Analysis Overview
SHA256
c82b6fc08bcfa1d30118384b13965df8a3136f5143680a25f7c49abefd260f24
Threat Level: Known bad
The file 5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.zip was found to be: Known bad.
Malicious Activity Summary
Remcos
Checks computer location settings
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-02 09:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-02 09:59
Reported
2024-04-02 10:02
Platform
win7-20231129-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Remcos
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1368 set thread context of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe | C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
"C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XPTpFDOlta.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XPTpFDOlta" /XML "C:\Users\Admin\AppData\Local\Temp\tmp39B6.tmp"
C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
"C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe"
Network
| Country | Destination | Domain | Proto |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
Files
memory/1368-0-0x0000000000D10000-0x0000000000E10000-memory.dmp
memory/1368-1-0x0000000073EF0000-0x00000000745DE000-memory.dmp
memory/1368-2-0x0000000004C20000-0x0000000004C60000-memory.dmp
memory/1368-3-0x0000000000550000-0x0000000000562000-memory.dmp
memory/1368-4-0x00000000005B0000-0x00000000005BC000-memory.dmp
memory/1368-5-0x0000000005250000-0x0000000005310000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 28ffd7314f9b701d23a819af28b05ddb |
| SHA1 | b16bb502f5c27697a870b112a5818ca85d1a6932 |
| SHA256 | 3823e3352f00fdd922d8158c7997b0dbec6fbd25471356e8c3d9959da079962f |
| SHA512 | 2b4122a0f417375c93412ea3a08b7d96b63d737a686c88bcfdf4e1dffbd77866401b3042b5524af2485a8b6fd9065e6b050ca1291b39342e46079d7ffa48a3d8 |
C:\Users\Admin\AppData\Local\Temp\tmp39B6.tmp
| MD5 | b4a83abaf40c073fdf0f953a7e795b33 |
| SHA1 | bfa918a3923b0d221898e173905e7d8584940006 |
| SHA256 | 03c049b5c573060c9f440a6760fca696ad0bc9a2b7042baeb355c692e89a82a7 |
| SHA512 | db8358b4de4cf877ce201c7912924af0e70cc160a2fe2757d4e7a184021d2369b400fca534d80b3ff57794a14568b101e0c3c9eb89441f5b1afdba968f160e0e |
memory/2624-18-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-20-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3008-22-0x000000006EE00000-0x000000006F3AB000-memory.dmp
memory/1428-24-0x000000006EE00000-0x000000006F3AB000-memory.dmp
memory/3008-26-0x0000000002CC0000-0x0000000002D00000-memory.dmp
memory/1428-27-0x0000000002900000-0x0000000002940000-memory.dmp
memory/1428-30-0x000000006EE00000-0x000000006F3AB000-memory.dmp
memory/3008-32-0x000000006EE00000-0x000000006F3AB000-memory.dmp
memory/2624-34-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3008-35-0x0000000002CC0000-0x0000000002D00000-memory.dmp
memory/2624-38-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3008-37-0x0000000002CC0000-0x0000000002D00000-memory.dmp
memory/1428-33-0x0000000002900000-0x0000000002940000-memory.dmp
memory/2624-29-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-25-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-21-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-40-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-41-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2624-43-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1368-46-0x0000000073EF0000-0x00000000745DE000-memory.dmp
memory/2624-45-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-47-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-50-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-49-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-51-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1428-53-0x000000006EE00000-0x000000006F3AB000-memory.dmp
memory/3008-52-0x000000006EE00000-0x000000006F3AB000-memory.dmp
memory/2624-54-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-55-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-56-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-57-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-59-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-60-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-61-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-62-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-64-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-65-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-66-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-67-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-68-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-70-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-71-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-72-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-73-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-75-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-76-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-77-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-78-0x0000000000400000-0x0000000000482000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | 67c9d9610dfcb3f8d52c7f2869bb105f |
| SHA1 | a4d39e028f39536a317e8c90f43e31b8f1a92e80 |
| SHA256 | 46502c569edfd0fded9ca6979da9a8bb728e873670b98559d0b8f497aa7e46e1 |
| SHA512 | 26458447f6432d524ebea0cd426335fb70560c3c7de4eca77bcfc7db04cd752da79b96442ab96b5da8a11d778e98a343422c8392ee12e40df1fbecc1342a7779 |
memory/2624-80-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-81-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-82-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-83-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-84-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-86-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-87-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-88-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-89-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-91-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-92-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-93-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-94-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-96-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-97-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-98-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-99-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-100-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2624-102-0x0000000000400000-0x0000000000482000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-02 09:59
Reported
2024-04-02 10:02
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Remcos
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4424 set thread context of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe | C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
"C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XPTpFDOlta.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XPTpFDOlta" /XML "C:\Users\Admin\AppData\Local\Temp\tmp80A9.tmp"
C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
"C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.110.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| UA | 194.147.140.180:1987 | | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| UA | 194.147.140.180:1987 | | tcp |
| US | 8.8.8.8:53 | 9.66.18.2.in-addr.arpa | udp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
| UA | 194.147.140.180:1987 | | tcp |
Files
memory/4424-0-0x0000000000330000-0x0000000000430000-memory.dmp
memory/4424-1-0x0000000074FA0000-0x0000000075750000-memory.dmp
memory/4424-2-0x00000000054B0000-0x0000000005A54000-memory.dmp
memory/4424-3-0x0000000004E10000-0x0000000004EA2000-memory.dmp
memory/4424-4-0x0000000004FD0000-0x0000000004FE0000-memory.dmp
memory/4424-5-0x0000000004EC0000-0x0000000004ECA000-memory.dmp
memory/4424-6-0x0000000004F80000-0x0000000004F92000-memory.dmp
memory/4424-7-0x0000000005070000-0x000000000507C000-memory.dmp
memory/4424-8-0x0000000006910000-0x00000000069D0000-memory.dmp
memory/4424-9-0x0000000008FE0000-0x000000000907C000-memory.dmp
memory/1084-14-0x00000000023D0000-0x0000000002406000-memory.dmp
memory/1084-15-0x0000000074FA0000-0x0000000075750000-memory.dmp
memory/1084-16-0x0000000002420000-0x0000000002430000-memory.dmp
memory/1084-17-0x0000000002420000-0x0000000002430000-memory.dmp
memory/1084-18-0x0000000004E40000-0x0000000005468000-memory.dmp
memory/3144-19-0x0000000002C00000-0x0000000002C10000-memory.dmp
memory/3144-20-0x0000000074FA0000-0x0000000075750000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp80A9.tmp
| MD5 | 12fe68183b8fd9717cd220a67fc025ee |
| SHA1 | 6eb421b0149b06bc672de0ef19fda824057c016b |
| SHA256 | 2fb381ecc0096aeed3d459ce26497d1c1b6107a610f4707b39ceaaeb2052620e |
| SHA512 | 7be77b12d7cd25a05539c5a73d5ea7c669439de28de5112152bcc46c8fbd776d4f5101a143cac77aacea7a33c81287be7db7f4ad5eb86fc62e7ed413229e43ca |
memory/3144-22-0x00000000053B0000-0x00000000053D2000-memory.dmp
memory/1084-23-0x0000000005470000-0x00000000054D6000-memory.dmp
memory/3144-24-0x0000000005E50000-0x0000000005EB6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yspywh3u.qm4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1084-34-0x0000000005700000-0x0000000005A54000-memory.dmp
memory/2836-44-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-45-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-47-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-50-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-49-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4424-48-0x0000000074FA0000-0x0000000075750000-memory.dmp
memory/2836-52-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-54-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-53-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3144-55-0x0000000006460000-0x000000000647E000-memory.dmp
memory/3144-56-0x0000000006540000-0x000000000658C000-memory.dmp
memory/1084-58-0x0000000075800000-0x000000007584C000-memory.dmp
memory/3144-57-0x00000000073D0000-0x0000000007402000-memory.dmp
memory/3144-70-0x0000000075800000-0x000000007584C000-memory.dmp
memory/1084-69-0x0000000006ED0000-0x0000000006EEE000-memory.dmp
memory/3144-59-0x000000007F3E0000-0x000000007F3F0000-memory.dmp
memory/1084-71-0x000000007F560000-0x000000007F570000-memory.dmp
memory/1084-72-0x0000000006EF0000-0x0000000006F93000-memory.dmp
memory/1084-82-0x0000000002420000-0x0000000002430000-memory.dmp
memory/3144-83-0x0000000002C00000-0x0000000002C10000-memory.dmp
memory/1084-85-0x0000000007030000-0x000000000704A000-memory.dmp
memory/3144-84-0x0000000007DC0000-0x000000000843A000-memory.dmp
memory/3144-86-0x00000000077F0000-0x00000000077FA000-memory.dmp
memory/1084-87-0x00000000072B0000-0x0000000007346000-memory.dmp
memory/3144-88-0x0000000007980000-0x0000000007991000-memory.dmp
memory/3144-89-0x00000000079B0000-0x00000000079BE000-memory.dmp
memory/3144-90-0x00000000079C0000-0x00000000079D4000-memory.dmp
memory/3144-91-0x0000000007AC0000-0x0000000007ADA000-memory.dmp
memory/1084-92-0x0000000007350000-0x0000000007358000-memory.dmp
memory/1084-98-0x0000000074FA0000-0x0000000075750000-memory.dmp
memory/3144-99-0x0000000074FA0000-0x0000000075750000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 52c537cd2eca799368b1b6aca0a7644c |
| SHA1 | b5c72fd4709d3fee1f615924c3adc1cc73cc61b8 |
| SHA256 | 4868e090801c2445e70b99ba64f1a04bfb1fcf9ba78bd17b444e51f9f0bab8c9 |
| SHA512 | e559bf11b0c45781843825823c9a1bab1288e124b903eccb2f95bac01f950a957f87961fd9d07d85af6ffce4024581da0b8b932104a7330098f33fd4fd906f8b |
memory/2836-100-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-101-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-103-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-104-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-105-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-107-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-108-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-109-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-111-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-112-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-113-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-115-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-116-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-117-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-118-0x0000000000400000-0x0000000000482000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | f368a674efd898261ad2bfad148f99a4 |
| SHA1 | 04ef0ec773a4962b5d434557eed387a6b6e84f46 |
| SHA256 | de1f00553c86932dd2cb3134a0c36da4ea48a9f4802205e4cc48f15f40b3bee5 |
| SHA512 | 5ecf765499286c413e466d36c60203ebf39cc8c808580b807bc12952c91e8b5066c5b10235dcf14e82f4350ec892feaa8cafc35787f44f15139b9f2ff8f69a45 |
memory/2836-120-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-121-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-122-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-124-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-125-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-126-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-128-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-129-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-131-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-132-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-133-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-134-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-136-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-137-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-139-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-140-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-141-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-142-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-144-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-145-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-147-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-148-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-149-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-151-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-152-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-153-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-155-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-156-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-157-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-159-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-160-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-161-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-163-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-164-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-166-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-167-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-168-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-169-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-171-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-172-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-175-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-176-0x0000000000400000-0x0000000000482000-memory.dmp