Analysis Overview
SHA256
b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da
Threat Level: Known bad
The file Payment Invoice.exe was found to be: Known bad.
Malicious Activity Summary
Remcos
Checks computer location settings
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-11 07:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-11 07:18
Reported
2024-04-11 07:20
Platform
win7-20240221-en
Max time kernel
153s
Max time network
167s
Command Line
Signatures
Remcos
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2244 set thread context of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe | C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HFqduGIsFotY.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HFqduGIsFotY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA8BD.tmp"
C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bignight.net | udp |
| US | 146.70.57.34:3363 | bignight.net | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
Files
memory/2244-1-0x00000000747A0000-0x0000000074E8E000-memory.dmp
memory/2244-0-0x0000000001070000-0x000000000115A000-memory.dmp
memory/2244-2-0x0000000000D80000-0x0000000000DC0000-memory.dmp
memory/2244-3-0x0000000000820000-0x0000000000838000-memory.dmp
memory/2244-4-0x0000000000800000-0x0000000000808000-memory.dmp
memory/2244-5-0x0000000000850000-0x000000000085C000-memory.dmp
memory/2244-6-0x0000000005BE0000-0x0000000005CA0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpA8BD.tmp
| MD5 | 6d346c0718007e5f75cfe3a6f5f9242e |
| SHA1 | dc250231e6871c410919a1c3026a5cd3f8dcfb23 |
| SHA256 | cd80f6c7787f5abbcf702c28706328b0a96fec8f2986293f3d288f4292a26fad |
| SHA512 | 9101aad66fb3009547353a7d8d602ca8a0e8a56b7ab960791152071bc2fe84d6ef2ae7310ec521fb55e05071f19cf177f8410b301fba2d8f5b0afd2f37051ad0 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AL500X42SL2V262XP3TH.temp
| MD5 | bfba2c49dbd50ad686105d08e50fb0f5 |
| SHA1 | 36c9e72d750fa3f3da730daaec2ce13a7bc8a0eb |
| SHA256 | 358a47d83aff1461dc2a66d820e2bd9b2465bc2b309309d11bafe138a7a07001 |
| SHA512 | fc75c739d668ea33e29859964c73c1d24d004e2df44397fe114a6c6b3c1c527352f241bd8b72b40087765ac24667ca1cec81a5fab2f6d1a49c99d8bdf9073f71 |
memory/2836-19-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-21-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-23-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-24-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-25-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-26-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-27-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-28-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2836-31-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-33-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2244-34-0x00000000747A0000-0x0000000074E8E000-memory.dmp
memory/2836-35-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-37-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2532-39-0x000000006F700000-0x000000006FCAB000-memory.dmp
memory/2836-38-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2464-40-0x000000006F700000-0x000000006FCAB000-memory.dmp
memory/2532-41-0x0000000002770000-0x00000000027B0000-memory.dmp
memory/2464-42-0x0000000002540000-0x0000000002580000-memory.dmp
memory/2532-43-0x000000006F700000-0x000000006FCAB000-memory.dmp
memory/2464-44-0x000000006F700000-0x000000006FCAB000-memory.dmp
memory/2836-45-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2532-46-0x0000000002770000-0x00000000027B0000-memory.dmp
memory/2836-47-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2464-49-0x000000006F700000-0x000000006FCAB000-memory.dmp
memory/2532-48-0x000000006F700000-0x000000006FCAB000-memory.dmp
memory/2836-50-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-51-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-52-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-54-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-55-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-56-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-58-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-59-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-60-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-61-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-62-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-63-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-77-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-78-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-97-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2836-98-0x0000000000400000-0x0000000000482000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | f929b1b386e2634f5c3fb5e71729ff91 |
| SHA1 | 351b9e86b966097bc4e7756422291ad258e1f4e3 |
| SHA256 | f64611daf3a98268bbde707ddbb5d30e8890e0a6f182a96191893558844a8866 |
| SHA512 | 38aa8ce999e1ac1c9514b7401b75e8d6a99a2cfc6a872a93ed481cc2f9a8762eb71999b75a59ab6648485b4f810eb68335950664b9e56593b7b7814bba83aabd |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-11 07:18
Reported
2024-04-11 07:20
Platform
win10v2004-20240319-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
Remcos
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1504 set thread context of 3212 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe | C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HFqduGIsFotY.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HFqduGIsFotY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAD66.tmp"
C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"
C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1328 --field-trial-handle=2260,i,11662483365823245381,11064702639240765741,262144 --variations-seed-version /prefetch:8
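The process lists of behavioral1 and behavioral2 show the same loader chain: the dropper runs powershell.exe twice to add Defender exclusions (for itself and for the future copy under AppData\Roaming), imports a scheduled task named Updates\HFqduGIsFotY from a temp XML file, and finally spawns a second copy of its own image and sets that child's thread context (PID 2244 -> 2836 in behavioral1, 1504 -> 3212 in behavioral2). The following detection logic is an added example, not part of the sandbox report or its vendor's tooling. The process events are constructed from the command lines listed above; only PIDs 2244 and 2836 come from the report's SetThreadContext signature, and the remaining PIDs, the parent links and the field names (pid, ppid, image, cmdline) are assumptions for the example.

```python
import re

# Constructed process-creation events modelled on the behavioral1 process list
# (the same chain runs in behavioral2 with PIDs 1504 -> 3212). PIDs 2244 and
# 2836 come from the SetThreadContext signature; the other PIDs, the parent
# links and the field names are assumptions made for this example.
PROCESS_EVENTS = [
    {"pid": 2244, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"'},
    {"pid": 2464, "ppid": 2244,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"'},
    {"pid": 2532, "ppid": 2244,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HFqduGIsFotY.exe"'},
    {"pid": 2600, "ppid": 2244,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HFqduGIsFotY" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpA8BD.tmp"'},
    {"pid": 2836, "ppid": 2244,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"'},
]
# "PID 2244 set thread context of 2836" from the Signatures section, as (source, target).
THREAD_CONTEXT_EVENTS = [(2244, 2836)]

_ARG = r'(?:"([^"]+)"|(\S+))'          # a quoted (may contain spaces) or bare argument
EXCLUSION_RE = re.compile(r"-ExclusionPath\s+" + _ARG, re.I)
TASK_NAME_RE = re.compile(r"/TN\s+" + _ARG, re.I)
TASK_XML_RE = re.compile(r"/XML\s+" + _ARG, re.I)


def _arg(pattern, cmdline):
    m = pattern.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_defender_exclusions(events):
    """powershell.exe running Add-MpPreference -ExclusionPath (T1562.001)."""
    hits = []
    for e in events:
        if _basename(e["image"]) == "powershell.exe" and "add-mppreference" in e["cmdline"].lower():
            path = _arg(EXCLUSION_RE, e["cmdline"])
            if path:
                hits.append((e["pid"], path))
    return hits


def find_scheduled_tasks(events):
    """schtasks.exe /Create importing a task definition from %TEMP% (T1053.005)."""
    hits = []
    for e in events:
        if _basename(e["image"]) == "schtasks.exe" and "/create" in e["cmdline"].lower():
            name, xml = _arg(TASK_NAME_RE, e["cmdline"]), _arg(TASK_XML_RE, e["cmdline"])
            if name and xml and "\\appdata\\local\\temp\\" in xml.lower():
                hits.append((e["pid"], name, xml))
    return hits


def find_self_hollowing(events, ctx_events):
    """A process that spawns its own image, then sets the child's thread context (T1055.012)."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for src, dst in ctx_events:
        s, d = by_pid.get(src), by_pid.get(dst)
        if s and d and d["ppid"] == src and s["image"].lower() == d["image"].lower():
            hits.append((src, dst, s["image"]))
    return hits


def analyze(events, ctx_events):
    findings = []
    exclusions = find_defender_exclusions(events)
    tasks = find_scheduled_tasks(events)
    for pid, path in exclusions:
        findings.append(("T1562.001", f"pid {pid}: Defender exclusion for {path}"))
    for pid, name, xml in tasks:
        findings.append(("T1053.005", f"pid {pid}: task {name} imported from {xml}"))
    for src, dst, image in find_self_hollowing(events, ctx_events):
        findings.append(("T1055.012", f"pid {src} set thread context of its own child {dst} ({image})"))
    # Heuristic link: the task XML is not on the page, so tie an excluded file to a
    # task whose leaf name equals the file stem (HFqduGIsFotY.exe <-> Updates\HFqduGIsFotY).
    leaves = {name.rsplit("\\", 1)[-1].lower(): name for _, name, _ in tasks}
    linked = []
    for _, path in exclusions:
        stem = _basename(path).rsplit(".", 1)[0]
        if stem in leaves:
            linked.append((path, leaves[stem]))
    return {"findings": findings, "linked_payloads": linked}


if __name__ == "__main__":
    for technique, detail in analyze(PROCESS_EVENTS, THREAD_CONTEXT_EVENTS)["findings"]:
        print(technique, detail)
```

Each rule fires on its own, but the correlation is what matters for triage: an exclusion added for a file that does not exist yet, whose name matches a task imported from a temp XML, is the persistence payload even though the report never shows HFqduGIsFotY.exe being written during the detonation window.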
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | bignight.net | udp |
| US | 146.70.57.34:3363 | bignight.net | tcp |
| US | 8.8.8.8:53 | 34.57.70.146.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| GB | 13.105.221.15:443 | | tcp |
| GB | 13.105.221.15:443 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
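The behavioral2 Network table mixes the two connections that matter (bignight.net on 146.70.57.34:3363, the C2, and geoplugin.net on 178.237.33.50:80, the geolocation check Remcos makes after start-up) with Edge and Bing background traffic, reverse (PTR) lookups the sandbox issues for every peer, and two connections with no domain at all; behavioral1 shows the same two malicious connections without the noise. The triage below is an added example, not part of the report: it parses a constructed subset of the rows above as they appear on the page (including the rows whose empty Domain cell shifted the protocol one column left), repairs that shift, folds PTR lookups back onto the peers they belong to, and separates C2 candidates from noise. The benign-suffix allowlist is an assumption for the example.

```python
import re

# Constructed subset of the behavioral2 Network table rows, copied as they
# appear on the page (two rows have an empty Domain cell, with the protocol
# shifted one column left). The allowlist below is an assumption.
NETWORK_ROWS = """
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | bignight.net | udp |
| US | 146.70.57.34:3363 | bignight.net | tcp |
| US | 8.8.8.8:53 | 34.57.70.146.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| GB | 13.105.221.15:443 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
""".strip().splitlines()

RESOLVER = "8.8.8.8"
# Assumed allowlist: Edge/Bing background traffic seen in clean detonations.
BENIGN_SUFFIXES = ("bing.com", "bing.net")
# Remcos queries geoplugin.net to geolocate the victim; it is a tell, not the C2.
GEO_CHECK_HOSTS = ("geoplugin.net",)
PTR_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$")


def parse_row(line):
    """One '| Country | ip:port | Domain | Proto |' row -> dict, or None if malformed."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4:
        return None
    country, dest, domain, proto = cells
    if not proto and domain.lower() in ("tcp", "udp"):  # repair the shifted row
        domain, proto = "", domain
    ip, _, port = dest.rpartition(":")
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain.lower(), "proto": proto.lower()}


def ptr_to_ip(name):
    """'34.57.70.146.in-addr.arpa' -> '146.70.57.34'; None for a forward lookup."""
    m = PTR_RE.fullmatch(name)
    return ".".join(reversed(m.groups())) if m else None


def triage(rows):
    parsed = [r for r in map(parse_row, rows) if r]
    contacted = {r["ip"] for r in parsed if r["ip"] != RESOLVER}
    out = {"c2": [], "geo_check": [], "unattributed": [], "ptr_of_contacted": [], "noise": []}
    for r in parsed:
        d = r["domain"]
        if r["ip"] == RESOLVER and r["port"] == 53:
            ip = ptr_to_ip(d)
            if ip in contacted:
                out["ptr_of_contacted"].append(ip)   # sandbox reverse-resolved a peer
            elif ip or d.endswith(BENIGN_SUFFIXES):
                out["noise"].append(d)
            continue  # forward lookups are judged by the connection that follows them
        if d.endswith(GEO_CHECK_HOSTS):
            out["geo_check"].append((d, r["ip"], r["port"]))
        elif d.endswith(BENIGN_SUFFIXES):
            out["noise"].append(d)
        elif not d:
            out["unattributed"].append((r["ip"], r["port"]))   # no name: review by hand
        else:
            out["c2"].append((d, r["ip"], r["port"]))
    return out


def nonstandard_ports(result):
    """C2 candidates on ports other than 80/443; block these at the perimeter first."""
    return [c for c in result["c2"] if c[2] not in (80, 443)]


if __name__ == "__main__":
    for key, items in triage(NETWORK_ROWS).items():
        print(key, items)
```

The PTR lookups for 146.70.57.34 and 178.237.33.50 are not malware activity: they are the sandbox naming the peers it saw, which is why folding them back onto contacted addresses rather than treating them as new indicators keeps the IOC list to the domain, the address and the port that the sample actually used.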
Files
memory/1504-0-0x0000000074E80000-0x0000000075630000-memory.dmp
memory/1504-1-0x0000000000850000-0x000000000093A000-memory.dmp
memory/1504-2-0x0000000005820000-0x0000000005DC4000-memory.dmp
memory/1504-3-0x0000000005320000-0x00000000053B2000-memory.dmp
memory/1504-4-0x0000000005310000-0x0000000005320000-memory.dmp
memory/1504-5-0x00000000053F0000-0x00000000053FA000-memory.dmp
memory/1504-6-0x0000000005800000-0x0000000005818000-memory.dmp
memory/1504-7-0x00000000056C0000-0x00000000056C8000-memory.dmp
memory/1504-8-0x0000000004CC0000-0x0000000004CCC000-memory.dmp
memory/1504-9-0x0000000006750000-0x0000000006810000-memory.dmp
memory/1504-10-0x0000000007050000-0x00000000070EC000-memory.dmp
memory/2592-15-0x0000000002660000-0x0000000002696000-memory.dmp
memory/2592-16-0x0000000074E80000-0x0000000075630000-memory.dmp
memory/2592-18-0x00000000053B0000-0x00000000059D8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpAD66.tmp
| MD5 | 5e938be1bd5e559c039129dc238b6b35 |
| SHA1 | 145b5bbc769c648dbb4d6b6b64362283e7112514 |
| SHA256 | 266b53775f176f8637fc6bfbb12b07f30acf1203f6ef9fc20f1607160e06fc8f |
| SHA512 | cb1db4f8eb1aebddacaac7ab26d4af7781950c74303125ed20d3ebb71119253e0bcaee625208e061379a5142d42ed7da089be0a671be6312247842449d2be27e |
memory/3004-21-0x0000000004DF0000-0x0000000004E00000-memory.dmp
memory/2592-19-0x0000000004D70000-0x0000000004D80000-memory.dmp
memory/2592-17-0x0000000004D70000-0x0000000004D80000-memory.dmp
memory/3212-23-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3004-22-0x0000000074E80000-0x0000000075630000-memory.dmp
memory/3212-24-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1504-27-0x0000000074E80000-0x0000000075630000-memory.dmp
memory/3212-26-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3212-31-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3004-37-0x0000000005BA0000-0x0000000005C06000-memory.dmp
memory/3212-42-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3212-43-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2592-44-0x0000000005B10000-0x0000000005E64000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fp5vqkrc.4jj.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3004-32-0x0000000005B30000-0x0000000005B96000-memory.dmp
memory/3212-54-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2592-28-0x0000000004FD0000-0x0000000004FF2000-memory.dmp
memory/3004-55-0x0000000006240000-0x000000000625E000-memory.dmp
memory/3004-56-0x0000000006580000-0x00000000065CC000-memory.dmp
memory/3212-57-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3212-58-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3212-59-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3004-60-0x0000000004DF0000-0x0000000004E00000-memory.dmp
memory/2592-61-0x0000000004D70000-0x0000000004D80000-memory.dmp
memory/3212-64-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3004-67-0x0000000071130000-0x000000007117C000-memory.dmp
memory/3212-68-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3004-80-0x00000000067F0000-0x000000000680E000-memory.dmp
memory/2592-78-0x0000000071130000-0x000000007117C000-memory.dmp
memory/3004-90-0x0000000007430000-0x00000000074D3000-memory.dmp
memory/3004-69-0x000000007F240000-0x000000007F250000-memory.dmp
memory/2592-66-0x00000000065A0000-0x00000000065D2000-memory.dmp
memory/2592-65-0x000000007F5D0000-0x000000007F5E0000-memory.dmp
memory/2592-91-0x0000000007900000-0x0000000007F7A000-memory.dmp
memory/2592-92-0x00000000072C0000-0x00000000072DA000-memory.dmp
memory/3004-93-0x00000000075C0000-0x00000000075CA000-memory.dmp
memory/3004-96-0x00000000077D0000-0x0000000007866000-memory.dmp
memory/2592-97-0x00000000074C0000-0x00000000074D1000-memory.dmp
memory/2592-99-0x00000000074F0000-0x00000000074FE000-memory.dmp
memory/3004-100-0x0000000007790000-0x00000000077A4000-memory.dmp
memory/3212-101-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3212-102-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3004-103-0x0000000007890000-0x00000000078AA000-memory.dmp
memory/3004-104-0x0000000007870000-0x0000000007878000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 21691b46ec7280ab878c8a462eb56662 |
| SHA1 | fab9858e3323b0d868d78ee3eea6cb5f0b733edc |
| SHA256 | 5751a0cd193b831630a7c7a68be525518628e4358a4f190f8903b118fb45f6bf |
| SHA512 | ed86ff9b84269b75388941e803f741ca70e9272c85314593c87720c2e7f4fcf782e3bafe261db1d06e093bacff142f7226934dc24a2455587aa369b2269f7dcd |
memory/3004-110-0x0000000074E80000-0x0000000075630000-memory.dmp
memory/2592-111-0x0000000074E80000-0x0000000075630000-memory.dmp
memory/3212-114-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3212-115-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3212-118-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3212-119-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3212-123-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3212-124-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3212-126-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3212-125-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3212-127-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3212-128-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3212-138-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3212-139-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3212-140-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3212-141-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3212-143-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3212-144-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3212-151-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3212-152-0x0000000000400000-0x0000000000482000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | f1eea92b9c6392e39bdd2e8e5e9d1216 |
| SHA1 | e153ad0d3f9365a9c5e3c8439044d3c7b492704c |
| SHA256 | 602200ce7b992cdb538593335deb53c2eca1f9550c913d79daaeec4c216b3a59 |
| SHA512 | c43829d28008a9eaed2759edbf6e90b846aedc0d88b72cd9e80dc0dfe808c5fc365b0a008540629debd51b4f20898d13c70a408960496e1153f101fcbd818854 |