Malware Analysis Report

2025-06-16 01:18

Sample ID 231206-v6yb7sbc66
Target fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe
SHA256 fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd
Tags
remcos remotehost collection rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd

Threat Level: Known bad

The file fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe was found to be: Known bad.

Malicious Activity Summary

remcos remotehost collection rat spyware stealer

Remcos

Nirsoft

NirSoft WebBrowserPassView

NirSoft MailPassView

Checks computer location settings

Reads user/profile data of web browsers

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-06 17:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-06 17:36

Reported

2023-12-06 17:39

Platform

win7-20231023-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe"

Signatures

Remcos

rat remcos

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 2868 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 4
PID 2868 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 4
PID 2868 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe C:\Windows\SysWOW64\schtasks.exe 4
PID 2868 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe 13
PID 2660 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe 5
PID 2660 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe 5
PID 2660 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe 5

Identical rows have been collapsed; Events is the number of times each row appeared in the report. Four writes into a freshly started powershell.exe or schtasks.exe are what a plain CreateProcess produces (the parent writes the child's process parameters into it) and are not injection on their own. The 13 writes from 2868 into 2660, a second instance of the sample's own image, and the further writes from 2660 into 2408, 1812 and 932, again the sample's own image, are the process-hollowing pattern that the SetThreadContext and MapViewOfSection signatures in the summary also reflect.

Processes

Process tree, reconstructed from the WriteProcessMemory table above (each parent writes into the children it starts). The report does not say which of the two powershell.exe launches is PID 2716 and which is 2652, nor which /stext child is 2408, 1812 or 932, so those PIDs are given as alternatives.

C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe  (PID 2868)
  "C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe"

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2716 or 2652)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe"

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2652 or 2716)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GwdCcjuxCiQA.exe"

    C:\Windows\SysWOW64\schtasks.exe  (PID 2692)
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GwdCcjuxCiQA" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD3E2.tmp"

    C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe  (PID 2660, second copy of the sample; 13 memory writes from 2868)
      "C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe"

        C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe  (PID 2408, 1812 or 932)
          C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe /stext "C:\Users\Admin\AppData\Local\Temp\kfnmylyhyfvmjczknyyuyoqonrqcrdh"

        C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe  (PID 2408, 1812 or 932)
          C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe /stext "C:\Users\Admin\AppData\Local\Temp\uhtxrdjjmnnruivofjlvbtkfwgidkoymty"

        C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe  (PID 2408, 1812 or 932)
          C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe /stext "C:\Users\Admin\AppData\Local\Temp\xcypsvt"

The command lines name C:\Windows\System32\ but the recorded image paths are under C:\Windows\SysWOW64\: the sample is a 32-bit process, so its launches of powershell.exe and schtasks.exe go through WOW64 file-system redirection. Detection logic that keys on the image path must therefore accept both locations.

Add-MpPreference is run twice, excluding the running sample and C:\Users\Admin\AppData\Roaming\GwdCcjuxCiQA.exe, which shares its name with the scheduled task Updates\GwdCcjuxCiQA created next. That executable does not appear in the Files list below, so the persistence copy was either not written within the 147 s run or not captured. Add-MpPreference requires administrative rights, so the exclusions only take effect when the sample runs elevated.

/stext <file> is the NirSoft command-line switch that saves recovered passwords to a plain-text file. The three children are copies of the sample whose memory PID 2660 rewrote (WriteProcessMemory table), and the images dumped for them under Files have three different sizes (0x78000, 0x57000 and 0x24000 bytes from base 0x400000), consistent with three different tools; the signatures above identify WebBrowserPassView and MailPassView among them.

Network

Country Destination Domain Proto
US 107.175.229.139:8087 tcp
US 107.175.229.139:8087 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp

The two connections to 107.175.229.139:8087 go straight to an IP address with no preceding DNS lookup, on a non-standard port, and are the only traffic not explained by the geoplugin.net query; this is the C2 indicator to block and hunt for. geoplugin.net is a public IP-geolocation API that Remcos queries after start-up to report the victim's country to the operator; the lookup is a useful secondary indicator, but the host itself is legitimate and shared.

Files

memory/2868-0-0x00000000011D0000-0x00000000012DE000-memory.dmp

memory/2868-1-0x00000000740E0000-0x00000000747CE000-memory.dmp

memory/2868-2-0x0000000004C90000-0x0000000004CD0000-memory.dmp

memory/2868-3-0x0000000000460000-0x0000000000478000-memory.dmp

memory/2868-4-0x00000000002E0000-0x00000000002E8000-memory.dmp

memory/2868-5-0x0000000000300000-0x000000000030A000-memory.dmp

memory/2868-6-0x00000000053C0000-0x0000000005478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD3E2.tmp  (scheduled-task XML definition imported by the schtasks /Create /XML command above)

MD5 bd6d3f8dc518bbf4d7695b69f1cf1fdb
SHA1 0b9d0b8eb0edef2e063e2c9e16d4896dedbd4246
SHA256 a56adad54b7d2e8f4d6b868e3cbd87e27cc6d86c60e7a6e447d5f1f9b3fe3782
SHA512 71a128513b82dc343b707bdf3f8f084baa67122d29c9761687742c860c33823f8f650f98885dc42c6379578ed39ffcc689bc028b10927cfa074c2598264b7b42

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4UGCIF5KJLJI7KVXK52O.temp  (Windows jump-list file; the identical hashes of this .temp file and the .customDestinations-ms entry below show the usual write-then-rename of the shell's jump list, a side effect of the process launches rather than payload output)

MD5 9a52cdd720d600b74dc53e32b879581b
SHA1 b5f59e97d8688176f6fd80e3a1a521b0a0f08321
SHA256 111bde4d8fb7edf91441db7b1a3077034dac602efc2ad70f0e5a1b5dfc1e27f3
SHA512 c1a47d068ba717ddf856cf374de4545c0a2ed5c7c0d560dddea1f36752056b44533b974e189076c051c6b8af2f3676238f2cf927dac1be765d882ece3ed48f88

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 9a52cdd720d600b74dc53e32b879581b
SHA1 b5f59e97d8688176f6fd80e3a1a521b0a0f08321
SHA256 111bde4d8fb7edf91441db7b1a3077034dac602efc2ad70f0e5a1b5dfc1e27f3
SHA512 c1a47d068ba717ddf856cf374de4545c0a2ed5c7c0d560dddea1f36752056b44533b974e189076c051c6b8af2f3676238f2cf927dac1be765d882ece3ed48f88

memory/2660-19-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-20-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-21-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-22-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-24-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-25-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-26-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2660-27-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-30-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-32-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2868-33-0x00000000740E0000-0x00000000747CE000-memory.dmp

memory/2660-34-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-36-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-37-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-38-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2652-39-0x000000006EF80000-0x000000006F52B000-memory.dmp

memory/2716-40-0x000000006EF80000-0x000000006F52B000-memory.dmp

memory/2716-41-0x00000000026C0000-0x0000000002700000-memory.dmp

memory/2652-42-0x0000000002690000-0x00000000026D0000-memory.dmp

memory/2652-43-0x000000006EF80000-0x000000006F52B000-memory.dmp

memory/2660-45-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-44-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-47-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-49-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2652-51-0x000000006EF80000-0x000000006F52B000-memory.dmp

memory/2716-50-0x000000006EF80000-0x000000006F52B000-memory.dmp

memory/2408-52-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2408-54-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2408-56-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1812-61-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2408-60-0x0000000000400000-0x0000000000478000-memory.dmp

memory/932-64-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1812-66-0x0000000000400000-0x0000000000457000-memory.dmp

memory/932-68-0x0000000000400000-0x0000000000424000-memory.dmp

memory/932-70-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1812-71-0x0000000000400000-0x0000000000457000-memory.dmp

memory/932-72-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2660-74-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-75-0x0000000000400000-0x0000000000482000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kfnmylyhyfvmjczknyyuyoqonrqcrdh  (one of the three /stext output files; these hashes are those of a two-byte file holding only a UTF-16LE byte-order mark, i.e. the NirSoft dump recovered no credentials on the sandbox image)

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/2408-80-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2660-82-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2660-90-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2660-89-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1812-88-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2660-87-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2660-86-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2660-85-0x0000000010000000-0x0000000010019000-memory.dmp

C:\ProgramData\remcos\logs.dat  (Remcos keylogger log at the RAT's default path; a reliable host indicator)

MD5 55e6bfffcb10f3ab08a3c2fbe1839087
SHA1 d9fdcc9c92b06d94221e7decad0e2dfecd74f662
SHA256 e9fce4366bd33f8e99e0a145c84cfe03eca82b040a5a30b3dfdd61c1e21c5663
SHA512 708d500d110710fadd055f94b7a6f31dbaa440d80ed1bb0ec71eedf0aed30a84b7b145b85c87431b6ca052647ee8dc6a89d1c6e76c59fb29254696af1d86537e

memory/932-95-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2660-98-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-99-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-106-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-107-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-114-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-115-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-122-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2660-123-0x0000000000400000-0x0000000000482000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-06 17:36

Reported

2023-12-06 17:39

Platform

win10v2004-20231130-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe"

Signatures

Remcos

rat remcos

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 5048 wrote to memory of 420 N/A C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 5048 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 5048 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 5048 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe 12
PID 4992 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe 4
PID 4992 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe 4
PID 4992 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe 4

Identical rows have been collapsed; Events is the number of times each row appeared in the report. Three writes into a freshly started powershell.exe or schtasks.exe are what a plain CreateProcess produces (the parent writes the child's process parameters into it) and are not injection on their own. The 12 writes from 5048 into 4992, a second instance of the sample's own image, and the further writes from 4992 into 2428, 4444 and 2804, again the sample's own image, are the process-hollowing pattern that the SetThreadContext and MapViewOfSection signatures in the summary also reflect. Note that the /stext children received only four writes each, barely more than the benign helpers, so the parent-and-child-share-an-image relation, not the count, is the usable signal.
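The same "PID X wrote to memory of Y" row shape appears in both detonations (behavioral1 above and this one), and a reader has to count repeated lines by hand to see where the writes concentrate. The following is an added example, not part of the report or of the sandbox's own code: it parses rows in the report's layout, collapses them into parent-to-child edges with event counts and builds the process tree from them. The input is constructed from the behavioral2 table (counts as listed). The classification is the editor's heuristic: a child whose image path equals its parent's, and into which the parent then writes, is flagged as a hollowing candidate, which is what the report's SetThreadContext and MapViewOfSection signatures also point at. Counts are deliberately not the signal, because a plain CreateProcess already produces a few WriteProcessMemory events into the new child.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe")
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"


def _rows(src, dst, process, target, n):
    """n identical report rows: 'PID <src> wrote to memory of <dst> N/A <process> <target>'."""
    return [f"PID {src} wrote to memory of {dst} N/A {process} {target}"] * n


# Constructed input: the behavioral2 WriteProcessMemory table, one line per event,
# with the header line included to show that non-row lines are skipped.
BEHAVIORAL2_ROWS = (
    ["Description Indicator Process Target"]
    + _rows(5048, 420, SAMPLE, POWERSHELL, 3)
    + _rows(5048, 528, SAMPLE, POWERSHELL, 3)
    + _rows(5048, 1752, SAMPLE, SCHTASKS, 3)
    + _rows(5048, 4992, SAMPLE, SAMPLE, 12)
    + _rows(4992, 2428, SAMPLE, SAMPLE, 4)
    + _rows(4992, 4444, SAMPLE, SAMPLE, 4)
    + _rows(4992, 2804, SAMPLE, SAMPLE, 4)
)

# Groups: source PID, target PID, indicator column, process path, target path.
# Both paths start with a drive letter, so the lazy first path stops at the second
# drive letter; paths containing " X:\" in the middle would need a real parser.
ROW_RE = re.compile(
    r"^PID (\d+) wrote to memory of (\d+) (\S+) ([A-Za-z]:\\.*?) ([A-Za-z]:\\.*)$")


@dataclass(frozen=True)
class Edge:
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str


def parse_rows(lines):
    """Collapse repeated rows into {Edge: event count}; lines that are not rows are ignored."""
    counts = Counter()
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:
            counts[Edge(int(m[1]), int(m[2]), m[4], m[5])] += 1
    return counts


def hollowing_candidates(lines):
    """PIDs of children that share their parent's image path and were then written to by it.
    A few writes into any new child are normal (CreateProcess writes the child's process
    parameters), so the image match is the signal here, not the count."""
    return sorted(e.dst_pid for e in parse_rows(lines)
                  if e.dst_image.lower() == e.src_image.lower())


def render_tree(lines):
    """Indented process tree with the number of write events each child received."""
    counts = parse_rows(lines)
    hollow = set(hollowing_candidates(lines))
    children, images, writes = defaultdict(list), {}, defaultdict(int)
    for e, n in counts.items():  # Counter preserves first-seen order
        images[e.src_pid], images[e.dst_pid] = e.src_image, e.dst_image
        writes[e.dst_pid] += n
        if e.dst_pid not in children[e.src_pid]:
            children[e.src_pid].append(e.dst_pid)
    spawned = {c for cs in children.values() for c in cs}
    out = []

    def walk(pid, depth):
        name = images[pid].rsplit("\\", 1)[-1]
        suffix = f"  ({writes[pid]} writes from parent)" if pid in writes else ""
        mark = "  <-- hollowing candidate" if pid in hollow else ""
        out.append("  " * depth + f"{pid} {name}{suffix}{mark}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in sorted(p for p in children if p not in spawned):
        walk(root, 0)
    return out


if __name__ == "__main__":
    print("\n".join(render_tree(BEHAVIORAL2_ROWS)))
```

Run stand-alone it prints the tree rooted at 5048 with 420, 528, 1752 and 4992 as children and 2428, 4444 and 2804 under 4992; the four own-image children carry the hollowing mark, the two powershell.exe and the schtasks.exe child do not.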

Processes

Process tree, reconstructed from the WriteProcessMemory table above (each parent writes into the children it starts). The report does not say which of the two powershell.exe launches is PID 420 and which is 528, nor which /stext child is 2428, 4444 or 2804, so those PIDs are given as alternatives.

C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe  (PID 5048)
  "C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe"

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 420 or 528)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe"

    C:\Windows\SysWOW64\schtasks.exe  (PID 1752)
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GwdCcjuxCiQA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8A10.tmp"

    C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe  (PID 4992, second copy of the sample; 12 memory writes from 5048)
      "C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe"

        C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe  (PID 2428, 4444 or 2804)
          C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe /stext "C:\Users\Admin\AppData\Local\Temp\nzrmefrvlp"

        C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe  (PID 2428, 4444 or 2804)
          C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe /stext "C:\Users\Admin\AppData\Local\Temp\cembln"

        C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe  (PID 2428, 4444 or 2804)
          C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe /stext "C:\Users\Admin\AppData\Local\Temp\acgjluvabzbeasiypitglgvrwekumdbvut"

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 528 or 420)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GwdCcjuxCiQA.exe"

On Windows 10 the chain is the same as on Windows 7, except that the second Defender exclusion (for C:\Users\Admin\AppData\Roaming\GwdCcjuxCiQA.exe, the name the scheduled task Updates\GwdCcjuxCiQA also carries) was recorded after the hollowed copy had started. The System32 paths in the command lines versus the SysWOW64 image paths are WOW64 file-system redirection for a 32-bit parent, and /stext <file> is the NirSoft switch that writes recovered passwords to a text file, run here inside three copies of the sample that PID 4992 rewrote in memory. The Files list for this run is truncated in the report, so neither GwdCcjuxCiQA.exe nor the /stext output files can be checked against it.
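The command lines in the two process lists (behavioral1 and this one) are where a detection engineer would start. The following is an added example, not code from the report or from the sandbox vendor, that runs three process-creation rules over constructed events reproducing this run's process list: a Defender exclusion added for a user-writable path, a scheduled task imported from an XML file in Temp, and a process re-launching its own image with the NirSoft /stext switch. PIDs 5048, 4992 and 1752 come from the WriteProcessMemory table; the assignment of 420/528 to the two powershell.exe launches and of 2428/4444/2804 to the three /stext children, the explorer.exe parent and the two benign control events are the editor's assumptions. The self-spawn without /stext (PID 4992) is intentionally not flagged here: the memory-write pattern, not its command line, is what identifies it.

```python
import re
from dataclasses import dataclass

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe")
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
SCHTASKS_IMAGE = r"C:\Windows\SysWOW64\schtasks.exe"
SCHTASKS_CMD = r'"C:\Windows\System32\schtasks.exe"'
EXPLORER = r"C:\Windows\explorer.exe"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    parent_pid: int
    parent_image: str
    image: str
    command_line: str


# Constructed events reproducing the behavioral2 process list. PIDs 5048, 4992 and 1752 come
# from the WriteProcessMemory table; the other PIDs, the explorer.exe parent (PID 1234) and
# the two benign control events are assumed for the example.
EVENTS = [
    ProcEvent(5048, 1234, EXPLORER, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(420, 5048, SAMPLE, PS_IMAGE,
              f'{PS_CMD} Add-MpPreference -ExclusionPath "{SAMPLE}"'),
    ProcEvent(1752, 5048, SAMPLE, SCHTASKS_IMAGE,
              f'{SCHTASKS_CMD} /Create /TN "Updates\\GwdCcjuxCiQA" /XML "{TEMP}\\tmp8A10.tmp"'),
    ProcEvent(4992, 5048, SAMPLE, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(528, 5048, SAMPLE, PS_IMAGE,
              f'{PS_CMD} Add-MpPreference -ExclusionPath '
              r'"C:\Users\Admin\AppData\Roaming\GwdCcjuxCiQA.exe"'),
    ProcEvent(2428, 4992, SAMPLE, SAMPLE, f'{SAMPLE} /stext "{TEMP}\\nzrmefrvlp"'),
    ProcEvent(4444, 4992, SAMPLE, SAMPLE, f'{SAMPLE} /stext "{TEMP}\\cembln"'),
    ProcEvent(2804, 4992, SAMPLE, SAMPLE,
              f'{SAMPLE} /stext "{TEMP}\\acgjluvabzbeasiypitglgvrwekumdbvut"'),
    # Benign controls: an administrator listing Defender settings and querying a task.
    ProcEvent(6000, 1234, EXPLORER, PS_IMAGE, f"{PS_CMD} Get-MpPreference"),
    ProcEvent(6001, 1234, EXPLORER, SCHTASKS_IMAGE,
              f'{SCHTASKS_CMD} /Query /TN "Updates\\GwdCcjuxCiQA" /XML'),
]

USER_WRITABLE = re.compile(r'(?i)\\(Users\\[^\\"]+\\AppData|ProgramData|Users\\Public)\\')
TEMP_XML = re.compile(r'(?i)/xml\s+"?[^"\s]*\\AppData\\Local\\Temp\\')


def rule_defender_exclusion(ev):
    """powershell.exe adding a Defender exclusion (-ExclusionPath, -ExclusionProcess, ...)
    for a user-writable location. PowerShell accepts unambiguous parameter prefixes, so the
    stem -Exclusion is matched rather than the full parameter name."""
    cl = ev.command_line
    if (ev.image.lower().endswith("powershell.exe")
            and re.search(r"(?i)\bAdd-MpPreference\b", cl)
            and re.search(r"(?i)-Exclusion\w*", cl)
            and USER_WRITABLE.search(cl)):
        return "Defender exclusion added for a user-writable path"
    return None


def rule_schtasks_xml_from_temp(ev):
    """schtasks /Create importing its task definition from the user's Temp directory."""
    cl = ev.command_line
    if (ev.image.lower().endswith("schtasks.exe")
            and re.search(r"(?i)/create\b", cl) and TEMP_XML.search(cl)):
        return "scheduled task created from an XML file in %TEMP%"
    return None


def rule_nirsoft_stext_self_spawn(ev):
    """A process re-launching its own image with NirSoft's /stext <file>: the parent has put
    a NirSoft password-recovery tool into a copy of itself and told it to dump to a text file."""
    if (ev.image.lower() == ev.parent_image.lower()
            and re.search(r"(?i)\s/stext\s", ev.command_line)):
        return "own image re-launched with NirSoft /stext (credential dump to file)"
    return None


RULES = (rule_defender_exclusion, rule_schtasks_xml_from_temp, rule_nirsoft_stext_self_spawn)


def detect(events):
    """(pid, rule name, message) for every rule that fires, in event order."""
    return [(ev.pid, rule.__name__, msg)
            for ev in events for rule in RULES if (msg := rule(ev))]


if __name__ == "__main__":
    for pid, rule, msg in detect(EVENTS):
        print(f"{pid:>5}  {rule:<30}  {msg}")
```

Against the constructed events the rules fire six times (two exclusions, one task import, three /stext launches) and stay silent on the root process, the plain self-spawn and the two benign controls. The image checks use endswith rather than a full path so that both the System32 and the SysWOW64 copies of powershell.exe and schtasks.exe match.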

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 83.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 107.175.229.139:8087 tcp
US 107.175.229.139:8087 tcp
US 8.8.8.8:53 139.229.175.107.in-addr.arpa udp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 206.178.17.96.in-addr.arpa udp

Only 107.175.229.139:8087 (the same C2 as in behavioral1, again contacted without a DNS lookup) and the geoplugin.net query are attributable to the sample. The *.in-addr.arpa rows are reverse (PTR) lookups of addresses seen during the run (139.229.175.107.in-addr.arpa is the C2 address and 50.33.237.178.in-addr.arpa the geoplugin host), and the tse1.mm.bing.net lookups and 204.79.197.200:443 connections are background traffic of the Windows 10 image. Filter those before turning this table into indicators.

Files

C:\Users\Admin\AppData\Local\Temp\tmp8A10.tmp

MD5 4e93b25fb2893c67681f775594d3150d
SHA1 b8c2fdb3cf3aba3fdb6d2efb0b19005031bd71b1
SHA256 ff70ed8c74cd6b837b69cf8b94fda4831dc7bb8250be307a353766c3c9e4c9b7
SHA512 caf7aac1a5a2e198e608c4931e766ec64353065aa8c9f6dc95bc51b4d9503e260584839c821838131cb3232a2ad5ce240544f4abcdee8320f4d5476ab901d534

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2m4mpe5v.vnp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0c76a8ad7106df206bf42fac3793e97f
SHA1 2a44867a679fae10a3a87f8dd352a72244c98daa
SHA256 63b932050a6e219667803e760f6051fdb59608635d8d96b3c7e70339a697ee71
SHA512 fc180cc80d360c708fe9969e7a5fdf30ff0bf9096303b4459267d2ffdae31dfb0d4b8bcb029001035191cb68b6dece93898e194c99d4b8728f484684c9bc5f17

C:\Users\Admin\AppData\Local\Temp\acgjluvabzbeasiypitglgvrwekumdbvut

MD5 3772aaa65e9c5c579bf2a54fb9ab6265
SHA1 61196978558fc89e2fed95eed55b4dfdaf984c3a
SHA256 55ffc234341ed4f8be0fe8c2b5971f4b2954abdba5f452dcd9c18dba860ca2d0
SHA512 01da8983568c857a0c5b3c47e10abcad5cee8a414056577a5f233e3363b4d7f40b72359d7b71830953c03ccf80a929c0d81ce54df3f1f51fd753c3d5b55e0bae

C:\ProgramData\remcos\logs.dat

MD5 2bbe865b94b15023d1713a384dab3644
SHA1 5a7fee6574205441cc70ec2bc00fd678eabbbc07
SHA256 a1a719eda331cdc9c086951e35ae8df0662e85575b0757b730e2b711ce05d027
SHA512 d4ee914ff7f44f84acab2b0a273273036e1073d842dcea6e2ebafc4fd966cf61a0fae75e6b3fcf4a6f1e9fb90f88bf81c4aab3a1340b658813693264245917db
