Malware Analysis Report

2024-12-07 22:25

Sample ID 240407-bpjmyagh9x
Target b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
SHA256 b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c
Tags
remcos remotehost collection rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c

Threat Level: Known bad

The file b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe was found to be: Known bad.

Malicious Activity Summary

remcos remotehost collection rat spyware stealer

Remcos

Detects executables packed with SmartAssembly

Detects executables referencing many email and collaboration clients. Observed in information stealers

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

NirSoft MailPassView

NirSoft WebBrowserPassView

Detects executables built or packed with MPress PE compressor

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Nirsoft

Checks computer location settings

Reads user/profile data of web browsers

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 01:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 01:19

Reported

2024-04-07 01:21

Platform

win7-20240221-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe"

Signatures

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2768 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2768 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Windows\SysWOW64\schtasks.exe
PID 2768 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Windows\SysWOW64\schtasks.exe
PID 2768 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Windows\SysWOW64\schtasks.exe
PID 2768 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Windows\SysWOW64\schtasks.exe
PID 2768 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2768 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2768 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2768 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2768 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2768 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2768 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2768 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2768 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2768 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2768 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2768 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2768 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2768 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2768 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2768 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2768 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2768 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2768 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2768 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe

"C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mmznklFQRO.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mmznklFQRO" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB3E4.tmp"

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe

"C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe"

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe

"C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe"

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe

"C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe"

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe

"C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe"

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe

"C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe"

Network

N/A

Files

memory/2768-1-0x0000000074700000-0x0000000074DEE000-memory.dmp

memory/2768-0-0x0000000000190000-0x0000000000276000-memory.dmp

memory/2768-2-0x0000000000840000-0x0000000000880000-memory.dmp

memory/2768-3-0x0000000002160000-0x0000000002170000-memory.dmp

memory/2768-4-0x0000000002180000-0x000000000218C000-memory.dmp

memory/2768-5-0x0000000005CE0000-0x0000000005DA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB3E4.tmp

MD5 6c705e91f16cdb2fd712bf7003abde9f
SHA1 a7ea29c2f30eb234f5c10864ca21899b26c66b96
SHA256 349f09687eceada81757d8025f9c19734c827937c01d53300354f47036b1555b
SHA512 7086ad8f49f82be7dc4702a55a7d4805a8205ead965745e84535db20b400b32220927a2616bc11f53e609d73d0adbd7cc6d9064d5d1cd4f1cef7be8cf7522232

memory/2768-11-0x0000000074700000-0x0000000074DEE000-memory.dmp

memory/2768-14-0x0000000000840000-0x0000000000880000-memory.dmp

memory/2768-16-0x0000000074700000-0x0000000074DEE000-memory.dmp

memory/2448-15-0x000000006EAD0000-0x000000006F07B000-memory.dmp

memory/2448-17-0x0000000002910000-0x0000000002950000-memory.dmp

memory/2448-18-0x0000000002910000-0x0000000002950000-memory.dmp

memory/2448-19-0x000000006EAD0000-0x000000006F07B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 01:19

Reported

2024-04-07 01:21

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe"

Signatures

Remcos

rat remcos

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many email and collaboration clients. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2344 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2344 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2344 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2344 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Windows\SysWOW64\schtasks.exe
PID 2344 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Windows\SysWOW64\schtasks.exe
PID 2344 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Windows\SysWOW64\schtasks.exe
PID 2344 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2344 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2344 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2344 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2344 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2344 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2344 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2344 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2344 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2344 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2344 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2344 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2344 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2344 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2344 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2264 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2264 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2264 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2264 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2264 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2264 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2264 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2264 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2264 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2264 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2264 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2264 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2264 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2264 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe
PID 2264 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe

"C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mmznklFQRO.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mmznklFQRO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8CCF.tmp"

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe

"C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe"

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe

"C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe"

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe /stext "C:\Users\Admin\AppData\Local\Temp\zqfietqgzrlnjbvzzlfomzpjqfiizc"

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe /stext "C:\Users\Admin\AppData\Local\Temp\kkkaxlbzvzdslhrdiwsqpebsztajandrbq"

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe /stext "C:\Users\Admin\AppData\Local\Temp\kkkaxlbzvzdslhrdiwsqpebsztajandrbq"

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe

C:\Users\Admin\AppData\Local\Temp\b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe /stext "C:\Users\Admin\AppData\Local\Temp\mfqtye"
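The Processes lists for behavioral1 (above) and behavioral2 show the same chain: the sample spawns powershell.exe to add a Defender exclusion for the not-yet-dropped C:\Users\Admin\AppData\Roaming\mmznklFQRO.exe, registers a scheduled task from an XML file in %TEMP%, and starts several copies of its own image, which the WriteProcessMemory rows show the parent writing into (PID 2768 into 2504, 2512, 2924, 2972 and 2752 on win7; PID 2344 into 1336 and 2264, then 2264 into 3196, 372, 4912 and 3188 on win10). The /stext switch on the win10 children is the one NirSoft's password-recovery tools take to write their output to a text file, which matches the MailPassView and WebBrowserPassView signatures. The following Python script is an added example, not part of the sandbox report or its tooling: it parses those rows and command lines (copied here as constructed input, with one duplicate row left in) and reconstructs the injection edges and technique tags. The tag names and the assumption that image paths contain no spaces are mine.

```python
"""Added triage helper, not part of the sandbox report: rebuilds the
injection chain from the "Suspicious use of WriteProcessMemory" rows and
tags the command lines that carry the evasion and persistence steps.
Standard library only."""
import re
from collections import defaultdict

# Paths as they appear in the report (both behavioral runs use the same image).
SAMPLE_EXE = "b1f7d2a6fee6eb162c9e154b565ee6fe95c6e03fa15bef35d8c14663b844087c.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE_EXE
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# Constructed input: rows copied from the behavioral2 table above, with a
# duplicate left in to show that repeated rows collapse to one edge.
WRITE_ROWS = [
    f"PID 2344 wrote to memory of 2404 N/A {TMP} {PS}",
    f"PID 2344 wrote to memory of 2404 N/A {TMP} {PS}",
    f"PID 2344 wrote to memory of 2152 N/A {TMP} C:\\Windows\\SysWOW64\\schtasks.exe",
    f"PID 2344 wrote to memory of 1336 N/A {TMP} {TMP}",
    f"PID 2344 wrote to memory of 2264 N/A {TMP} {TMP}",
    f"PID 2264 wrote to memory of 3196 N/A {TMP} {TMP}",
    f"PID 2264 wrote to memory of 372 N/A {TMP} {TMP}",
    f"PID 2264 wrote to memory of 4912 N/A {TMP} {TMP}",
    f"PID 2264 wrote to memory of 3188 N/A {TMP} {TMP}",
]
# Constructed input: command lines copied from the behavioral2 Processes list.
COMMAND_LINES = [
    f'"{TMP}"',
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" Add-MpPreference '
    '-ExclusionPath "C:\\Users\\Admin\\AppData\\Roaming\\mmznklFQRO.exe"',
    '"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\mmznklFQRO" '
    '/XML "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp8CCF.tmp"',
    f'{TMP} /stext "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqfietqgzrlnjbvzzlfomzpjqfiizc"',
    f'{TMP} /stext "C:\\Users\\Admin\\AppData\\Local\\Temp\\mfqtye"',
]

# Assumption: image paths contain no spaces, which holds for every row in this report.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
EXCL_RE = re.compile(r'-ExclusionPath\s+"([^"]+)"', re.IGNORECASE)


def parse_write_rows(rows):
    """Return {writer_pid: {(target_pid, target_image, same_image_as_writer)}}."""
    edges = defaultdict(set)
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            src, dst, src_img, dst_img = m.groups()
            edges[int(src)].add((int(dst), dst_img, src_img.lower() == dst_img.lower()))
    return edges


def hollowed_copies(edges):
    """(writer, target) pairs where a process writes into a fresh copy of its
    own image: the shape of process hollowing."""
    return sorted((src, dst) for src, ts in edges.items() for dst, _, same in ts if same)


def classify_cmdline(cmd):
    """Tag one command line with the technique it carries (tag names are mine)."""
    low, tags = cmd.lower(), set()
    if "add-mppreference" in low and "-exclusionpath" in low:
        tags.add("defender-exclusion")      # carve-out for the path the dropper will use
    if "schtasks" in low and "/create" in low:
        tags.add("scheduled-task")
        if "/xml" in low and "\\temp\\" in low:
            tags.add("task-xml-from-temp")  # task definition staged in %TEMP%
    if "/stext" in low:
        tags.add("nirsoft-stext")           # NirSoft recovery tools: write results to a text file
    return tags


def triage(rows, cmdlines):
    """One summary dict: who injected into whom, which copies are hollowed,
    which techniques the command lines carry, and the Defender exclusion paths."""
    edges = parse_write_rows(rows)
    return {
        "writers": sorted(edges),
        "hollowed": hollowed_copies(edges),
        "tags": sorted({t for c in cmdlines for t in classify_cmdline(c)}),
        "exclusions": [m.group(1) for c in cmdlines for m in [EXCL_RE.search(c)] if m],
    }


if __name__ == "__main__":
    for key, value in triage(WRITE_ROWS, COMMAND_LINES).items():
        print(f"{key}: {value}")
```

Run against the behavioral1 rows the same way and the writer set becomes {2768} with five hollowed children and no /stext tag, which is the difference between the two runs: the win7 detonation never reached the credential-dumping stage.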

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 paygateme.net udp
US 146.70.57.34:2286 paygateme.net tcp
US 8.8.8.8:53 34.57.70.146.in-addr.arpa udp
US 146.70.57.34:2286 paygateme.net tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
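The Network table above mixes three things: reverse-DNS (PTR) lookups that the OS and sandbox generate on their own, the sample's forward lookups of paygateme.net and geoplugin.net, and the two TCP connections those names resolved to: 146.70.57.34:2286 (a non-web port, consistent with the Remcos detection and the "remotehost" tag) and 178.237.33.50:80 (geoplugin.net, a public geolocation service, which fits the "Checks computer location settings" signature). The following Python script is an added example, not part of the sandbox report: it parses the table as copied here, drops the PTR noise, and derives a block list from the remaining connections. The web-port set and the list of geolocation domains are assumptions of the example.

```python
"""Added IOC helper, not part of the sandbox report: parses the Network table,
drops reverse-DNS noise, and separates resolver traffic from the outbound
connections so the indicators worth blocking stand out. Standard library only."""
import re

# Constructed input: the behavioral2 Network table above, copied verbatim.
NETWORK_TABLE = """
Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 paygateme.net udp
US 146.70.57.34:2286 paygateme.net tcp
US 8.8.8.8:53 34.57.70.146.in-addr.arpa udp
US 146.70.57.34:2286 paygateme.net tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d+(?:\.\d+){3}):(?P<port>\d+) (?P<domain>\S+) (?P<proto>tcp|udp)$"
)
WEB_PORTS = {80, 443}                    # assumption: ports a web host is normally reached on
GEOLOCATION_DOMAINS = {"geoplugin.net"}  # assumption: public "where am I" services


def parse_rows(text):
    """Table rows as dicts; the header and anything else that is not a row is skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            r = m.groupdict()
            r["port"] = int(r["port"])
            rows.append(r)
    return rows


def is_ptr(domain):
    """Reverse lookups are OS and sandbox background noise, not sample intent."""
    return domain.lower().endswith(".in-addr.arpa")


def resolved_names(rows):
    """Forward lookups the sample made, PTR noise removed, in first-seen order."""
    seen = {}
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53 and not is_ptr(r["domain"]):
            seen.setdefault(r["domain"])
    return list(seen)


def connections(rows):
    """Unique non-DNS endpoints, each with a verdict."""
    out = {}
    for r in rows:
        if r["port"] == 53:
            continue
        key = (r["ip"], r["port"], r["domain"], r["proto"])
        if key in out:
            continue
        if r["domain"].lower() in GEOLOCATION_DOMAINS:
            out[key] = "geolocation-lookup"  # victim geolocation, not the controller
        elif r["port"] not in WEB_PORTS:
            out[key] = "c2-candidate"        # custom high port to a just-resolved name
        else:
            out[key] = "web"
    return [(*k, v) for k, v in out.items()]


def ioc_summary(text):
    """PTR count dropped, names resolved, connections with verdicts, and the block list."""
    rows = parse_rows(text)
    conns = connections(rows)
    c2 = [c for c in conns if c[4] == "c2-candidate"]
    return {
        "ptr_lookups_dropped": sum(is_ptr(r["domain"]) for r in rows),
        "resolved": resolved_names(rows),
        "connections": conns,
        "block": sorted({f"{ip}:{port}" for ip, port, _, _, _ in c2} | {d for _, _, d, _, _ in c2}),
    }


if __name__ == "__main__":
    for key, value in ioc_summary(NETWORK_TABLE).items():
        print(f"{key}: {value}")
```

Block the domain as well as the ip:port pair: the hard-coded artifact in the sample is the name, and the win7 run (no network) shows that a controller that fails to resolve simply goes quiet, which is exactly why the name, not only the current address, belongs on the list.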

Files

memory/2344-1-0x0000000074EA0000-0x0000000075650000-memory.dmp

memory/2344-0-0x0000000000780000-0x0000000000866000-memory.dmp

memory/2344-2-0x0000000005940000-0x0000000005EE4000-memory.dmp

memory/2344-3-0x0000000005240000-0x00000000052D2000-memory.dmp

memory/2344-4-0x0000000005580000-0x0000000005590000-memory.dmp

memory/2344-5-0x0000000005300000-0x000000000530A000-memory.dmp

memory/2344-6-0x00000000054E0000-0x00000000054F0000-memory.dmp

memory/2344-7-0x0000000005690000-0x000000000569C000-memory.dmp

memory/2344-8-0x0000000006760000-0x0000000006820000-memory.dmp

memory/2344-9-0x000000000A3F0000-0x000000000A48C000-memory.dmp

memory/2404-14-0x00000000026C0000-0x00000000026F6000-memory.dmp

memory/2404-15-0x0000000074EA0000-0x0000000075650000-memory.dmp

memory/2344-17-0x0000000074EA0000-0x0000000075650000-memory.dmp

memory/2404-20-0x0000000004B60000-0x0000000004B70000-memory.dmp

memory/2264-22-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2264-21-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2264-23-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2264-26-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2344-29-0x0000000074EA0000-0x0000000075650000-memory.dmp

memory/2264-30-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2404-28-0x0000000005100000-0x0000000005122000-memory.dmp

memory/2264-37-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2264-38-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2404-43-0x0000000005B20000-0x0000000005B86000-memory.dmp

memory/2264-44-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2404-36-0x0000000005940000-0x00000000059A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5bqfyk0b.k5x.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\tmp8CCF.tmp

MD5 a8c13f3b0891b057b07a872aee2912bb
SHA1 03bbc10839cac8842229be92796ce7594430df59
SHA256 0b999e341a279d23531884b08fa1f2f0112be315f22f2142aef625079603dde6
SHA512 a21777036a2ce5fc40ac12e17bd731bde2cc0e7e741764dbdc840c3cd86fac571789f1d019c8d31a41e7319749a9cbf12219d9bd4af7aa1c019f7aa60fe757c3

C:\Users\Admin\AppData\Local\Temp\zqfietqgzrlnjbvzzlfomzpjqfiizc

MD5 63a3d218b0d233efc9806729feba705a
SHA1 3cda6c59e0b8115d8538c8ff0d94a49294d516ac
SHA256 66ceb453b5931baa8d942d514cc1dcc41a24ab59313c0621daa9920bd0566bfd
SHA512 d0cfb106b57a4e90523c194d073a131bc65461d8e792b0be51aef89aa413dded53c2aba723fc677f68b1211411a0e105b5771cafa045d3e11d54db578577b683

C:\ProgramData\remcos\logs.dat

MD5 7d90dc9c95df0395d3c4e5e79df27ad1
SHA1 40b6b86a6c6aa1c14fbce5f2ae1c1b19da2dbd8d
SHA256 4892b764a09236e56c8628203e4b623f428d164c55f6d2c6fda92e7d5683a45c
SHA512 c6696723060b429292469af31346638b89394b81b9afcf3041d956f081693ebdee5dbc62f113e1c2255f7e03871aafbc198d6606d5b57cac2bcdde57317787c0
