remcos | 2010a7e1a136a9881ba4db4beb99088ea77ea2997d36e6d1d16fc696b34fda8b

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24/03/2023, 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OFFER - FLG 80460-7946893.exe
Size

1.1MB
MD5

f2121e6f89567e460e1d5db6d2ac8740
SHA1

2c6b0077b423e11bbfa00b9446f5f8614acd33df
SHA256

2010a7e1a136a9881ba4db4beb99088ea77ea2997d36e6d1d16fc696b34fda8b
SHA512

85084597c888169c742beffa119aea1cbd862238b05ff96b49c460aed350bc04deedbbb2fa3a4c7e8c1a9b6763fbcece529f332703bc04826235cbd3c4b5f391
SSDEEP

24576:M+dborkAeFc65AX4LdHCcbnbUqcXG1+JIL66hP:M+dErkq0HCczbnY2l

Score

10^/10

remcos remotehost collection persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

212.193.30.230:3330

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-VPI7TY
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/4836-310-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral2/memory/4836-319-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/3668-308-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/3668-322-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/3668-324-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

resource	yara_rule
behavioral2/memory/4836-310-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral2/memory/3668-308-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/4836-319-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral2/memory/2092-320-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2092-321-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/3668-322-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/3668-324-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	OFFER - FLG 80460-7946893.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	remcos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	OFFER - FLG 80460-7946893.exe

Executes dropped EXE 9 IoCs

pid	Process
4520	remcos.exe
4616	remcos.exe
3668	remcos.exe
4836	remcos.exe
1940	remcos.exe
716	remcos.exe
792	remcos.exe
4272	remcos.exe
2092	remcos.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	remcos.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	OFFER - FLG 80460-7946893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	OFFER - FLG 80460-7946893.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\Run\	OFFER - FLG 80460-7946893.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	OFFER - FLG 80460-7946893.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 3804 set thread context of 1236	3804	OFFER - FLG 80460-7946893.exe	114
PID 4520 set thread context of 4616	4520	remcos.exe	123
PID 4616 set thread context of 3668	4616	remcos.exe	124
PID 4616 set thread context of 4836	4616	remcos.exe	125
PID 4616 set thread context of 2092	4616	remcos.exe	128

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3540	schtasks.exe
3916	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
3804	OFFER - FLG 80460-7946893.exe
3804	OFFER - FLG 80460-7946893.exe
3804	OFFER - FLG 80460-7946893.exe
3804	OFFER - FLG 80460-7946893.exe
4968	powershell.exe
2572	powershell.exe
3804	OFFER - FLG 80460-7946893.exe
3804	OFFER - FLG 80460-7946893.exe
3804	OFFER - FLG 80460-7946893.exe
3804	OFFER - FLG 80460-7946893.exe
3804	OFFER - FLG 80460-7946893.exe
4968	powershell.exe
2572	powershell.exe
4520	remcos.exe
4520	remcos.exe
4520	remcos.exe
1988	powershell.exe
4520	remcos.exe
4340	powershell.exe
1988	powershell.exe
4340	powershell.exe
3668	remcos.exe
3668	remcos.exe
2092	remcos.exe
2092	remcos.exe
3668	remcos.exe
3668	remcos.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
4616	remcos.exe
4616	remcos.exe
4616	remcos.exe
4616	remcos.exe
4616	remcos.exe
4616	remcos.exe
4616	remcos.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3804	OFFER - FLG 80460-7946893.exe
Token: SeDebugPrivilege	4968	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	4520	remcos.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	4340	powershell.exe
Token: SeDebugPrivilege	2092	remcos.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4616	remcos.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3804 wrote to memory of 2572	3804	OFFER - FLG 80460-7946893.exe	106
PID 3804 wrote to memory of 2572	3804	OFFER - FLG 80460-7946893.exe	106
PID 3804 wrote to memory of 2572	3804	OFFER - FLG 80460-7946893.exe	106
PID 3804 wrote to memory of 4968	3804	OFFER - FLG 80460-7946893.exe	108
PID 3804 wrote to memory of 4968	3804	OFFER - FLG 80460-7946893.exe	108
PID 3804 wrote to memory of 4968	3804	OFFER - FLG 80460-7946893.exe	108
PID 3804 wrote to memory of 3540	3804	OFFER - FLG 80460-7946893.exe	110
PID 3804 wrote to memory of 3540	3804	OFFER - FLG 80460-7946893.exe	110
PID 3804 wrote to memory of 3540	3804	OFFER - FLG 80460-7946893.exe	110
PID 3804 wrote to memory of 1768	3804	OFFER - FLG 80460-7946893.exe	112
PID 3804 wrote to memory of 1768	3804	OFFER - FLG 80460-7946893.exe	112
PID 3804 wrote to memory of 1768	3804	OFFER - FLG 80460-7946893.exe	112
PID 3804 wrote to memory of 1000	3804	OFFER - FLG 80460-7946893.exe	113
PID 3804 wrote to memory of 1000	3804	OFFER - FLG 80460-7946893.exe	113
PID 3804 wrote to memory of 1000	3804	OFFER - FLG 80460-7946893.exe	113
PID 3804 wrote to memory of 1236	3804	OFFER - FLG 80460-7946893.exe	114
PID 3804 wrote to memory of 1236	3804	OFFER - FLG 80460-7946893.exe	114
PID 3804 wrote to memory of 1236	3804	OFFER - FLG 80460-7946893.exe	114
PID 3804 wrote to memory of 1236	3804	OFFER - FLG 80460-7946893.exe	114
PID 3804 wrote to memory of 1236	3804	OFFER - FLG 80460-7946893.exe	114
PID 3804 wrote to memory of 1236	3804	OFFER - FLG 80460-7946893.exe	114
PID 3804 wrote to memory of 1236	3804	OFFER - FLG 80460-7946893.exe	114
PID 3804 wrote to memory of 1236	3804	OFFER - FLG 80460-7946893.exe	114
PID 3804 wrote to memory of 1236	3804	OFFER - FLG 80460-7946893.exe	114
PID 3804 wrote to memory of 1236	3804	OFFER - FLG 80460-7946893.exe	114
PID 3804 wrote to memory of 1236	3804	OFFER - FLG 80460-7946893.exe	114
PID 3804 wrote to memory of 1236	3804	OFFER - FLG 80460-7946893.exe	114
PID 1236 wrote to memory of 4520	1236	OFFER - FLG 80460-7946893.exe	115
PID 1236 wrote to memory of 4520	1236	OFFER - FLG 80460-7946893.exe	115
PID 1236 wrote to memory of 4520	1236	OFFER - FLG 80460-7946893.exe	115
PID 4520 wrote to memory of 1988	4520	remcos.exe	117
PID 4520 wrote to memory of 1988	4520	remcos.exe	117
PID 4520 wrote to memory of 1988	4520	remcos.exe	117
PID 4520 wrote to memory of 4340	4520	remcos.exe	119
PID 4520 wrote to memory of 4340	4520	remcos.exe	119
PID 4520 wrote to memory of 4340	4520	remcos.exe	119
PID 4520 wrote to memory of 3916	4520	remcos.exe	121
PID 4520 wrote to memory of 3916	4520	remcos.exe	121
PID 4520 wrote to memory of 3916	4520	remcos.exe	121
PID 4520 wrote to memory of 4616	4520	remcos.exe	123
PID 4520 wrote to memory of 4616	4520	remcos.exe	123
PID 4520 wrote to memory of 4616	4520	remcos.exe	123
PID 4520 wrote to memory of 4616	4520	remcos.exe	123
PID 4520 wrote to memory of 4616	4520	remcos.exe	123
PID 4520 wrote to memory of 4616	4520	remcos.exe	123
PID 4520 wrote to memory of 4616	4520	remcos.exe	123
PID 4520 wrote to memory of 4616	4520	remcos.exe	123
PID 4520 wrote to memory of 4616	4520	remcos.exe	123
PID 4520 wrote to memory of 4616	4520	remcos.exe	123
PID 4520 wrote to memory of 4616	4520	remcos.exe	123
PID 4520 wrote to memory of 4616	4520	remcos.exe	123
PID 4616 wrote to memory of 3668	4616	remcos.exe	124
PID 4616 wrote to memory of 3668	4616	remcos.exe	124
PID 4616 wrote to memory of 3668	4616	remcos.exe	124
PID 4616 wrote to memory of 3668	4616	remcos.exe	124
PID 4616 wrote to memory of 4836	4616	remcos.exe	125
PID 4616 wrote to memory of 4836	4616	remcos.exe	125
PID 4616 wrote to memory of 4836	4616	remcos.exe	125
PID 4616 wrote to memory of 4836	4616	remcos.exe	125
PID 4616 wrote to memory of 1940	4616	remcos.exe	126
PID 4616 wrote to memory of 1940	4616	remcos.exe	126
PID 4616 wrote to memory of 1940	4616	remcos.exe	126
PID 4616 wrote to memory of 716	4616	remcos.exe	127
PID 4616 wrote to memory of 716	4616	remcos.exe	127

C:\Users\Admin\AppData\Local\Temp\OFFER - FLG 80460-7946893.exe
"C:\Users\Admin\AppData\Local\Temp\OFFER - FLG 80460-7946893.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3804
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\OFFER - FLG 80460-7946893.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2572
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\obRUfIkARXIyf.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4968
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\obRUfIkARXIyf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp60FC.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:3540
- C:\Users\Admin\AppData\Local\Temp\OFFER - FLG 80460-7946893.exe
  "C:\Users\Admin\AppData\Local\Temp\OFFER - FLG 80460-7946893.exe"
  2⤵
  PID:1768
- C:\Users\Admin\AppData\Local\Temp\OFFER - FLG 80460-7946893.exe
  "C:\Users\Admin\AppData\Local\Temp\OFFER - FLG 80460-7946893.exe"
  2⤵
  PID:1000
- C:\Users\Admin\AppData\Local\Temp\OFFER - FLG 80460-7946893.exe
  "C:\Users\Admin\AppData\Local\Temp\OFFER - FLG 80460-7946893.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\ProgramData\Remcos\remcos.exe
    "C:\ProgramData\Remcos\remcos.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4520
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1988
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\obRUfIkARXIyf.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4340
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\obRUfIkARXIyf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1E60.tmp"
      4⤵
      Creates scheduled task(s)
      PID:3916
  - - C:\ProgramData\Remcos\remcos.exe
      "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4616
    - - C:\ProgramData\Remcos\remcos.exe
        
        C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\sicemfvmmcfdnof"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3668
    - - C:\ProgramData\Remcos\remcos.exe
        
        C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\cdiomygozkxiqutezj"
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:4836
    - - C:\ProgramData\Remcos\remcos.exe
        
        C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\nfvhnqqinspmaapiquqqhk"
        5⤵
        Executes dropped EXE
        
        PID:1940
    - - C:\ProgramData\Remcos\remcos.exe
        
        C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\nfvhnqqinspmaapiquqqhk"
        5⤵
        Executes dropped EXE
        
        PID:716
    - - C:\ProgramData\Remcos\remcos.exe
        
        C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\nfvhnqqinspmaapiquqqhk"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
    - - C:\ProgramData\Remcos\remcos.exe
        
        C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\nfvhnqqinspmaapiquqqhk"
        5⤵
        Executes dropped EXE
        
        PID:4272
    - - C:\ProgramData\Remcos\remcos.exe
        
        C:\ProgramData\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\nfvhnqqinspmaapiquqqhk"
        5⤵
        Executes dropped EXE
        
        PID:792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\logs.dat

Filesize
144B

MD5
fa2877cb454cd39f486c9b37167174da

SHA1
a41e0712602fb31858e186699d99c2edfb3148d8

SHA256
d1e889dc9cfcdc6f16289164ed5e3ff6aac1a1cd119762d60c5f55a6bfd47188

SHA512
1b57f554329d1bba00e6be3607fd764ca52046453d53233bf76cdad503ebaec2678f1f30d47ef95c8313908dd1ef6178205b29bccd829c76d55ccf81de8f1278

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
1.1MB

MD5
f2121e6f89567e460e1d5db6d2ac8740

SHA1
2c6b0077b423e11bbfa00b9446f5f8614acd33df

SHA256
2010a7e1a136a9881ba4db4beb99088ea77ea2997d36e6d1d16fc696b34fda8b

SHA512
85084597c888169c742beffa119aea1cbd862238b05ff96b49c460aed350bc04deedbbb2fa3a4c7e8c1a9b6763fbcece529f332703bc04826235cbd3c4b5f391

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
1.1MB

MD5
f2121e6f89567e460e1d5db6d2ac8740

SHA1
2c6b0077b423e11bbfa00b9446f5f8614acd33df

SHA256
2010a7e1a136a9881ba4db4beb99088ea77ea2997d36e6d1d16fc696b34fda8b

SHA512
85084597c888169c742beffa119aea1cbd862238b05ff96b49c460aed350bc04deedbbb2fa3a4c7e8c1a9b6763fbcece529f332703bc04826235cbd3c4b5f391

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
1.1MB

MD5
f2121e6f89567e460e1d5db6d2ac8740

SHA1
2c6b0077b423e11bbfa00b9446f5f8614acd33df

SHA256
2010a7e1a136a9881ba4db4beb99088ea77ea2997d36e6d1d16fc696b34fda8b

SHA512
85084597c888169c742beffa119aea1cbd862238b05ff96b49c460aed350bc04deedbbb2fa3a4c7e8c1a9b6763fbcece529f332703bc04826235cbd3c4b5f391

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
1.1MB

MD5
f2121e6f89567e460e1d5db6d2ac8740

SHA1
2c6b0077b423e11bbfa00b9446f5f8614acd33df

SHA256
2010a7e1a136a9881ba4db4beb99088ea77ea2997d36e6d1d16fc696b34fda8b

SHA512
85084597c888169c742beffa119aea1cbd862238b05ff96b49c460aed350bc04deedbbb2fa3a4c7e8c1a9b6763fbcece529f332703bc04826235cbd3c4b5f391

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
1.1MB

MD5
f2121e6f89567e460e1d5db6d2ac8740

SHA1
2c6b0077b423e11bbfa00b9446f5f8614acd33df

SHA256
2010a7e1a136a9881ba4db4beb99088ea77ea2997d36e6d1d16fc696b34fda8b

SHA512
85084597c888169c742beffa119aea1cbd862238b05ff96b49c460aed350bc04deedbbb2fa3a4c7e8c1a9b6763fbcece529f332703bc04826235cbd3c4b5f391

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
1.1MB

MD5
f2121e6f89567e460e1d5db6d2ac8740

SHA1
2c6b0077b423e11bbfa00b9446f5f8614acd33df

SHA256
2010a7e1a136a9881ba4db4beb99088ea77ea2997d36e6d1d16fc696b34fda8b

SHA512
85084597c888169c742beffa119aea1cbd862238b05ff96b49c460aed350bc04deedbbb2fa3a4c7e8c1a9b6763fbcece529f332703bc04826235cbd3c4b5f391

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
1.1MB

MD5
f2121e6f89567e460e1d5db6d2ac8740

SHA1
2c6b0077b423e11bbfa00b9446f5f8614acd33df

SHA256
2010a7e1a136a9881ba4db4beb99088ea77ea2997d36e6d1d16fc696b34fda8b

SHA512
85084597c888169c742beffa119aea1cbd862238b05ff96b49c460aed350bc04deedbbb2fa3a4c7e8c1a9b6763fbcece529f332703bc04826235cbd3c4b5f391

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
1.1MB

MD5
f2121e6f89567e460e1d5db6d2ac8740

SHA1
2c6b0077b423e11bbfa00b9446f5f8614acd33df

SHA256
2010a7e1a136a9881ba4db4beb99088ea77ea2997d36e6d1d16fc696b34fda8b

SHA512
85084597c888169c742beffa119aea1cbd862238b05ff96b49c460aed350bc04deedbbb2fa3a4c7e8c1a9b6763fbcece529f332703bc04826235cbd3c4b5f391

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
1.1MB

MD5
f2121e6f89567e460e1d5db6d2ac8740

SHA1
2c6b0077b423e11bbfa00b9446f5f8614acd33df

SHA256
2010a7e1a136a9881ba4db4beb99088ea77ea2997d36e6d1d16fc696b34fda8b

SHA512
85084597c888169c742beffa119aea1cbd862238b05ff96b49c460aed350bc04deedbbb2fa3a4c7e8c1a9b6763fbcece529f332703bc04826235cbd3c4b5f391

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
1.1MB

MD5
f2121e6f89567e460e1d5db6d2ac8740

SHA1
2c6b0077b423e11bbfa00b9446f5f8614acd33df

SHA256
2010a7e1a136a9881ba4db4beb99088ea77ea2997d36e6d1d16fc696b34fda8b

SHA512
85084597c888169c742beffa119aea1cbd862238b05ff96b49c460aed350bc04deedbbb2fa3a4c7e8c1a9b6763fbcece529f332703bc04826235cbd3c4b5f391

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
1.1MB

MD5
f2121e6f89567e460e1d5db6d2ac8740

SHA1
2c6b0077b423e11bbfa00b9446f5f8614acd33df

SHA256
2010a7e1a136a9881ba4db4beb99088ea77ea2997d36e6d1d16fc696b34fda8b

SHA512
85084597c888169c742beffa119aea1cbd862238b05ff96b49c460aed350bc04deedbbb2fa3a4c7e8c1a9b6763fbcece529f332703bc04826235cbd3c4b5f391

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f570cb7e72676f36cd1a52f57704057c

SHA1
3b1e130ee5976ced4e73d199191428d12e1d6b54

SHA256
1c330a7158b0a6fcb5e2974c7164c77f2a0b09b4dfcd1484367bc2759ea1ba07

SHA512
8dd29c64bed175c327635e3588761ed858297a528258602a2ff33baa3fd7f37821c10c9129538899687d0a629774a1f313b679f45fb3a50f8c99237747ff176a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
60bde893a2dad10781a0f93f0c3bd9da

SHA1
1d64dc7d49e82e238b3b7ebd00c8831b248d6713

SHA256
7feeffeb75fda82c3a501f8b1220572d332c8309f89cf435a24f61dccd944ff4

SHA512
486562a5054f8d68f6d3c5fb7c0779f01758ba12b1d5d15941738317a741bc7aae9710a51c1a39781a9749f7a0e5ca5aa6b966187822bfcc048535484a806f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dlmihwai.udb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\sicemfvmmcfdnof

Filesize
4KB

MD5
9d9e72c9c9718c1b11fa079c9e176126

SHA1
84061c88da377e5badb0456d7e7d27b2b589da53

SHA256
c1b68659db646a5da925a4bb927a9803ab7d10ae74516a2547c87097f87ba317

SHA512
1b1aba5888e92f1afd33454ae69de66bc8202a4974b36696a0a6903cc528cb59810f778446ba855ac125b3c77f6be0ebee5d6df49a2838e0c0543a9a29a4e428

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1E60.tmp

Filesize
1KB

MD5
7cf790a897269a8a6628509f855158c3

SHA1
25d18f4240116bbcfe0cfe4e13960ba7bd1db166

SHA256
7ca7f80448b8e27879dd90575617c75f786160ac60611144225fc5fa9aa5e96a

SHA512
9ecbfa3601271fa5916bec4cdbd79cefd38d518c42a712bde7875ec1578312f3386f5cecbb946cd14219a5b4998864a5d175a176b15923653e6ae936466bace3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp60FC.tmp

Filesize
1KB

MD5
7cf790a897269a8a6628509f855158c3

SHA1
25d18f4240116bbcfe0cfe4e13960ba7bd1db166

SHA256
7ca7f80448b8e27879dd90575617c75f786160ac60611144225fc5fa9aa5e96a

SHA512
9ecbfa3601271fa5916bec4cdbd79cefd38d518c42a712bde7875ec1578312f3386f5cecbb946cd14219a5b4998864a5d175a176b15923653e6ae936466bace3

Download Submit
memory/1236-171-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1236-183-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1236-170-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1236-188-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1236-173-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1988-256-0x0000000002E20000-0x0000000002E30000-memory.dmp

Filesize
64KB

Download
memory/1988-265-0x0000000072170000-0x00000000721BC000-memory.dmp

Filesize
304KB

Download
memory/1988-286-0x000000007F790000-0x000000007F7A0000-memory.dmp

Filesize
64KB

Download
memory/1988-264-0x0000000002E20000-0x0000000002E30000-memory.dmp

Filesize
64KB

Download
memory/1988-254-0x0000000002E20000-0x0000000002E30000-memory.dmp

Filesize
64KB

Download
memory/2092-318-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2092-320-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2092-321-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2092-312-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2572-191-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/2572-187-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/2572-193-0x0000000071B70000-0x0000000071BBC000-memory.dmp

Filesize
304KB

Download
memory/2572-217-0x000000007EE50000-0x000000007EE60000-memory.dmp

Filesize
64KB

Download
memory/2572-214-0x00000000077D0000-0x0000000007E4A000-memory.dmp

Filesize
6.5MB

Download
memory/2572-204-0x0000000006440000-0x000000000645E000-memory.dmp

Filesize
120KB

Download
memory/2572-220-0x00000000073B0000-0x00000000073BE000-memory.dmp

Filesize
56KB

Download
memory/2572-221-0x00000000074C0000-0x00000000074DA000-memory.dmp

Filesize
104KB

Download
memory/2572-143-0x0000000002560000-0x0000000002596000-memory.dmp

Filesize
216KB

Download
memory/2572-144-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/2572-150-0x0000000004F50000-0x0000000004FB6000-memory.dmp

Filesize
408KB

Download
memory/3668-322-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3668-304-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3668-308-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3668-324-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3668-298-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3804-137-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/3804-135-0x00000000053C0000-0x0000000005452000-memory.dmp

Filesize
584KB

Download
memory/3804-136-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/3804-134-0x00000000058B0000-0x0000000005E54000-memory.dmp

Filesize
5.6MB

Download
memory/3804-133-0x0000000000720000-0x000000000083C000-memory.dmp

Filesize
1.1MB

Download
memory/3804-138-0x0000000006BB0000-0x0000000006C4C000-memory.dmp

Filesize
624KB

Download
memory/4340-288-0x000000007FBD0000-0x000000007FBE0000-memory.dmp

Filesize
64KB

Download
memory/4340-285-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/4340-275-0x0000000072170000-0x00000000721BC000-memory.dmp

Filesize
304KB

Download
memory/4340-262-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/4340-263-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/4520-189-0x0000000005510000-0x0000000005520000-memory.dmp

Filesize
64KB

Download
memory/4520-225-0x0000000005510000-0x0000000005520000-memory.dmp

Filesize
64KB

Download
memory/4616-326-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4616-344-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4616-289-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4616-246-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4616-290-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4616-291-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4616-245-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4616-296-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4616-234-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4616-232-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4616-329-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4616-231-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4616-287-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4616-248-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4616-343-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4616-330-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4616-336-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4616-335-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4616-247-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4616-331-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4616-333-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4836-306-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4836-319-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4836-310-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4836-300-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4968-218-0x000000007F560000-0x000000007F570000-memory.dmp

Filesize
64KB

Download
memory/4968-149-0x0000000005350000-0x0000000005372000-memory.dmp

Filesize
136KB

Download
memory/4968-147-0x0000000005400000-0x0000000005A28000-memory.dmp

Filesize
6.2MB

Download
memory/4968-146-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/4968-151-0x0000000005AA0000-0x0000000005B06000-memory.dmp

Filesize
408KB

Download
memory/4968-184-0x0000000006310000-0x000000000632E000-memory.dmp

Filesize
120KB

Download
memory/4968-194-0x0000000071B70000-0x0000000071BBC000-memory.dmp

Filesize
304KB

Download
memory/4968-192-0x00000000072C0000-0x00000000072F2000-memory.dmp

Filesize
200KB

Download
memory/4968-190-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/4968-216-0x0000000007690000-0x000000000769A000-memory.dmp

Filesize
40KB

Download
memory/4968-215-0x0000000007620000-0x000000000763A000-memory.dmp

Filesize
104KB

Download
memory/4968-145-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/4968-219-0x00000000078A0000-0x0000000007936000-memory.dmp

Filesize
600KB

Download
memory/4968-222-0x0000000007940000-0x0000000007948000-memory.dmp

Filesize
32KB

Download