Analysis Overview
SHA256
eaac1b1dda1328d09641300b4eeba319d467f58b7b01214d70ea41ce4ddad3fd
Threat Level: Known bad
The file FACTURA090000.zIP was found to be: Known bad.
Malicious Activity Summary
Remcos
Nirsoft
NirSoft WebBrowserPassView
NirSoft MailPassView
Reads user/profile data of web browsers
Checks computer location settings
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-06 14:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-06 14:07
Reported
2023-12-06 14:10
Platform
win7-20231023-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Remcos
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3036 set thread context of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe |
| PID 2628 set thread context of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe |
| PID 2628 set thread context of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe |
| PID 2628 set thread context of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe
"C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\jCaIeJ.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jCaIeJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8F45.tmp"
C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe
"C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe"
C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe
C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe /stext "C:\Users\Admin\AppData\Local\Temp\anrhumgnxfi"
C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe
C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe /stext "C:\Users\Admin\AppData\Local\Temp\lpxavxroloaqdgt"
C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe
C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe /stext "C:\Users\Admin\AppData\Local\Temp\vjckwpbizwsvfuhzeh"
C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe
C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe /stext "C:\Users\Admin\AppData\Local\Temp\vjckwpbizwsvfuhzeh"
C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe
C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe /stext "C:\Users\Admin\AppData\Local\Temp\vjckwpbizwsvfuhzeh"
Network
| Country | Destination | Domain | Proto |
| US | 107.175.229.139:8087 | | tcp |
| US | 107.175.229.139:8087 | | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp8F45.tmp
| MD5 | a48bfee41bcf023f5bc34f930b7f93d6 |
| SHA1 | 85a326d34e46588c1faf9594734827762937c13f |
| SHA256 | 87b67277dec1571899136fcaa33b64f06f1772b64c85661397bf1e1d1e114c33 |
| SHA512 | e5aa3a73d1c24edcaae33d29a044ba1f857f90214d1426192ce677cb41314b7972dc8b65ef8ae680b0d6537e4b4ca2979ab8198f94207ae5f46f68c33f16b8da |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 975155c88f5d6cb3f72d2e2db170ccb0 |
| SHA1 | df0b534d6a27f340690c8054b7198e33c4ac2a9a |
| SHA256 | e8b3ff96675f982eedd55ee6e42e16251aa4f0f1bf03b40f58a76e101936d40c |
| SHA512 | 6fbe5df3599a9d9fe2ea87c32701eca4e17d51153a920956c5aab2c8de2c6b838df11085c662ee040fdb17977084ceae1b566349d56d310a028b41f6b77aa540 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HNHOJSVFKPND8USG3ZFN.temp
| MD5 | 975155c88f5d6cb3f72d2e2db170ccb0 |
| SHA1 | df0b534d6a27f340690c8054b7198e33c4ac2a9a |
| SHA256 | e8b3ff96675f982eedd55ee6e42e16251aa4f0f1bf03b40f58a76e101936d40c |
| SHA512 | 6fbe5df3599a9d9fe2ea87c32701eca4e17d51153a920956c5aab2c8de2c6b838df11085c662ee040fdb17977084ceae1b566349d56d310a028b41f6b77aa540 |
C:\Users\Admin\AppData\Local\Temp\anrhumgnxfi
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
C:\ProgramData\remcos\logs.dat
| MD5 | 5547374c9c9ac75ad1593d8dfecba104 |
| SHA1 | 56c9a01c96a663a83870f0dcef02478c2de8443b |
| SHA256 | 2120b7244553657fb6314a9f851949d594a63b3377c5831b3b536c3a48e5ccfc |
| SHA512 | d201aa5b0afff40dabbd420202dcb40aa0eb0124b71a9737b9e815beceb81cfffb3fe0e6c7087a0bd9633ba194e8ee367444c239d0d1aeba60810d36bd9c222f |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-06 14:07
Reported
2023-12-06 14:09
Platform
win10v2004-20231130-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Remcos
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2784 set thread context of 3880 | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe |
| PID 3880 set thread context of 5100 | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe |
| PID 3880 set thread context of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe |
| PID 3880 set thread context of 4604 | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe
"C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\jCaIeJ.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jCaIeJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8201.tmp"
C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe
"C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe"
C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe
"C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe"
C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe
"C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe"
C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe
C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe /stext "C:\Users\Admin\AppData\Local\Temp\rnpyznniqpgunueeftdivvxkos"
C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe
C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe /stext "C:\Users\Admin\AppData\Local\Temp\hsjfyuuocgoplgisojrhsrc"
C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe
C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe /stext "C:\Users\Admin\AppData\Local\Temp\fqevycjmoywkbauofyw"
C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe
C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe /stext "C:\Users\Admin\AppData\Local\Temp\rnpyznniqpgunueeftdivvxkos"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 1.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.109.18.2.in-addr.arpa | udp |
| US | 107.175.229.139:8087 | | tcp |
| US | 8.8.8.8:53 | 139.229.175.107.in-addr.arpa | udp |
| US | 107.175.229.139:8087 | | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.178.17.96.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp8201.tmp
| MD5 | e95f7db0c061f494af12eca56d64be3d |
| SHA1 | fb62a2c1869aa903cf4c84f4c22b1e05da5e6bf5 |
| SHA256 | 5f8041f71cd1ee7d7e50838b5bee9ac1c60c57da7150aabe3acbd9e6314a68dd |
| SHA512 | f3f8f5e7784f50e09e7507ec7bcf7b0f551b7aba515c07dc265aeb9e7a198880458aa70d9d5d0bd1d7f07b176a4ea5683a7266101192cd5e6408dd1a78833947 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gs0inpch.20v.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9e77a2e9ccd76de55360a4cfeec03bda |
| SHA1 | 4a7ddee3fa5bf830b497718c1a49a87e1bcadbdf |
| SHA256 | cd83c74f972a8a6d27452bf09de9bd3be8e8d7e4856612a9ead9d277ff082afc |
| SHA512 | c66968c03be88065e850bf831c01f9aeb527d9f01287c764753c21a97ebe6afc9b42c86f5f5387b649ad45e127be5db402cd0548f885388c80cd545d5a9351c3 |
C:\Users\Admin\AppData\Local\Temp\fqevycjmoywkbauofyw
| MD5 | 05b913e050d2b362781248c7eeb17ee4 |
| SHA1 | 0f263d74a27527154c8381bb34049a121851467f |
| SHA256 | 28a8b87fe959106951e7f632c0a1b0b52d4542da12a3679176c3707926251c27 |
| SHA512 | 70335927da5010cb8a1e9718dab4c62964c33451545ca19c0bde6027c3165233cfded1157575eaba48aab4b43978812db1afa63eb631d2df0f2b30da16e8067c |
C:\ProgramData\remcos\logs.dat
| MD5 | 7e59deb6649494bf5da7c4a5ea831374 |
| SHA1 | e865d664d0a5721cd6f47fff6450a0e3d4bcf88b |
| SHA256 | 9baeb8d33ceeda825c93418df69084b32bff065eb727e5769cc38bab01e6bf2f |
| SHA512 | c9b2c12651a44f1c5ccb612ee82b644e8d866e4d51392f6f0a2709a7dd5059d62c3a617e539151a01770a182f902225e51ebef93c16017b31c65526a564e880b |