Malware Analysis Report

2025-01-02 03:35

Sample ID: 240510-ww6q9sdg76
Target: Chibldacfsxzsf.exe
SHA256: 49d61c568a1fc02a955bee79f81f4474d39a878b83072c12c0a8a1352659e1c0
Tags: remcos kc file collection persistence rat spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: 49d61c568a1fc02a955bee79f81f4474d39a878b83072c12c0a8a1352659e1c0
Threat Level: Known bad (the file Chibldacfsxzsf.exe was found to be: Known bad)

Observed chain, identical in both behavioral runs (PIDs given as behavioral1 / behavioral2): Chibldacfsxzsf.exe (3484 / 1524) runs the built-in extrac32.exe with /C /Y, which copies a single file rather than extracting a cabinet, to copy itself to C:\Users\Public\Libraries\Chibldac.PIF. It then writes to and sets the thread context of C:\Users\Public\Libraries\cadlbihC.pif (3440 / 3572; the name is "Chibldac" reversed) and adds the HKCU Run value Chibldac pointing at C:\Users\Public\Chibldac.url. The injected cadlbihC.pif enables SeDebugPrivilege and in turn injects three further copies of itself (3900, 2544, 4072 / 4168, 4172, 1376), each started with /stext <file under %TEMP%>, the NirSoft command-line switch that saves recovered credentials to a text file; this is what the MailPassView / WebBrowserPassView signatures and the read of the Outlook "OMI Account Manager\Accounts" key reflect. On the network the sample makes a direct TCP connection to 91.223.3.151:4508 with no DNS name attached and an HTTP request to geoplugin.net, the geolocation service Remcos queries at start-up, and it writes C:\ProgramData\remcos\logs.dat.

Two caveats before reusing the indicators below: cadlbihC.pif (SHA256 7bcdc2e6...) is not a byte-for-byte copy of the submitted sample (SHA256 49d61c56...), and neither extrac32's destination Chibldac.PIF nor Chibldac.url appears in the Files listings, so the report does not show how cadlbihC.pif was produced; and the /stext output names under %TEMP% differ between the two runs, so match on the switch and the C:\Users\Public\Libraries path, not on those file names.

Malicious Activity Summary

Tags: remcos kc file collection persistence rat spyware stealer

Remcos
Nirsoft
NirSoft MailPassView
NirSoft WebBrowserPassView
Executes dropped EXE
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Script User-Agent
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-10 18:17

Signatures

Unsigned PE (no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-10 18:17
Reported: 2024-05-10 18:20
Platform: win10-20240404-en
Max time kernel: 148s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe"

Signatures

Remcos (tags: rat, remcos)

NirSoft MailPassView: 3 hits recorded, all fields N/A

NirSoft WebBrowserPassView: 2 hits recorded, all fields N/A

Nirsoft: 7 hits recorded, all fields N/A

Reads user/profile data of web browsers (tags: spyware, stealer)

Accesses Microsoft Outlook accounts (tag: collection)

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Public\Libraries\cadlbihC.pif | N/A

Adds Run key to start application (tag: persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chibldac = "C:\\Users\\Public\\Chibldac.url" | C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3484 set thread context of 3440 | N/A | C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe | C:\Users\Public\Libraries\cadlbihC.pif
PID 3440 set thread context of 3900 | N/A | C:\Users\Public\Libraries\cadlbihC.pif | C:\Users\Public\Libraries\cadlbihC.pif
PID 3440 set thread context of 2544 | N/A | C:\Users\Public\Libraries\cadlbihC.pif | C:\Users\Public\Libraries\cadlbihC.pif
PID 3440 set thread context of 4072 | N/A | C:\Users\Public\Libraries\cadlbihC.pif | C:\Users\Public\Libraries\cadlbihC.pif

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A (2 requests)

This string is the default User-Agent of the WinHttp.WinHttpRequest COM object. The report does not tie the two requests to a process or connection; the only cleartext HTTP destination in the Network table below is geoplugin.net on port 80.

Suspicious behavior: GetForegroundWindowSpam
Process: C:\Users\Public\Libraries\cadlbihC.pif (1 hit, no indicator recorded)

Suspicious behavior: MapViewOfSection
Process: C:\Users\Public\Libraries\cadlbihC.pif (3 hits, no indicator recorded)

Suspicious use of AdjustPrivilegeToken
Token: SeDebugPrivilege | Process: C:\Users\Public\Libraries\cadlbihC.pif

Suspicious use of SetWindowsHookEx
Process: C:\Users\Public\Libraries\cadlbihC.pif (1 hit, no indicator recorded)

Suspicious use of WriteProcessMemory

Identical rows collapsed; Count is the number of rows the sandbox recorded (the Indicator column was N/A throughout).

Description | Count | Process | Target
PID 3484 wrote to memory of 2744 | 3 | C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe | C:\Windows\SysWOW64\extrac32.exe
PID 3484 wrote to memory of 3440 | 5 | C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe | C:\Users\Public\Libraries\cadlbihC.pif
PID 3440 wrote to memory of 3900 | 3 | C:\Users\Public\Libraries\cadlbihC.pif | C:\Users\Public\Libraries\cadlbihC.pif
PID 3440 wrote to memory of 2544 | 3 | C:\Users\Public\Libraries\cadlbihC.pif | C:\Users\Public\Libraries\cadlbihC.pif
PID 3440 wrote to memory of 4072 | 3 | C:\Users\Public\Libraries\cadlbihC.pif | C:\Users\Public\Libraries\cadlbihC.pif

Processes

Indentation follows the WriteProcessMemory / SetThreadContext relationships above; PIDs are taken from those tables.

C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe (PID 3484)
    "C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe"

    C:\Windows\SysWOW64\extrac32.exe (PID 2744; written to by 3484)
        C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe C:\\Users\\Public\\Libraries\\Chibldac.PIF

    C:\Users\Public\Libraries\cadlbihC.pif (PID 3440; written to and thread context set by 3484)
        C:\Users\Public\Libraries\cadlbihC.pif

        C:\Users\Public\Libraries\cadlbihC.pif (PIDs 3900, 2544 and 4072; each written to and thread context set by 3440; the report does not say which PID ran which of the three command lines)
            C:\Users\Public\Libraries\cadlbihC.pif /stext "C:\Users\Admin\AppData\Local\Temp\rigvjimsxjdzunlblmeoaxchvbnni"
            C:\Users\Public\Libraries\cadlbihC.pif /stext "C:\Users\Admin\AppData\Local\Temp\cklokbxulrvexbhfcxrqlkxqehxojcuh"
            C:\Users\Public\Libraries\cadlbihC.pif /stext "C:\Users\Admin\AppData\Local\Temp\meqg"
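Detection logic for the chain in this process list, added here as an example and not part of the sandbox report or of any Remcos tooling. It replays the tree above as constructed Sysmon-style process-creation and registry events (the PIDs, image paths, command lines and Run value are the reported ones; the parent image of the first process and the two benign control events at the end are made up) and flags five behaviours worth alerting on: extrac32.exe used with /C as a file-copy LOLBin into C:\Users\Public, a .pif executing from C:\Users\Public\Libraries, a .pif spawning a copy of itself, the NirSoft /stext switch with an output file, and a Run value pointing at a .url/.pif or into C:\Users\Public.

```python
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]
Finding = Tuple[str, str, str]  # (rule, pid, detail)

# Constructed events modelled on the behavioral1 run of this report. PIDs, images,
# command lines and the Run value are as reported; the parent image of PID 3484 and
# the two benign control events (PIDs 5000 and 6000) are made up for the example.
EVENTS: List[Event] = [
    {"type": "process", "pid": "3484",
     "image": r"C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe"'},
    {"type": "process", "pid": "2744",
     "image": r"C:\Windows\SysWOW64\extrac32.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe",
     "cmdline": r"C:\\Windows\\System32\\extrac32.exe /C /Y "
                r"C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe "
                r"C:\\Users\\Public\\Libraries\\Chibldac.PIF"},
    {"type": "process", "pid": "3440",
     "image": r"C:\Users\Public\Libraries\cadlbihC.pif",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe",
     "cmdline": r"C:\Users\Public\Libraries\cadlbihC.pif"},
    {"type": "process", "pid": "3900",
     "image": r"C:\Users\Public\Libraries\cadlbihC.pif",
     "parent_image": r"C:\Users\Public\Libraries\cadlbihC.pif",
     "cmdline": r'C:\Users\Public\Libraries\cadlbihC.pif /stext '
                r'"C:\Users\Admin\AppData\Local\Temp\rigvjimsxjdzunlblmeoaxchvbnni"'},
    {"type": "registry", "pid": "3484",
     "image": r"C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe",
     "key": r"HKU\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chibldac",
     "value": r"C:\Users\Public\Chibldac.url"},
    # Benign controls (constructed): a real CAB extraction and an ordinary Run value.
    {"type": "process", "pid": "5000",
     "image": r"C:\Windows\System32\extrac32.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"extrac32.exe /E C:\drivers\pack.cab /L C:\drivers\out"},
    {"type": "registry", "pid": "6000",
     "image": r"C:\Windows\explorer.exe",
     "key": r"HKU\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r'"C:\Program Files\Example\updater.exe" /background'},
]

PUBLIC = "c:\\users\\public\\"
# extrac32 /C copies a single file; /E (cabinet extraction) is its legitimate use.
EXTRAC32_COPY = re.compile(r'extrac32(?:\.exe)?"?\s+/c\b', re.I)
# NirSoft password-recovery tools write their results to a text file with /stext <path>.
STEXT = re.compile(r'/stext\s+(?:"([^"]+)"|(\S+))', re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)


def norm(path: str) -> str:
    """Collapse doubled backslashes (as in the reported extrac32 command line),
    drop surrounding quotes and lower-case, so paths compare reliably."""
    return re.sub(r"\\+", r"\\", path).strip('"').lower()


def check(ev: Event) -> List[Finding]:
    out: List[Finding] = []
    pid = ev["pid"]
    if ev["type"] == "process":
        image, cmd = norm(ev["image"]), ev["cmdline"]
        if EXTRAC32_COPY.search(cmd):
            dest = norm(cmd.split()[-1])  # last token; fine for the unquoted paths seen here
            if dest.startswith(PUBLIC):
                out.append(("lolbin_copy_to_public", pid, dest))
        if image.endswith(".pif") and image.startswith(PUBLIC):
            out.append(("pif_exec_from_public", pid, image))
        m = STEXT.search(cmd)
        if m:
            out.append(("nirsoft_stext_dump", pid, m.group(1) or m.group(2)))
        if image.endswith(".pif") and norm(ev["parent_image"]) == image:
            out.append(("self_spawn_pif", pid, image))
    elif ev["type"] == "registry" and RUN_KEY.search(ev["key"]):
        target = norm(ev["value"])
        if target.startswith(PUBLIC) or target.endswith((".url", ".pif")):
            out.append(("run_key_public_or_url", pid, ev["value"]))
    return out


def scan(events: List[Event]) -> List[Finding]:
    """Run every rule over every event and return all findings in event order."""
    return [f for ev in events for f in check(ev)]


if __name__ == "__main__":
    for rule, pid, detail in scan(EVENTS):
        print(f"{rule:24} pid={pid:5} {detail}")
```

The benign extrac32 /E and the ordinary Run value produce no findings; PID 3900 alone trips three rules, which is the combination (Public .pif, self-spawn, /stext) that most directly identifies the Remcos credential-recovery step.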

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | onedrive.live.com | udp
US | 13.107.137.11:443 | onedrive.live.com | tcp
US | 13.107.137.11:443 | onedrive.live.com | tcp
US | 8.8.8.8:53 | 11.137.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | p1hpaw.by.files.1drv.com | udp
US | 13.107.42.12:443 | p1hpaw.by.files.1drv.com | tcp
US | 8.8.8.8:53 | 12.42.107.13.in-addr.arpa | udp
PL | 91.223.3.151:4508 | (none) | tcp
PL | 91.223.3.151:4508 | (none) | tcp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp
US | 8.8.8.8:53 | 151.3.223.91.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 131.109.69.13.in-addr.arpa | udp

The 91.223.3.151:4508 connection has no domain attached and no forward lookup precedes it in this table; the in-addr.arpa rows are reverse (PTR) lookups of addresses already contacted.
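Network triage over the table above, added as an example that is not part of the report: it parses the sandbox's Country/Destination/Domain/Proto rows (either the raw space-separated form or the pipe-separated form, with an empty or "(none)" domain for direct connections), separates DNS rows into the sample's own resolutions and PTR noise, and then flags what a practitioner reads off such a table: TCP connections with no name attached (a hard-coded address), non-standard ports, and the geoplugin.net request, the geolocation service Remcos is known to query. The embedded block is the behavioral1 table copied verbatim.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed excerpt: the behavioral1 Network table of this report, verbatim.
NETWORK_BLOCK = """\
Country Destination Domain Proto
US 8.8.8.8:53 onedrive.live.com udp
US 13.107.137.11:443 onedrive.live.com tcp
US 13.107.137.11:443 onedrive.live.com tcp
US 8.8.8.8:53 11.137.107.13.in-addr.arpa udp
US 8.8.8.8:53 p1hpaw.by.files.1drv.com udp
US 13.107.42.12:443 p1hpaw.by.files.1drv.com tcp
US 8.8.8.8:53 12.42.107.13.in-addr.arpa udp
PL 91.223.3.151:4508 tcp
PL 91.223.3.151:4508 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 151.3.223.91.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 131.109.69.13.in-addr.arpa udp
"""

# Domain is optional: direct connections have no name in the sandbox's table.
ROW = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"\s+(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$")

# geoplugin.net is the geolocation service Remcos queries after start-up.
GEO_SERVICES = {"geoplugin.net"}


def parse_network(text: str) -> List[Dict[str, object]]:
    rows: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = re.sub(r"\s*\|\s*", " ", raw.strip())  # also accept a pipe-separated layout
        if not line or line.startswith("Country"):
            continue
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unparsed row: {raw!r}")
        domain = None if m["domain"] in (None, "(none)") else m["domain"]
        rows.append({"cc": m["cc"], "ip": m["ip"], "port": int(m["port"]),
                     "domain": domain, "proto": m["proto"]})
    return rows


def triage(rows: List[Dict[str, object]]) -> Dict[str, object]:
    counts = Counter((r["ip"], r["port"], r["proto"], r["domain"]) for r in rows)
    summary: Dict[str, object] = {"resolved": set(), "reverse_lookups": 0,
                                  "unattributed_tcp": [], "geo_check": [],
                                  "nonstandard_ports": set()}
    for (ip, port, proto, domain), n in counts.items():
        if proto == "udp" and port == 53:  # DNS row: the Domain column is the query name
            if domain and domain.endswith(".in-addr.arpa"):
                summary["reverse_lookups"] += n  # PTR lookups of addresses already contacted
            elif domain:
                summary["resolved"].add(domain)
            continue
        if domain is None:  # connection the sandbox could not tie to any name
            summary["unattributed_tcp"].append((ip, port, n))
        if domain in GEO_SERVICES:
            summary["geo_check"].append((domain, ip, port))
        if port not in (80, 443):
            summary["nonstandard_ports"].add(port)
    return summary


if __name__ == "__main__":
    for key, value in triage(parse_network(NETWORK_BLOCK)).items():
        print(f"{key:18} {value}")
```

On this table the only unattributed connection is 91.223.3.151:4508 (seen twice), which is also the only non-standard port; onedrive.live.com and 1drv.com resolve and connect over 443 and are not flagged by these rules, so whether they are sample or platform traffic has to be decided from the report's other evidence.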

Files

Dropped files

C:\Users\Public\Libraries\cadlbihC.pif
MD5 c116d3604ceafe7057d77ff27552c215
SHA1 452b14432fb5758b46f2897aeccd89f7c82a727d
SHA256 7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
SHA512 9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

C:\Users\Admin\AppData\Local\Temp\rigvjimsxjdzunlblmeoaxchvbnni (the /stext output path of one of the three cadlbihC.pif children)
MD5 cb998c648b6f4ad55a89eb482aac3598
SHA1 0965844779ba17661d18e216289ae0422777b689
SHA256 ea32319f2bc8d294d729b82a946fb2a0eedf37902a04c01efb5a75efbecdb395
SHA512 97dedfbc8ad9b6149a8e044669efb69539ba9f738b032aa2408e759dd16b86f86d9364af2f229c2fad70c8ede6a42767c5f112a2eb7452de6334ac2b34dc4124

C:\ProgramData\remcos\logs.dat
MD5 eb8c1a99928aed30e20731b21b7877fd
SHA1 197beb7513c5716a461a18d0b5d8fd77f699f6ba
SHA256 e4dc7124c508dc471cf452b017f2994cf46813ae563c97c51bd2f7d6e5bb883b
SHA512 efa8034445409ab87ac3396677978298df5c3d2fd84a47e0d95d137325549020d445cbf74974170e8aea5b3d20eb79aaa209e9656fc36190a35fc9c61f9cc830

Memory dumps (memory/<PID>-<index>-<start>-<end>-memory.dmp; the index is the order in which the dump was taken, and dumps of the same region of one PID are collapsed into one line with the indices in braces)

memory/3484-0-0x0000000000860000-0x0000000000861000-memory.dmp
memory/3484-1-0x0000000000400000-0x00000000004E8000-memory.dmp
memory/3440-{8,12,14,15,18,19,20,21,22,23,25,57,64,65,75,76,86,87,97,98}-0x0000000000400000-0x0000000001400000-memory.dmp
memory/3440-{52,55,56}-0x00000000332E0000-0x00000000332F9000-memory.dmp
memory/3440-{60,63,68,70,74,79,82,85,90,93,95,101,104}-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3900-{26,30,32,49}-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2544-{28,31,33,39,47}-0x0000000000400000-0x0000000000462000-memory.dmp
memory/4072-{34,36,37,40}-0x0000000000400000-0x0000000000424000-memory.dmp

PID 3440 was dumped at 0x400000 with two extents, 0x1000000 bytes and 0x82000 bytes, interleaved from dump 57 onward. The report does not say what triggered each dump, so treat the two sizes as different dump extents of the same base rather than as evidence that the mapping changed. The three children (3900, 2544, 4072) were each dumped with a different image size at 0x400000, consistent with three different injected binaries.
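A parser for this Files listing, added as an example that is not part of the report: it reads the sandbox's line format (one memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp line per dump, or a brace list of indices for several dumps of one region, and for each dropped file the path followed by its MD5/SHA1/SHA256/SHA512 lines), validates digest lengths, and then answers the two questions an analyst asks of the dump list: which PIDs carry an unusually large region at the default 32-bit image base, and which bases were dumped with more than one extent. The embedded excerpt is a subset of the behavioral1 listing copied as-is.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed excerpt: a subset of the behavioral1 Files lines of this report, as-is,
# with one line using the brace shorthand for several dumps of the same region.
FILES_BLOCK = r"""
memory/3484-0-0x0000000000860000-0x0000000000861000-memory.dmp
memory/3484-1-0x0000000000400000-0x00000000004E8000-memory.dmp
memory/3440-{8,12,14}-0x0000000000400000-0x0000000001400000-memory.dmp
C:\Users\Public\Libraries\cadlbihC.pif
MD5 c116d3604ceafe7057d77ff27552c215
SHA1 452b14432fb5758b46f2897aeccd89f7c82a727d
SHA256 7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
SHA512 9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6
memory/2544-28-0x0000000000400000-0x0000000000462000-memory.dmp
memory/3900-26-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4072-36-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3440-52-0x00000000332E0000-0x00000000332F9000-memory.dmp
memory/3440-60-0x0000000000400000-0x0000000000482000-memory.dmp
C:\ProgramData\remcos\logs.dat
MD5 eb8c1a99928aed30e20731b21b7877fd
SHA1 197beb7513c5716a461a18d0b5d8fd77f699f6ba
SHA256 e4dc7124c508dc471cf452b017f2994cf46813ae563c97c51bd2f7d6e5bb883b
SHA512 efa8034445409ab87ac3396677978298df5c3d2fd84a47e0d95d137325549020d445cbf74974170e8aea5b3d20eb79aaa209e9656fc36190a35fc9c61f9cc830
"""

DUMP = re.compile(r"^memory/(?P<pid>\d+)-(?P<idx>\d+|\{[\d,]+\})"
                  r"-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
HASH = re.compile(r"^(?P<alg>MD5|SHA1|SHA256|SHA512)\s+(?P<hex>[0-9a-fA-F]+)$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

Dump = Tuple[int, int, int, int]  # pid, index, start, end


def parse_files(text: str) -> Tuple[List[Dump], Dict[str, Dict[str, str]]]:
    """Split a Files listing into memory dumps and dropped files with their digests."""
    dumps: List[Dump] = []
    files: Dict[str, Dict[str, str]] = {}
    current = None  # path of the dropped file whose hash lines follow
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP.match(line)
        if m:
            for i in m["idx"].strip("{}").split(","):
                dumps.append((int(m["pid"]), int(i), int(m["start"], 16), int(m["end"], 16)))
            current = None
            continue
        h = HASH.match(line)
        if h:
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line!r}")
            if len(h["hex"]) != HEX_LEN[h["alg"]]:
                raise ValueError(f"{h['alg']} digest has the wrong length for {current}")
            files[current][h["alg"]] = h["hex"].lower()
            continue
        current = line  # anything else is a dropped-file path
        files.setdefault(current, {})
    return dumps, files


def regions(dumps: List[Dump]) -> Dict[int, Dict[int, Set[int]]]:
    """pid -> base address -> set of extents (end - start) seen across that pid's dumps."""
    out: Dict[int, Dict[int, Set[int]]] = defaultdict(lambda: defaultdict(set))
    for pid, _, start, end in dumps:
        out[pid][start].add(end - start)
    return out


def multi_extent_bases(dumps: List[Dump]) -> Dict[int, Dict[int, Set[int]]]:
    """Bases dumped with more than one extent in the same pid. Worth a look, but it can
    be a remapped image or simply dumps taken with different extents on different triggers."""
    return {pid: {b: s for b, s in bases.items() if len(s) > 1}
            for pid, bases in regions(dumps).items()
            if any(len(s) > 1 for s in bases.values())}


def oversized_image_bases(dumps: List[Dump], base: int = 0x400000,
                          limit: int = 0x100000) -> Dict[int, int]:
    """pids whose largest dump at the default 32-bit image base exceeds limit (1 MiB);
    the parent's own dump at 0x400000 in this report is 0xE8000 bytes."""
    return {pid: max(sizes) for pid, bases in regions(dumps).items()
            for b, sizes in bases.items() if b == base and max(sizes) > limit}


if __name__ == "__main__":
    dumps, files = parse_files(FILES_BLOCK)
    for path, digests in files.items():
        print(path, digests.get("SHA256"))
    print("oversized:", {p: hex(s) for p, s in oversized_image_bases(dumps).items()})
    print("multi-extent:", multi_extent_bases(dumps))
```

Run on the excerpt it reports PID 3440 as the only process with an oversized (16 MiB) mapping at 0x400000 and as the only one dumped there with two extents, while the three children show three distinct image sizes; the digest dictionary is what you would feed into a hash-based IOC match.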

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-10 18:17
Reported: 2024-05-10 18:20
Platform: win10v2004-20240426-en
Max time kernel: 150s
Max time network: 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe"

Signatures

Remcos (tags: rat, remcos)

NirSoft MailPassView: 2 hits recorded, all fields N/A

NirSoft WebBrowserPassView: 3 hits recorded, all fields N/A

Nirsoft: 8 hits recorded, all fields N/A

Reads user/profile data of web browsers (tags: spyware, stealer)

Accesses Microsoft Outlook accounts (tag: collection)

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Public\Libraries\cadlbihC.pif | N/A

Adds Run key to start application (tag: persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chibldac = "C:\\Users\\Public\\Chibldac.url" | C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1524 set thread context of 3572 | N/A | C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe | C:\Users\Public\Libraries\cadlbihC.pif
PID 3572 set thread context of 4168 | N/A | C:\Users\Public\Libraries\cadlbihC.pif | C:\Users\Public\Libraries\cadlbihC.pif
PID 3572 set thread context of 4172 | N/A | C:\Users\Public\Libraries\cadlbihC.pif | C:\Users\Public\Libraries\cadlbihC.pif
PID 3572 set thread context of 1376 | N/A | C:\Users\Public\Libraries\cadlbihC.pif | C:\Users\Public\Libraries\cadlbihC.pif

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A (2 requests)

As in behavioral1, this is the default User-Agent of the WinHttp.WinHttpRequest COM object; the only cleartext HTTP destination in this run's Network table is again geoplugin.net on port 80.

Suspicious behavior: MapViewOfSection
Process: C:\Users\Public\Libraries\cadlbihC.pif (3 hits, no indicator recorded)

Suspicious use of AdjustPrivilegeToken
Token: SeDebugPrivilege | Process: C:\Users\Public\Libraries\cadlbihC.pif

Suspicious use of SetWindowsHookEx
Process: C:\Users\Public\Libraries\cadlbihC.pif (1 hit, no indicator recorded)

Suspicious use of WriteProcessMemory

Identical rows collapsed; Count is the number of rows the sandbox recorded (the Indicator column was N/A throughout).

Description | Count | Process | Target
PID 1524 wrote to memory of 2852 | 3 | C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe | C:\Windows\SysWOW64\extrac32.exe
PID 1524 wrote to memory of 3572 | 5 | C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe | C:\Users\Public\Libraries\cadlbihC.pif
PID 3572 wrote to memory of 4168 | 3 | C:\Users\Public\Libraries\cadlbihC.pif | C:\Users\Public\Libraries\cadlbihC.pif
PID 3572 wrote to memory of 4172 | 3 | C:\Users\Public\Libraries\cadlbihC.pif | C:\Users\Public\Libraries\cadlbihC.pif
PID 3572 wrote to memory of 1376 | 3 | C:\Users\Public\Libraries\cadlbihC.pif | C:\Users\Public\Libraries\cadlbihC.pif

Processes

Indentation follows the WriteProcessMemory / SetThreadContext relationships above; PIDs are taken from those tables.

C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe (PID 1524)
    "C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe"

    C:\Windows\SysWOW64\extrac32.exe (PID 2852; written to by 1524)
        C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe C:\\Users\\Public\\Libraries\\Chibldac.PIF

    C:\Users\Public\Libraries\cadlbihC.pif (PID 3572; written to and thread context set by 1524)
        C:\Users\Public\Libraries\cadlbihC.pif

        C:\Users\Public\Libraries\cadlbihC.pif (PIDs 4168, 4172 and 1376; each written to and thread context set by 3572; the report does not say which PID ran which of the three command lines)
            C:\Users\Public\Libraries\cadlbihC.pif /stext "C:\Users\Admin\AppData\Local\Temp\hfzneiqeillzpbjsctxbmpbixl"
            C:\Users\Public\Libraries\cadlbihC.pif /stext "C:\Users\Admin\AppData\Local\Temp\rhexeabgwtddahxwmwkdptwrfrjtg"
            C:\Users\Public\Libraries\cadlbihC.pif /stext "C:\Users\Admin\AppData\Local\Temp\ubkqftmzkcvqcvtadhwwagiiggtchkxq"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
BE | 2.17.196.74:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.196.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
BE | 2.17.196.74:443 | www.bing.com | tcp
US | 8.8.8.8:53 | onedrive.live.com | udp
US | 13.107.137.11:443 | onedrive.live.com | tcp
US | 13.107.137.11:443 | onedrive.live.com | tcp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | p1hpaw.by.files.1drv.com | udp
US | 13.107.42.12:443 | p1hpaw.by.files.1drv.com | tcp
US | 8.8.8.8:53 | 11.137.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 12.42.107.13.in-addr.arpa | udp
PL | 91.223.3.151:4508 | (none) | tcp
PL | 91.223.3.151:4508 | (none) | tcp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp
US | 8.8.8.8:53 | 151.3.223.91.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp

The onedrive.live.com / 1drv.com, 91.223.3.151:4508 and geoplugin.net rows match behavioral1. The bing.com / bing.net rows appear only in this run and nothing in the report ties them to the sample, so treat them as platform traffic when extracting indicators.

Files

Dropped files

C:\Users\Public\Libraries\cadlbihC.pif (same digests as in behavioral1)
MD5 c116d3604ceafe7057d77ff27552c215
SHA1 452b14432fb5758b46f2897aeccd89f7c82a727d
SHA256 7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
SHA512 9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

C:\Users\Admin\AppData\Local\Temp\hfzneiqeillzpbjsctxbmpbixl (the /stext output path of one of the three cadlbihC.pif children)
MD5 788d7419b32411807cc6753cbbccecbe
SHA1 761b99a1e5bc168f525181d78cff3f6ed82daa14
SHA256 76150e857b36f1f070422d2ad4df17f87454466348e4bfc158b028977378140b
SHA512 3003f104b0b07870015ff4e9e0d254c2e537d4c68ef664a772d7018827b0ccbeb5481a2ce587b88e6ab1d71d6ce523a620c11c00c676857d5fd5ab949fa617b4

C:\ProgramData\remcos\logs.dat (digests differ from the behavioral1 run)
MD5 f108f146496b6ed78c42a3737a6a4f50
SHA1 67ba5913d87d31f73639cc07ef0bbf9004e1c2cb
SHA256 c9294bd32ce4712fda8ec5e2ccd7279c46e8ca38fba0b8e49c9a3b1b58d8fea8
SHA512 60de58535eed0fa5cdc1e6c7f2dc6b382b1ffa2acc461712ffc1529d796e8f6d24cda3aa52ecf5c3ef4dad952330d58023aa5b85dffebeecfe2b5fe1a36f4e4f

Memory dumps (memory/<PID>-<index>-<start>-<end>-memory.dmp; the index is the order in which the dump was taken, and dumps of the same region of one PID are collapsed into one line with the indices in braces)

memory/1524-0-0x0000000002290000-0x0000000002291000-memory.dmp
memory/1524-1-0x0000000000400000-0x00000000004E8000-memory.dmp
memory/3572-{8,12,13,15,18,19,20,21,22,23,25,59,66,67,77,78,88,89,99,100}-0x0000000000400000-0x0000000001400000-memory.dmp
memory/3572-{54,57,58}-0x000000004B100000-0x000000004B119000-memory.dmp
memory/3572-{62,65,70,73,76,80,84,87,92,94,98,103,106}-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4168-{26,31,34,40,51}-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4172-{29,33,35,41}-0x0000000000400000-0x0000000000462000-memory.dmp
memory/1376-{36,39,42,43,45}-0x0000000000400000-0x0000000000424000-memory.dmp

The layout mirrors behavioral1: the injected cadlbihC.pif (3572) is dumped at 0x400000 with the same two extents, 0x1000000 and 0x82000 bytes, interleaved from dump 59 onward, and the three children carry the same three image sizes (0x78000, 0x62000, 0x24000) as 3900, 2544 and 4072 did there. Only the 0x19000-byte region moved (0x4B100000 here, 0x332E0000 in behavioral1), which is what a run-to-run varying allocation looks like.