Malware Analysis Report

2025-06-16 01:18

Sample ID 231205-vereksdb86
Target FADTQWERT.bat.exe
SHA256 fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd
Tags remcos remotehost rat
Score 10/10

Analysis Overview

Score 10/10

SHA256 fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd

Threat Level: Known bad

The file FADTQWERT.bat.exe was found to be: Known bad.

Malicious Activity Summary

remcos remotehost rat

Remcos

Checks computer location settings

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported: 2023-12-05 16:54

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-05 16:54

Reported: 2023-12-05 16:57

Platform: win7-20231023-en

Max time kernel: 119s

Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe"

Signatures

Enumerates physical storage devices

Creates scheduled task(s)

Tags persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2372 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2372 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2372 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2372 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe | C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe
PID 2372 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe | C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe
PID 2372 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe | C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe
PID 2372 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe | C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe
PID 2372 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe | C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe

Processes

C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe

"C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GwdCcjuxCiQA.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GwdCcjuxCiQA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp899A.tmp"

C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe

"C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe"

C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe

"C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe"

C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe

"C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe"

C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe

"C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe"

C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe

"C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\tmp899A.tmp

MD5 e26c9dbf42218c0a87338a6db4dbc72b
SHA1 fe1066bcf7a6c642433d652d6a709088f7330fa6
SHA256 2ee71bede5aa73ed771fa2ae4ea5766c093d3f57c5c48441a2e6f92c7fd81c6e
SHA512 19c782f61e2178827adaa5b363ef8c08cf012611ec5a04a5c0043b56ad42d6de778188ab7a55396b47fa9a8410cda85036c1ff234cf549309719a847b5704bf2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 acdd4ad869d0c66556d0852baf386a5f
SHA1 4c62319ce57c3cac4c55b864f7407c3b9aed3511
SHA256 8592d77fc8d8ad3dab0519b91556cd840f6cb940c65f4f2c3bc06ee353654a31
SHA512 c93dd87ef534ac49c2ffcfcf81423703fcd4008f387a67fa22358e87fa5127e771a464241f310a6378670937fdd7234bb7b200ac5eb289b3db65b139d121c56a

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-05 16:54

Reported: 2023-12-05 16:57

Platform: win10v2004-20231201-en

Max time kernel: 149s

Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe"

Signatures

Remcos

Tags rat remcos

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2664 set thread context of 3240 | N/A | C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe | C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe

Enumerates physical storage devices

Creates scheduled task(s)

Tags persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2664 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2664 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2664 wrote to memory of 4900 | N/A | C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2664 wrote to memory of 4592 | N/A | C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe | C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe
PID 2664 wrote to memory of 3240 | N/A | C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe | C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe

Processes

C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe

"C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GwdCcjuxCiQA.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GwdCcjuxCiQA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7EF4.tmp"

C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe

"C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe"

C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe

"C:\Users\Admin\AppData\Local\Temp\FADTQWERT.bat.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 107.175.229.139:8087 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp7EF4.tmp

MD5 bff1cf744ec29958693e883150bde54b
SHA1 ae28c052988aadc9239c5bcc32c861f778f9dda6
SHA256 f9d30a5bc3217bfb13a1c8aa18599d72854c046fc783271bcf11bde3ffb205e1
SHA512 07f4390f9befe5464f14606301a954903d3aaeb60f8621f8ad0116f735c8ac67191fd35e28738055a96b74545874aafbc35240f932e853ee51317856b5b3ed32

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4x2hja2y.tjp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0ca2399de8c41f3dcdbd044c62ab22b1
SHA1 36b33ab517a826406faa7ff00933cc8bd1112fea
SHA256 5effcdb291ff4c1284ee0a7d203301f5fd516b91424c948e305366e565a0d21b
SHA512 6e850fb5e4d5d9317c614524a96ef6ff58a11f941b1fa81a404c4c87b7ffd8b0e76eb0998a4e7438d4e6f27a2ce7a1fbc835e854bc90ccca6849a02ea6b4bfce

C:\ProgramData\remcos\logs.dat

MD5 4f8c1569b18426f7458ea7da60876653
SHA1 8a2c7d310a2d950bf4de616e9361e89d8eff3bec
SHA256 40b82f87d28110257d4c45da4b4b58308cf3a43f76b1b32f41ad72c2b2df52b7
SHA512 cca3dcd74f08a002a2bfcea40b6af1068843d402db929ddf99dc68e9eeb727603888ab0094f5ef54de49c09d551b7a873f5c421d553087d3d9eb41b2ef78ba63
