Malware Analysis Report

2025-01-02 03:18

Sample ID 240325-xvxmmsag31
Target HUD34EDRFQ253.exe
SHA256 5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb
Tags remcos remotehost rat
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb

Threat Level: Known bad

The file HUD34EDRFQ253.exe was found to be: Known bad.

Malicious Activity Summary

remcos remotehost rat

Remcos

Checks computer location settings

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-25 19:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-25 19:11

Reported

2024-03-25 19:13

Platform

win7-20240221-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe"

Signatures

Remcos

rat remcos

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2196 set thread context of 2692 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2196 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2196 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2196 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2196 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2196 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2196 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2196 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2196 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2196 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Windows\SysWOW64\schtasks.exe
PID 2196 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Windows\SysWOW64\schtasks.exe
PID 2196 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Windows\SysWOW64\schtasks.exe
PID 2196 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Windows\SysWOW64\schtasks.exe
PID 2196 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe
PID 2196 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe
PID 2196 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe
PID 2196 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe
PID 2196 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe
PID 2196 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe
PID 2196 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe
PID 2196 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe
PID 2196 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe
PID 2196 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe
PID 2196 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe
PID 2196 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe
PID 2196 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe

Processes

C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe

"C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XPTpFDOlta.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XPTpFDOlta" /XML "C:\Users\Admin\AppData\Local\Temp\tmp753F.tmp"

C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe

"C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe"

Network

Country Destination Domain Proto
UA 194.147.140.180:1987 N/A tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp753F.tmp

MD5 83851635ee08188b3f0420d6d591f4e4
SHA1 eb0a8faf737323834190b164742f2f13cd9dc34d
SHA256 dfa16844f9290cfbc771c94e73e47bdf01f623e01362b893d680bce569d02faf
SHA512 1e1604d67e82375599680040c4f86236fdbed00b2f71037190b263801152475bd382c1acec275508b18e8825b7dc8f2cf34a7a172edd96d99f0f200db862e42a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 bfda54c33d5a1128b3d39878a44b97ab
SHA1 b4a4268f3625e1332cb18a37c78fd4dcb165a76e
SHA256 ef01840a2192e8908d67edc165e9deef82989cca053e26740994bc4d1335e3e3
SHA512 d9917c5e55043e80050f3156e4c59426d9aabd98849fb2f9909ddd0da433e0592a41508f58416f52e5385e9c07bc7b8e5f56c970ce7d7e00521e60b74e702c06

C:\ProgramData\remcos\logs.dat

MD5 c97e052fa6f9d88df2e0e5cc898330a6
SHA1 4fae70536f2f2d5e5234e4278d3b071d9f0a4db6
SHA256 3d0feebad974df89a29c7973912062bc7c51a523ff1c2ba04278c1632cd2e14c
SHA512 ea519c2402dd89498d88f80337d68686ec9c739b59c568f87ea19cd04e9baf888347bab0e283fc91272f10a083bc70ca2f6e8253b1dd128f736effe92521607c

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-25 19:11

Reported

2024-03-25 19:13

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe"

Signatures

Remcos

rat remcos

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1760 set thread context of 2484 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1760 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1760 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1760 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1760 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1760 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1760 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1760 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Windows\SysWOW64\schtasks.exe
PID 1760 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Windows\SysWOW64\schtasks.exe
PID 1760 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Windows\SysWOW64\schtasks.exe
PID 1760 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe
PID 1760 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe
PID 1760 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe
PID 1760 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe
PID 1760 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe
PID 1760 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe
PID 1760 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe
PID 1760 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe
PID 1760 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe
PID 1760 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe
PID 1760 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe
PID 1760 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe

Processes

C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe

"C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XPTpFDOlta.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XPTpFDOlta" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6503.tmp"

C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe

"C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 148.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 61.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
UA 194.147.140.180:1987 N/A tcp
US 8.8.8.8:53 180.140.147.194.in-addr.arpa udp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 50.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tmp6503.tmp

MD5 48d925fe1cdd27a2030bf8577fcdd595
SHA1 50d2db3e174e4f5fe9c39f43297f1764ef9406b4
SHA256 d8584e9d9f5b27a826332ec53221c87b5cb15966d4a3b762bf7b6352a75746dc
SHA512 9ff3ba322c14450656acc61c50bb7e2b29151f2d30c589cacede9b831c44435cd4df92b8ade16b5e2de9cf10cc743c6ae40dd9089fc22ec83816231cfdd77379

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r4horm40.s3m.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 73615911c9f05af93b2817cc94f87825
SHA1 297cc920c258e836b7f8b3f41dbb7e62b2806bca
SHA256 bac7dc6cf7582085342be734a905785d0667fdb794acdb146550a251ad768100
SHA512 60d1d9a737113fbc897f25422081bfc3ffab4616f47b2e8c7bc9c7831696196b94beb20f10c7a73e5439bb793180989aeafedc58938ce3d5da2f904db6a6707b

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\ProgramData\remcos\logs.dat

MD5 3eac7be4cf5d826d7c43cbaab7df2fb6
SHA1 cbb70311bad8a23e7d7ab3116f109c1b50334392
SHA256 df2ad3ba2125d422008c6c839b500f0ebcf5ec3b27e62c4c1cdcc6289f8cbb80
SHA512 045aa788844960423ff24a9d131a4f52e389919f9e17902c10d9b380556c988fd175bf07000ec287a6ab6354a32e4536db94b870ad2a80fb9cb0b3cf4e4aa935
