Malware Analysis Report

2024-12-07 22:17

Sample ID: 240809-qnxkqsvdpf
Target: dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4
SHA256: dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4
Tags: remcos remotehost collection credential_access discovery execution rat spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4

Threat Level: Known bad

The file dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4 was found to be: Known bad.

Malicious Activity Summary

remcos remotehost collection credential_access discovery execution rat spyware stealer

Remcos

NirSoft MailPassView

NirSoft WebBrowserPassView

Credentials from Password Stores: Credentials from Web Browsers

Detected Nirsoft tools

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Reads user/profile data of web browsers

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-09 13:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-09 13:25
Reported: 2024-08-09 13:27
Platform: win10v2004-20240802-en
Max time kernel: 147s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe"

Signatures

Remcos

rat remcos

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Detected Nirsoft tools

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

NirSoft MailPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

NirSoft WebBrowserPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Command and Scripting Interpreter: PowerShell

execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1484 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1484 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1484 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1484 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 1484 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 1484 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 1484 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 1484 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 1484 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 1484 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 1484 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 1484 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 1484 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 1484 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 1484 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 1620 wrote to memory of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 1620 wrote to memory of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 1620 wrote to memory of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 1620 wrote to memory of 3300 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 1620 wrote to memory of 3300 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 1620 wrote to memory of 3300 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 1620 wrote to memory of 3300 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 1620 wrote to memory of 3892 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 1620 wrote to memory of 3892 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 1620 wrote to memory of 3892 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 1620 wrote to memory of 3892 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 1620 wrote to memory of 4008 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 1620 wrote to memory of 4008 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 1620 wrote to memory of 4008 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 1620 wrote to memory of 4008 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe

"C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe"

C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe

"C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe"

C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe

C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe /stext "C:\Users\Admin\AppData\Local\Temp\bmtqpmwohkyjeiamgdhndonvlb"

C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe

C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe /stext "C:\Users\Admin\AppData\Local\Temp\bmtqpmwohkyjeiamgdhndonvlb"

C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe

C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe /stext "C:\Users\Admin\AppData\Local\Temp\dpzbqfgpvsqwgwwqxocpfbhemqayf"

C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe

C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe /stext "C:\Users\Admin\AppData\Local\Temp\ojetrxrjjaibqckugyoqqgcvvwkzyfdu"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 212.162.149.80:2404 | | tcp
US | 8.8.8.8:53 | 80.149.162.212.in-addr.arpa | udp
US | 212.162.149.80:2404 | | tcp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp
US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp

Files

memory/1484-0-0x0000000074BCE000-0x0000000074BCF000-memory.dmp

memory/1484-1-0x0000000000380000-0x000000000047E000-memory.dmp

memory/1484-2-0x0000000005420000-0x00000000059C4000-memory.dmp

memory/1484-3-0x0000000004E70000-0x0000000004F02000-memory.dmp

memory/1484-4-0x0000000074BC0000-0x0000000075370000-memory.dmp

memory/1484-5-0x0000000004E50000-0x0000000004E5A000-memory.dmp

memory/1484-6-0x0000000005110000-0x00000000051AC000-memory.dmp

memory/1484-7-0x0000000006640000-0x000000000665A000-memory.dmp

memory/1484-8-0x00000000060E0000-0x00000000060EE000-memory.dmp

memory/1484-9-0x00000000060F0000-0x0000000006106000-memory.dmp

memory/1484-10-0x0000000008A90000-0x0000000008B50000-memory.dmp

memory/1620-12-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1620-13-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1620-11-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1620-18-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1620-20-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1620-19-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1620-15-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1160-23-0x0000000074BCE000-0x0000000074BCF000-memory.dmp

memory/1484-22-0x0000000074BC0000-0x0000000075370000-memory.dmp

memory/1160-25-0x0000000074BC0000-0x0000000075370000-memory.dmp

memory/1160-24-0x0000000005670000-0x0000000005C98000-memory.dmp

memory/1160-21-0x00000000029E0000-0x0000000002A16000-memory.dmp

memory/1160-27-0x00000000053D0000-0x0000000005436000-memory.dmp

memory/1160-28-0x0000000005570000-0x00000000055D6000-memory.dmp

memory/1160-29-0x0000000074BC0000-0x0000000075370000-memory.dmp

memory/1160-26-0x0000000005230000-0x0000000005252000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h1ic0eml.fue.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1160-39-0x0000000005DA0000-0x00000000060F4000-memory.dmp

memory/1620-41-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1620-40-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1620-42-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1620-43-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1160-44-0x00000000062E0000-0x00000000062FE000-memory.dmp

memory/1160-45-0x0000000006380000-0x00000000063CC000-memory.dmp

memory/1620-47-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1160-48-0x00000000068F0000-0x0000000006922000-memory.dmp

memory/1160-49-0x00000000713B0000-0x00000000713FC000-memory.dmp

memory/1160-59-0x0000000006880000-0x000000000689E000-memory.dmp

memory/1160-60-0x0000000007540000-0x00000000075E3000-memory.dmp

memory/1160-61-0x0000000007C70000-0x00000000082EA000-memory.dmp

memory/1160-62-0x0000000007610000-0x000000000762A000-memory.dmp

memory/1160-63-0x0000000007680000-0x000000000768A000-memory.dmp

memory/3300-64-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3892-67-0x0000000000400000-0x0000000000462000-memory.dmp

memory/4008-72-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4008-71-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4008-70-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3300-69-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3892-68-0x0000000000400000-0x0000000000462000-memory.dmp

memory/1160-76-0x0000000007890000-0x0000000007926000-memory.dmp

memory/3892-65-0x0000000000400000-0x0000000000462000-memory.dmp

memory/3300-66-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1160-77-0x0000000007810000-0x0000000007821000-memory.dmp

memory/1160-79-0x0000000007840000-0x000000000784E000-memory.dmp

memory/1160-80-0x0000000007850000-0x0000000007864000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bmtqpmwohkyjeiamgdhndonvlb

MD5 a7e181f6aa185be0ab0ca68b30406fe6
SHA1 58c86162658dc609615b8b6400f85c92506dfdc8
SHA256 c3071dc55b94db225d9c0f2c1b21c7e8f27dbfd168b85b7d618d8d19950e7ff2
SHA512 49969eb10e0bf7925940eb7374451f811658ef9ccfb83b86fb337c4d06c3ba17eb0181f598d9e0ec9ca25bfaf644209ac47b73d62ac924e73d03a4dcf8f8dd0f

memory/1620-85-0x0000000010000000-0x0000000010019000-memory.dmp

memory/1620-82-0x0000000010000000-0x0000000010019000-memory.dmp

memory/1620-86-0x0000000010000000-0x0000000010019000-memory.dmp

memory/1620-88-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1160-87-0x0000000007950000-0x000000000796A000-memory.dmp

memory/1160-89-0x0000000007930000-0x0000000007938000-memory.dmp

memory/1160-92-0x0000000074BC0000-0x0000000075370000-memory.dmp

memory/1620-96-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1620-95-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1620-99-0x0000000000400000-0x0000000000482000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 d2894141d45d792a2ea470076a6945c7
SHA1 fe909d0373fe724c0394949ee60ff59fb83ac6dc
SHA256 f880535b89497f72ebdb589ee3932bf1ac29098472cdb03753078a5dd9ac0b70
SHA512 997588e17298d07a700f2c33e5cee68f1171fe6dba8ee7496e30f7a80e280cc2f6905c12b7337d53a2fe1edcfc1d583ec6a9cde8e07d40a4641f62d3657efa41

memory/1620-104-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1620-105-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1620-113-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1620-112-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1620-120-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1620-128-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1620-129-0x0000000000400000-0x0000000000482000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-09 13:25
Reported: 2024-08-09 13:27
Platform: win11-20240802-en
Max time kernel: 147s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe"

Signatures

Remcos

rat remcos

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Detected Nirsoft tools

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

NirSoft MailPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

NirSoft WebBrowserPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Command and Scripting Interpreter: PowerShell

execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2708 wrote to memory of 3688 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2708 wrote to memory of 3688 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2708 wrote to memory of 3688 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2708 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 2708 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 2708 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 2708 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 2708 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 2708 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 2708 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 2708 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 2708 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 2708 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 2708 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 2708 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 2552 wrote to memory of 1040 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 2552 wrote to memory of 1040 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 2552 wrote to memory of 1040 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 2552 wrote to memory of 1040 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 2552 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 2552 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 2552 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 2552 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 2552 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 2552 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 2552 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 2552 wrote to memory of 3704 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 2552 wrote to memory of 3704 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 2552 wrote to memory of 3704 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe
PID 2552 wrote to memory of 3704 | N/A | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe | C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe

"C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe"

C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe

"C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe"

C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe

C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe /stext "C:\Users\Admin\AppData\Local\Temp\ictsifozcbfoujabbueoymkyqrqwyzocav"

C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe

C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe /stext "C:\Users\Admin\AppData\Local\Temp\lxyljxz"

C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe

C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe /stext "C:\Users\Admin\AppData\Local\Temp\lxyljxz"

C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe

C:\Users\Admin\AppData\Local\Temp\dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4.exe /stext "C:\Users\Admin\AppData\Local\Temp\vzevkqkues"

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 212.162.149.80:2404 tcp
US 212.162.149.80:2404 tcp
NL 178.237.33.50:80 geoplugin.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_atcm04iz.fx0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\ictsifozcbfoujabbueoymkyqrqwyzocav

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\ProgramData\remcos\logs.dat

MD5 18b84f61b8715c6be86fc453c31e6eb0
SHA1 d6efb1f0c6e550aed82f950c4f1d84e54c5498c0
SHA256 61a3337cb6385e49119ea3455477efa8eeca4d398ea29412d8f7dbe74a835e95
SHA512 151b222485764085a7405ce3fa5e76e96af2a6cbcb44a84a54fce11b3b7bbc43d6282b5cfda6e80fc2545a1c3a03d3371d994b3ad06c9645fdb58dfbb2aab37b
