419b60b257ed4359cb9b2 |
| SHA256 | 0883f5bab7d5dafd9efec59b917070f5d051f50b047951d1ea87dab27fef7b91 |
| SHA512 | 836c5d3941109691f2589e317e10d661978d9fc4af435bde3467159913ff9192d6eab1efe3e50e2048d06ce0c85963efe1ac056e1fd6ff1d33ac05f25beabbbf |
C:\Users\Admin\AppData\Local\Temp\nsy8242.tmp
| MD5 | 763ec4bcf1080106283ac75cc79cfdc5 |
| SHA1 | e916ad8ee0d278848350e957be6e99f8916c9f0e |
| SHA256 | e9f76c3dcf61068c71c8748639c37793963e1929aca11eed3c2caed692bd17ff |
| SHA512 | 52273017ba7559aee2f73498b1d277517d2c163ab9eb6891a838664dd4b6ce3a576ae05116deecf502e8494522ce31209dffd2ab68462a75fb841592c83381d2 |
C:\Users\Admin\AppData\Local\Temp\nsy8242.tmp
| MD5 | 2598d3e10bec5798f73f49de505a8514 |
| SHA1 | 4431b20a112e277250649a917f846a6627870a60 |
| SHA256 | 08643cfe1a514214ae4175809b7eadbc0bff209e07adf091e91748dccf9ca874 |
| SHA512 | 83687d6fb3238184b92f04cc70e54ede282d56e34f67781db6c4dfd9529cab30ba15d9ca3059b68f9d82eb87a8d6432e80ba0779d1438c1df861b0bb30905f24 |
C:\Users\Admin\AppData\Local\Temp\nsy8242.tmp
| MD5 | 16d513397f3c1f8334e8f3e4fc49828f |
| SHA1 | 4ee15afca81ca6a13af4e38240099b730d6931f0 |
| SHA256 | d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36 |
| SHA512 | 4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3 |
C:\Users\Admin\AppData\Local\Temp\nst82B0.tmp\System.dll
| MD5 | ca332bb753b0775d5e806e236ddcec55 |
| SHA1 | f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f |
| SHA256 | df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d |
| SHA512 | 2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00 |
C:\Users\Admin\AppData\Local\Temp\nsj82C1.tmp
| MD5 | 9a53fc1d7126c5e7c81bb5c15b15537b |
| SHA1 | e2d13e0fa37de4c98f30c728210d6afafbb2b000 |
| SHA256 | a7de06c22e4e67908840ec3f00ab8fe9e04ae94fb16a74136002afbaf607ff92 |
| SHA512 | b0bffbb8072dbdcfc68f0e632f727c08fe3ef936b2ef332c08486553ff2cef7b0bcdb400e421a117e977bb0fac17ce4706a8097e32d558a918433646b6d5f1a1 |
C:\Users\Admin\AppData\Local\Temp\nsj82C1.tmp
| MD5 | d0c16d35895f4a76cb4fa85fc11c6842 |
| SHA1 | 61d36c5b3fd3f0772608359b7ed9890b0474aee0 |
| SHA256 | d6063a46a92e1a2600bb31588a58cf906711aaaa1813e593c191da5881b46a59 |
| SHA512 | 3595c1578f0c1a2d47d75f2c5260bd7b85551501c94a0abf609752e04e2e9f1f9d7a19f654d803a0c65d40d4b74dfb32d31bd88a9b8813e7466b914d2b800951 |
C:\Users\Admin\AppData\Local\Temp\nsj82C1.tmp
| MD5 | 34d32f9b446e46883ec3157794403748 |
| SHA1 | e797e81a28e395ea751871b21e638e43d62d0f61 |
| SHA256 | a66d886953526d5601da515e1aa53a3f8cbc829aedd557cdf4d0f9573793486e |
| SHA512 | 48b0f49ca3604f5a21cb2b850ac19771a17e0fa03cf0b3d6e616e330f136c71dcc623ac36b5b801c4fda203327290b8e3f5ec01a0ea546a87c2ae89a88b74ed1 |
C:\Users\Admin\AppData\Local\Temp\nsj82C1.tmp
| MD5 | 5d04a35d3950677049c7a0cf17e37125 |
| SHA1 | cafdd49a953864f83d387774b39b2657a253470f |
| SHA256 | a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266 |
| SHA512 | c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b |
C:\Users\Admin\AppData\Local\Temp\nsy831F.tmp
| MD5 | cc98cdbdb6e4571f9dbef3d7ef0cecb6 |
| SHA1 | 0c6c945dacb7dc9269bb8659e61b6bd44e03b5f4 |
| SHA256 | fdd17f70c2c855ed3b81bf41d2dbff3a0d85a7f7b019f04c569f897188e0d3b3 |
| SHA512 | 83a41e73d62f77faf633e3fc5fb4f0ee4984881dc7ed5bbfcd73be815c89a606349cb0adf5de1552cfd0ca0ff3d7bd9c2332658586e582158e53777e2fcfba4c |
C:\Users\Admin\AppData\Local\Temp\nsy831F.tmp
| MD5 | 42d0d094fb9cf401430cd1377e6128db |
| SHA1 | 48b6b6a975ecb92b8fbbd7fc6a5f9aa858d9ad51 |
| SHA256 | 1bce2e52c57c18758a9de5f51c9bec29fa42ab4881d269baa78c92a6c5fe9ab1 |
| SHA512 | 63ee2eefa05e5113f69c4d60e4fa56651b2aa522b8b2e7f06b4fa2761486a12aa9fbd040cd921cd9169dbbf6e4850071445093461d7e0e7507e1bddd8e14c45a |
C:\Users\Admin\AppData\Local\Temp\nsy831F.tmp
| MD5 | 33714fd37d9159cf4911fe47896b9e69 |
| SHA1 | 77c9ddfb1cd8e4a9a0a9131d0d21ebac0ef57611 |
| SHA256 | 8eda392d2cd028b1a3385ff7673cade57e402248db7fe7eb192e8d6b0d8f78a2 |
| SHA512 | e4abaa9b5e706647dfe0174daa5164d0464f7ee971c5ee2983e28a4d2062eda2d0d9468340ebdbe6110b33958a9b3256757c3e5557b3ef617fe76ce576b8ba0a |
C:\Users\Admin\AppData\Local\Temp\nso837E.tmp
| MD5 | cda05fedfd1133dfc6439e441829b6ba |
| SHA1 | e0dfbcfe83a13922d365506312212928871f9c0b |
| SHA256 | 27fad7aa07fb564d9f9e0cbaf6515fe34bb0f8647cd200fee1eaad0167523099 |
| SHA512 | 1180a5fac7c9c8ce445b5966b45bda7d38bb65d2ae2b1bb096d01e09476622bb0bf745dfed3104cd7b5da766322653bb14720b3394e2cb87950191a66b94efaf |
C:\Users\Admin\AppData\Local\Temp\nso837E.tmp
| MD5 | 1a069d3d8cca839a3c2f44a0e833d67c |
| SHA1 | 2bdc93e3d3aac0914cd4d3d43210bc2b2c7f09cf |
| SHA256 | 0c09cbcf0803dc2c44739757d37fe7f33fa193d747df71db3172e68aa0ddb309 |
| SHA512 | 970ed67a84e4132b0336cd8f7c07c4ab6dc56ce97993b64e4e94a80e76ee7bd4ca04349cd0113df5e04053fbfde9d27c3cb5ab61a9492d584b7febfcaddf53e2 |
C:\Users\Admin\AppData\Local\Temp\nso837E.tmp
| MD5 | bcc2d4708d4557cd6dfb4ca08164719c |
| SHA1 | 5158b5fb3bcd9238e69352fb94a039ec90eddf86 |
| SHA256 | b029fc5e9252f17e84ef53c084ba0d67a0931fa02eb9e5a13bba202a008d7553 |
| SHA512 | 8f179a8895d1afe69d2ef5583eb63a1821ee94a0c30cd7c8cbb3ce40165bd1c0c5d30ea4156b81000e37c1ea71c57d34e059cd658e22056c4e06788badad54b2 |
C:\Users\Admin\AppData\Local\Temp\nso837E.tmp
| MD5 | 24c65563d17054b07c6135e87a53cffd |
| SHA1 | 4765777312bf6c4c7272e61b4dbbce3202bb2d68 |
| SHA256 | e145085a50e8790798362058aa0b197b97b8ae38a54ff47ee89fd00dec4f47ce |
| SHA512 | f6419106a5e5d864da20840817f473556140fc982e271380c3eed2a5be03c2dc68fb69ab1b2ba5698dec4ca477377e53c589f9b280faf436dd94767e5d0cb15f |
C:\Users\Admin\AppData\Local\Temp\nse83DD.tmp
| MD5 | 38f296e431f9e889c855110f746a1a1f |
| SHA1 | a1f2212648b7d681e10a295ca270ec6ef9c7cb2a |
| SHA256 | 89870b6b02e2247d1e10942aceede7bf4adeb820bae945b77d0e2c5f5669e514 |
| SHA512 | a074bd4debd9aa11fc50c3ab1cd5b1aaf365931d790600818ea51a58bfca6ea17feb872a1a11dfd8542cd5e1798bdf171e4305e81e4a409a0253db31c84b91e9 |
C:\Users\Admin\AppData\Local\Temp\nse83DD.tmp
| MD5 | f15bfdebb2df02d02c8491bde1b4e9bd |
| SHA1 | 93bd46f57c3316c27cad2605ddf81d6c0bde9301 |
| SHA256 | c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043 |
| SHA512 | 1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1 |
memory/4904-575-0x0000000004A10000-0x0000000005899000-memory.dmp
memory/4904-576-0x00000000771E1000-0x0000000077301000-memory.dmp
memory/4904-578-0x0000000010004000-0x0000000010005000-memory.dmp
memory/4904-577-0x0000000004A10000-0x0000000005899000-memory.dmp
memory/3588-580-0x00000000016E0000-0x0000000002569000-memory.dmp
memory/4904-579-0x0000000004A10000-0x0000000005899000-memory.dmp
memory/3588-581-0x0000000077268000-0x0000000077269000-memory.dmp
memory/3588-582-0x0000000077285000-0x0000000077286000-memory.dmp
memory/3588-583-0x00000000016E0000-0x0000000002569000-memory.dmp
memory/3588-585-0x0000000000480000-0x00000000016D4000-memory.dmp
memory/3588-588-0x00000000771E1000-0x0000000077301000-memory.dmp
memory/3588-590-0x0000000000480000-0x00000000016D4000-memory.dmp
memory/2320-592-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2320-595-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2156-600-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2680-609-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2680-607-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2680-603-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2680-602-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2320-601-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2156-599-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2320-598-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2156-597-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2156-594-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2320-613-0x0000000000400000-0x0000000000478000-memory.dmp
memory/3588-616-0x0000000033560000-0x0000000033579000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\yfhkeefakebbcudbhqpr
| MD5 | 562a58578d6d04c7fb6bda581c57c03c |
| SHA1 | 12ab2b88624d01da0c5f5d1441aa21cbc276c5f5 |
| SHA256 | ff5c70287ba432a83f9015209d6e933462edca01d68c53c09882e1e4d22241c8 |
| SHA512 | 3f6e19faa0196bd4c085defa587e664abdd63c25ef30df8f4323e60a5a5aca3cd2709466f772e64ab00fe331d4264841422d6057451947f3500e9252a132254e |
memory/3588-620-0x0000000033560000-0x0000000033579000-memory.dmp
memory/3588-619-0x0000000033560000-0x0000000033579000-memory.dmp
memory/3588-622-0x0000000000480000-0x00000000016D4000-memory.dmp
memory/3588-625-0x0000000000480000-0x00000000016D4000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | 00a5bc06b6782f43ea05b4570a73e122 |
| SHA1 | c27f90513a3bebf470bfc9bf2313dfd7ed27f220 |
| SHA256 | 4265a812c897bae42aa52b3f3f1e0fafa8cffd75484f46fe0ec72d27f04b66f2 |
| SHA512 | b2b30e785d6135ee32062b0f632096316301b9293d08d8af833c1d1d78a1a75e2521278fd5e96d986ffade0b73326058069d038c44c1f0a0808d219891951c03 |
memory/3588-628-0x0000000000480000-0x00000000016D4000-memory.dmp
memory/3588-631-0x0000000000480000-0x00000000016D4000-memory.dmp
memory/3588-634-0x0000000000480000-0x00000000016D4000-memory.dmp
memory/3588-637-0x0000000000480000-0x00000000016D4000-memory.dmp
memory/3588-640-0x0000000000480000-0x00000000016D4000-memory.dmp
memory/3588-643-0x0000000000480000-0x00000000016D4000-memory.dmp
memory/3588-646-0x0000000000480000-0x00000000016D4000-memory.dmp
memory/3588-649-0x0000000000480000-0x00000000016D4000-memory.dmp
memory/3588-652-0x0000000000480000-0x00000000016D4000-memory.dmp
memory/3588-655-0x0000000000480000-0x00000000016D4000-memory.dmp
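The memory-dump lists in behavioral1 and behavioral2 name each artifact as `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp`, so they can be grouped to see which process holds which region: one large region in the second-stage process (PID 824 at 0x480000 on Win7, PID 3588 at 0x480000 on Win10) and one region starting at 0x400000 in each of the three `/stext` children. The script below is an added example, not part of the report: it parses that naming pattern, groups regions by PID, and lists PIDs that have a region at 0x400000. Treating 0x400000 as the classic default image base of a 32-bit PE, and therefore as a hint that the child runs a replaced image, is my rule of thumb and not something the report states; the sample input is a constructed subset of the behavioral1 list.

```python
"""Group the memory-dump artifacts above by PID and region.

Added example, not part of the report. The naming pattern is taken from the
dump list on this page; the 0x400000 heuristic is an assumption.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
DEFAULT_IMAGE_BASE = 0x400000  # assumed rule of thumb, see lead-in


def parse_dump_name(name):
    """Return pid/seq/start/end/size for one dump name, or None if it is not a dump."""
    m = DUMP_RE.search(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def summarize(names):
    """pid -> {dumps, regions: {(start, end): count}, largest: (start, end, size)}."""
    per_pid = defaultdict(lambda: {"dumps": 0, "regions": defaultdict(int)})
    for n in names:
        r = parse_dump_name(n)
        if r is None:
            continue
        entry = per_pid[r["pid"]]
        entry["dumps"] += 1
        entry["regions"][(r["start"], r["end"])] += 1
    out = {}
    for pid, entry in per_pid.items():
        start, end = max(entry["regions"], key=lambda k: k[1] - k[0])
        out[pid] = {"dumps": entry["dumps"], "regions": dict(entry["regions"]),
                    "largest": (start, end, end - start)}
    return out


def image_base_pids(names):
    """PIDs that have a dumped region starting at the default 32-bit image base."""
    return sorted(pid for pid, s in summarize(names).items()
                  if any(start == DEFAULT_IMAGE_BASE for start, _ in s["regions"]))


# Constructed subset of the behavioral1 dump list (plus one non-dump path).
SAMPLE_DUMPS = [
    "memory/2108-577-0x0000000003DF0000-0x0000000004C79000-memory.dmp",
    "memory/2108-579-0x0000000077AB0000-0x0000000077C59000-memory.dmp",
    "memory/824-583-0x0000000000480000-0x00000000014E2000-memory.dmp",
    "memory/824-614-0x0000000031F00000-0x0000000031F19000-memory.dmp",
    "memory/824-621-0x0000000000480000-0x00000000014E2000-memory.dmp",
    "memory/1004-589-0x0000000000400000-0x0000000000478000-memory.dmp",
    "memory/612-593-0x0000000000400000-0x0000000000462000-memory.dmp",
    "memory/1984-602-0x0000000000400000-0x0000000000424000-memory.dmp",
    "C:\\ProgramData\\remcos\\logs.dat",  # not a dump; skipped by the parser
]

if __name__ == "__main__":
    for pid, s in sorted(summarize(SAMPLE_DUMPS).items()):
        start, end, size = s["largest"]
        print(f"pid {pid}: {s['dumps']} dumps, {len(s['regions'])} regions, "
              f"largest 0x{start:X}-0x{end:X} ({size:#x} bytes)")
    print("regions at default image base:", image_base_pids(SAMPLE_DUMPS))
```

Run against the full list, the repeated dumps of the same 0x480000 region in PID 824 (sequence 621 through 654) are the sandbox re-dumping the live payload as it ran, so the last of them is the one to carve the Remcos configuration from; the three children's 0x400000 regions differ in size (0x78000, 0x62000, 0x24000), which is consistent with three different tools rather than three copies of the loader.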