Malware Analysis Report

2024-12-07 22:34

Sample ID 240417-p2pllsfg93
Target 236bc65986ff48de23f84a3e09aa61e36de2c952b11ff51e0264496f024c6574
SHA256 236bc65986ff48de23f84a3e09aa61e36de2c952b11ff51e0264496f024c6574
Tags: remcos remotehost collection rat spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 236bc65986ff48de23f84a3e09aa61e36de2c952b11ff51e0264496f024c6574
Threat Level: Known bad

The file 236bc65986ff48de23f84a3e09aa61e36de2c952b11ff51e0264496f024c6574 was found to be: Known bad. Note that the sandbox detonated it under the file name da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe; that name is a different hex string from this sample's SHA256 and the report does not reconcile the two, so pivot on the SHA256 above rather than on the file name when hunting.

Malicious Activity Summary

Tags: remcos remotehost collection rat spyware stealer

Remcos
NirSoft WebBrowserPassView
Nirsoft
NirSoft MailPassView
Checks computer location settings
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-17 12:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-17 12:49
Reported: 2024-04-17 12:52
Platform: win7-20240215-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe"

Signatures

Remcos

rat remcos

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1664 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1664 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1664 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1664 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1664 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Windows\SysWOW64\schtasks.exe
PID 1664 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Windows\SysWOW64\schtasks.exe
PID 1664 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Windows\SysWOW64\schtasks.exe
PID 1664 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Windows\SysWOW64\schtasks.exe
PID 1664 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 1664 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 1664 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 1664 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 1664 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 1664 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 1664 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 1664 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 1664 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 1664 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 1664 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 1664 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 1664 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2432 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2432 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2432 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2432 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2432 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2432 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2432 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2432 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2432 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2432 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2432 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2432 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2432 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2432 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2432 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2432 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2432 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2432 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2432 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe

Processes

C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe

"C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kdkZYZHUWsaYyc.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kdkZYZHUWsaYyc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp498E.tmp"

C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe

"C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe"

C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe

C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe /stext "C:\Users\Admin\AppData\Local\Temp\efym"

C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe

C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe /stext "C:\Users\Admin\AppData\Local\Temp\efym"

C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe

C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe /stext "C:\Users\Admin\AppData\Local\Temp\oheepbh"

C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe

C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe /stext "C:\Users\Admin\AppData\Local\Temp\zcjxptsyni"

Network

Country Destination Domain Proto
US 8.8.8.8:53 paygateme.net udp
US 146.70.57.34:2286 paygateme.net tcp
US 146.70.57.34:2286 paygateme.net tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp

Files

memory/1664-0-0x00000000002C0000-0x00000000003A6000-memory.dmp

memory/1664-1-0x00000000746D0000-0x0000000074DBE000-memory.dmp

memory/1664-2-0x0000000004640000-0x0000000004680000-memory.dmp

memory/1664-3-0x00000000005B0000-0x00000000005C0000-memory.dmp

memory/1664-4-0x0000000000610000-0x000000000061C000-memory.dmp

memory/1664-5-0x0000000007C50000-0x0000000007D10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp498E.tmp

MD5 77ffbc96b103cd338a11b5aeaac5988f
SHA1 2b254c8b68cb5454d4e0eab48711c882f51b9dec
SHA256 7def1b06e6cac7d66a83fde2aa0a56de1be638ed4c544a7bf87a2b285934ede4
SHA512 f30ac719796d463f2d61a838e8d7d79890dc8ae31de587a4a40d4287846d04578502bcf31476adbf8e1aba19405b83006d5580fe9156eabc6d2f835b27726b8d

memory/2432-13-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2432-14-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2432-15-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2432-17-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2432-19-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2432-21-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2432-23-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2432-25-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2432-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2432-29-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2432-31-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2636-36-0x00000000028A0000-0x00000000028E0000-memory.dmp

memory/2636-34-0x000000006EAA0000-0x000000006F04B000-memory.dmp

memory/2636-38-0x000000006EAA0000-0x000000006F04B000-memory.dmp

memory/2432-37-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1664-33-0x00000000746D0000-0x0000000074DBE000-memory.dmp

memory/2432-40-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2432-42-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2636-41-0x00000000028A0000-0x00000000028E0000-memory.dmp

memory/2636-39-0x00000000028A0000-0x00000000028E0000-memory.dmp

memory/2432-32-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2432-44-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2636-45-0x000000006EAA0000-0x000000006F04B000-memory.dmp

memory/2432-46-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2432-47-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2432-48-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2432-49-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2432-51-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1564-55-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1564-59-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1496-60-0x0000000000400000-0x0000000000462000-memory.dmp

memory/1564-62-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1496-66-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2168-67-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1496-69-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2168-71-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2168-73-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2168-72-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2168-74-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1564-79-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\efym

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/1496-82-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2432-83-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2432-86-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2432-87-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2432-88-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2432-90-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2432-91-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2432-92-0x0000000000400000-0x0000000000482000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 4c723a10ec88627ebb86bd71e02a352c
SHA1 b5b9b8aec3acf151d223af9c75509dd60f6a5381
SHA256 ca44b4c09c34dd90f08e0a879b5e9f0d73a815f5147e3ccc110b96ea961ee860
SHA512 b715a9252d1ced6418c9a1725fc63203e62f801c12c5d2c47e5eeed2c836e9346bbfd0f41767e8cd133d6193dd8a1c166def6cc217fe63c43ae81c592a3fce8d

memory/2432-97-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2432-100-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2432-109-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2432-110-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2432-117-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2432-118-0x0000000000400000-0x0000000000482000-memory.dmp
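The Files sections of both behavioral runs list memory dumps named memory/<pid>-<seq>-<start>-<end>-memory.dmp, many of them repeats of the same region. The following Python is an added example, not part of the sandbox report, that parses those names, groups them by process and region, and picks one dump per region so an analyst knows which files to pull for unpacking. It also compares the size of the region dumped at 0x400000 in each process: the report shows the injected copy (PID 2432) and its three children holding regions of different sizes at the same base, which is the first hint that different payloads were mapped into copies of the same executable. The names embedded below are copied from the behavioral1 list above; the "most recently written dump" choice in pick_dumps is this example's own convention.

```python
"""
Added example (not part of the sandbox report): parse the memory-dump file
names from the Files sections and group them by process and region.
Dump names below are copied from the behavioral1 Files list.
"""
import re
from collections import defaultdict

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

DUMPS = """\
memory/1664-0-0x00000000002C0000-0x00000000003A6000-memory.dmp
memory/1664-1-0x00000000746D0000-0x0000000074DBE000-memory.dmp
memory/2432-13-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2432-14-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2432-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2636-34-0x000000006EAA0000-0x000000006F04B000-memory.dmp
memory/1564-55-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1496-60-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2168-67-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2432-83-0x0000000010000000-0x0000000010019000-memory.dmp
memory/2432-90-0x0000000000400000-0x0000000000482000-memory.dmp
""".split()


def parse_dump(name):
    """Split one dump name into pid, sequence number, start and end address."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name}")
    pid, seq, start, end = m.groups()
    return {"pid": int(pid), "seq": int(seq),
            "start": int(start, 16), "end": int(end, 16)}


def regions_by_pid(names):
    """{pid: {(start, size): [seq, ...]}} - repeats of a region share one key."""
    out = defaultdict(lambda: defaultdict(list))
    for name in names:
        d = parse_dump(name)
        out[d["pid"]][(d["start"], d["end"] - d["start"])].append(d["seq"])
    return out


def image_at_base(names, base=0x400000):
    """Size of the region dumped at a fixed base, per PID.  Different sizes at
    the same base in copies of one executable mean different mapped payloads."""
    sizes = {}
    for pid, regions in regions_by_pid(names).items():
        for start, size in regions:
            if start == base:
                sizes[pid] = size
    return sizes


def pick_dumps(names):
    """One file per (pid, region): the dump with the highest sequence number,
    i.e. the copy the sandbox wrote last (this example's own convention)."""
    picks = []
    for pid, regions in regions_by_pid(names).items():
        for (start, size), seqs in regions.items():
            picks.append(f"memory/{pid}-{max(seqs)}-0x{start:016X}"
                         f"-0x{start + size:016X}-memory.dmp")
    return sorted(picks)


if __name__ == "__main__":
    for pid, size in sorted(image_at_base(DUMPS).items()):
        print(f"pid {pid}: image at 0x400000 is 0x{size:X} bytes")
    print("\n".join(pick_dumps(DUMPS)))
```

With the full behavioral1 list fed in, the same grouping collapses the dozens of 2432 entries at 0x400000-0x482000 into a single region, leaving the 0x10000000 region in 2432 and the three differently sized child images as the separate artefacts worth a closer look.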

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-17 12:49
Reported: 2024-04-17 12:52
Platform: win10v2004-20240412-en
Max time kernel: 150s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe"

Signatures

Remcos

rat remcos

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4408 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4408 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4408 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4408 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Windows\SysWOW64\schtasks.exe
PID 4408 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Windows\SysWOW64\schtasks.exe
PID 4408 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Windows\SysWOW64\schtasks.exe
PID 4408 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 4408 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 4408 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 4408 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 4408 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 4408 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 4408 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 4408 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 4408 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 4408 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 4408 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 4408 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2472 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2472 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2472 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2472 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2472 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2472 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2472 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2472 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2472 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2472 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2472 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2472 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2472 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2472 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2472 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2472 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2472 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2472 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2472 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2472 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe
PID 2472 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe

Processes

C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe

"C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kdkZYZHUWsaYyc.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kdkZYZHUWsaYyc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6E5A.tmp"

C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe

"C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe"

C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe

C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe /stext "C:\Users\Admin\AppData\Local\Temp\plzqbrtmmylmhjxsaomw"

C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe

C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe /stext "C:\Users\Admin\AppData\Local\Temp\plzqbrtmmylmhjxsaomw"

C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe

C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe /stext "C:\Users\Admin\AppData\Local\Temp\rnmjcjefagdykptwjzhpcinu"

C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe

C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe /stext "C:\Users\Admin\AppData\Local\Temp\bhrudcohoovduvhitktrfnzddeh"

C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe

C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe /stext "C:\Users\Admin\AppData\Local\Temp\bhrudcohoovduvhitktrfnzddeh"

C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe

C:\Users\Admin\AppData\Local\Temp\da86da7fc086aa8262222feed9f4cd4df4c4538e77d90a7c160b1c794f298b92.exe /stext "C:\Users\Admin\AppData\Local\Temp\bhrudcohoovduvhitktrfnzddeh"

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 paygateme.net udp
US 146.70.57.34:2286 paygateme.net tcp
US 8.8.8.8:53 34.57.70.146.in-addr.arpa udp
US 146.70.57.34:2286 paygateme.net tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 146.70.57.34:2286 paygateme.net tcp
US 146.70.57.34:2286 paygateme.net tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

memory/4408-1-0x0000000074920000-0x00000000750D0000-memory.dmp

memory/4408-0-0x0000000000BE0000-0x0000000000CC6000-memory.dmp

memory/4408-2-0x0000000005D10000-0x00000000062B4000-memory.dmp

memory/4408-3-0x0000000005760000-0x00000000057F2000-memory.dmp

memory/4408-4-0x0000000005740000-0x0000000005750000-memory.dmp

memory/4408-5-0x00000000056C0000-0x00000000056CA000-memory.dmp

memory/4408-6-0x0000000005950000-0x0000000005960000-memory.dmp

memory/4408-7-0x0000000005D00000-0x0000000005D0C000-memory.dmp

memory/4408-8-0x00000000080F0000-0x00000000081B0000-memory.dmp

memory/4408-9-0x000000000A880000-0x000000000A91C000-memory.dmp

memory/4148-14-0x0000000002DA0000-0x0000000002DD6000-memory.dmp

memory/4148-16-0x0000000074920000-0x00000000750D0000-memory.dmp

memory/4148-17-0x0000000005850000-0x0000000005E78000-memory.dmp

memory/4148-21-0x0000000002E70000-0x0000000002E80000-memory.dmp

memory/2472-22-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4408-28-0x0000000074920000-0x00000000750D0000-memory.dmp

memory/4148-30-0x0000000005FF0000-0x0000000006056000-memory.dmp

memory/4148-32-0x00000000060D0000-0x0000000006136000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rnvbl3ox.a3f.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2472-39-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2472-33-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4148-44-0x0000000006240000-0x0000000006594000-memory.dmp

memory/2472-46-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2472-31-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2472-27-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4148-26-0x00000000056F0000-0x0000000005712000-memory.dmp

memory/4408-23-0x0000000074920000-0x00000000750D0000-memory.dmp

memory/4148-47-0x00000000066B0000-0x00000000066CE000-memory.dmp

memory/4148-48-0x00000000066F0000-0x000000000673C000-memory.dmp

memory/2472-20-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4148-18-0x0000000002E70000-0x0000000002E80000-memory.dmp

memory/2472-19-0x0000000000400000-0x0000000000482000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp6E5A.tmp

MD5 fe73cb2a3b7e28d32be0e84c62372896
SHA1 c3585ffceedcbdd529d5d48ff2e2023a163222f3
SHA256 e49ffad6f9472cd5334515b90ee00666c97d1c21cdafb5d76ddc37a5376434ff
SHA512 d32fa44708a893bab07be6dd175704c749e8f66675b6717b5b0ace4e7ecfa253200db55c58efb13ab05f6325e3f1750154f2844e5ca780b3c873e284047c8ba7

memory/4148-49-0x000000007F900000-0x000000007F910000-memory.dmp

memory/4148-50-0x0000000007880000-0x00000000078B2000-memory.dmp

memory/4148-63-0x0000000002E70000-0x0000000002E80000-memory.dmp

memory/4148-64-0x00000000078C0000-0x0000000007963000-memory.dmp

memory/4148-62-0x0000000002E70000-0x0000000002E80000-memory.dmp

memory/4148-61-0x0000000006CA0000-0x0000000006CBE000-memory.dmp

memory/4148-51-0x0000000070D20000-0x0000000070D6C000-memory.dmp

memory/4148-65-0x0000000008040000-0x00000000086BA000-memory.dmp

memory/4148-66-0x00000000079F0000-0x0000000007A0A000-memory.dmp

memory/4148-67-0x0000000007A60000-0x0000000007A6A000-memory.dmp

memory/4148-68-0x0000000007C70000-0x0000000007D06000-memory.dmp

memory/4148-69-0x0000000007BF0000-0x0000000007C01000-memory.dmp

memory/4148-70-0x0000000007C20000-0x0000000007C2E000-memory.dmp

memory/4148-71-0x0000000007C30000-0x0000000007C44000-memory.dmp

memory/4148-72-0x0000000007D30000-0x0000000007D4A000-memory.dmp

memory/4148-73-0x0000000007D10000-0x0000000007D18000-memory.dmp

memory/4148-76-0x0000000074920000-0x00000000750D0000-memory.dmp

memory/2472-78-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2472-77-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2472-80-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2472-79-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2472-82-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2472-85-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2472-86-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2472-87-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2472-88-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2472-91-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2472-90-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1232-92-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1232-96-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1232-100-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4316-106-0x0000000000400000-0x0000000000462000-memory.dmp

memory/4380-99-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4380-107-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4316-97-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2472-109-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4380-112-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4316-111-0x0000000000400000-0x0000000000462000-memory.dmp

memory/4380-110-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4380-108-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4316-93-0x0000000000400000-0x0000000000462000-memory.dmp

memory/1232-114-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2472-116-0x0000000010000000-0x0000000010019000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\plzqbrtmmylmhjxsaomw

MD5 1b569d3543316abb59c472fde02e3317
SHA1 c4ea1f4ae0d1247036816d574f6240a952812720
SHA256 ede1b7223b5618dbe5982916444e09ac23db2cea8d7245359bf6bcbe33b34568
SHA512 1276a4bd1720630c67ba3ba6993dfbc13191bcd6d53f1ba417deb895476276fe6f6c163b1ab22e7ac86178412b4dce870f3eeb3cd267af8afbaed60fd9355136

memory/2472-120-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2472-122-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2472-121-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2472-119-0x0000000010000000-0x0000000010019000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 8f52a632c1bbf4910675e05259b5e8a1
SHA1 6d63b205df94f161f51fcd6a6509d94f3925b71a
SHA256 ac9c5dc504248e026d0ee7bc98a61a4d98146e0640156bdd092aeffa38569085
SHA512 11b1ad773cd1ae2c785ed73100d2c7ab0da1d9eba250c9d3058518ef3082ecc790cec41d604714d0f14a7986c25ce32f020f9baad1b7441a4c241e3fe2cdcfe5

memory/2472-129-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2472-130-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2472-138-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2472-139-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2472-146-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2472-147-0x0000000000400000-0x0000000000482000-memory.dmp