Malware analysis Laporan Survei Karyawan.PDF.exe Malicious activity

Add for printing

File name:	Laporan Survei Karyawan.PDF.exe
Full analysis:	https://app.any.run/tasks/b4581bae-d939-4ced-bd63-68aa9362d955
Verdict:	Malicious activity
Threats:	Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Remcos is a commercially distributed remote administration and surveillance tool that has been widely observed in unauthorized deployments, where threat actors use it to perform remote actions on compromised machines. It is actively maintained by its vendor, with new versions and feature updates released on a frequent, near-monthly basis. Remcos ist eine Malware vom Typ RAT, mit der Angreifer aus der Ferne Aktionen auf infizierten Computern durchführen können. Diese Malware ist extrem aktiv und wird fast jeden Monat mit Updates auf den neuesten Stand gebracht. Malware Trends Tracker >>>
Analysis date:	June 26, 2025, 08:25:32
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	auto-reg rat remcos
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:	EA22EBBBA9F0D0248332DB643BD2E6DA
SHA1:	B77C15B2F3569B3DA3AF91DCA1F0D66096481517
SHA256:	C1FA6E55486B388EB064F222153D7DF4580EB1C6D804EC5156411AC62254D4EF
SSDEEP:	24576:uRyguKuDowdTNfAqF7lLLQmxcHjctIhIYFCOcIW4lFDtwkuA7X4Y/GL28IhT3/:uRyguKuDowdTN5BlLLQmxajctIhIYFCU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- REMCOS mutex has been found
  - Laporan Survei Karyawan.PDF.exe (PID: 7048)
  - remcos.exe (PID: 6228)
- REMCOS has been detected
  - Laporan Survei Karyawan.PDF.exe (PID: 7048)
  - remcos.exe (PID: 6228)
- Changes the autorun value in the registry
  - Laporan Survei Karyawan.PDF.exe (PID: 7048)
  - remcos.exe (PID: 6228)
- REMCOS has been detected (YARA)
  - remcos.exe (PID: 6228)
SUSPICIOUS
- Malware-specific behavior (creating "System.dll" in Temp)
  - Laporan Survei Karyawan.PDF.exe (PID: 2780)
  - remcos.exe (PID: 5020)
- The process creates files with name similar to system file names
  - Laporan Survei Karyawan.PDF.exe (PID: 2780)
  - remcos.exe (PID: 5020)
- Executable content was dropped or overwritten
  - Laporan Survei Karyawan.PDF.exe (PID: 2780)
  - Laporan Survei Karyawan.PDF.exe (PID: 7048)
  - remcos.exe (PID: 5020)
- Application launched itself
  - Laporan Survei Karyawan.PDF.exe (PID: 2780)
  - updater.exe (PID: 1324)
  - remcos.exe (PID: 5020)
- Reads security settings of Internet Explorer
  - Laporan Survei Karyawan.PDF.exe (PID: 7048)
  - remcos.exe (PID: 6228)
- Starts itself from another location
  - Laporan Survei Karyawan.PDF.exe (PID: 7048)
- The process executes via Task Scheduler
  - updater.exe (PID: 1324)
- There is functionality for taking screenshot (YARA)
  - remcos.exe (PID: 3880)
  - remcos.exe (PID: 6228)
- Connects to unusual port
  - remcos.exe (PID: 6228)
INFO
- Checks supported languages
  - Laporan Survei Karyawan.PDF.exe (PID: 2780)
  - Laporan Survei Karyawan.PDF.exe (PID: 7048)
  - remcos.exe (PID: 5020)
  - updater.exe (PID: 1324)
  - remcos.exe (PID: 3880)
  - updater.exe (PID: 6472)
  - remcos.exe (PID: 6228)
- Creates files or folders in the user directory
  - Laporan Survei Karyawan.PDF.exe (PID: 2780)
  - Laporan Survei Karyawan.PDF.exe (PID: 7048)
- The sample compiled with english language support
  - Laporan Survei Karyawan.PDF.exe (PID: 2780)
  - Laporan Survei Karyawan.PDF.exe (PID: 7048)
- Reads the computer name
  - Laporan Survei Karyawan.PDF.exe (PID: 2780)
  - Laporan Survei Karyawan.PDF.exe (PID: 7048)
  - remcos.exe (PID: 5020)
  - updater.exe (PID: 1324)
  - remcos.exe (PID: 3880)
  - remcos.exe (PID: 6228)
- Create files in a temporary directory
  - Laporan Survei Karyawan.PDF.exe (PID: 2780)
  - remcos.exe (PID: 5020)
- Reads the machine GUID from the registry
  - Laporan Survei Karyawan.PDF.exe (PID: 7048)
  - remcos.exe (PID: 6228)
- Reads the software policy settings
  - Laporan Survei Karyawan.PDF.exe (PID: 7048)
  - remcos.exe (PID: 6228)
  - slui.exe (PID: 4844)
- Checks proxy server information
  - Laporan Survei Karyawan.PDF.exe (PID: 7048)
  - remcos.exe (PID: 6228)
  - slui.exe (PID: 4844)
- Creates files in the program directory
  - Laporan Survei Karyawan.PDF.exe (PID: 7048)
- Launching a file from a Registry key
  - Laporan Survei Karyawan.PDF.exe (PID: 7048)
  - remcos.exe (PID: 6228)
- Process checks computer location settings
  - Laporan Survei Karyawan.PDF.exe (PID: 7048)
- Manual execution by a user
  - remcos.exe (PID: 3880)
- Process checks whether UAC notifications are on
  - updater.exe (PID: 1324)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

Remcos

(PID) Process(6228) remcos.exe

C2 (3)104.37.4.100:6000

104.37.4.100:6001

104.37.4.100:6002

BotnetRemoteHost

Options

Connect_interval1

Install_flagTrue

Install_HKCU\RunTrue

Install_HKLM\RunTrue

Install_HKLM\Explorer\Run1

Install_HKLM\Winlogon\Shell100000

Setup_path%LOCALAPPDATA%

Copy_fileremcos.exe

Startup_valueFalse

Hide_fileFalse

Mutex_nameRmc-B3LFEQ

Keylog_flag0

Keylog_path%LOCALAPPDATA%

Keylog_filelogs.dat

Keylog_cryptFalse

Hide_keylogFalse

Screenshot_flagFalse

Screenshot_time5

Take_ScreenshotFalse

Screenshot_path%APPDATA%

Screenshot_fileScreenshots

Screenshot_cryptFalse

Mouse_optionFalse

Delete_fileFalse

Audio_record_time5

Audio_path1

Audio_dirMicRecords

Connect_delay0

Copy_dirRemcos

Keylog_dirremcos

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2019:12:16 00:50:59+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	26624
InitializedDataSize:	186368
UninitializedDataSize:	2048
EntryPoint:	0x33fa
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.4.0.0
ProductVersionNumber:	1.4.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
Comments:	haandskriften antimonate
CompanyName:	pyoptysis bogstavelig
FileDescription:	geologi
InternalName:	mimus damascerer.exe
LegalTrademarks:	houdah trawlfiskeris fuppen
ProductName:	macerators clints skridtendes
ProductVersion:	1.4.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

145

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1324

"C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --system

C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe

—

svchost.exe

User:

SYSTEM

Company:

Google LLC

Integrity Level:

SYSTEM

Description:

Google Updater

Exit code:

Version:

134.0.6985.0

Modules

Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

2780

"C:\Users\admin\AppData\Local\Temp\Laporan Survei Karyawan.PDF.exe"

C:\Users\admin\AppData\Local\Temp\Laporan Survei Karyawan.PDF.exe

explorer.exe

User:

admin

Company:

pyoptysis bogstavelig

Integrity Level:

MEDIUM

Description:

geologi

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\laporan survei karyawan.pdf.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

3880

"C:\ProgramData\Remcos\remcos.exe"

C:\ProgramData\Remcos\remcos.exe

—

explorer.exe

User:

admin

Company:

pyoptysis bogstavelig

Integrity Level:

MEDIUM

Description:

geologi

Modules

Images
c:\programdata\remcos\remcos.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

4844

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

5020

"C:\ProgramData\Remcos\remcos.exe"

C:\ProgramData\Remcos\remcos.exe

Laporan Survei Karyawan.PDF.exe

User:

admin

Company:

pyoptysis bogstavelig

Integrity Level:

MEDIUM

Description:

geologi

Exit code:

Modules

Images
c:\programdata\remcos\remcos.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

6228

"C:\ProgramData\Remcos\remcos.exe"

C:\ProgramData\Remcos\remcos.exe

remcos.exe

User:

admin

Company:

pyoptysis bogstavelig

Integrity Level:

MEDIUM

Description:

geologi

Modules

Images
c:\windows\syswow64\mshtml.dll
c:\programdata\remcos\remcos.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

Remcos

(PID) Process(6228) remcos.exe

C2 (3)104.37.4.100:6000

104.37.4.100:6001

104.37.4.100:6002

BotnetRemoteHost

Options

Connect_interval1

Install_flagTrue

Install_HKCU\RunTrue

Install_HKLM\RunTrue

Install_HKLM\Explorer\Run1

Install_HKLM\Winlogon\Shell100000

Setup_path%LOCALAPPDATA%

Copy_fileremcos.exe

Startup_valueFalse

Hide_fileFalse

Mutex_nameRmc-B3LFEQ

Keylog_flag0

Keylog_path%LOCALAPPDATA%

Keylog_filelogs.dat

Keylog_cryptFalse

Hide_keylogFalse

Screenshot_flagFalse

Screenshot_time5

Take_ScreenshotFalse

Screenshot_path%APPDATA%

Screenshot_fileScreenshots

Screenshot_cryptFalse

Mouse_optionFalse

Delete_fileFalse

Audio_record_time5

Audio_path1

Audio_dirMicRecords

Connect_delay0

Copy_dirRemcos

Keylog_dirremcos

6472

"C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x2a0,0x2a4,0x2a8,0x27c,0x2ac,0x111c460,0x111c46c,0x111c478

C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe

—

updater.exe

User:

SYSTEM

Company:

Google LLC

Integrity Level:

SYSTEM

Description:

Google Updater

Exit code:

Version:

134.0.6985.0

Modules

Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

7048

"C:\Users\admin\AppData\Local\Temp\Laporan Survei Karyawan.PDF.exe"

C:\Users\admin\AppData\Local\Temp\Laporan Survei Karyawan.PDF.exe

Laporan Survei Karyawan.PDF.exe

User:

admin

Company:

pyoptysis bogstavelig

Integrity Level:

MEDIUM

Description:

geologi

Exit code:

Modules

Images
c:\windows\syswow64\mshtml.dll
c:\users\admin\appdata\local\temp\laporan survei karyawan.pdf.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

Add for printing

Total events

5 422

Read events

5 403

Write events

Delete events

Modification events


(PID) Process:	(2780) Laporan Survei Karyawan.PDF.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CLR\Start
Operation:	write	Name:	CLR Start
Value: 2
(PID) Process:	(2780) Laporan Survei Karyawan.PDF.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Service
Operation:	write	Name:	System_Check
Value: kernel32::CreateFileA(m r4 , i 0x80000000, i 0, p 0, i 4, i 0x80, i 0)i.r5
(PID) Process:	(2780) Laporan Survei Karyawan.PDF.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Service
Operation:	write	Name:	System_Check
Value: kernel32::SetFilePointer(i r5, i 13101 , i 0,i 0)
(PID) Process:	(2780) Laporan Survei Karyawan.PDF.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Service
Operation:	write	Name:	System_Check
Value: kernel32::VirtualAlloc(i 0,i 38658048, i 0x3000, i 0x40)p.r2
(PID) Process:	(2780) Laporan Survei Karyawan.PDF.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Service
Operation:	write	Name:	System_Check
Value: kernel32::ReadFile(i r5, i r2, i 38658048,*i 0, i 0)
(PID) Process:	(2780) Laporan Survei Karyawan.PDF.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Service
Operation:	write	Name:	System_Check
Value: user32::EnumWindows(i r2 ,i 0)
(PID) Process:	(7048) Laporan Survei Karyawan.PDF.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Rmc-B3LFEQ
Value: "C:\ProgramData\Remcos\remcos.exe"
(PID) Process:	(5020) remcos.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Service
Operation:	write	Name:	System_Check
Value: kernel32::CreateFileA(m r4 , i 0x80000000, i 0, p 0, i 4, i 0x80, i 0)i.r5
(PID) Process:	(5020) remcos.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Service
Operation:	write	Name:	System_Check
Value: kernel32::SetFilePointer(i r5, i 13101 , i 0,i 0)
(PID) Process:	(5020) remcos.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Service
Operation:	write	Name:	System_Check
Value: kernel32::ReadFile(i r5, i r2, i 38658048,*i 0, i 0)

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2780	Laporan Survei Karyawan.PDF.exe	C:\Users\admin\AppData\Local\rutilate\alme\Ovariohysterectomy.Sma		abr
		MD5:E0ADCE89B9DCFA6049FE7CDE69289636	SHA256:FE8303941033923239EE1827C0E8944B8376B8AA3F4EFA5C3DB206B700AC6CDE
2780	Laporan Survei Karyawan.PDF.exe	C:\Users\admin\AppData\Local\rutilate\alme\Flyvercertifikat.txt		text
		MD5:0377BEF66E3CF14857C3833F1C588F52	SHA256:A9996639C229FE532BACACDE560870074F32DE64D0359AAF46CF98D38B2CDF88
2780	Laporan Survei Karyawan.PDF.exe	C:\Users\admin\AppData\Local\rutilate\alme\Skrudet\forfladigelsen.ini		text
		MD5:C9D70580BC3F17BBDD3B70591C629A02	SHA256:93497DB2D36BB1AD587F554CBA2475CCC79219DC68A1E9F1F5D21B5E1E6CEBAB
2780	Laporan Survei Karyawan.PDF.exe	C:\Users\admin\AppData\Local\rutilate\alme\Skrudet\stenkastene.jpg		image
		MD5:8E52890BDF9FA28D90D366CB6FCDE015	SHA256:AA002A1A6BDADD8793603BB958DA7C8276091AD38E517A649DD545982054403B
2780	Laporan Survei Karyawan.PDF.exe	C:\Users\admin\AppData\Local\rutilate\alme\Skrudet\stikpillerne.sli		binary
		MD5:E81099871BFFF165C8479BCA98451AE1	SHA256:55E493F43E0A0444EC79C4663E3D4B63E713FF8B7150F871C5BE1E3E7D11CB8F
2780	Laporan Survei Karyawan.PDF.exe	C:\Users\admin\AppData\Local\rutilate\alme\Skrudet\autochthonal.run		binary
		MD5:11DFE27FCA1A6B0701B2BE3B81AA1F10	SHA256:5E2F680A88E049C67C9C83A5BFF45D9F9193E0C9C66926127D09F2EBA6AACD9A
2780	Laporan Survei Karyawan.PDF.exe	C:\Users\admin\AppData\Local\rutilate\alme\Skrudet\airspace.chi		abr
		MD5:C688102A5F937218B5BA5AE8F98F3E5C	SHA256:6BE9559ED3A46CC546A4AD14F0AF8BD3B852D3F1C11B5F460A89E4192BF8734C
7048	Laporan Survei Karyawan.PDF.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C60C0C29522E01E6A22BD2717F20782E_927CD7694ABAB4DA64EA66E7743CA0D9		der
		MD5:039640CBCBAFF56C7121F6E263C9109B	SHA256:732360C77B2DCE601BE41E17458579C4C9DFE6720DEA8319349DFAC79E3F79E8
7048	Laporan Survei Karyawan.PDF.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12		der
		MD5:4A90329071AE30B759D279CCA342B0A6	SHA256:4F544379EDA8E2653F71472AB968AEFD6B5D1F4B3CE28A5EDB14196184ED3B60
2780	Laporan Survei Karyawan.PDF.exe	C:\Users\admin\AppData\Local\rutilate\alme\Skrudet\tins.ini		text
		MD5:BF3D97C32AB148F648299771BA7081A0	SHA256:9FC706813A5B88855289728EF091D86516E5574664A1F6FCCC6A95CC1239FA4D

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7048	Laporan Survei Karyawan.PDF.exe	GET	200	216.58.206.35:80	http://c.pki.goog/r/gsr1.crl	unknown	—	—	whitelisted
7048	Laporan Survei Karyawan.PDF.exe	GET	200	216.58.206.35:80	http://c.pki.goog/r/r4.crl	unknown	—	—	whitelisted
7048	Laporan Survei Karyawan.PDF.exe	GET	200	216.58.206.35:80	http://o.pki.goog/we2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTuMJxAT2trYla0jia%2F5EUSmLrk3QQUdb7Ed66J9kQ3fc%2BxaB8dGuvcNFkCEQCebGtkb2cNegm%2FGwwoZmjS	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.216.77.6:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	69.192.161.161:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5628	SIHClient.exe	GET	200	69.192.161.161:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
2940	svchost.exe	GET	200	69.192.161.44:80	http://x1.c.lencr.org/	unknown	—	—	whitelisted
2876	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5628	SIHClient.exe	GET	200	69.192.161.161:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7048	Laporan Survei Karyawan.PDF.exe	GET	200	216.58.206.35:80	http://o.pki.goog/we2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTuMJxAT2trYla0jia%2F5EUSmLrk3QQUdb7Ed66J9kQ3fc%2BxaB8dGuvcNFkCEQCLv9IIZH%2B2MBIS18%2FOut80	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
5944	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1740	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
7048	Laporan Survei Karyawan.PDF.exe	142.250.185.174:443	drive.google.com	GOOGLE	US	whitelisted
7048	Laporan Survei Karyawan.PDF.exe	216.58.206.35:80	c.pki.goog	GOOGLE	US	whitelisted
1268	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	23.216.77.6:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	69.192.161.161:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 40.127.240.158 20.73.194.208	whitelisted
google.com	172.217.16.206	whitelisted
drive.google.com	142.250.185.174	whitelisted
c.pki.goog	216.58.206.35	whitelisted
o.pki.goog	216.58.206.35	whitelisted
crl.microsoft.com	23.216.77.6 23.216.77.28 23.216.77.42	whitelisted
www.microsoft.com	69.192.161.161	whitelisted
drive.usercontent.google.com	142.250.185.97	whitelisted
login.live.com	20.190.160.66 40.126.32.136 40.126.32.140 20.190.160.64 20.190.160.130 20.190.160.17 20.190.160.20 20.190.160.14	whitelisted
ocsp.digicert.com	2.17.190.73	whitelisted

Threats

PID	Process	Class	Message
—	—	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)

Add for printing

No debug info

General Info

Laporan Survei Karyawan.PDF.exe

EA22EBBBA9F0D0248332DB643BD2E6DA

B77C15B2F3569B3DA3AF91DCA1F0D66096481517

C1FA6E55486B388EB064F222153D7DF4580EB1C6D804EC5156411AC62254D4EF

24576:uRyguKuDowdTNfAqF7lLLQmxcHjctIhIYFCOcIW4lFDtwkuA7X4Y/GL28IhT3/:uRyguKuDowdTN5BlLLQmxajctIhIYFCU

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

REMCOS mutex has been found

REMCOS has been detected

Changes the autorun value in the registry

REMCOS has been detected (YARA)

SUSPICIOUS

Malware-specific behavior (creating "System.dll" in Temp)

The process creates files with name similar to system file names

Executable content was dropped or overwritten

Application launched itself

Reads security settings of Internet Explorer

Starts itself from another location

The process executes via Task Scheduler

There is functionality for taking screenshot (YARA)

Connects to unusual port

INFO

Checks supported languages

Creates files or folders in the user directory

The sample compiled with english language support

Reads the computer name

Create files in a temporary directory

Reads the machine GUID from the registry

Reads the software policy settings

Checks proxy server information

Creates files in the program directory

Launching a file from a Registry key

Process checks computer location settings

Manual execution by a user

Process checks whether UAC notifications are on

Malware configuration

Remcos

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

Remcos

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings