Analysis Overview
SHA256
322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24
Threat Level: Known bad
The file 322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe was found to be: Known bad.
Malicious Activity Summary
Remcos
Command and Scripting Interpreter: PowerShell
Uses the VBS compiler for execution
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-14 09:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-14 09:13
Reported
2024-08-14 09:15
Platform
win7-20240729-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
Remcos
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2508 set thread context of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe
"C:\Users\Admin\AppData\Local\Temp\322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kkUfsLDbd.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kkUfsLDbd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDC1C.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
Files
memory/2508-0-0x00000000749EE000-0x00000000749EF000-memory.dmp
memory/2508-1-0x00000000000F0000-0x00000000001DA000-memory.dmp
memory/2508-2-0x00000000749E0000-0x00000000750CE000-memory.dmp
memory/2508-3-0x0000000000500000-0x000000000051E000-memory.dmp
memory/2508-4-0x00000000005E0000-0x00000000005F6000-memory.dmp
memory/2508-5-0x0000000005150000-0x0000000005210000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VLJ0MBZFFMNB57OBTTA8.temp
| MD5 | 93320239239726a5f9871142428f2c9c |
| SHA1 | df13c2ec2957399899ab8e48bb476bd3f1386256 |
| SHA256 | c080eae6e37cec4058bef15f9c7a11406cb7f642e2a55e3a801dbeaeac54fa08 |
| SHA512 | 5711764f531c74320052d48d3a638e6a0f8581e4c8c15b9bccbd59200e88a8b1e3542286892bfd542267b09450054dd4449be314091caebeed0310c0b4f14e49 |
C:\Users\Admin\AppData\Local\Temp\tmpDC1C.tmp
| MD5 | 76ec7683ca617e5ee72a45b6715cfb6e |
| SHA1 | 077f4ac8602dc52304533570e3439281255891fd |
| SHA256 | 67e56c89ac65c4b4eaa20ad0967f008d359921769be381bb84eae5a4ffd6071d |
| SHA512 | 7cab244872c07b0561d81c99a350f92bf31609b8e7a5a091c8b938e546e2371dd948ca96a89e1912f1ae2b43fdc3caa178a860b2bd46aedfd6b280841cf7b546 |
memory/2596-18-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-34-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2596-35-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-37-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2508-42-0x00000000749E0000-0x00000000750CE000-memory.dmp
memory/2596-41-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-36-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-40-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-33-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-30-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-28-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-26-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-24-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-22-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-20-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-43-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-44-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-45-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-47-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-48-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-49-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-50-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-52-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-53-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-54-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-55-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-57-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-58-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-59-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-60-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-62-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-63-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-64-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-65-0x0000000000400000-0x0000000000482000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | 98b410e9034a1baab525f3ce4a0e9a2d |
| SHA1 | 7b2004e16d9cbc5330d6de462d3e4b78f15bc8d3 |
| SHA256 | 599ed3f31fd624dbd7edf11ed5df949683529fc44f15879f65a243251c399043 |
| SHA512 | e40c03c0a5b0b0da2e5e4198cae958dd7649dbd2319d87c63c6628317972bb215917b6b172325e9187011774bb0d39f04e3c5b8a7c13a1b91df4209cb99fc61a |
memory/2596-67-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-68-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-69-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-70-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-72-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-73-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-74-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-75-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-77-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-79-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-80-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-81-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-83-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-84-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-85-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-86-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-88-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-89-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-90-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-91-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2596-93-0x0000000000400000-0x0000000000482000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-14 09:13
Reported
2024-08-14 09:15
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Remcos
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 916 set thread context of 1212 | N/A | C:\Users\Admin\AppData\Local\Temp\322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe
"C:\Users\Admin\AppData\Local\Temp\322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kkUfsLDbd.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kkUfsLDbd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEBC7.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
| US | 192.3.243.155:7643 | | tcp |
Files
memory/916-0-0x000000007534E000-0x000000007534F000-memory.dmp
memory/916-1-0x0000000000260000-0x000000000034A000-memory.dmp
memory/916-2-0x0000000005200000-0x00000000057A4000-memory.dmp
memory/916-3-0x0000000004D30000-0x0000000004DC2000-memory.dmp
memory/916-4-0x0000000004ED0000-0x0000000004EDA000-memory.dmp
memory/916-5-0x0000000075340000-0x0000000075AF0000-memory.dmp
memory/916-6-0x0000000005130000-0x000000000514E000-memory.dmp
memory/916-7-0x0000000005150000-0x0000000005166000-memory.dmp
memory/916-8-0x0000000008640000-0x0000000008700000-memory.dmp
memory/916-9-0x000000000B7A0000-0x000000000B83C000-memory.dmp
memory/2488-15-0x0000000075340000-0x0000000075AF0000-memory.dmp
memory/2488-14-0x0000000002690000-0x00000000026C6000-memory.dmp
memory/2488-17-0x0000000075340000-0x0000000075AF0000-memory.dmp
memory/2488-16-0x0000000005260000-0x0000000005888000-memory.dmp
memory/2872-18-0x0000000075340000-0x0000000075AF0000-memory.dmp
memory/2872-21-0x0000000005C10000-0x0000000005C76000-memory.dmp
memory/2872-20-0x0000000005AA0000-0x0000000005B06000-memory.dmp
memory/2872-19-0x00000000052B0000-0x00000000052D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kxtrt1es.nuv.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2872-32-0x0000000005C80000-0x0000000005FD4000-memory.dmp
memory/2872-33-0x0000000075340000-0x0000000075AF0000-memory.dmp
memory/2488-44-0x0000000075340000-0x0000000075AF0000-memory.dmp
memory/2872-43-0x0000000075340000-0x0000000075AF0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpEBC7.tmp
| MD5 | c98fa3f1cb4a2790aa2f740fe5020ef4 |
| SHA1 | 12dce523086b200db697f0aa6e3505d6d3dee290 |
| SHA256 | 7655a34641a06962638bbdb5b658b8187537954b83ebf1dfe6965abbc0755476 |
| SHA512 | 38a1dc34717430a7b21bcba36642422d8a3db3d961f71da04cf023422127473baed5e5d33fddd67b0a915e39a8ede50bc437e8194616974cf8588aae623f2c4c |
memory/1212-46-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-52-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2872-54-0x0000000006780000-0x00000000067CC000-memory.dmp
memory/2872-53-0x0000000006260000-0x000000000627E000-memory.dmp
memory/916-55-0x0000000075340000-0x0000000075AF0000-memory.dmp
memory/1212-50-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-47-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-45-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2488-56-0x0000000006560000-0x0000000006592000-memory.dmp
memory/2488-57-0x000000006FD70000-0x000000006FDBC000-memory.dmp
memory/2488-68-0x0000000007190000-0x0000000007233000-memory.dmp
memory/2488-67-0x00000000065A0000-0x00000000065BE000-memory.dmp
memory/2872-71-0x000000006FD70000-0x000000006FDBC000-memory.dmp
memory/2488-70-0x00000000072B0000-0x00000000072CA000-memory.dmp
memory/2488-69-0x0000000007900000-0x0000000007F7A000-memory.dmp
memory/2488-81-0x0000000007320000-0x000000000732A000-memory.dmp
memory/2872-82-0x0000000007820000-0x00000000078B6000-memory.dmp
memory/2488-83-0x00000000074B0000-0x00000000074C1000-memory.dmp
memory/2872-84-0x00000000077D0000-0x00000000077DE000-memory.dmp
memory/2872-85-0x00000000077E0000-0x00000000077F4000-memory.dmp
memory/2872-86-0x00000000078E0000-0x00000000078FA000-memory.dmp
memory/2488-87-0x00000000075D0000-0x00000000075D8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
memory/2872-93-0x0000000075340000-0x0000000075AF0000-memory.dmp
memory/2488-92-0x0000000075340000-0x0000000075AF0000-memory.dmp
memory/1212-94-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-95-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-97-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-98-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-100-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-101-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-103-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-104-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-105-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-107-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-108-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-109-0x0000000000400000-0x0000000000482000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | acdb79acdfd3d139c731e6d45e5352d8 |
| SHA1 | 5026d6930490dbd1e935f601fd9f785604a018b4 |
| SHA256 | 70b6114e144417d83ab6ae7c593819598ae89f894f0f351e06ea6fccdb33aaf5 |
| SHA512 | 5638dc5f79b816d32b6c7361ceca9c6192445dc60a3d87275f0e721bc7e6cb9c156c45caeef42b7f2e4b03b7cec1e902d323f72c23ca6b258873a0e323f38d6a |
memory/1212-111-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-112-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-114-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-115-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-117-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-118-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-119-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-121-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-122-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-123-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-125-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-126-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-128-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-129-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-131-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-132-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-133-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-135-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-136-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-137-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-139-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-140-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-142-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-143-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-144-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-146-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-147-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-148-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-150-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-151-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-153-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-154-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-155-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-157-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-158-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-159-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-161-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-162-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-164-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-165-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-168-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-169-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-171-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-173-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1212-174-0x0000000000400000-0x0000000000482000-memory.dmp