Malware Analysis Report

2024-12-07 22:23

Sample ID 240409-bqgjzahg54
Target 408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
SHA256 408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c
Tags
remcos remotehost collection rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c

Threat Level: Known bad

The file 408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe was found to be: Known bad.

Malicious Activity Summary

remcos remotehost collection rat spyware stealer

Remcos

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Detects executables referencing many email and collaboration clients. Observed in information stealers

Nirsoft

NirSoft WebBrowserPassView

Detects executables packed with SmartAssembly

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

NirSoft MailPassView

Detects executables built or packed with MPress PE compressor

Reads user/profile data of web browsers

Checks computer location settings

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-09 01:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-09 01:20

Reported

2024-04-09 01:23

Platform

win7-20231129-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe"

Signatures

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 952 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 952 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 952 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 952 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 952 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Windows\SysWOW64\schtasks.exe
PID 952 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Windows\SysWOW64\schtasks.exe
PID 952 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Windows\SysWOW64\schtasks.exe
PID 952 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Windows\SysWOW64\schtasks.exe
PID 952 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 952 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 952 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 952 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 952 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 952 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 952 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 952 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 952 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 952 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 952 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 952 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 952 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 952 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 952 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 952 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 952 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 952 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 952 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 952 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe

Processes

C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe

"C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fmduzErmJdOHa.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fmduzErmJdOHa" /XML "C:\Users\Admin\AppData\Local\Temp\tmp427C.tmp"

C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe

"C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe"

C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe

"C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe"

C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe

"C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe"

C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe

"C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe"

C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe

"C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe"

Network

N/A

Files

memory/952-0-0x0000000000320000-0x000000000041C000-memory.dmp

memory/952-1-0x0000000074810000-0x0000000074EFE000-memory.dmp

memory/952-2-0x0000000004E30000-0x0000000004E70000-memory.dmp

memory/952-3-0x0000000000440000-0x000000000045C000-memory.dmp

memory/952-4-0x0000000000420000-0x0000000000428000-memory.dmp

memory/952-5-0x00000000004A0000-0x00000000004AC000-memory.dmp

memory/952-6-0x000000000AB50000-0x000000000AC10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp427C.tmp

MD5 39dd9cba2eb7a1cec1067529acc4d695
SHA1 f42680fa081e54203b2c92814661a974d092e138
SHA256 cc7295940d22e58e83f4a8207e27514b9a9a4e266ecc476026b90d6ff3e522f3
SHA512 80c0561487fa03941005936772f42d5b07fcf023223a47b3728921242aa84d865816819f4c3d5c8457c16bff76a3fdb38503c9b1a748b81addd9a8f0b8895f34

memory/2100-14-0x000000006EBE0000-0x000000006F18B000-memory.dmp

memory/2100-15-0x0000000002A40000-0x0000000002A80000-memory.dmp

memory/2100-16-0x0000000002A40000-0x0000000002A80000-memory.dmp

memory/952-17-0x0000000074810000-0x0000000074EFE000-memory.dmp

memory/2100-18-0x000000006EBE0000-0x000000006F18B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-09 01:20

Reported

2024-04-09 01:23

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe"

Signatures

Remcos

rat remcos

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many email and collaboration clients. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3616 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3616 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3616 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3616 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Windows\SysWOW64\schtasks.exe
PID 3616 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Windows\SysWOW64\schtasks.exe
PID 3616 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Windows\SysWOW64\schtasks.exe
PID 3616 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 3616 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 3616 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 3616 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 3616 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 3616 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 3616 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 3616 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 3616 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 3616 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 3616 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 3616 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 3616 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 3616 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 3616 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 3616 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 3616 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 3616 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 744 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 744 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 744 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 744 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 744 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 744 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 744 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 744 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 744 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 744 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 744 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 744 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 744 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 744 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 744 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 744 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 744 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 744 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 744 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 744 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe
PID 744 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe

Processes

C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe

"C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fmduzErmJdOHa.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fmduzErmJdOHa" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7927.tmp"

C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe

"C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe"

C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe

"C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe"

C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe

"C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe"

C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe

C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe /stext "C:\Users\Admin\AppData\Local\Temp\hzzsanekhrlvbiyc"

C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe

C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe /stext "C:\Users\Admin\AppData\Local\Temp\jtnkbfomvzdidomoaga"

C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe

C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe /stext "C:\Users\Admin\AppData\Local\Temp\jtnkbfomvzdidomoaga"

C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe

C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe /stext "C:\Users\Admin\AppData\Local\Temp\jtnkbfomvzdidomoaga"

C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe

C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe /stext "C:\Users\Admin\AppData\Local\Temp\uvsvtyzfjhvnnuisrqmvpg"

C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe

C:\Users\Admin\AppData\Local\Temp\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe /stext "C:\Users\Admin\AppData\Local\Temp\uvsvtyzfjhvnnuisrqmvpg"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2960 -ip 2960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 12
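
The process list above is the pattern an endpoint detection should key on: the sample relaunches its own image several times (the "Suspicious use of SetThreadContext" and "UnmapMainImage" signatures in the summary point at process hollowing), the relaunched copies are then run with NirSoft's `/stext <file>` switch, which saves recovered browser and mail passwords to an extension-less file under %TEMP%, and one of those copies crashes into WerFault. The Python below is an added example, not code from this report or from any sandbox: it replays constructed process-creation events shaped like this tree through a small detector. The image paths and command lines are copied from the Processes section, the PIDs reuse the numbers that appear in the memory-dump names and the WerFault line, but the parent/child links are an assumption (the report does not state them), and the notepad event is a benign control.

```python
import re

# Constructed process-creation events in the shape of Sysmon Event ID 1
# records. Image paths and command lines follow this report's Processes
# section; parent/child links are assumptions made for the example.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\408f6df5140e6b71b4fc5add7ae8d69f89d5aebb184081de8076e7c1972fe55c.exe")
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

def stext(name):
    """NirSoft-style invocation: <sample> /stext "<%TEMP%>\\<name>"."""
    return SAMPLE + ' /stext "' + TEMP + "\\" + name + '"'

EVENTS = [
    {"pid": 3616, "ppid": 1000, "image": SAMPLE, "cmd": '"' + SAMPLE + '"'},
    {"pid": 5032, "ppid": 3616, "image": SAMPLE, "cmd": '"' + SAMPLE + '"'},
    {"pid": 744,  "ppid": 5032, "image": SAMPLE, "cmd": '"' + SAMPLE + '"'},
    {"pid": 4296, "ppid": 744,  "image": SAMPLE, "cmd": stext("hzzsanekhrlvbiyc")},
    {"pid": 4308, "ppid": 744,  "image": SAMPLE, "cmd": stext("jtnkbfomvzdidomoaga")},
    {"pid": 2960, "ppid": 744,  "image": SAMPLE, "cmd": stext("uvsvtyzfjhvnnuisrqmvpg")},
    {"pid": 6100, "ppid": 2960, "image": WERFAULT, "cmd": WERFAULT + " -u -p 2960 -s 12"},
    # benign control: an ordinary program that does not relaunch itself
    {"pid": 7000, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe",
     "cmd": "notepad.exe"},
]

STEXT_RE = re.compile(r'/stext\s+"?([^"]+?)"?\s*$', re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
WERFAULT_PID_RE = re.compile(r"(?:^|\s)-p\s+(\d+)")

def detect(events):
    """Flag the relaunch-and-harvest pattern seen in this report."""
    by_pid = {e["pid"]: e for e in events}
    self_spawn, dumps, crashed = [], {}, set()
    for e in events:
        parent = by_pid.get(e["ppid"])
        # 1. Child runs the same image as its parent: the sample relaunching
        #    itself to host an injected payload.
        if parent and parent["image"].lower() == e["image"].lower():
            self_spawn.append(e["pid"])
        # 2. NirSoft's /stext switch writing an extension-less file in %TEMP%:
        #    recovered credentials staged for the RAT to read back.
        m = STEXT_RE.search(e["cmd"])
        if m:
            out = m.group(1)
            leaf = out.rsplit("\\", 1)[-1]
            if TEMP_DIR_RE.search(out) and "." not in leaf:
                dumps[e["pid"]] = out
        # 3. WerFault reporting a crash: record the PID so crashes of flagged
        #    processes can be tied back (the third /stext copy crashed here).
        if e["image"].lower().endswith("\\werfault.exe"):
            m = WERFAULT_PID_RE.search(e["cmd"])
            if m:
                crashed.add(int(m.group(1)))
    suspicious = set(self_spawn) | set(dumps)
    if len(self_spawn) >= 2 and dumps:
        verdict = "remcos-style credential harvest"
    elif suspicious:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "self_spawn_pids": self_spawn,
        "stext_dumps": dumps,
        "crashed_suspicious_pids": sorted(crashed & suspicious),
        "verdict": verdict,
    }

if __name__ == "__main__":
    for key, value in detect(EVENTS).items():
        print(key, value)
```

The three checks are deliberately independent: a single self-relaunch happens in legitimate updaters, and `/stext` alone is how an administrator runs the NirSoft tools by hand, so the verdict only escalates when a chain of relaunches is combined with a credential dump into %TEMP%.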

Network

Country  Destination         Domain                        Proto
US       8.8.8.8:53          104.219.191.52.in-addr.arpa   udp
US       8.8.8.8:53          240.197.17.2.in-addr.arpa     udp
US       8.8.8.8:53          72.32.126.40.in-addr.arpa     udp
US       8.8.8.8:53          149.220.183.52.in-addr.arpa   udp
US       8.8.8.8:53          paygateme.net                 udp
US       146.70.57.34:2286   paygateme.net                 tcp
US       8.8.8.8:53          34.57.70.146.in-addr.arpa     udp
US       146.70.57.34:2286   paygateme.net                 tcp
US       8.8.8.8:53          geoplugin.net                 udp
NL       178.237.33.50:80    geoplugin.net                 tcp
US       8.8.8.8:53          50.33.237.178.in-addr.arpa    udp
US       8.8.8.8:53          159.113.53.23.in-addr.arpa    udp
US       8.8.8.8:53          157.123.68.40.in-addr.arpa    udp
US       8.8.8.8:53          56.126.166.20.in-addr.arpa    udp
US       8.8.8.8:53          24.139.73.23.in-addr.arpa     udp
US       8.8.8.8:53          0.205.248.87.in-addr.arpa     udp
US       8.8.8.8:53          249.197.17.2.in-addr.arpa     udp
US       8.8.8.8:53          48.229.111.52.in-addr.arpa    udp
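
Most rows in the table are reverse (in-addr.arpa) lookups, and only two of them correspond to hosts the sample actually connected to: 34.57.70.146.in-addr.arpa is 146.70.57.34, the paygateme.net peer on TCP 2286, and 50.33.237.178.in-addr.arpa is 178.237.33.50, the geoplugin.net host. The rest are background noise from the analysis host. The Python below is an added example and not part of this report: it parses constructed flow records shaped like the table, turns each PTR name back into an address, correlates it with the TCP peers, and pulls out the connection to a non-standard port as the command-and-control candidate. Treating the geoplugin.net query as a corroborating signal relies on Remcos's documented habit of fetching the victim's geolocation from that service; that weighting, and the short "common ports" list, are assumptions of the example.

```python
import ipaddress
from collections import Counter

# Constructed flow records in the shape of the Network table above:
# (country, "ip:port", domain, proto). The rows are the report's own entries,
# embedded here so the example runs offline.
FLOWS = [
    ("US", "8.8.8.8:53", "104.219.191.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "paygateme.net", "udp"),
    ("US", "146.70.57.34:2286", "paygateme.net", "tcp"),
    ("US", "8.8.8.8:53", "34.57.70.146.in-addr.arpa", "udp"),
    ("US", "146.70.57.34:2286", "paygateme.net", "tcp"),
    ("US", "8.8.8.8:53", "geoplugin.net", "udp"),
    ("NL", "178.237.33.50:80", "geoplugin.net", "tcp"),
    ("US", "8.8.8.8:53", "50.33.237.178.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "159.113.53.23.in-addr.arpa", "udp"),
]

# Assumptions of this example: Remcos is documented to query geoplugin.net for
# the victim's location after connecting, and 80/443 are treated as "common".
GEOLOCATION_DOMAINS = {"geoplugin.net"}
COMMON_PORTS = {80, 443}

def ptr_to_ip(name):
    """'34.57.70.146.in-addr.arpa' -> '146.70.57.34'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None

def correlate(flows):
    """Tie reverse lookups back to the TCP peers and pull out C2 candidates."""
    tcp_peers = {}           # ip -> {(port, domain)}
    conn_counts = Counter()  # (ip, port) -> number of connections
    ptr_ips = set()
    geo_lookup = False
    for _country, dest, domain, proto in flows:
        ip, port = dest.rsplit(":", 1)
        port = int(port)
        if proto == "tcp":
            tcp_peers.setdefault(ip, set()).add((port, domain))
            conn_counts[(ip, port)] += 1
        if domain.lower() in GEOLOCATION_DOMAINS:
            geo_lookup = True
        rev = ptr_to_ip(domain)
        if rev:
            ptr_ips.add(rev)
    # A PTR query for an address we also connected to is the host resolving
    # its peer; a PTR with no matching connection is background noise.
    matched = sorted(ip for ip in ptr_ips if ip in tcp_peers)
    unmatched = sorted(ptr_ips - set(tcp_peers))
    c2_candidates = sorted(
        (ip, port, domain)
        for ip, peers in tcp_peers.items()
        for port, domain in peers
        if port not in COMMON_PORTS
    )
    return {
        "c2_candidates": c2_candidates,
        "connection_counts": dict(conn_counts),
        "ptr_matched_peers": matched,
        "unmatched_ptr_ips": unmatched,
        "geolocation_check": geo_lookup,
    }

if __name__ == "__main__":
    for key, value in correlate(FLOWS).items():
        print(key, value)
```

The two connections to 146.70.57.34:2286 show up as a count of 2, which is the reconnect behaviour to watch for when the first session is cut; blocking only the domain is not enough, since the address is already resolved and cached by the time the second session opens.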

Files

memory/3616-0-0x0000000000C20000-0x0000000000D1C000-memory.dmp

memory/3616-1-0x0000000074BD0000-0x0000000075380000-memory.dmp

memory/3616-2-0x0000000005C80000-0x0000000006224000-memory.dmp

memory/3616-3-0x0000000005770000-0x0000000005802000-memory.dmp

memory/3616-4-0x0000000005990000-0x00000000059A0000-memory.dmp

memory/3616-6-0x0000000005A40000-0x0000000005ADC000-memory.dmp

memory/3616-5-0x0000000005720000-0x000000000572A000-memory.dmp

memory/3616-7-0x0000000005740000-0x000000000575C000-memory.dmp

memory/3616-8-0x0000000005760000-0x0000000005768000-memory.dmp

memory/3616-9-0x0000000005120000-0x000000000512C000-memory.dmp

memory/3616-10-0x0000000006710000-0x00000000067D0000-memory.dmp

memory/5032-16-0x0000000074BD0000-0x0000000075380000-memory.dmp

memory/5032-15-0x0000000004C80000-0x0000000004CB6000-memory.dmp

memory/5032-18-0x00000000028B0000-0x00000000028C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7927.tmp

MD5 ff29b58dc4c0e72e4dae2ba191a01d3a
SHA1 629148c53d77e98c54d0d2dcf5025c02bd308c78
SHA256 015db16eac5d728c3c860d46da2b9b1e9dfa8440ba4ea0e0c2a4e0d7a9c02fa0
SHA512 adf0da02a70c7803fa2caeb0f649caf1986b6cdc85542eb350235d719237eb63238822bdf5b333256fd0f1af80a4641a21dc0bea8fb3cbf7c10956267babd9f1

memory/3616-19-0x0000000074BD0000-0x0000000075380000-memory.dmp

memory/5032-21-0x00000000028B0000-0x00000000028C0000-memory.dmp

memory/5032-20-0x00000000052F0000-0x0000000005918000-memory.dmp

memory/744-22-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5032-23-0x0000000005150000-0x0000000005172000-memory.dmp

memory/744-24-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5032-33-0x0000000005CC0000-0x0000000005D26000-memory.dmp

memory/5032-32-0x0000000005B50000-0x0000000005BB6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q0shwy5q.b0y.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/744-26-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3616-41-0x0000000074BD0000-0x0000000075380000-memory.dmp

memory/744-39-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5032-43-0x0000000005D30000-0x0000000006084000-memory.dmp

memory/744-44-0x0000000000400000-0x0000000000482000-memory.dmp

memory/744-45-0x0000000000400000-0x0000000000482000-memory.dmp

memory/744-42-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5032-46-0x00000000060F0000-0x000000000610E000-memory.dmp

memory/5032-47-0x0000000006250000-0x000000000629C000-memory.dmp

memory/744-49-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5032-50-0x000000007F9D0000-0x000000007F9E0000-memory.dmp

memory/5032-51-0x00000000067E0000-0x0000000006812000-memory.dmp

memory/5032-52-0x0000000072250000-0x000000007229C000-memory.dmp

memory/5032-63-0x00000000067A0000-0x00000000067BE000-memory.dmp

memory/5032-62-0x00000000028B0000-0x00000000028C0000-memory.dmp

memory/5032-64-0x00000000071E0000-0x0000000007283000-memory.dmp

memory/5032-65-0x0000000007B70000-0x00000000081EA000-memory.dmp

memory/5032-66-0x0000000007530000-0x000000000754A000-memory.dmp

memory/5032-67-0x00000000075A0000-0x00000000075AA000-memory.dmp

memory/5032-68-0x00000000077B0000-0x0000000007846000-memory.dmp

memory/5032-69-0x0000000007730000-0x0000000007741000-memory.dmp

memory/5032-70-0x0000000007760000-0x000000000776E000-memory.dmp

memory/5032-71-0x0000000007770000-0x0000000007784000-memory.dmp

memory/5032-72-0x0000000007870000-0x000000000788A000-memory.dmp

memory/5032-73-0x0000000007850000-0x0000000007858000-memory.dmp

memory/744-74-0x0000000000400000-0x0000000000482000-memory.dmp

memory/744-75-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5032-78-0x0000000074BD0000-0x0000000075380000-memory.dmp

memory/744-79-0x0000000000400000-0x0000000000482000-memory.dmp

memory/744-80-0x0000000000400000-0x0000000000482000-memory.dmp

memory/744-82-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4296-84-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4296-88-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4308-86-0x0000000000400000-0x0000000000462000-memory.dmp

memory/4308-89-0x0000000000400000-0x0000000000462000-memory.dmp

memory/4296-92-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2960-91-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4308-97-0x0000000000400000-0x0000000000462000-memory.dmp

memory/4308-98-0x0000000000400000-0x0000000000462000-memory.dmp

memory/4296-100-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hzzsanekhrlvbiyc

MD5 f941b9bd168d89f2e86359d2f26d9dfd
SHA1 5974ff71bf85a7a297bc8b0dc86351099d711b8f
SHA256 d0704de64af994f35974f05a3e5698e51ef2c7a31b766a86d810e210a4ceb839
SHA512 ffa54ce016718e0693b0d05b3271a970beb44ae1681213e59cc9c8c98dca7b3755f57d5bb8b3e554d597de8c2775c5bc11d9f31bf3c8ee50785a4d8dd62f3164

memory/2960-103-0x0000000000380000-0x0000000000380000-memory.dmp

memory/744-104-0x0000000010000000-0x0000000010019000-memory.dmp

memory/744-108-0x0000000010000000-0x0000000010019000-memory.dmp

memory/744-107-0x0000000010000000-0x0000000010019000-memory.dmp

memory/744-109-0x0000000010000000-0x0000000010019000-memory.dmp

memory/744-111-0x0000000010000000-0x0000000010019000-memory.dmp

memory/744-110-0x0000000000400000-0x0000000000482000-memory.dmp

memory/744-113-0x0000000000400000-0x0000000000482000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 93da2049e4d110992b37848b69a1a93f
SHA1 3424899de529674d60d69eab7fb27d798df685b4
SHA256 f6e512291a487310b73d0f260f139df4f05a63ab29534d150e5edb6b1f202664
SHA512 46021fad1f3f46b9906c7be4c242a94685c797a4895e67cc15d161d8eeafdba95ea3b126b0a14bd5cc0427bd474bd839f31dadeaedafa36297e97908f4d563a3

memory/744-117-0x0000000000400000-0x0000000000482000-memory.dmp

memory/744-118-0x0000000000400000-0x0000000000482000-memory.dmp

memory/744-126-0x0000000000400000-0x0000000000482000-memory.dmp

memory/744-127-0x0000000000400000-0x0000000000482000-memory.dmp

memory/744-134-0x0000000000400000-0x0000000000482000-memory.dmp

memory/744-143-0x0000000000400000-0x0000000000482000-memory.dmp
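
Two things in the Files section deserve a second look before the memory dumps are carved. `C:\ProgramData\remcos\logs.dat` matches the default location Remcos writes its keystroke and activity log to, and the extension-less `hzzsanekhrlvbiyc` in %TEMP% is the output file named on the first `/stext` command line. Among the dumps, process 744 has its 0x400000-0x482000 region captured over and over, which is where a hollowed 32-bit process would hold the payload written into the original image base. The Python below is an added example and not code from this report: it parses the `memory/<pid>-<seq>-<start>-<end>-memory.dmp` naming convention over a constructed subset of the entries above, sizes and groups the regions per process, and ranks the candidates to unpack first. Using the 32-bit default image base 0x400000 as the tell is a heuristic adopted for the example.

```python
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
# Default image base of a 32-bit PE. A hollowed copy of the sample has its
# payload written here, so repeated dumps of this region are carved first.
# Treating 0x400000 as the tell is a heuristic assumed for this example.
PE_IMAGE_BASE = 0x400000

# Constructed subset of the Files section above (names copied from the report).
ENTRIES = [
    "memory/3616-0-0x0000000000C20000-0x0000000000D1C000-memory.dmp",
    "memory/3616-1-0x0000000074BD0000-0x0000000075380000-memory.dmp",
    "memory/744-22-0x0000000000400000-0x0000000000482000-memory.dmp",
    "memory/744-24-0x0000000000400000-0x0000000000482000-memory.dmp",
    "memory/744-104-0x0000000010000000-0x0000000010019000-memory.dmp",
    "memory/4296-84-0x0000000000400000-0x0000000000478000-memory.dmp",
    "memory/4308-86-0x0000000000400000-0x0000000000462000-memory.dmp",
    "memory/2960-91-0x0000000000400000-0x0000000000424000-memory.dmp",
    "memory/2960-103-0x0000000000380000-0x0000000000380000-memory.dmp",
    "C:\\ProgramData\\remcos\\logs.dat",
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\hzzsanekhrlvbiyc",
]

def parse_dump(name):
    """Split a sandbox dump name into pid, sequence and address range; None otherwise."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}

def summarize(entries):
    """Group dumps per process and rank likely payload regions."""
    regions = defaultdict(dict)  # pid -> {(start, end): dump_count}
    dropped = []
    for name in entries:
        d = parse_dump(name)
        if d is None:
            dropped.append(name)   # a dropped file, not a memory dump
            continue
        if d["size"] <= 0:
            continue               # empty range, e.g. the 0x380000-0x380000 entry
        key = (d["start"], d["end"])
        regions[d["pid"]][key] = regions[d["pid"]].get(key, 0) + 1
    candidates = []
    for pid, regs in regions.items():
        for (start, end), count in regs.items():
            if start == PE_IMAGE_BASE:
                candidates.append({"pid": pid, "size": end - start, "dumps": count})
    # most frequently re-dumped region first, then by pid for a stable order
    candidates.sort(key=lambda c: (-c["dumps"], c["pid"]))
    return {
        "regions_per_pid": {pid: len(r) for pid, r in regions.items()},
        "payload_candidates": candidates,
        "dropped_files": dropped,
    }

if __name__ == "__main__":
    for key, value in summarize(ENTRIES).items():
        print(key, value)
```

The ranking puts process 744 first (0x82000 bytes at the image base, dumped twice in the subset), with the three `/stext` children behind it; their image-base regions are smaller and differ in size from one another, consistent with each hosting a different NirSoft tool rather than another copy of the RAT.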