Analysis Overview
SHA256
fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd
Threat Level: Known bad
The file fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe was found to be: Known bad.
Malicious Activity Summary
Remcos
Nirsoft
NirSoft WebBrowserPassView
NirSoft MailPassView
Checks computer location settings
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-06 17:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-06 17:36
Reported
2023-12-06 17:39
Platform
win7-20231023-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Remcos
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe
"C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GwdCcjuxCiQA.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GwdCcjuxCiQA" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD3E2.tmp"
C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe
"C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe"
C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe
C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe /stext "C:\Users\Admin\AppData\Local\Temp\kfnmylyhyfvmjczknyyuyoqonrqcrdh"
C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe
C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe /stext "C:\Users\Admin\AppData\Local\Temp\uhtxrdjjmnnruivofjlvbtkfwgidkoymty"
C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe
C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe /stext "C:\Users\Admin\AppData\Local\Temp\xcypsvt"
Network
| Country | Destination | Domain | Proto |
| US | 107.175.229.139:8087 | | tcp |
| US | 107.175.229.139:8087 | | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
Files
memory/2868-0-0x00000000011D0000-0x00000000012DE000-memory.dmp
memory/2868-1-0x00000000740E0000-0x00000000747CE000-memory.dmp
memory/2868-2-0x0000000004C90000-0x0000000004CD0000-memory.dmp
memory/2868-3-0x0000000000460000-0x0000000000478000-memory.dmp
memory/2868-4-0x00000000002E0000-0x00000000002E8000-memory.dmp
memory/2868-5-0x0000000000300000-0x000000000030A000-memory.dmp
memory/2868-6-0x00000000053C0000-0x0000000005478000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpD3E2.tmp
| MD5 | bd6d3f8dc518bbf4d7695b69f1cf1fdb |
| SHA1 | 0b9d0b8eb0edef2e063e2c9e16d4896dedbd4246 |
| SHA256 | a56adad54b7d2e8f4d6b868e3cbd87e27cc6d86c60e7a6e447d5f1f9b3fe3782 |
| SHA512 | 71a128513b82dc343b707bdf3f8f084baa67122d29c9761687742c860c33823f8f650f98885dc42c6379578ed39ffcc689bc028b10927cfa074c2598264b7b42 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4UGCIF5KJLJI7KVXK52O.temp
| MD5 | 9a52cdd720d600b74dc53e32b879581b |
| SHA1 | b5f59e97d8688176f6fd80e3a1a521b0a0f08321 |
| SHA256 | 111bde4d8fb7edf91441db7b1a3077034dac602efc2ad70f0e5a1b5dfc1e27f3 |
| SHA512 | c1a47d068ba717ddf856cf374de4545c0a2ed5c7c0d560dddea1f36752056b44533b974e189076c051c6b8af2f3676238f2cf927dac1be765d882ece3ed48f88 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 9a52cdd720d600b74dc53e32b879581b |
| SHA1 | b5f59e97d8688176f6fd80e3a1a521b0a0f08321 |
| SHA256 | 111bde4d8fb7edf91441db7b1a3077034dac602efc2ad70f0e5a1b5dfc1e27f3 |
| SHA512 | c1a47d068ba717ddf856cf374de4545c0a2ed5c7c0d560dddea1f36752056b44533b974e189076c051c6b8af2f3676238f2cf927dac1be765d882ece3ed48f88 |
memory/2660-19-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2660-20-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2660-21-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2660-22-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2660-24-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2660-25-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2660-26-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2660-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2660-27-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2660-30-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2660-32-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2868-33-0x00000000740E0000-0x00000000747CE000-memory.dmp
memory/2660-34-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2660-36-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2660-37-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2660-38-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2652-39-0x000000006EF80000-0x000000006F52B000-memory.dmp
memory/2716-40-0x000000006EF80000-0x000000006F52B000-memory.dmp
memory/2716-41-0x00000000026C0000-0x0000000002700000-memory.dmp
memory/2652-42-0x0000000002690000-0x00000000026D0000-memory.dmp
memory/2652-43-0x000000006EF80000-0x000000006F52B000-memory.dmp
memory/2660-45-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2660-44-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2660-47-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2660-49-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2652-51-0x000000006EF80000-0x000000006F52B000-memory.dmp
memory/2716-50-0x000000006EF80000-0x000000006F52B000-memory.dmp
memory/2408-52-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2408-54-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2408-56-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1812-61-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2408-60-0x0000000000400000-0x0000000000478000-memory.dmp
memory/932-64-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1812-66-0x0000000000400000-0x0000000000457000-memory.dmp
memory/932-68-0x0000000000400000-0x0000000000424000-memory.dmp
memory/932-70-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1812-71-0x0000000000400000-0x0000000000457000-memory.dmp
memory/932-72-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2660-74-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2660-75-0x0000000000400000-0x0000000000482000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kfnmylyhyfvmjczknyyuyoqonrqcrdh
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/2408-80-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2660-82-0x0000000010000000-0x0000000010019000-memory.dmp
memory/2660-90-0x0000000010000000-0x0000000010019000-memory.dmp
memory/2660-89-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1812-88-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2660-87-0x0000000010000000-0x0000000010019000-memory.dmp
memory/2660-86-0x0000000010000000-0x0000000010019000-memory.dmp
memory/2660-85-0x0000000010000000-0x0000000010019000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | 55e6bfffcb10f3ab08a3c2fbe1839087 |
| SHA1 | d9fdcc9c92b06d94221e7decad0e2dfecd74f662 |
| SHA256 | e9fce4366bd33f8e99e0a145c84cfe03eca82b040a5a30b3dfdd61c1e21c5663 |
| SHA512 | 708d500d110710fadd055f94b7a6f31dbaa440d80ed1bb0ec71eedf0aed30a84b7b145b85c87431b6ca052647ee8dc6a89d1c6e76c59fb29254696af1d86537e |
memory/932-95-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2660-98-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2660-99-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2660-106-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2660-107-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2660-114-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2660-115-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2660-122-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2660-123-0x0000000000400000-0x0000000000482000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-06 17:36
Reported
2023-12-06 17:39
Platform
win10v2004-20231130-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Remcos
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe
"C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GwdCcjuxCiQA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8A10.tmp"
C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe
"C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GwdCcjuxCiQA.exe"
C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe
C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe /stext "C:\Users\Admin\AppData\Local\Temp\nzrmefrvlp"
C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe
C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe /stext "C:\Users\Admin\AppData\Local\Temp\cembln"
C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe
C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe /stext "C:\Users\Admin\AppData\Local\Temp\acgjluvabzbeasiypitglgvrwekumdbvut"
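The process tree is the same in both detonations (behavioral1 above and this behavioral2 run; only the temp file names differ, tmpD3E2.tmp versus tmp8A10.tmp and the three random /stext output names). The Python below encodes that chain as triage rules: PowerShell adding Defender exclusions for the sample and for the Roaming copy it will persist as, schtasks registering a task from an XML dropped in %TEMP%, the sample launching a second copy of itself with an identical command line (the shape a process-hollowing host takes, consistent with the SetThreadContext and WriteProcessMemory signatures), and that copy spawning three more copies with /stext, which is how the injected NirSoft recovery tools write their output. This is an added example and not part of the sandbox report: EVENTS is constructed from the command lines listed in the Processes sections, and the PIDs, the parent/child links and the Sysmon-style (image, command line) field layout are assumptions.

```python
"""Triage rules for the process tree in the behavioral1 and behavioral2 runs.

Added example, not part of the sandbox report. EVENTS is constructed from the
command lines listed in the Processes sections; the PIDs, the parent/child
links and the Sysmon-style (image, command line) field layout are assumptions.
"""
import re
from dataclasses import dataclass

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe")
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
# The 32-bit sample names System32 on its command line while the image that
# actually loads is the SysWOW64 copy (WoW64 file system redirection), which is
# why the report shows both paths for the same process.
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
TEMP = r"C:\Users\Admin\AppData\Local\Temp"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process list; PIDs and parent links are invented.
EVENTS = [
    ProcEvent(100, 1, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(101, 100, PS_IMAGE, f'{PS_CMD} Add-MpPreference -ExclusionPath "{SAMPLE}"'),
    ProcEvent(102, 100, PS_IMAGE,
              PS_CMD + r' Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GwdCcjuxCiQA.exe"'),
    ProcEvent(103, 100, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GwdCcjuxCiQA" /XML "' + TEMP + r'\tmpD3E2.tmp"'),
    ProcEvent(104, 100, SAMPLE, f'"{SAMPLE}"'),  # second copy: assumed host of the injected Remcos payload
    ProcEvent(105, 104, SAMPLE, SAMPLE + ' /stext "' + TEMP + r'\kfnmylyhyfvmjczknyyuyoqonrqcrdh"'),
    ProcEvent(106, 104, SAMPLE, SAMPLE + ' /stext "' + TEMP + r'\uhtxrdjjmnnruivofjlvbtkfwgidkoymty"'),
    ProcEvent(107, 104, SAMPLE, SAMPLE + ' /stext "' + TEMP + r'\xcypsvt"'),
]

EXCLUSION_RE = re.compile(r'Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+(?:"([^"]+)"|(\S+))', re.I)
TASK_RE = re.compile(r'/Create\b.*?/TN\s+"?([^"\s]+)"?.*?/XML\s+"([^"]+)"', re.I)
STEXT_RE = re.compile(r'/stext\s+"([^"]+)"', re.I)
TEMP_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.I)


def defender_exclusion(ev, _by_pid):
    """PowerShell adding a Defender exclusion (ATT&CK T1562.001)."""
    m = EXCLUSION_RE.search(ev.cmdline)
    if m and ev.image.lower().endswith("powershell.exe"):
        return f"Defender exclusion ({m.group(1)}) for {m.group(2) or m.group(3)}"
    return None


def task_from_temp_xml(ev, _by_pid):
    """schtasks /Create with a task definition dropped in %TEMP% (ATT&CK T1053.005)."""
    if not ev.image.lower().endswith("schtasks.exe"):
        return None
    m = TASK_RE.search(ev.cmdline)
    if m and TEMP_RE.search(m.group(2)):
        return f"task {m.group(1)} registered from {m.group(2)}"
    return None


def self_reexec(ev, by_pid):
    """An image launching itself with an identical command line: the shape a hollowed
    payload host takes (ATT&CK T1055.012), matching the SetThreadContext and
    WriteProcessMemory signatures in this report."""
    parent = by_pid.get(ev.ppid)
    if parent and parent.image.lower() == ev.image.lower() and ev.cmdline == f'"{ev.image}"':
        return "image re-executed itself with identical command line"
    return None


def nirsoft_stext(ev, by_pid):
    """NirSoft recovery tools take /stext <file>; here they run inside further copies
    of the sample, so parent and child share an image and the output is an
    extension-less random lowercase name in %TEMP% (ATT&CK T1555)."""
    m = STEXT_RE.search(ev.cmdline)
    parent = by_pid.get(ev.ppid)
    if m and parent and parent.image.lower() == ev.image.lower():
        out = m.group(1)
        if TEMP_RE.search(out) and re.fullmatch(r"[a-z]{5,40}", out.rsplit("\\", 1)[-1]):
            return f"/stext credential dump written to {out}"
    return None


RULES = {
    "defender_exclusion": defender_exclusion,
    "task_from_temp_xml": task_from_temp_xml,
    "self_reexec": self_reexec,
    "nirsoft_stext": nirsoft_stext,
}


def triage(events):
    """Return (rule, pid, detail) for every event a rule fires on."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        for name, fn in RULES.items():
            hit = fn(ev, by_pid)
            if hit:
                findings.append((name, ev.pid, hit))
    return findings


def distinct_rules(findings):
    """Number of different rules that fired; the full chain in this report fires all four."""
    return len({name for name, _, _ in findings})


if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(f"{rule:20} pid={pid} {detail}")
```

Each rule on its own is weak (administrators add Defender exclusions and register tasks from XML); the signal in this report is that all four fire from one parent within seconds, so the severity is taken from distinct_rules over the tree rather than from any single hit.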
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 107.175.229.139:8087 | | tcp |
| US | 107.175.229.139:8087 | | tcp |
| US | 8.8.8.8:53 | 139.229.175.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.178.17.96.in-addr.arpa | udp |
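The Windows 10 table above buries the two rows that matter, the raw TCP sessions to 107.175.229.139:8087 with no resolved name and the geoplugin.net request Remcos uses to geolocate the victim (both also appear in the Windows 7 run), under reverse lookups and Bing traffic from the sandbox image itself. The Python below, an added example that is not part of the report, separates the two: it drops PTR queries and assumed background domains, keeps bare-IP TCP connections on uncommon ports as C2 candidates, keeps geoplugin.net as a family fingerprint, and checks whether the sandbox resolver issued a PTR lookup for the candidate IP. ROWS is constructed from the table (country, destination, domain, protocol); the list of background domains in NOISE_SUFFIXES is an assumption.

```python
"""Noise filter for the sandbox network table above.

Added example, not part of the report. ROWS is constructed from the table in
the order it appears; which domains count as sandbox background traffic
(NOISE_SUFFIXES) is an assumption, not something the report states.
"""
import ipaddress

ROWS = [
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", "8.8.8.8:53", "200.197.79.204.in-addr.arpa", "udp"),
    ("US", "107.175.229.139:8087", "", "tcp"),
    ("US", "107.175.229.139:8087", "", "tcp"),
    ("US", "8.8.8.8:53", "139.229.175.107.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "geoplugin.net", "udp"),
    ("NL", "178.237.33.50:80", "geoplugin.net", "tcp"),
    ("US", "8.8.8.8:53", "50.33.237.178.in-addr.arpa", "udp"),
]

# Assumed background traffic of the Windows 10 sandbox image (not from the report).
NOISE_SUFFIXES = (".bing.net", ".microsoft.com", ".windows.com")
# Geolocation service Remcos contacts; seen in both detonations in this report.
FINGERPRINT_DOMAINS = {"geoplugin.net"}
COMMON_PORTS = {53, 80, 443}


def split_dest(dest):
    host, _, port = dest.rpartition(":")
    return host, int(port)


def ptr_name(ip):
    """Reverse-DNS query name for an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def classify(row):
    """One of 'ptr', 'noise', 'fingerprint', 'dns', 'c2_candidate', 'other'."""
    _country, dest, domain, proto = row
    host, port = split_dest(dest)
    if domain.endswith(".in-addr.arpa"):
        return "ptr"           # sandbox resolver doing reverse lookups, no attacker signal
    if domain.endswith(NOISE_SUFFIXES):
        return "noise"
    if domain in FINGERPRINT_DOMAINS:
        return "fingerprint"
    if proto == "udp" and port == 53:
        return "dns"
    if not domain and proto == "tcp" and port not in COMMON_PORTS:
        ipaddress.ip_address(host)  # raises ValueError if the bare destination is not an IP
        return "c2_candidate"
    return "other"


def extract_iocs(rows):
    """Deduplicated C2 candidates and fingerprint domains in first-seen order, plus
    the candidate IPs for which the table also shows a PTR lookup."""
    c2, fingerprint = [], []
    domains = {row[2] for row in rows}
    for row in rows:
        kind = classify(row)
        if kind == "c2_candidate" and row[1] not in c2:
            c2.append(row[1])
        elif kind == "fingerprint" and row[2] not in fingerprint:
            fingerprint.append(row[2])
    ptr_seen = [split_dest(d)[0] for d in c2 if ptr_name(split_dest(d)[0]) in domains]
    return {"c2": c2, "fingerprint": fingerprint, "ptr_seen": ptr_seen}


if __name__ == "__main__":
    print(extract_iocs(ROWS))
```

The bare-IP rule deliberately ignores ports 80 and 443 so that CDN and update traffic does not surface as C2; a Remcos build using 443 would need the fingerprint domain or the process attribution (not present in this table) to be caught.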
Files
memory/5048-1-0x0000000000C10000-0x0000000000D1E000-memory.dmp
memory/5048-0-0x0000000074AF0000-0x00000000752A0000-memory.dmp
memory/5048-3-0x0000000005750000-0x00000000057E2000-memory.dmp
memory/5048-4-0x0000000005740000-0x0000000005750000-memory.dmp
memory/5048-2-0x0000000005C60000-0x0000000006204000-memory.dmp
memory/5048-5-0x0000000005710000-0x000000000571A000-memory.dmp
memory/5048-6-0x0000000006D10000-0x0000000006D28000-memory.dmp
memory/5048-7-0x0000000006920000-0x0000000006928000-memory.dmp
memory/5048-8-0x0000000006930000-0x000000000693A000-memory.dmp
memory/5048-9-0x0000000006EB0000-0x0000000006F68000-memory.dmp
memory/5048-10-0x0000000006A90000-0x0000000006B2C000-memory.dmp
memory/420-15-0x0000000004670000-0x00000000046A6000-memory.dmp
memory/420-16-0x0000000004E10000-0x0000000005438000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp8A10.tmp
| MD5 | 4e93b25fb2893c67681f775594d3150d |
| SHA1 | b8c2fdb3cf3aba3fdb6d2efb0b19005031bd71b1 |
| SHA256 | ff70ed8c74cd6b837b69cf8b94fda4831dc7bb8250be307a353766c3c9e4c9b7 |
| SHA512 | caf7aac1a5a2e198e608c4931e766ec64353065aa8c9f6dc95bc51b4d9503e260584839c821838131cb3232a2ad5ce240544f4abcdee8320f4d5476ab901d534 |
memory/528-20-0x0000000005530000-0x0000000005552000-memory.dmp
memory/528-23-0x0000000005FB0000-0x0000000006016000-memory.dmp
memory/528-33-0x00000000052A0000-0x00000000052B0000-memory.dmp
memory/528-34-0x00000000052A0000-0x00000000052B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2m4mpe5v.vnp.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/528-44-0x0000000006120000-0x0000000006474000-memory.dmp
memory/4992-49-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4992-55-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4992-56-0x0000000000400000-0x0000000000482000-memory.dmp
memory/528-57-0x0000000006610000-0x000000000662E000-memory.dmp
memory/4992-54-0x0000000000400000-0x0000000000482000-memory.dmp
memory/528-58-0x0000000006660000-0x00000000066AC000-memory.dmp
memory/5048-52-0x0000000074AF0000-0x00000000752A0000-memory.dmp
memory/4992-51-0x0000000000400000-0x0000000000482000-memory.dmp
memory/5048-50-0x0000000005740000-0x0000000005750000-memory.dmp
memory/4992-47-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4992-45-0x0000000000400000-0x0000000000482000-memory.dmp
memory/5048-46-0x0000000074AF0000-0x00000000752A0000-memory.dmp
memory/528-22-0x0000000074AF0000-0x00000000752A0000-memory.dmp
memory/420-21-0x0000000004C90000-0x0000000004CF6000-memory.dmp
memory/420-18-0x00000000047D0000-0x00000000047E0000-memory.dmp
memory/420-17-0x0000000074AF0000-0x00000000752A0000-memory.dmp
memory/4992-59-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4992-60-0x0000000000400000-0x0000000000482000-memory.dmp
memory/420-61-0x000000007F150000-0x000000007F160000-memory.dmp
memory/420-65-0x00000000735C0000-0x000000007360C000-memory.dmp
memory/528-67-0x00000000735C0000-0x000000007360C000-memory.dmp
memory/420-77-0x0000000006BD0000-0x0000000006BEE000-memory.dmp
memory/420-90-0x00000000047D0000-0x00000000047E0000-memory.dmp
memory/528-89-0x0000000007600000-0x00000000076A3000-memory.dmp
memory/528-92-0x0000000007940000-0x000000000795A000-memory.dmp
memory/528-93-0x00000000079B0000-0x00000000079BA000-memory.dmp
memory/420-91-0x00000000075B0000-0x0000000007C2A000-memory.dmp
memory/528-88-0x00000000052A0000-0x00000000052B0000-memory.dmp
memory/420-86-0x00000000047D0000-0x00000000047E0000-memory.dmp
memory/4992-95-0x0000000000400000-0x0000000000482000-memory.dmp
memory/528-66-0x000000007F7E0000-0x000000007F7F0000-memory.dmp
memory/420-96-0x00000000071F0000-0x0000000007286000-memory.dmp
memory/420-97-0x0000000007170000-0x0000000007181000-memory.dmp
memory/4992-64-0x0000000000400000-0x0000000000482000-memory.dmp
memory/420-63-0x0000000006BF0000-0x0000000006C22000-memory.dmp
memory/4992-62-0x0000000000400000-0x0000000000482000-memory.dmp
memory/420-98-0x00000000071A0000-0x00000000071AE000-memory.dmp
memory/528-100-0x0000000007C80000-0x0000000007C9A000-memory.dmp
memory/528-101-0x0000000007C60000-0x0000000007C68000-memory.dmp
memory/528-99-0x0000000007B80000-0x0000000007B94000-memory.dmp
memory/528-108-0x0000000074AF0000-0x00000000752A0000-memory.dmp
memory/420-107-0x0000000074AF0000-0x00000000752A0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0c76a8ad7106df206bf42fac3793e97f |
| SHA1 | 2a44867a679fae10a3a87f8dd352a72244c98daa |
| SHA256 | 63b932050a6e219667803e760f6051fdb59608635d8d96b3c7e70339a697ee71 |
| SHA512 | fc180cc80d360c708fe9969e7a5fdf30ff0bf9096303b4459267d2ffdae31dfb0d4b8bcb029001035191cb68b6dece93898e194c99d4b8728f484684c9bc5f17 |
memory/2428-109-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4444-110-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2428-112-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4444-115-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2804-114-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2804-124-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4444-120-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2804-126-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4444-127-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2428-117-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2804-128-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2428-130-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4992-136-0x0000000010000000-0x0000000010019000-memory.dmp
memory/4992-135-0x0000000010000000-0x0000000010019000-memory.dmp
memory/4992-132-0x0000000010000000-0x0000000010019000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\acgjluvabzbeasiypitglgvrwekumdbvut
| MD5 | 3772aaa65e9c5c579bf2a54fb9ab6265 |
| SHA1 | 61196978558fc89e2fed95eed55b4dfdaf984c3a |
| SHA256 | 55ffc234341ed4f8be0fe8c2b5971f4b2954abdba5f452dcd9c18dba860ca2d0 |
| SHA512 | 01da8983568c857a0c5b3c47e10abcad5cee8a414056577a5f233e3363b4d7f40b72359d7b71830953c03ccf80a929c0d81ce54df3f1f51fd753c3d5b55e0bae |
memory/4992-138-0x0000000010000000-0x0000000010019000-memory.dmp
memory/4992-137-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4992-141-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4992-142-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4992-143-0x0000000000400000-0x0000000000482000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | 2bbe865b94b15023d1713a384dab3644 |
| SHA1 | 5a7fee6574205441cc70ec2bc00fd678eabbbc07 |
| SHA256 | a1a719eda331cdc9c086951e35ae8df0662e85575b0757b730e2b711ce05d027 |
| SHA512 | d4ee914ff7f44f84acab2b0a273273036e1073d842dcea6e2ebafc4fd966cf61a0fae75e6b3fcf4a6f1e9fb90f88bf81c4aab3a1340b658813693264245917db |
memory/4992-150-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4992-151-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4992-158-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4992-159-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4992-166-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4992-167-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4992-174-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4992-175-0x0000000000400000-0x0000000000482000-memory.dmp