Malware Analysis Report

2025-04-03 10:26

Sample ID 250308-lp9jgavm19
Target 7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe
SHA256 7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b
Tags
latentbot remcos feb 13 discovery execution rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b

Threat Level: Known bad

The file 7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe was found to be: Known bad.

Malicious Activity Summary

latentbot remcos feb 13 discovery execution rat trojan

Latentbot family

LatentBot

Remcos

Remcos family

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-08 09:43

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-08 09:43

Reported

2025-03-08 09:46

Platform

win7-20240729-en

Max time kernel

148s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe"

Signatures

LatentBot

trojan latentbot

Latentbot family

latentbot

Remcos

rat remcos

Remcos family

remcos

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2668 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2668 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2668 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2668 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2668 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe
PID 2668 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe
PID 2668 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe
PID 2668 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe
PID 2668 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe
PID 2668 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe
PID 2668 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe
PID 2668 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe
PID 2668 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe
PID 2668 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe
PID 2668 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe
PID 2668 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe
PID 2668 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe

"C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\obrlHi.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\obrlHi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp91D4.tmp"

C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe

"C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | oktoviyanto.ddns.net | udp
MY | 103.186.117.61:9373 | | tcp
US | 8.8.8.8:53 | benhenry2234.zapto.org | udp
MY | 103.186.117.61:9373 | | tcp
MY | 103.186.117.61:9373 | | tcp
MY | 103.186.117.61:9373 | | tcp
MY | 103.186.117.61:9373 | | tcp
MY | 103.186.117.61:9373 | | tcp
MY | 103.186.117.61:9373 | | tcp

Files

memory/2668-0-0x000000007421E000-0x000000007421F000-memory.dmp

memory/2668-1-0x0000000000A20000-0x0000000000B78000-memory.dmp

memory/2668-2-0x0000000074210000-0x00000000748FE000-memory.dmp

memory/2668-3-0x0000000000990000-0x00000000009AE000-memory.dmp

memory/2668-4-0x000000007421E000-0x000000007421F000-memory.dmp

memory/2668-5-0x0000000074210000-0x00000000748FE000-memory.dmp

memory/2668-6-0x0000000005610000-0x00000000056D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp91D4.tmp

MD5 acf5f5f5aa64b8f80fb6455f3d165784
SHA1 b70019a230467f64cce9dabc99b70de0ab4ed775
SHA256 d73ba41e9e0bb3c115c54377003927da905171d3798c097b760466cd290d2ab2
SHA512 2204ccd3c6041bbeed32faa06356375d40150d531cf171129d2b442049684eed2fc7db5b4d925884cb2271693816179bc0e1dde556d4b4c81601d55fc472f26b

memory/2528-12-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2528-29-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2528-34-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2528-31-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2528-30-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2528-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2528-26-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2528-22-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2528-20-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2528-18-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2528-16-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2528-14-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2528-24-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2668-37-0x0000000074210000-0x00000000748FE000-memory.dmp

memory/2528-38-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2528-43-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2528-44-0x0000000000400000-0x000000000047F000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 da790874cffba6fb79b6da884472b3ea
SHA1 553ba55e889d60869465d70676f34b6d65685d24
SHA256 db777010fc7e4e4a16f7e2cbb2a5e49556f1a416c33305b65d7fca6fe43b2dfc
SHA512 c4e5e6fbc7b9f7b18b096c02790d27840fca83932d170336fa2720c3facb57ceb8fb31505401996302b13cfd0a1fd44c23361fdd97254abd6e8c340d0cdf9bfb

memory/2528-49-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2528-50-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2528-56-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2528-57-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2528-62-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2528-63-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2528-68-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2528-70-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2528-75-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2528-76-0x0000000000400000-0x000000000047F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-08 09:43

Reported

2025-03-08 09:46

Platform

win10v2004-20250217-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe"

Signatures

LatentBot

trojan latentbot

Latentbot family

latentbot

Remcos

rat remcos

Remcos family

remcos

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2628 wrote to memory of 4748 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2628 wrote to memory of 4748 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2628 wrote to memory of 4748 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2628 wrote to memory of 4772 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2628 wrote to memory of 4772 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2628 wrote to memory of 4772 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2628 wrote to memory of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe
PID 2628 wrote to memory of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe
PID 2628 wrote to memory of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe
PID 2628 wrote to memory of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe
PID 2628 wrote to memory of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe
PID 2628 wrote to memory of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe
PID 2628 wrote to memory of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe
PID 2628 wrote to memory of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe
PID 2628 wrote to memory of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe
PID 2628 wrote to memory of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe
PID 2628 wrote to memory of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe
PID 2628 wrote to memory of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe | C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe

"C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\obrlHi.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\obrlHi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAAB7.tmp"

C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe

"C:\Users\Admin\AppData\Local\Temp\7cc14c13ddf6719afb12d3ef8f7ebe89de36ab0fb15fb0c2c908383f44f53c7b.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | oktoviyanto.ddns.net | udp
MY | 103.186.117.61:9373 | | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | benhenry2234.zapto.org | udp
MY | 103.186.117.61:9373 | | tcp
MY | 103.186.117.61:9373 | | tcp
MY | 103.186.117.61:9373 | | tcp
MY | 103.186.117.61:9373 | | tcp
MY | 103.186.117.61:9373 | | tcp
MY | 103.186.117.61:9373 | | tcp

Files

memory/2628-0-0x000000007481E000-0x000000007481F000-memory.dmp

memory/2628-1-0x0000000000D50000-0x0000000000EA8000-memory.dmp

memory/2628-2-0x0000000005E70000-0x0000000006414000-memory.dmp

memory/2628-3-0x00000000058C0000-0x0000000005952000-memory.dmp

memory/2628-4-0x0000000005880000-0x000000000588A000-memory.dmp

memory/2628-5-0x0000000074810000-0x0000000074FC0000-memory.dmp

memory/2628-6-0x0000000007330000-0x000000000734E000-memory.dmp

memory/2628-7-0x000000007481E000-0x000000007481F000-memory.dmp

memory/2628-8-0x0000000074810000-0x0000000074FC0000-memory.dmp

memory/2628-9-0x00000000071B0000-0x0000000007270000-memory.dmp

memory/2628-10-0x000000000CE50000-0x000000000CEEC000-memory.dmp

memory/4748-15-0x0000000005240000-0x0000000005276000-memory.dmp

memory/4748-16-0x0000000074810000-0x0000000074FC0000-memory.dmp

memory/4748-18-0x0000000005A30000-0x0000000006058000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpAAB7.tmp

MD5 350fcc01898078c2ff771b725228c3f3
SHA1 0df780a5b7325a1d5bd2f5f1b6a08082ed1230c4
SHA256 45aa26bd0d4b917bdbb6aa712730d664bc876dd59f84e108d572df867cc24a19
SHA512 129bad9027b33ba436d71a4480a3753e7bcf7c448e4d8bb90143513c95aefe665b7bf69dad2ad7e7eba26209fc3b5c623aa65777c9c58983a75f2723dbc1e545

memory/4748-20-0x0000000074810000-0x0000000074FC0000-memory.dmp

memory/4748-19-0x0000000074810000-0x0000000074FC0000-memory.dmp

memory/4748-21-0x0000000005840000-0x0000000005862000-memory.dmp

memory/4748-22-0x00000000060D0000-0x0000000006136000-memory.dmp

memory/3640-33-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3640-34-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3640-35-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4748-36-0x0000000006220000-0x0000000006574000-memory.dmp

memory/3640-42-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3640-41-0x0000000000400000-0x000000000047F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1aasaheb.0zm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4748-23-0x00000000061B0000-0x0000000006216000-memory.dmp

memory/4748-44-0x0000000006800000-0x000000000681E000-memory.dmp

memory/4748-45-0x0000000006860000-0x00000000068AC000-memory.dmp

memory/2628-46-0x0000000074810000-0x0000000074FC0000-memory.dmp

memory/3640-43-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4748-47-0x00000000077B0000-0x00000000077E2000-memory.dmp

memory/4748-48-0x000000006F1C0000-0x000000006F20C000-memory.dmp

memory/4748-58-0x0000000006DE0000-0x0000000006DFE000-memory.dmp

memory/4748-59-0x0000000007800000-0x00000000078A3000-memory.dmp

memory/4748-60-0x0000000008180000-0x00000000087FA000-memory.dmp

memory/4748-61-0x0000000007B40000-0x0000000007B5A000-memory.dmp

memory/4748-62-0x0000000007BB0000-0x0000000007BBA000-memory.dmp

memory/4748-63-0x0000000007DC0000-0x0000000007E56000-memory.dmp

memory/4748-64-0x0000000007D40000-0x0000000007D51000-memory.dmp

memory/4748-65-0x0000000007D70000-0x0000000007D7E000-memory.dmp

memory/4748-66-0x0000000007D80000-0x0000000007D94000-memory.dmp

memory/4748-67-0x0000000007E80000-0x0000000007E9A000-memory.dmp

memory/4748-68-0x0000000007E60000-0x0000000007E68000-memory.dmp

memory/4748-71-0x0000000074810000-0x0000000074FC0000-memory.dmp

memory/3640-74-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3640-77-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3640-78-0x0000000000400000-0x000000000047F000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 a7113a32d76d07889b4817a9ff3f3f00
SHA1 b3d5be621cde9dce35506c5f73e964a071a53233
SHA256 09a3f1c701854910a22da5a916c17f993c62b2c46263151db9138c7cf9c8a974
SHA512 c994937f12b11192ef5df81d25c4258fd7e3eb871688ac4309a7ddaff113c1c4a34467069a55daa8d0f3cf00fa9f0a273ccc30fe25e9528266cefbfa9909a97b

memory/3640-83-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3640-84-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3640-90-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3640-91-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3640-96-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3640-97-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3640-102-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3640-104-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3640-109-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3640-110-0x0000000000400000-0x000000000047F000-memory.dmp