Malware Analysis Report

2025-01-02 03:19

Sample ID 240325-xvvs2sag3y
Target HUD34EDRFQ253.exe
SHA256 5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb
Tags
remcos remotehost rat
score
10/10

Analysis Overview

score
10/10

SHA256

5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb

Threat Level: Known bad

The file HUD34EDRFQ253.exe was found to be: Known bad.

Malicious Activity Summary

remcos remotehost rat

Remcos

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-25 19:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-25 19:10

Reported

2024-03-25 19:13

Platform

win7-20231129-en

Max time kernel

148s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe"

Signatures

Remcos

rat remcos

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 824 set thread context of 2612 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 824 wrote to memory of 1716 (repeated 4 times) N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 824 wrote to memory of 2544 (repeated 4 times) N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 824 wrote to memory of 2592 (repeated 4 times) N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Windows\SysWOW64\schtasks.exe
PID 824 wrote to memory of 2612 (repeated 13 times) N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe

Processes

C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe

"C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XPTpFDOlta.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XPTpFDOlta" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3784.tmp"

C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe

"C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe"

Network

Country Destination Domain Proto
UA 194.147.140.180:1987 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp3784.tmp

MD5 b4a83abaf40c073fdf0f953a7e795b33
SHA1 bfa918a3923b0d221898e173905e7d8584940006
SHA256 03c049b5c573060c9f440a6760fca696ad0bc9a2b7042baeb355c692e89a82a7
SHA512 db8358b4de4cf877ce201c7912924af0e70cc160a2fe2757d4e7a184021d2369b400fca534d80b3ff57794a14568b101e0c3c9eb89441f5b1afdba968f160e0e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 d37f6198ecd57e26280a42e8241a04bd
SHA1 e3ea1a4c637d33db7729aed66b686bab4ff822b7
SHA256 c941bf6127df9a21fd91d2936ede35768eda80221addee98be8900b11df27614
SHA512 a45835ac3e45b3342464e457c5fec355c127721fe325abdc8884384981325eaaf55ee8ff785e55e4a7db694f81a91f2efd4f1955c28573452c46f1fd7cb6f558

C:\ProgramData\remcos\logs.dat

MD5 e42dbb9530aea6644e3c8c2dbfecfe37
SHA1 c8bc23becc11d02d3d0137489144661d0cfe73ef
SHA256 402e564e8680914242226ab69de94c7ae0cf9ff9f359c017cb560d7f0fae545c
SHA512 07a7e4e9c20188f169304068d4e6942555d17bf2ca7b9e65d0a75672a6d672e2f92c16cab43f1e496ecae06539e5a91c01643df9fbcf2b5d120bc44878e1ae95

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-25 19:10

Reported

2024-03-25 19:13

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe"

Signatures

Remcos

rat remcos

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2884 set thread context of 4828 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2884 wrote to memory of 228 (repeated 3 times) N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2884 wrote to memory of 3928 (repeated 3 times) N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2884 wrote to memory of 3624 (repeated 3 times) N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Windows\SysWOW64\schtasks.exe
PID 2884 wrote to memory of 4828 (repeated 12 times) N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe

Processes

C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe

"C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XPTpFDOlta.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XPTpFDOlta" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8CA0.tmp"

C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe

"C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
UA 194.147.140.180:1987 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 180.140.147.194.in-addr.arpa udp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 195.177.78.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 203.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 49.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 70.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp8CA0.tmp

MD5 20b7cea3861996e11496924c8e136475
SHA1 74498fc7e252587a4e2f58a091c91e67ab3b8a2d
SHA256 ac47b4e2cd894b2f4f3c68442ddc9998ce533b176f0ae329a3688f7ae9f4549a
SHA512 eca8db1fe24a5dc793907452006a8e4fcfa29d9d953adb49bb626d0b22bd7700fb8c2b9df42c3c78ad4b995d827c5e702f88030d1b9d316484ecf96a962bbca6

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i43ofdg0.skj.psm1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 98cbf34a8e0b3d1d63cde5792baa1e4f
SHA1 229a615db77c6497560726fce34c6d132d1291a3
SHA256 6e7f3aab52fba5288defb2e82d91caf8a6317aa9dabb7d82be1edd2cbb92bbf8
SHA512 8e20b9cacc9599ccf21111c2b64c4842bb4c42445c93c023d88000a3d87afd08dcd36cad929e1be1271b483b8530a4b2e3211b24b8ac86440bf6dea898ca1ea2

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\ProgramData\remcos\logs.dat

MD5 55918fcb08480f5745dda9c88843327d
SHA1 8f30ca19e0e7d21026b8e309558b19934fe5249d
SHA256 8a9a437f9c21bb1a44632abe99d8e0455f032ac5199dace1808cde8952ea03f4
SHA512 15d0c8d44523c95a403c0bc95a9f14b473fcc6570d6cc40aa45843ed92e95924eddb3e47e147f9a77970a323e08007084405f8a4d18f8d730ac6388a856be046
