Malware Analysis Report

2024-12-07 22:31

Sample ID: 240411-h4x77see26
Target: Payment Invoice.exe
SHA256: b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da
Tags: remcos remotehost rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da

Threat Level: Known bad

The file Payment Invoice.exe was found to be: Known bad.

Malicious Activity Summary

remcos remotehost rat

Remcos

Checks computer location settings

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-11 07:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-11 07:18
Reported: 2024-04-11 07:20
Platform: win7-20240221-en
Max time kernel: 153s
Max time network: 167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"

Signatures

Remcos

rat remcos

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2244 set thread context of 2836 N/A C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2244 wrote to memory of 2532 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 2464 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 2564 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe C:\Windows\SysWOW64\schtasks.exe
PID 2244 wrote to memory of 2836 (13 events) N/A C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe

"C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HFqduGIsFotY.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HFqduGIsFotY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA8BD.tmp"

C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe

"C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 bignight.net udp
US 146.70.57.34:3363 bignight.net tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmpA8BD.tmp

MD5 6d346c0718007e5f75cfe3a6f5f9242e
SHA1 dc250231e6871c410919a1c3026a5cd3f8dcfb23
SHA256 cd80f6c7787f5abbcf702c28706328b0a96fec8f2986293f3d288f4292a26fad
SHA512 9101aad66fb3009547353a7d8d602ca8a0e8a56b7ab960791152071bc2fe84d6ef2ae7310ec521fb55e05071f19cf177f8410b301fba2d8f5b0afd2f37051ad0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AL500X42SL2V262XP3TH.temp

MD5 bfba2c49dbd50ad686105d08e50fb0f5
SHA1 36c9e72d750fa3f3da730daaec2ce13a7bc8a0eb
SHA256 358a47d83aff1461dc2a66d820e2bd9b2465bc2b309309d11bafe138a7a07001
SHA512 fc75c739d668ea33e29859964c73c1d24d004e2df44397fe114a6c6b3c1c527352f241bd8b72b40087765ac24667ca1cec81a5fab2f6d1a49c99d8bdf9073f71

C:\ProgramData\remcos\logs.dat

MD5 f929b1b386e2634f5c3fb5e71729ff91
SHA1 351b9e86b966097bc4e7756422291ad258e1f4e3
SHA256 f64611daf3a98268bbde707ddbb5d30e8890e0a6f182a96191893558844a8866
SHA512 38aa8ce999e1ac1c9514b7401b75e8d6a99a2cfc6a872a93ed481cc2f9a8762eb71999b75a59ab6648485b4f810eb68335950664b9e56593b7b7814bba83aabd

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-11 07:18
Reported: 2024-04-11 07:20
Platform: win10v2004-20240319-en
Max time kernel: 150s
Max time network: 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"

Signatures

Remcos

rat remcos

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1504 set thread context of 3212 N/A C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1504 wrote to memory of 2592 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1504 wrote to memory of 3004 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1504 wrote to memory of 2740 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe C:\Windows\SysWOW64\schtasks.exe
PID 1504 wrote to memory of 4820 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe
PID 1504 wrote to memory of 3212 (12 events) N/A C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe

"C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HFqduGIsFotY.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HFqduGIsFotY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAD66.tmp"

C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe

"C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"

C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe

"C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1328 --field-trial-handle=2260,i,11662483365823245381,11064702639240765741,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 bignight.net udp
US 146.70.57.34:3363 bignight.net tcp
US 8.8.8.8:53 34.57.70.146.in-addr.arpa udp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
GB 13.105.221.15:443 tcp
GB 13.105.221.15:443 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tmpAD66.tmp

MD5 5e938be1bd5e559c039129dc238b6b35
SHA1 145b5bbc769c648dbb4d6b6b64362283e7112514
SHA256 266b53775f176f8637fc6bfbb12b07f30acf1203f6ef9fc20f1607160e06fc8f
SHA512 cb1db4f8eb1aebddacaac7ab26d4af7781950c74303125ed20d3ebb71119253e0bcaee625208e061379a5142d42ed7da089be0a671be6312247842449d2be27e

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fp5vqkrc.4jj.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 21691b46ec7280ab878c8a462eb56662
SHA1 fab9858e3323b0d868d78ee3eea6cb5f0b733edc
SHA256 5751a0cd193b831630a7c7a68be525518628e4358a4f190f8903b118fb45f6bf
SHA512 ed86ff9b84269b75388941e803f741ca70e9272c85314593c87720c2e7f4fcf782e3bafe261db1d06e093bacff142f7226934dc24a2455587aa369b2269f7dcd

C:\ProgramData\remcos\logs.dat

MD5 f1eea92b9c6392e39bdd2e8e5e9d1216
SHA1 e153ad0d3f9365a9c5e3c8439044d3c7b492704c
SHA256 602200ce7b992cdb538593335deb53c2eca1f9550c913d79daaeec4c216b3a59
SHA512 c43829d28008a9eaed2759edbf6e90b846aedc0d88b72cd9e80dc0dfe808c5fc365b0a008540629debd51b4f20898d13c70a408960496e1153f101fcbd818854