Malware Analysis Report

2025-06-16 01:22

Sample ID 240410-q96qjadc7w
Target New Purchase Order-030220- SMART SOURCING INC.exe
SHA256 1f3358783cef07f7a60b0530c0de90be8a1131715faaf9d841ce830d9116434b
Tags
remcos solomon rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1f3358783cef07f7a60b0530c0de90be8a1131715faaf9d841ce830d9116434b

Threat Level: Known bad

The file New Purchase Order-030220- SMART SOURCING INC.exe was found to be: Known bad.

Malicious Activity Summary

remcos solomon rat

Remcos

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-10 13:58

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-10 13:58

Reported

2024-04-10 14:21

Platform

win10v2004-20240226-en

Max time kernel

1322s

Max time network

1328s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New Purchase Order-030220- SMART SOURCING INC.exe"

Signatures

Remcos

rat remcos

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4216 set thread context of 1300 | N/A | C:\Users\Admin\AppData\Local\Temp\New Purchase Order-030220- SMART SOURCING INC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New Purchase Order-030220- SMART SOURCING INC.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4216 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\New Purchase Order-030220- SMART SOURCING INC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 4216 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\New Purchase Order-030220- SMART SOURCING INC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 4216 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\New Purchase Order-030220- SMART SOURCING INC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 4216 wrote to memory of 1300 | N/A | C:\Users\Admin\AppData\Local\Temp\New Purchase Order-030220- SMART SOURCING INC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 4216 wrote to memory of 1300 | N/A | C:\Users\Admin\AppData\Local\Temp\New Purchase Order-030220- SMART SOURCING INC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 4216 wrote to memory of 1300 | N/A | C:\Users\Admin\AppData\Local\Temp\New Purchase Order-030220- SMART SOURCING INC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 4216 wrote to memory of 1300 | N/A | C:\Users\Admin\AppData\Local\Temp\New Purchase Order-030220- SMART SOURCING INC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 4216 wrote to memory of 1300 | N/A | C:\Users\Admin\AppData\Local\Temp\New Purchase Order-030220- SMART SOURCING INC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 4216 wrote to memory of 1300 | N/A | C:\Users\Admin\AppData\Local\Temp\New Purchase Order-030220- SMART SOURCING INC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 4216 wrote to memory of 1300 | N/A | C:\Users\Admin\AppData\Local\Temp\New Purchase Order-030220- SMART SOURCING INC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 4216 wrote to memory of 1300 | N/A | C:\Users\Admin\AppData\Local\Temp\New Purchase Order-030220- SMART SOURCING INC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 4216 wrote to memory of 1300 | N/A | C:\Users\Admin\AppData\Local\Temp\New Purchase Order-030220- SMART SOURCING INC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 4216 wrote to memory of 1300 | N/A | C:\Users\Admin\AppData\Local\Temp\New Purchase Order-030220- SMART SOURCING INC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 4216 wrote to memory of 1300 | N/A | C:\Users\Admin\AppData\Local\Temp\New Purchase Order-030220- SMART SOURCING INC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 4216 wrote to memory of 1300 | N/A | C:\Users\Admin\AppData\Local\Temp\New Purchase Order-030220- SMART SOURCING INC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

Processes

C:\Users\Admin\AppData\Local\Temp\New Purchase Order-030220- SMART SOURCING INC.exe

"C:\Users\Admin\AppData\Local\Temp\New Purchase Order-030220- SMART SOURCING INC.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 grantadistciaret.com udp
DE 85.195.105.109:3212 grantadistciaret.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
DE 85.195.105.109:3223 grantadistciaret.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
DE 85.195.105.109:3212 grantadistciaret.com tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp

Files

memory/4216-0-0x0000028888580000-0x000002888862E000-memory.dmp

memory/4216-1-0x000002888A360000-0x000002888A3E6000-memory.dmp

memory/4216-2-0x0000028888C70000-0x0000028888C76000-memory.dmp

memory/4216-3-0x00007FF84BB00000-0x00007FF84C5C1000-memory.dmp

memory/4216-4-0x000002888A430000-0x000002888A440000-memory.dmp

memory/4216-5-0x0000028888C80000-0x0000028888C8A000-memory.dmp

memory/1300-6-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-8-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-10-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4216-9-0x00007FF84BB00000-0x00007FF84C5C1000-memory.dmp

memory/1300-11-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-12-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-14-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-15-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-16-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-21-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-23-0x0000000000400000-0x0000000000482000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 9b75b0bbc861b238e9f3def6cbc4c8cf
SHA1 83b4f45842997c94bd6efbdee5c50728342439f0
SHA256 8a6330a191ed148e67a69b4c92997333a03dc32e277a48baa59a5333b254ba44
SHA512 72c9820df1f93c0ece15b84a720c53e2bbe95d2402cc96b7426abb2060cf5844602d0c86dc67edf2521ba9c077ffca2f693833360dc1e668eb2124d49f40bbc0

memory/1300-28-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-29-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-34-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-41-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-42-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-47-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-53-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-54-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-60-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-66-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-67-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-72-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-78-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-80-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-85-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-91-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-92-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-97-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-104-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-105-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-110-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-116-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-117-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-123-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-129-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-130-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-135-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-141-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-143-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-148-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-154-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-155-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-160-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-167-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-168-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-173-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-179-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-180-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-186-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-192-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1300-193-0x0000000000400000-0x0000000000482000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-10 13:58

Reported

2024-04-10 14:29

Platform

win11-20240221-en

Max time kernel

1800s

Max time network

1808s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New Purchase Order-030220- SMART SOURCING INC.exe"

Signatures

Remcos

rat remcos

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4204 set thread context of 676 | N/A | C:\Users\Admin\AppData\Local\Temp\New Purchase Order-030220- SMART SOURCING INC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4204 wrote to memory of 676 | N/A | C:\Users\Admin\AppData\Local\Temp\New Purchase Order-030220- SMART SOURCING INC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 4204 wrote to memory of 676 | N/A | C:\Users\Admin\AppData\Local\Temp\New Purchase Order-030220- SMART SOURCING INC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 4204 wrote to memory of 676 | N/A | C:\Users\Admin\AppData\Local\Temp\New Purchase Order-030220- SMART SOURCING INC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 4204 wrote to memory of 676 | N/A | C:\Users\Admin\AppData\Local\Temp\New Purchase Order-030220- SMART SOURCING INC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 4204 wrote to memory of 676 | N/A | C:\Users\Admin\AppData\Local\Temp\New Purchase Order-030220- SMART SOURCING INC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 4204 wrote to memory of 676 | N/A | C:\Users\Admin\AppData\Local\Temp\New Purchase Order-030220- SMART SOURCING INC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 4204 wrote to memory of 676 | N/A | C:\Users\Admin\AppData\Local\Temp\New Purchase Order-030220- SMART SOURCING INC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 4204 wrote to memory of 676 | N/A | C:\Users\Admin\AppData\Local\Temp\New Purchase Order-030220- SMART SOURCING INC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 4204 wrote to memory of 676 | N/A | C:\Users\Admin\AppData\Local\Temp\New Purchase Order-030220- SMART SOURCING INC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 4204 wrote to memory of 676 | N/A | C:\Users\Admin\AppData\Local\Temp\New Purchase Order-030220- SMART SOURCING INC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 4204 wrote to memory of 676 | N/A | C:\Users\Admin\AppData\Local\Temp\New Purchase Order-030220- SMART SOURCING INC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 4204 wrote to memory of 676 | N/A | C:\Users\Admin\AppData\Local\Temp\New Purchase Order-030220- SMART SOURCING INC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

Processes

C:\Users\Admin\AppData\Local\Temp\New Purchase Order-030220- SMART SOURCING INC.exe

"C:\Users\Admin\AppData\Local\Temp\New Purchase Order-030220- SMART SOURCING INC.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 grantadistciaret.com udp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp
DE 85.195.105.109:3223 grantadistciaret.com tcp
DE 85.195.105.109:3212 grantadistciaret.com tcp

Files

memory/4204-0-0x00000260CDBC0000-0x00000260CDC6E000-memory.dmp

memory/4204-1-0x00007FFB1CA40000-0x00007FFB1D502000-memory.dmp

memory/4204-2-0x00000260E8070000-0x00000260E80F6000-memory.dmp

memory/4204-3-0x00000260CE070000-0x00000260CE076000-memory.dmp

memory/4204-4-0x00000260E82A0000-0x00000260E82B0000-memory.dmp

memory/4204-5-0x00000260CE090000-0x00000260CE09A000-memory.dmp

memory/676-6-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-8-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-9-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4204-10-0x00007FFB1CA40000-0x00007FFB1D502000-memory.dmp

memory/676-12-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-11-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-14-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-15-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-16-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-20-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-23-0x0000000000400000-0x0000000000482000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 a1269564ba4ead3b7202813b327ca586
SHA1 83211e4b9e6261f2e1bc12fd4639dd7c08e23cda
SHA256 cafccfc0d964867b3c2994d4bd038897d381eeefd5d510b880f14ba5d9a2214e
SHA512 9a37c4d73c5e5f08eb5364cb1cbac7a8da25ef284cd45a363c88401a2efb22c7737bb0b6b3c7ad5995adf12281e4f210c65b3e66d0d9fa5abff71998a3dc65a7

memory/676-28-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-29-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-34-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-40-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-41-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-47-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-48-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-53-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-54-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-59-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-66-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-67-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-72-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-78-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-79-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-85-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-91-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-92-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-97-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-103-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-105-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-110-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-116-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-117-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-122-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-129-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-130-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-135-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-141-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-142-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-148-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-154-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-155-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-160-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-166-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-168-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-173-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-179-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-180-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-185-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-192-0x0000000000400000-0x0000000000482000-memory.dmp

memory/676-193-0x0000000000400000-0x0000000000482000-memory.dmp