Malware Analysis Report

2025-01-02 03:13

Sample ID 240405-qp9lpadg83
Target SecuriteInfo.com.Win32.PWSX-gen.22684.1131
SHA256 8f02ecb26530c0a13b7f00020ebca144fc271fe36a5caaba1f4b3270e8e0023c
Tags
remcos remotehost collection rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8f02ecb26530c0a13b7f00020ebca144fc271fe36a5caaba1f4b3270e8e0023c

Threat Level: Known bad

The file SecuriteInfo.com.Win32.PWSX-gen.22684.1131 was found to be: Known bad.

Malicious Activity Summary

remcos remotehost collection rat spyware stealer

Remcos

NirSoft MailPassView

Nirsoft

NirSoft WebBrowserPassView

Reads user/profile data of web browsers

Checks computer location settings

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-05 13:27

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-05 13:27

Reported

2024-04-05 13:29

Platform

win7-20240215-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe"

Signatures

Remcos

rat remcos

NirSoft MailPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

NirSoft WebBrowserPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Nirsoft

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2480 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2480 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2480 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2480 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2480 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2480 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2480 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2480 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2480 wrote to memory of 2180 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2480 wrote to memory of 2180 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2480 wrote to memory of 2180 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2480 wrote to memory of 2180 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2480 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2480 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2480 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2480 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2480 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2480 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2480 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2480 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2480 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2480 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2480 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2480 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2480 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2480 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2480 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2480 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2480 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2512 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2512 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2512 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2512 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2512 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2512 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2512 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2512 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2512 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2512 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2512 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2512 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2512 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2512 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2512 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2512 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2512 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2512 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2512 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2512 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2512 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2512 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2512 wrote to memory of 788 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2512 wrote to memory of 788 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2512 wrote to memory of 788 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2512 wrote to memory of 788 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 2512 wrote to memory of 788 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tzRVJJzEigd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tzRVJJzEigd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp405A.tmp"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe /stext "C:\Users\Admin\AppData\Local\Temp\pnuacjnzacyosynethhdgv"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe /stext "C:\Users\Admin\AppData\Local\Temp\pnuacjnzacyosynethhdgv"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe /stext "C:\Users\Admin\AppData\Local\Temp\pnuacjnzacyosynethhdgv"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe /stext "C:\Users\Admin\AppData\Local\Temp\zhzldtytwkqtdmjiksuxricdr"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe /stext "C:\Users\Admin\AppData\Local\Temp\jbfddmiuktiyfsxmtdhyumwuaiqz"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe /stext "C:\Users\Admin\AppData\Local\Temp\jbfddmiuktiyfsxmtdhyumwuaiqz"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | paygateme.net | udp
US | 146.70.57.34:2286 | paygateme.net | tcp
US | 146.70.57.34:2286 | paygateme.net | tcp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp

Files

memory/2480-0-0x00000000000E0000-0x00000000001C6000-memory.dmp

memory/2480-1-0x0000000074990000-0x000000007507E000-memory.dmp

memory/2480-2-0x00000000048A0000-0x00000000048E0000-memory.dmp

memory/2480-3-0x0000000001DE0000-0x0000000001DF0000-memory.dmp

memory/2480-4-0x0000000001E00000-0x0000000001E0C000-memory.dmp

memory/2480-5-0x00000000053D0000-0x0000000005490000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp405A.tmp

MD5 79a4a5a45db38f8e96e531d444c9070c
SHA1 78cf2a96ebd585946c8eaa5b7d5b9d36fa1fdf1e
SHA256 c994a716c0a32494b68296b70d6d0470c1a18b172e8e278cda0c2016371d964d
SHA512 603e1999333319f2709b1a8858dc2d19bb2693b812d34be3440ae6f86a64b4d318e2b34a8712ff5f50e76205c8b9bea05830eaae7452fbff0351c2d019f288c4

memory/2512-13-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2512-15-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2512-17-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2512-19-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2512-21-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2512-23-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2512-25-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2512-27-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2512-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2512-31-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2480-34-0x0000000074990000-0x000000007507E000-memory.dmp

memory/2512-33-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2512-35-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2512-37-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2512-38-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2512-39-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2648-40-0x000000006ED60000-0x000000006F30B000-memory.dmp

memory/2648-42-0x000000006ED60000-0x000000006F30B000-memory.dmp

memory/2512-43-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2648-44-0x0000000001EB0000-0x0000000001EF0000-memory.dmp

memory/2648-46-0x0000000001EB0000-0x0000000001EF0000-memory.dmp

memory/2512-45-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2648-47-0x0000000001EB0000-0x0000000001EF0000-memory.dmp

memory/2648-48-0x000000006ED60000-0x000000006F30B000-memory.dmp

memory/2512-49-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2512-50-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2512-51-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2512-52-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2512-54-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2836-58-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2836-61-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2836-64-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2624-65-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2624-68-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2624-70-0x0000000000400000-0x0000000000462000-memory.dmp

memory/788-71-0x0000000000400000-0x0000000000424000-memory.dmp

memory/788-67-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/788-73-0x0000000000400000-0x0000000000424000-memory.dmp

memory/788-74-0x0000000000400000-0x0000000000424000-memory.dmp

memory/788-75-0x0000000000400000-0x0000000000424000-memory.dmp

memory/788-76-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2836-81-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pnuacjnzacyosynethhdgv

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/2624-84-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2512-85-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2512-88-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2512-89-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2512-90-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2512-91-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2512-92-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2512-94-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2512-95-0x0000000000400000-0x0000000000482000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 bcd9f0bfac3a73334fdc2c98dab2c631
SHA1 6235d0b03a20f8e97582698a9873bef70ba146c0
SHA256 0aedf622b657b180f7a81210e393562ff92133e341f27f78ae97fd48f623564e
SHA512 ee8e1c097e1c453ebe864915374ffac8972431f6030ec9a8bb77ca109e2bd1bd2314a9da3eefaf768d7956482fc4015f65a51df21c708c44a6c8ae12a8505ba8

memory/2512-100-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2512-103-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2512-112-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2512-113-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2512-120-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2512-121-0x0000000000400000-0x0000000000482000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-05 13:27

Reported

2024-04-05 13:29

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe"

Signatures

Remcos

rat remcos

NirSoft MailPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

NirSoft WebBrowserPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Nirsoft

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3632 wrote to memory of 5052 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3632 wrote to memory of 5052 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3632 wrote to memory of 5052 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3632 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3632 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3632 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3632 wrote to memory of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 3632 wrote to memory of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 3632 wrote to memory of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 3632 wrote to memory of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 3632 wrote to memory of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 3632 wrote to memory of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 3632 wrote to memory of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 3632 wrote to memory of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 3632 wrote to memory of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 3632 wrote to memory of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 3632 wrote to memory of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 3632 wrote to memory of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 5000 wrote to memory of 2460 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 5000 wrote to memory of 2460 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 5000 wrote to memory of 2460 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 5000 wrote to memory of 2460 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 5000 wrote to memory of 432 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 5000 wrote to memory of 432 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 5000 wrote to memory of 432 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 5000 wrote to memory of 432 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 5000 wrote to memory of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 5000 wrote to memory of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 5000 wrote to memory of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
PID 5000 wrote to memory of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tzRVJJzEigd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tzRVJJzEigd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp635D.tmp"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe /stext "C:\Users\Admin\AppData\Local\Temp\agzmcpnsxw"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe /stext "C:\Users\Admin\AppData\Local\Temp\cjefcixtlecew"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe /stext "C:\Users\Admin\AppData\Local\Temp\ndkpdainhmujghgt"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | paygateme.net | udp
US | 146.70.57.34:2286 | paygateme.net | tcp
US | 8.8.8.8:53 | 34.57.70.146.in-addr.arpa | udp
US | 146.70.57.34:2286 | paygateme.net | tcp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp
US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 121.136.73.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 130.211.222.173.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp

Files

memory/3632-0-0x0000000000350000-0x0000000000436000-memory.dmp

memory/3632-1-0x00000000750E0000-0x0000000075890000-memory.dmp

memory/3632-2-0x00000000053C0000-0x0000000005964000-memory.dmp

memory/3632-3-0x0000000004EB0000-0x0000000004F42000-memory.dmp

memory/3632-4-0x0000000005030000-0x0000000005040000-memory.dmp

memory/3632-5-0x0000000004E30000-0x0000000004E3A000-memory.dmp

memory/3632-6-0x0000000004F80000-0x0000000004F90000-memory.dmp

memory/3632-7-0x0000000004FA0000-0x0000000004FAC000-memory.dmp

memory/3632-8-0x00000000062F0000-0x00000000063B0000-memory.dmp

memory/3632-9-0x0000000008C00000-0x0000000008C9C000-memory.dmp

memory/5052-14-0x0000000003020000-0x0000000003056000-memory.dmp

memory/5052-15-0x00000000750E0000-0x0000000075890000-memory.dmp

memory/5052-17-0x0000000005AD0000-0x00000000060F8000-memory.dmp

memory/5052-18-0x0000000003010000-0x0000000003020000-memory.dmp

memory/5052-16-0x0000000003010000-0x0000000003020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp635D.tmp

MD5 c567c7dd1a597624134396b135b65f51
SHA1 78e50c84fedeac86247852b6cd008d4c3dc76d87
SHA256 25067e1ee2b6184ab7b4d8c36bf4bd860ea34e51ae3ba6e8c76284b028590837
SHA512 a28d7ee19734f67ae4726e9545aa08ae23da6bf7c1735a2c181b46106294434fc96e3a7c478405b2db9c40d2d4b5f9d6badbf6ea858af8a19b835bc0ac0c9b21

memory/5052-20-0x0000000005920000-0x0000000005942000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f3m5gqjx.caz.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5052-31-0x00000000063D0000-0x0000000006436000-memory.dmp

memory/5000-32-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5052-21-0x00000000061F0000-0x0000000006256000-memory.dmp

memory/5000-33-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5052-34-0x0000000006570000-0x00000000068C4000-memory.dmp

memory/5000-36-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3632-38-0x00000000750E0000-0x0000000075890000-memory.dmp

memory/5000-37-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5052-40-0x00000000068F0000-0x000000000690E000-memory.dmp

memory/5000-41-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5000-43-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5052-42-0x0000000006990000-0x00000000069DC000-memory.dmp

memory/5000-44-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5000-46-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5052-47-0x000000007F420000-0x000000007F430000-memory.dmp

memory/5052-48-0x0000000007AA0000-0x0000000007AD2000-memory.dmp

memory/5052-49-0x0000000075990000-0x00000000759DC000-memory.dmp

memory/5052-60-0x0000000003010000-0x0000000003020000-memory.dmp

memory/5052-59-0x0000000006EC0000-0x0000000006EDE000-memory.dmp

memory/5052-62-0x0000000007AE0000-0x0000000007B83000-memory.dmp

memory/5052-61-0x0000000003010000-0x0000000003020000-memory.dmp

memory/5052-63-0x0000000008260000-0x00000000088DA000-memory.dmp

memory/5052-64-0x0000000007C20000-0x0000000007C3A000-memory.dmp

memory/5052-65-0x0000000007C90000-0x0000000007C9A000-memory.dmp

memory/5052-66-0x0000000007EA0000-0x0000000007F36000-memory.dmp

memory/5052-67-0x0000000007E20000-0x0000000007E31000-memory.dmp

memory/5000-68-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5000-69-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5052-70-0x0000000007E50000-0x0000000007E5E000-memory.dmp

memory/5052-71-0x0000000007E60000-0x0000000007E74000-memory.dmp

memory/5052-72-0x0000000007F60000-0x0000000007F7A000-memory.dmp

memory/5052-73-0x0000000007F40000-0x0000000007F48000-memory.dmp

memory/5000-74-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5000-75-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5052-78-0x00000000750E0000-0x0000000075890000-memory.dmp

memory/5000-80-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2460-83-0x0000000000400000-0x0000000000478000-memory.dmp

memory/432-84-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2460-87-0x0000000000400000-0x0000000000478000-memory.dmp

memory/432-92-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2460-91-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2916-89-0x0000000000400000-0x0000000000424000-memory.dmp

memory/432-88-0x0000000000400000-0x0000000000462000-memory.dmp

memory/432-98-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2916-97-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2916-100-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2916-101-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2460-103-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\agzmcpnsxw

MD5 ec0cf9ff722f9a9259c3338972c40886
SHA1 31bad5285affb58c5ebe0569bbdb9bd1deab245c
SHA256 30190665467845aed54732c31c7e385368c10acb595cffdd7ca9523fff051a19
SHA512 bdfaf9576db431d3c4d14e0ea5deafce661fceda6d5123a6f4b84d50a576dd1ccf4202091dc0b55bed665dd45b4e30d2a797bda6015b06f5771064f9bab32d1a

memory/5000-105-0x0000000010000000-0x0000000010019000-memory.dmp

memory/5000-109-0x0000000010000000-0x0000000010019000-memory.dmp

memory/5000-108-0x0000000010000000-0x0000000010019000-memory.dmp

memory/5000-110-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5000-111-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5000-112-0x0000000010000000-0x0000000010019000-memory.dmp

memory/5000-113-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5000-114-0x0000000000400000-0x0000000000482000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 914941031d78aacb68642c8525691e08
SHA1 867a3a0114180935912f600c65a4f4991399afa4
SHA256 714294417ed1d67d0e8e213f73f4cc1e76868fc078ad2d279acc53ca116c3974
SHA512 fd20c0df49263a3fd754584c288ec2d5a6d33d809a0f3d570b308414b8e3ff324e34f653eb89e792af0d8f08a0f67d35ad2acc9719fcff33671bc1cb4f474b7f

memory/5000-121-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5000-122-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5000-130-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5000-131-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5000-138-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5000-139-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5000-147-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5000-148-0x0000000000400000-0x0000000000482000-memory.dmp