Malware Analysis Report

2024-12-07 22:41

Sample ID 240723-hyetnstcne
Target doc_00394039424.exe
SHA256 f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054
Tags
remcos 2404 collection execution persistence rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054

Threat Level: Known bad

The file doc_00394039424.exe was found to be: Known bad.

Malicious Activity Summary

remcos 2404 collection execution persistence rat spyware stealer

Remcos

NirSoft WebBrowserPassView

Detected Nirsoft tools

NirSoft MailPassView

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-23 07:08

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-23 07:08

Reported

2024-07-23 07:09

Platform

win10v2004-20240709-en

Max time kernel

57s

Max time network

50s

Command Line

"C:\Users\Admin\AppData\Local\Temp\doc_00394039424.exe"

Signatures

Remcos

rat remcos

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\doc_00394039424.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\doc_00394039424.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\doc_00394039424.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\doc_00394039424.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\doc_00394039424.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\doc_00394039424.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 3236 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\doc_00394039424.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3236 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\doc_00394039424.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3236 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\doc_00394039424.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 3236 wrote to memory of 32 N/A C:\Users\Admin\AppData\Local\Temp\doc_00394039424.exe C:\Users\Admin\AppData\Local\Temp\doc_00394039424.exe 12
PID 32 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\doc_00394039424.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe 3
PID 1948 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 1948 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 1948 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 1948 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe 12
PID 1824 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe 4
PID 1824 wrote to memory of 320 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe 4
PID 1824 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe 3
PID 1824 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe 4
PID 1824 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe 4

Processes

C:\Users\Admin\AppData\Local\Temp\doc_00394039424.exe

"C:\Users\Admin\AppData\Local\Temp\doc_00394039424.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\doc_00394039424.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AZjibU.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZjibU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC4D6.tmp"

C:\Users\Admin\AppData\Local\Temp\doc_00394039424.exe

"C:\Users\Admin\AppData\Local\Temp\doc_00394039424.exe"

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AZjibU.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZjibU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFE94.tmp"

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\sbeeutuxpkbbgljmjdlxohmevj"

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\dwjwvleqdstgrrfytoxyruhnwxmqt"

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\dwjwvleqdstgrrfytoxyruhnwxmqt"

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\nqopvdpsralltxtckykaczbefedruxhqk"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 107.173.4.16:2404 tcp
US 8.8.8.8:53 16.4.173.107.in-addr.arpa udp
US 107.173.4.16:2404 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

MD5 e34683e560b0c2a5cddcffe98956ea62
SHA1 89a3dc3e4b06a8c4bd94bffc48adac82e620d910
SHA256 f377f9ebb865d686833a830718e6d4eb3898a20e87b0b89e26436c10496c5054
SHA512 4bf4a8fef3b740ba3e6a04bedaaa90970a60b72fc950d53de6e2bf597d89d5d399f9258f9f8088f0ea6304bfa219c5537271c9df59c463893d9589370a27ebff

C:\Users\Admin\AppData\Local\Temp\tmpC4D6.tmp

MD5 166923428686b614a2fc9030a06e9da4
SHA1 ee3993fdffe5d11f0ac7a3422ef3fedd28a03ee6
SHA256 c2491db4cdb9e806c60ee47a115fb15c444513480d6fc866412652f7f88bb89f
SHA512 25397ba66054ff5d6ad1615feb0a58c2807d87f250474f11b744da824f665f96b47dfbbb1509e5685a1c24a15de5e8e6643d29caf6473906f0e8f5bca8fcc2fc

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_muo1wn41.qyp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ab63e7116c4ed149d6ee04238fa31964
SHA1 a67369f5f7622c48d97528ca478756d2172e8b6f
SHA256 19fd08b9dff9e4e654c13c693d8257dbe1cd595fa49801e74dc7dec14cb8ccd6
SHA512 c3678334adcb0fa5357fed0522f81c714dff74f05b5963b524037980616f52b8027f2675bc0012f371602117bf64e67ab93b4ee9bae11d0b56b684534edace32

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ed4bd0d8aa160368486a32d54be957f0
SHA1 7786b8dddade7ce53296e55c7a25c64b0c6605d8
SHA256 a18ff4a181d1dfe57a596510c8b1bf3c411c5c0f7102de3b98ab3d2f73fc16c3
SHA512 81be809f46084cb1d1c7888f0b1992a79a4ae078fae0343f1a0add597ba0ff3577aaefe399f24b17900f34e3be6540566d2513675f39a4bf6629b81c1b5b2973

C:\Users\Admin\AppData\Local\Temp\sbeeutuxpkbbgljmjdlxohmevj

MD5 1d22632ab7786a15873206bd9aeaaf47
SHA1 f982816e813cfdd43ad3339fa6ca7bf2425651e7
SHA256 c26d371c3209dea4e8cb298ab279746f0209643a1ef95ff627e2cfe193be838b
SHA512 456ee2bf5faefb56b5c9864ecb340293412c0ab50d47ff8ead5b0db88f3e61e74278a46063d4b816e1143020344add8bfd8f6baac142d984693e0d7be72e4ae0
