Malware Analysis Report

2024-09-22 11:34

Sample ID 230726-l1mtvabc71
Target Dhl_AWB.Tax.invoice.kr22710368.exe
SHA256 aad4730a1866a7cee5b0dbdedf286b17e597b9bf59c06bfd405f234e64f52673
Tags
guloader hawkeye remcos remotehost discovery downloader keylogger rat spyware stealer trojan
score
10/10


Analysis Overview

score
10/10

SHA256

aad4730a1866a7cee5b0dbdedf286b17e597b9bf59c06bfd405f234e64f52673

Threat Level: Known bad

The file Dhl_AWB.Tax.invoice.kr22710368.exe was found to be: Known bad.

Malicious Activity Summary

guloader hawkeye remcos remotehost discovery downloader keylogger rat spyware stealer trojan

Remcos

HawkEye

Guloader,Cloudeye

Loads dropped DLL

Checks QEMU agent file

Checks installed software on the system

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry class

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2023-07-26 10:00

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-07-26 10:00
Reported: 2023-07-26 10:02
Platform: win7-20230712-en
Max time kernel: 150s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Dhl_AWB.Tax.invoice.kr22710368.exe"

Signatures

Guloader,Cloudeye

downloader guloader

HawkEye

keylogger trojan stealer spyware hawkeye

Remcos

rat remcos

Checks QEMU agent file

Description | Indicator | Process | Target
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\Dhl_AWB.Tax.invoice.kr22710368.exe | N/A
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\Dhl_AWB.Tax.invoice.kr22710368.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dhl_AWB.Tax.invoice.kr22710368.exe | N/A

Checks installed software on the system

discovery

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dhl_AWB.Tax.invoice.kr22710368.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dhl_AWB.Tax.invoice.kr22710368.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dhl_AWB.Tax.invoice.kr22710368.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2204 set thread context of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\Dhl_AWB.Tax.invoice.kr22710368.exe | C:\Users\Admin\AppData\Local\Temp\Dhl_AWB.Tax.invoice.kr22710368.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\resources\Telescopiform\rygeannoncen.cos | C:\Users\Admin\AppData\Local\Temp\Dhl_AWB.Tax.invoice.kr22710368.exe | N/A
File opened for modification | C:\Windows\Fonts\notabiliteternes\shuttlecock\Arbejderungens\meringue.ini | C:\Users\Admin\AppData\Local\Temp\Dhl_AWB.Tax.invoice.kr22710368.exe | N/A
File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Windows\SysWOW64\dxdiag.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1 | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7} | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32 | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dxdiagn.dll" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32 | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1 | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B} | C:\Windows\SysWOW64\dxdiag.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\dxdiag.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\dxdiag.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dhl_AWB.Tax.invoice.kr22710368.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\dxdiag.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\dxdiag.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\dxdiag.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\dxdiag.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\dxdiag.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\dxdiag.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\dxdiag.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dhl_AWB.Tax.invoice.kr22710368.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\dxdiag.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Dhl_AWB.Tax.invoice.kr22710368.exe

"C:\Users\Admin\AppData\Local\Temp\Dhl_AWB.Tax.invoice.kr22710368.exe"

C:\Users\Admin\AppData\Local\Temp\Dhl_AWB.Tax.invoice.kr22710368.exe

"C:\Users\Admin\AppData\Local\Temp\Dhl_AWB.Tax.invoice.kr22710368.exe"

C:\Windows\SysWOW64\dxdiag.exe

"C:\Windows\System32\dxdiag.exe" /t C:\Users\Admin\AppData\Local\Temp\sysinfo.txt

Network

Country | Destination | Domain | Proto
NL | 194.59.218.151:80 | 194.59.218.151 | tcp
US | 193.25.214.194:2404 | | tcp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp
US | 193.25.214.194:2404 | | tcp
US | 193.25.214.194:2404 | | tcp
US | 193.25.214.194:2404 | | tcp
US | 8.8.8.8:53 | crl.microsoft.com | udp
NL | 95.101.74.197:80 | crl.microsoft.com | tcp
US | 193.25.214.194:2404 | | tcp

Files

\Users\Admin\AppData\Local\Temp\nsd8FC2.tmp\System.dll

MD5 0ff2d70cfdc8095ea99ca2dabbec3cd7
SHA1 10c51496d37cecd0e8a503a5a9bb2329d9b38116
SHA256 982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b
SHA512 cb5fc0b3194f469b833c2c9abf493fcec5251e8609881b7f5e095b9bd09ed468168e95dda0ba415a7d8d6b7f0dee735467c0ed8e52b223eb5359986891ba6e2e

memory/2204-63-0x0000000003090000-0x0000000005DC9000-memory.dmp

memory/2204-64-0x0000000003090000-0x0000000005DC9000-memory.dmp

memory/2204-65-0x0000000076D10000-0x0000000076EB9000-memory.dmp

memory/2204-66-0x0000000076F00000-0x0000000076FD6000-memory.dmp

memory/2204-67-0x0000000010000000-0x0000000010006000-memory.dmp

memory/2940-68-0x0000000000400000-0x0000000001462000-memory.dmp

memory/2940-69-0x0000000001470000-0x00000000041A9000-memory.dmp

memory/2940-70-0x0000000076D10000-0x0000000076EB9000-memory.dmp

memory/2940-71-0x0000000001470000-0x00000000041A9000-memory.dmp

memory/2940-72-0x0000000000400000-0x0000000001462000-memory.dmp

memory/2940-73-0x0000000000400000-0x0000000001462000-memory.dmp

memory/2940-77-0x0000000001470000-0x00000000041A9000-memory.dmp

memory/2940-78-0x0000000000400000-0x0000000001462000-memory.dmp

memory/2940-83-0x0000000000400000-0x0000000001462000-memory.dmp

memory/2940-84-0x0000000000400000-0x0000000001462000-memory.dmp

memory/1124-86-0x0000000000260000-0x000000000026A000-memory.dmp

memory/1124-87-0x0000000000260000-0x000000000026A000-memory.dmp

memory/1124-100-0x0000000000BA0000-0x0000000000BFC000-memory.dmp

memory/1124-101-0x0000000000BA0000-0x0000000000BFC000-memory.dmp

memory/1124-102-0x0000000000BA0000-0x0000000000BFC000-memory.dmp

memory/1124-103-0x0000000000260000-0x000000000026A000-memory.dmp

memory/2940-105-0x0000000000400000-0x0000000001462000-memory.dmp

memory/1124-107-0x0000000000260000-0x000000000026A000-memory.dmp

memory/1124-108-0x0000000000350000-0x000000000035A000-memory.dmp

memory/1124-109-0x0000000000BA0000-0x0000000000BFC000-memory.dmp

memory/1124-110-0x0000000000BA0000-0x0000000000BCA000-memory.dmp

memory/1124-112-0x0000000000BA0000-0x0000000000BCA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sysinfo.txt

MD5 e6c73f04aa835c50c285fad4737f4fb5
SHA1 cd0e910869cbbc41b3d5647cf2f82072b732c5b4
SHA256 0eb202e282879f14f1a5f8a25546e97ae70f9158578ee541722366f9a305e02d
SHA512 98ded4d5c9ff805b94759d96d8b74701496c6c835e1b434284c560bd4bb92c59955261fa4c64d26ce0f0cd76b9edd5d4eda732f4233bd952dcd7c750de346ef2

memory/1124-113-0x0000000000260000-0x000000000026A000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 bcf77d967b000278b7920f441cfce31c
SHA1 9552b34f5917adbb1497ab37db2731123e7bb497
SHA256 288829ad1b88273d492332a75d07a83490687d8a759dae3cc5fc424447b4fa3a
SHA512 f686c6bf42cdf8216ff4ee7dc1db12dd00e82f01acb27747148ee32b97ff5d4936873d99c9b3fefaa36a0e4acdbf255b5c34cee2104d18937159314dcb0aedd0

memory/2940-117-0x0000000000400000-0x0000000001462000-memory.dmp

memory/2940-121-0x0000000000400000-0x0000000001462000-memory.dmp

memory/2940-122-0x0000000000400000-0x0000000001462000-memory.dmp

memory/2940-125-0x0000000000400000-0x0000000001462000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-07-26 10:00
Reported: 2023-07-26 10:02
Platform: win10v2004-20230703-en
Max time kernel: 150s
Max time network: 159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Dhl_AWB.Tax.invoice.kr22710368.exe"

Signatures

Guloader,Cloudeye

downloader guloader

Remcos

rat remcos

Checks QEMU agent file

Description | Indicator | Process | Target
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\Dhl_AWB.Tax.invoice.kr22710368.exe | N/A
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\Dhl_AWB.Tax.invoice.kr22710368.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dhl_AWB.Tax.invoice.kr22710368.exe | N/A

Checks installed software on the system

discovery

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dhl_AWB.Tax.invoice.kr22710368.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dhl_AWB.Tax.invoice.kr22710368.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dhl_AWB.Tax.invoice.kr22710368.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 812 set thread context of 2912 | N/A | C:\Users\Admin\AppData\Local\Temp\Dhl_AWB.Tax.invoice.kr22710368.exe | C:\Users\Admin\AppData\Local\Temp\Dhl_AWB.Tax.invoice.kr22710368.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\resources\Telescopiform\rygeannoncen.cos | C:\Users\Admin\AppData\Local\Temp\Dhl_AWB.Tax.invoice.kr22710368.exe | N/A
File opened for modification | C:\Windows\Fonts\notabiliteternes\shuttlecock\Arbejderungens\meringue.ini | C:\Users\Admin\AppData\Local\Temp\Dhl_AWB.Tax.invoice.kr22710368.exe | N/A

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dhl_AWB.Tax.invoice.kr22710368.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dhl_AWB.Tax.invoice.kr22710368.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Dhl_AWB.Tax.invoice.kr22710368.exe

"C:\Users\Admin\AppData\Local\Temp\Dhl_AWB.Tax.invoice.kr22710368.exe"

C:\Users\Admin\AppData\Local\Temp\Dhl_AWB.Tax.invoice.kr22710368.exe

"C:\Users\Admin\AppData\Local\Temp\Dhl_AWB.Tax.invoice.kr22710368.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.5.248.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 160.252.72.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp
NL | 194.59.218.151:80 | 194.59.218.151 | tcp
US | 8.8.8.8:53 | 151.218.59.194.in-addr.arpa | udp
US | 193.25.214.194:2404 | | tcp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp
US | 8.8.8.8:53 | 194.214.25.193.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp
US | 193.25.214.194:2404 | | tcp
US | 193.25.214.194:2404 | | tcp
US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\nsxFF02.tmp\System.dll

MD5 0ff2d70cfdc8095ea99ca2dabbec3cd7
SHA1 10c51496d37cecd0e8a503a5a9bb2329d9b38116
SHA256 982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b
SHA512 cb5fc0b3194f469b833c2c9abf493fcec5251e8609881b7f5e095b9bd09ed468168e95dda0ba415a7d8d6b7f0dee735467c0ed8e52b223eb5359986891ba6e2e

memory/812-141-0x0000000004260000-0x0000000006F99000-memory.dmp

memory/812-142-0x0000000004260000-0x0000000006F99000-memory.dmp

memory/812-143-0x0000000077581000-0x00000000776A1000-memory.dmp

memory/812-144-0x0000000077581000-0x00000000776A1000-memory.dmp

memory/812-145-0x0000000010000000-0x0000000010006000-memory.dmp

memory/2912-146-0x0000000000400000-0x0000000001654000-memory.dmp

memory/2912-147-0x0000000001660000-0x0000000004399000-memory.dmp

memory/2912-148-0x0000000001660000-0x0000000004399000-memory.dmp

memory/2912-149-0x0000000077608000-0x0000000077609000-memory.dmp

memory/2912-150-0x0000000000400000-0x0000000001654000-memory.dmp

memory/2912-154-0x0000000001660000-0x0000000004399000-memory.dmp

memory/2912-156-0x0000000000400000-0x0000000001654000-memory.dmp

memory/2912-158-0x0000000077581000-0x00000000776A1000-memory.dmp

memory/2912-160-0x0000000000400000-0x0000000001654000-memory.dmp

memory/2912-163-0x0000000000400000-0x0000000001654000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 79cf9889686c677870944c6b80e11b31
SHA1 042122cad17a180505f54db78f609d9fc66ded67
SHA256 db0b8f1c4aec7846635f5fd986bcd6ced0a5e1edd0e375cd72309798712bf96d
SHA512 ecbc1e6bb05acc90199823d177350c5ec11ddfc2b24415b6325850e2db330a6102a64e21070e0e3f3693de81dc9f8d0b985df396e1ec0f6d6faa2300756648bd