Windows Analysis Report
Payroll List_pdf.exe

Overview

General Information

Sample name: Payroll List_pdf.exe
(renamed file extension from bat to exe)
Original sample name: Payroll List_pdf.bat
Analysis ID: 1650777
MD5: 55c905a0ec317664371b8ae3962d90cc
SHA1: 1cc73aeb68495a320d14b23c720d47167989b214
SHA256: 2edffaa16ba62436a4744e31d76dfaba8748534e4d6c752ca5b11949c25a4a7a
Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Remcos RAT
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Classification chart categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (scale: clean, suspicious, malicious)
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

AV Detection

Source: Payroll List_pdf.exe Avira: detected
Source: C:\ProgramData\Remcos\remcos.exe Avira: detection malicious, Label: HEUR/AGEN.1338455
Source: 00000004.00000003.1850057752.0000000002F39000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": ["196.251.86.105:2404:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-MJDICZ", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: C:\ProgramData\Remcos\remcos.exe Virustotal: Detection: 28%
Source: Payroll List_pdf.exe Virustotal: Detection: 28%
Source: Yara match File source: 00000004.00000003.1850057752.0000000002F39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1854370103.0000000002F37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payroll List_pdf.exe PID: 9072, type: MEMORYSTR
Source: Submitted Sample Neural Call Log Analysis: 92.4%
Source: Payroll List_pdf.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 142.251.40.206:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.64.65:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.251.40.206:443 -> 192.168.2.5:49730 version: TLS 1.2
Source: Payroll List_pdf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Code function: 0_2_00402862 FindFirstFileW, 0_2_00402862
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Code function: 0_2_004066F3 FindFirstFileW,FindClose, 0_2_004066F3
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Code function: 0_2_00405ABE CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose, 0_2_00405ABE
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Code function: 4_2_00402862 FindFirstFileW, 4_2_00402862
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Code function: 4_2_004066F3 FindFirstFileW,FindClose, 4_2_004066F3
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Code function: 4_2_00405ABE CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose, 4_2_00405ABE
Source: C:\ProgramData\Remcos\remcos.exe Code function: 8_2_00402862 FindFirstFileW, 8_2_00402862
Source: C:\ProgramData\Remcos\remcos.exe Code function: 8_2_004066F3 FindFirstFileW,FindClose, 8_2_004066F3
Source: C:\ProgramData\Remcos\remcos.exe Code function: 8_2_00405ABE CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 8_2_00405ABE

Networking

Source: Malware configuration extractor IPs: 196.251.86.105
Source: Joe Sandbox View ASN Name: SONIC-WirelessZA
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49727 -> 142.251.40.206:443
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49730 -> 142.251.40.206:443
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1gYV_wmSK7rZEBVczR5knLY0THa1TmbBP HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
  Host: drive.google.com
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=1gYV_wmSK7rZEBVczR5knLY0THa1TmbBP&export=download HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
  Cache-Control: no-cache
  Host: drive.usercontent.google.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1gYV_wmSK7rZEBVczR5knLY0THa1TmbBP HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
  Host: drive.google.com
  Cache-Control: no-cache
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1gYV_wmSK7rZEBVczR5knLY0THa1TmbBP HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
  Host: drive.google.com
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=1gYV_wmSK7rZEBVczR5knLY0THa1TmbBP&export=download HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
  Cache-Control: no-cache
  Host: drive.usercontent.google.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1gYV_wmSK7rZEBVczR5knLY0THa1TmbBP HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
  Host: drive.google.com
  Cache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: drive.google.com
Source: global traffic DNS traffic detected: DNS query: drive.usercontent.google.com
Source: Payroll List_pdf.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Payroll List_pdf.exe, 00000004.00000003.1793476131.0000000002F41000.00000004.00000020.00020000.00000000.sdmp, Payroll List_pdf.exe, 00000004.00000003.1793476131.0000000002F32000.00000004.00000020.00020000.00000000.sdmp, Payroll List_pdf.exe, 00000004.00000003.1793755889.0000000002F41000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000C.00000002.2697586092.0000000002FBE000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000C.00000002.2697586092.0000000002FAC000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000C.00000002.2697586092.0000000002F61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com
Source: Payroll List_pdf.exe, 00000004.00000002.1854370103.0000000002EEE000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000C.00000002.2697586092.0000000002F61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: Payroll List_pdf.exe, 00000004.00000002.1854370103.0000000002EEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/A.-
Source: remcos.exe, 0000000C.00000002.2697586092.0000000002F61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/p)
Source: Payroll List_pdf.exe, 00000004.00000002.1855519071.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, Payroll List_pdf.exe, 00000004.00000002.1854370103.0000000002F04000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000C.00000002.2749058785.0000000004A80000.00000004.00001000.00020000.00000000.sdmp, remcos.exe, 0000000C.00000002.2697586092.0000000002F61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1gYV_wmSK7rZEBVczR5knLY0THa1TmbBP
Source: Payroll List_pdf.exe, 00000004.00000002.1854370103.0000000002F04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1gYV_wmSK7rZEBVczR5knLY0THa1TmbBP5
Source: remcos.exe, 0000000C.00000002.2814022694.00000000331AD000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1gYV_wmSK7rZEBVczR5knLY0THa1TmbBP;
Source: remcos.exe, 0000000C.00000002.2697586092.0000000002F28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1gYV_wmSK7rZEBVczR5knLY0THa1TmbBP=GP
Source: remcos.exe, 0000000C.00000002.2697586092.0000000002F61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1gYV_wmSK7rZEBVczR5knLY0THa1TmbBPX
Source: remcos.exe, 0000000C.00000002.2697586092.0000000002FBE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1gYV_wmSK7rZEBVczR5knLY0THa1TmbBPverse
Source: remcos.exe, 0000000C.00000002.2697586092.0000000002F61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/
Source: remcos.exe, 0000000C.00000002.2697586092.0000000002F61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/$
Source: remcos.exe, 0000000C.00000002.2697586092.0000000002FBE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/.cn
Source: remcos.exe, 0000000C.00000002.2814022694.00000000331AD000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1gYV_wmSK7rZEBVczR5knLY0THa1TmbBP&export
Source: remcos.exe, 0000000C.00000002.2697586092.0000000002F61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1gYV_wmSK7rZEBVczR5knLY0THa1TmbBP&export=download
Source: remcos.exe, 0000000C.00000002.2697586092.0000000002FBE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1gYV_wmSK7rZEBVczR5knLY0THa1TmbBP&export=downloads-
Source: Payroll List_pdf.exe, 00000004.00000003.1825993990.0000000002F39000.00000004.00000020.00020000.00000000.sdmp, Payroll List_pdf.exe, 00000004.00000003.1850057752.0000000002F39000.00000004.00000020.00020000.00000000.sdmp, Payroll List_pdf.exe, 00000004.00000002.1854370103.0000000002F37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/~
Source: Payroll List_pdf.exe, 00000004.00000003.1793476131.0000000002F41000.00000004.00000020.00020000.00000000.sdmp, Payroll List_pdf.exe, 00000004.00000003.1793476131.0000000002F32000.00000004.00000020.00020000.00000000.sdmp, Payroll List_pdf.exe, 00000004.00000003.1793755889.0000000002F41000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000C.00000002.2697586092.0000000002FBE000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000C.00000002.2697586092.0000000002FAC000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000C.00000002.2697586092.0000000002F61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ssl.gstatic.com
Source: Payroll List_pdf.exe, 00000004.00000003.1793476131.0000000002F41000.00000004.00000020.00020000.00000000.sdmp, Payroll List_pdf.exe, 00000004.00000003.1793476131.0000000002F32000.00000004.00000020.00020000.00000000.sdmp, Payroll List_pdf.exe, 00000004.00000003.1793755889.0000000002F41000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000C.00000002.2697586092.0000000002FBE000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000C.00000002.2697586092.0000000002FAC000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000C.00000002.2697586092.0000000002F61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com;report-uri
Source: Payroll List_pdf.exe, 00000004.00000003.1793476131.0000000002F41000.00000004.00000020.00020000.00000000.sdmp, Payroll List_pdf.exe, 00000004.00000003.1793476131.0000000002F32000.00000004.00000020.00020000.00000000.sdmp, Payroll List_pdf.exe, 00000004.00000003.1793755889.0000000002F41000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000C.00000002.2697586092.0000000002FBE000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000C.00000002.2697586092.0000000002FAC000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000C.00000002.2697586092.0000000002F61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: Payroll List_pdf.exe, 00000004.00000003.1793476131.0000000002F41000.00000004.00000020.00020000.00000000.sdmp, Payroll List_pdf.exe, 00000004.00000003.1793476131.0000000002F32000.00000004.00000020.00020000.00000000.sdmp, Payroll List_pdf.exe, 00000004.00000003.1793755889.0000000002F41000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000C.00000002.2697586092.0000000002FBE000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000C.00000002.2697586092.0000000002FAC000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000C.00000002.2697586092.0000000002F61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com
Source: Payroll List_pdf.exe, 00000004.00000003.1793476131.0000000002F41000.00000004.00000020.00020000.00000000.sdmp, Payroll List_pdf.exe, 00000004.00000003.1793476131.0000000002F32000.00000004.00000020.00020000.00000000.sdmp, Payroll List_pdf.exe, 00000004.00000003.1793755889.0000000002F41000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000C.00000002.2697586092.0000000002FBE000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000C.00000002.2697586092.0000000002FAC000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000C.00000002.2697586092.0000000002F61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown HTTPS traffic detected: 142.251.40.206:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.64.65:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.251.40.206:443 -> 192.168.2.5:49730 version: TLS 1.2
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Code function: 0_2_00405553 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,LdrInitializeThunk,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,LdrInitializeThunk,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,LdrInitializeThunk,ShowWindow,LdrInitializeThunk,LdrInitializeThunk,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,LdrInitializeThunk,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405553

E-Banking Fraud

Source: Yara match File source: 00000004.00000003.1850057752.0000000002F39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1854370103.0000000002F37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payroll List_pdf.exe PID: 9072, type: MEMORYSTR

System Summary

Source: initial sample Static PE information: Filename: Payroll List_pdf.exe
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Code function: 0_2_00403489 EntryPoint,LdrInitializeThunk,SetErrorMode,GetVersion,lstrlenA,LdrInitializeThunk,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,LdrInitializeThunk,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess, 0_2_00403489
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Code function: 4_2_00403489 EntryPoint,LdrInitializeThunk,SetErrorMode,GetVersion,lstrlenA,LdrInitializeThunk,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,LdrInitializeThunk,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess, 4_2_00403489
Source: C:\ProgramData\Remcos\remcos.exe Code function: 8_2_00403489 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 8_2_00403489
Source: C:\Users\user\Desktop\Payroll List_pdf.exe File created: C:\Windows\resources\0809
Source: C:\Users\user\Desktop\Payroll List_pdf.exe File created: C:\Windows\SysWOW64\Disarticulating.ini
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Code function: 0_2_00404D90 0_2_00404D90
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Code function: 0_2_00406ABA 0_2_00406ABA
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Code function: 4_2_00404D90 4_2_00404D90
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Code function: 4_2_00406ABA 4_2_00406ABA
Source: C:\ProgramData\Remcos\remcos.exe Code function: 8_2_00404D90 8_2_00404D90
Source: C:\ProgramData\Remcos\remcos.exe Code function: 8_2_00406ABA 8_2_00406ABA
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\nsl358B.tmp\System.dll F004C568D305CD95EDBD704166FCD2849D395B595DFF814BCC2012693527AC37
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\nsu65C8.tmp\System.dll F004C568D305CD95EDBD704166FCD2849D395B595DFF814BCC2012693527AC37
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Code function: String function: 00402C37 appears 49 times
Source: Payroll List_pdf.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.evad.winEXE@10/25@2/3
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Code function: 0_2_00403489 EntryPoint,LdrInitializeThunk,SetErrorMode,GetVersion,lstrlenA,LdrInitializeThunk,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,LdrInitializeThunk,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess, 0_2_00403489
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Code function: 4_2_00403489 EntryPoint,LdrInitializeThunk,SetErrorMode,GetVersion,lstrlenA,LdrInitializeThunk,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,LdrInitializeThunk,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess, 4_2_00403489
Source: C:\ProgramData\Remcos\remcos.exe Code function: 8_2_00403489 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 8_2_00403489
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Code function: 0_2_00404814 GetDlgItem,SetWindowTextW,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,LdrInitializeThunk,SetDlgItemTextW, 0_2_00404814
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Code function: 0_2_004020FE LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk,LdrInitializeThunk, 0_2_004020FE
Source: C:\Users\user\Desktop\Payroll List_pdf.exe File created: C:\Program Files (x86)\dyppekogerens.ini
Source: C:\Users\user\Desktop\Payroll List_pdf.exe File created: C:\Users\user\lvstikke.ini
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-MJDICZ
Source: C:\Users\user\Desktop\Payroll List_pdf.exe File created: C:\Users\user\AppData\Local\Temp\nsi6364.tmp
Source: Payroll List_pdf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Payroll List_pdf.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Payroll List_pdf.exe Virustotal: Detection: 28%
Source: C:\Users\user\Desktop\Payroll List_pdf.exe File read: C:\Users\user\Desktop\Payroll List_pdf.exe
Source: unknown Process created: C:\Users\user\Desktop\Payroll List_pdf.exe "C:\Users\user\Desktop\Payroll List_pdf.exe"
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Process created: C:\Users\user\Desktop\Payroll List_pdf.exe "C:\Users\user\Desktop\Payroll List_pdf.exe"
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: unknown Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: unknown Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: unknown Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Process created: C:\Users\user\Desktop\Payroll List_pdf.exe "C:\Users\user\Desktop\Payroll List_pdf.exe"
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Section loaded: apphelp.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: userenv.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: apphelp.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: propsys.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: dwmapi.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: oleacc.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: version.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: shfolder.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wldp.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: profapi.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: riched20.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: usp10.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: msls31.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: textinputframework.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: coreuicomponents.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: coremessaging.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: coremessaging.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wintypes.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wininet.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: iertutil.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: sspicli.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: wldp.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: profapi.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: winhttp.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: mswsock.dll
Source: C:\ProgramData\Remcos\remcos.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\Payroll List_pdf.exe File written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\censorkorpsenes.ini
Source: Payroll List_pdf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Yara match File source: 0000000C.00000002.2589769449.0000000001887000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1605829376.00000000032D7000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1851860987.0000000001887000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2278078106.00000000033F7000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Code function: 0_2_10001B18 LdrInitializeThunk,GlobalAlloc,LdrInitializeThunk,LdrInitializeThunk,lstrcpyW,lstrcpyW,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,GlobalFree,GlobalFree,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,lstrcpyW,LdrInitializeThunk,LdrInitializeThunk,GetModuleHandleW,LdrInitializeThunk,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_10001B18
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Code function: 0_2_10002DE0 push eax; ret 0_2_10002E0E
Source: C:\Users\user\Desktop\Payroll List_pdf.exe File created: C:\Users\user\AppData\Local\Temp\nsu65C8.tmp\System.dll
Source: C:\ProgramData\Remcos\remcos.exe File created: C:\Users\user\AppData\Local\Temp\nsl358B.tmp\System.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe File created: C:\ProgramData\Remcos\remcos.exe

Boot Survival

Source: C:\Users\user\Desktop\Payroll List_pdf.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-MJDICZ
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Rmc-MJDICZ
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Remcos\remcos.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Payroll List_pdf.exe API/Special instruction interceptor: Address: 3AD05C5
Source: C:\Users\user\Desktop\Payroll List_pdf.exe API/Special instruction interceptor: Address: 20805C5
Source: C:\ProgramData\Remcos\remcos.exe API/Special instruction interceptor: Address: 3BF05C5
Source: C:\ProgramData\Remcos\remcos.exe API/Special instruction interceptor: Address: 20805C5
Source: C:\Users\user\Desktop\Payroll List_pdf.exe RDTSC instruction interceptor: First address: 3A852B9 second address: 3A852B9 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FAB94519E38h 0x00000006 inc ebp 0x00000007 test al, cl 0x00000009 inc ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Payroll List_pdf.exe RDTSC instruction interceptor: First address: 20352B9 second address: 20352B9 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FAB94748BE8h 0x00000006 inc ebp 0x00000007 test al, cl 0x00000009 inc ebx 0x0000000a rdtsc
Source: C:\ProgramData\Remcos\remcos.exe RDTSC instruction interceptor: First address: 3BA52B9 second address: 3BA52B9 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FAB94519E38h 0x00000006 inc ebp 0x00000007 test al, cl 0x00000009 inc ebx 0x0000000a rdtsc
Source: C:\ProgramData\Remcos\remcos.exe RDTSC instruction interceptor: First address: 20352B9 second address: 20352B9 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FAB94748BE8h 0x00000006 inc ebp 0x00000007 test al, cl 0x00000009 inc ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsu65C8.tmp\System.dll
Source: C:\ProgramData\Remcos\remcos.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsl358B.tmp\System.dll
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Code function: 0_2_00402862 FindFirstFileW, 0_2_00402862
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Code function: 0_2_004066F3 FindFirstFileW,FindClose, 0_2_004066F3
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Code function: 0_2_00405ABE CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose, 0_2_00405ABE
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Code function: 4_2_00402862 FindFirstFileW, 4_2_00402862
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Code function: 4_2_004066F3 FindFirstFileW,FindClose, 4_2_004066F3
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Code function: 4_2_00405ABE CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose, 4_2_00405ABE
Source: C:\ProgramData\Remcos\remcos.exe Code function: 8_2_00402862 FindFirstFileW, 8_2_00402862
Source: C:\ProgramData\Remcos\remcos.exe Code function: 8_2_004066F3 FindFirstFileW,FindClose, 8_2_004066F3
Source: C:\ProgramData\Remcos\remcos.exe Code function: 8_2_00405ABE CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 8_2_00405ABE
Source: Payroll List_pdf.exe, 00000004.00000002.1854370103.0000000002F04000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Payroll List_pdf.exe, 00000004.00000002.1854370103.0000000002F2C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWS
Source: Payroll List_pdf.exe, 00000004.00000002.1854370103.0000000002F2C000.00000004.00000020.00020000.00000000.sdmp, Payroll List_pdf.exe, 00000004.00000002.1854370103.0000000002EEE000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000C.00000002.2697586092.0000000002FAC000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 0000000C.00000002.2697586092.0000000002F28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\Payroll List_pdf.exe API call chain: ExitProcess graph end node
Source: C:\ProgramData\Remcos\remcos.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Code function: 0_2_00402644 MultiByteToWideChar,ReadFile,LdrInitializeThunk,MultiByteToWideChar,SetFilePointer,LdrInitializeThunk,MultiByteToWideChar,SetFilePointer, 0_2_00402644
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Code function: 0_2_10001B18 LdrInitializeThunk,GlobalAlloc,LdrInitializeThunk,LdrInitializeThunk,lstrcpyW,lstrcpyW,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,GlobalFree,GlobalFree,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,lstrcpyW,LdrInitializeThunk,LdrInitializeThunk,GetModuleHandleW,LdrInitializeThunk,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_10001B18
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Process created: C:\Users\user\Desktop\Payroll List_pdf.exe "C:\Users\user\Desktop\Payroll List_pdf.exe"
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\ProgramData\Remcos\remcos.exe Process created: C:\ProgramData\Remcos\remcos.exe "C:\ProgramData\Remcos\remcos.exe"
Source: C:\Users\user\Desktop\Payroll List_pdf.exe Code function: 0_2_00403489 EntryPoint,LdrInitializeThunk,SetErrorMode,GetVersion,lstrlenA,LdrInitializeThunk,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,LdrInitializeThunk,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess, 0_2_00403489

Stealing of Sensitive Information

Source: Yara match File source: 00000004.00000003.1850057752.0000000002F39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1854370103.0000000002F37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payroll List_pdf.exe PID: 9072, type: MEMORYSTR

Remote Access Functionality

Source: C:\Users\user\Desktop\Payroll List_pdf.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-MJDICZ
Source: Yara match File source: 00000004.00000003.1850057752.0000000002F39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1854370103.0000000002F37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payroll List_pdf.exe PID: 9072, type: MEMORYSTR