Analysis Overview
SHA256
49d61c568a1fc02a955bee79f81f4474d39a878b83072c12c0a8a1352659e1c0
Threat Level: Known bad
The file Chibldacfsxzsf.exe was found to be: Known bad.
Malicious Activity Summary
Remcos
Nirsoft
NirSoft MailPassView
NirSoft WebBrowserPassView
Executes dropped EXE
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Script User-Agent
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-10 18:17
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 18:17
Reported
2024-05-10 18:20
Platform
win10-20240404-en
Max time kernel
148s
Max time network
147s
Signatures
Remcos
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\Libraries\cadlbihC.pif | N/A |
| N/A | N/A | C:\Users\Public\Libraries\cadlbihC.pif | N/A |
| N/A | N/A | C:\Users\Public\Libraries\cadlbihC.pif | N/A |
| N/A | N/A | C:\Users\Public\Libraries\cadlbihC.pif | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Public\Libraries\cadlbihC.pif | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chibldac = "C:\\Users\\Public\\Chibldac.url" | C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3484 set thread context of 3440 | N/A | C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe | C:\Users\Public\Libraries\cadlbihC.pif |
| PID 3440 set thread context of 3900 | N/A | C:\Users\Public\Libraries\cadlbihC.pif | C:\Users\Public\Libraries\cadlbihC.pif |
| PID 3440 set thread context of 2544 | N/A | C:\Users\Public\Libraries\cadlbihC.pif | C:\Users\Public\Libraries\cadlbihC.pif |
| PID 3440 set thread context of 4072 | N/A | C:\Users\Public\Libraries\cadlbihC.pif | C:\Users\Public\Libraries\cadlbihC.pif |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\Libraries\cadlbihC.pif | N/A |
| N/A | N/A | C:\Users\Public\Libraries\cadlbihC.pif | N/A |
| N/A | N/A | C:\Users\Public\Libraries\cadlbihC.pif | N/A |
| N/A | N/A | C:\Users\Public\Libraries\cadlbihC.pif | N/A |
| N/A | N/A | C:\Users\Public\Libraries\cadlbihC.pif | N/A |
| N/A | N/A | C:\Users\Public\Libraries\cadlbihC.pif | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\Libraries\cadlbihC.pif | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\Libraries\cadlbihC.pif | N/A |
| N/A | N/A | C:\Users\Public\Libraries\cadlbihC.pif | N/A |
| N/A | N/A | C:\Users\Public\Libraries\cadlbihC.pif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\Libraries\cadlbihC.pif | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\Libraries\cadlbihC.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe
"C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe"
C:\Windows\SysWOW64\extrac32.exe
C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe C:\\Users\\Public\\Libraries\\Chibldac.PIF
C:\Users\Public\Libraries\cadlbihC.pif
C:\Users\Public\Libraries\cadlbihC.pif
C:\Users\Public\Libraries\cadlbihC.pif
C:\Users\Public\Libraries\cadlbihC.pif /stext "C:\Users\Admin\AppData\Local\Temp\rigvjimsxjdzunlblmeoaxchvbnni"
C:\Users\Public\Libraries\cadlbihC.pif
C:\Users\Public\Libraries\cadlbihC.pif /stext "C:\Users\Admin\AppData\Local\Temp\cklokbxulrvexbhfcxrqlkxqehxojcuh"
C:\Users\Public\Libraries\cadlbihC.pif
C:\Users\Public\Libraries\cadlbihC.pif /stext "C:\Users\Admin\AppData\Local\Temp\meqg"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 8.8.8.8:53 | 11.137.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | p1hpaw.by.files.1drv.com | udp |
| US | 13.107.42.12:443 | p1hpaw.by.files.1drv.com | tcp |
| US | 8.8.8.8:53 | 12.42.107.13.in-addr.arpa | udp |
| PL | 91.223.3.151:4508 | | tcp |
| PL | 91.223.3.151:4508 | | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 151.3.223.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.109.69.13.in-addr.arpa | udp |
Files
C:\Users\Public\Libraries\cadlbihC.pif
| MD5 | c116d3604ceafe7057d77ff27552c215 |
| SHA1 | 452b14432fb5758b46f2897aeccd89f7c82a727d |
| SHA256 | 7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301 |
| SHA512 | 9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6 |
C:\Users\Admin\AppData\Local\Temp\rigvjimsxjdzunlblmeoaxchvbnni
| MD5 | cb998c648b6f4ad55a89eb482aac3598 |
| SHA1 | 0965844779ba17661d18e216289ae0422777b689 |
| SHA256 | ea32319f2bc8d294d729b82a946fb2a0eedf37902a04c01efb5a75efbecdb395 |
| SHA512 | 97dedfbc8ad9b6149a8e044669efb69539ba9f738b032aa2408e759dd16b86f86d9364af2f229c2fad70c8ede6a42767c5f112a2eb7452de6334ac2b34dc4124 |
C:\ProgramData\remcos\logs.dat
| MD5 | eb8c1a99928aed30e20731b21b7877fd |
| SHA1 | 197beb7513c5716a461a18d0b5d8fd77f699f6ba |
| SHA256 | e4dc7124c508dc471cf452b017f2994cf46813ae563c97c51bd2f7d6e5bb883b |
| SHA512 | efa8034445409ab87ac3396677978298df5c3d2fd84a47e0d95d137325549020d445cbf74974170e8aea5b3d20eb79aaa209e9656fc36190a35fc9c61f9cc830 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 18:17
Reported
2024-05-10 18:20
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
146s
Signatures
Remcos
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\Libraries\cadlbihC.pif | N/A |
| N/A | N/A | C:\Users\Public\Libraries\cadlbihC.pif | N/A |
| N/A | N/A | C:\Users\Public\Libraries\cadlbihC.pif | N/A |
| N/A | N/A | C:\Users\Public\Libraries\cadlbihC.pif | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Public\Libraries\cadlbihC.pif | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chibldac = "C:\\Users\\Public\\Chibldac.url" | C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1524 set thread context of 3572 | N/A | C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe | C:\Users\Public\Libraries\cadlbihC.pif |
| PID 3572 set thread context of 4168 | N/A | C:\Users\Public\Libraries\cadlbihC.pif | C:\Users\Public\Libraries\cadlbihC.pif |
| PID 3572 set thread context of 4172 | N/A | C:\Users\Public\Libraries\cadlbihC.pif | C:\Users\Public\Libraries\cadlbihC.pif |
| PID 3572 set thread context of 1376 | N/A | C:\Users\Public\Libraries\cadlbihC.pif | C:\Users\Public\Libraries\cadlbihC.pif |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\Libraries\cadlbihC.pif | N/A |
| N/A | N/A | C:\Users\Public\Libraries\cadlbihC.pif | N/A |
| N/A | N/A | C:\Users\Public\Libraries\cadlbihC.pif | N/A |
| N/A | N/A | C:\Users\Public\Libraries\cadlbihC.pif | N/A |
| N/A | N/A | C:\Users\Public\Libraries\cadlbihC.pif | N/A |
| N/A | N/A | C:\Users\Public\Libraries\cadlbihC.pif | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\Libraries\cadlbihC.pif | N/A |
| N/A | N/A | C:\Users\Public\Libraries\cadlbihC.pif | N/A |
| N/A | N/A | C:\Users\Public\Libraries\cadlbihC.pif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\Libraries\cadlbihC.pif | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\Libraries\cadlbihC.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe
"C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe"
C:\Windows\SysWOW64\extrac32.exe
C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\Chibldacfsxzsf.exe C:\\Users\\Public\\Libraries\\Chibldac.PIF
C:\Users\Public\Libraries\cadlbihC.pif
C:\Users\Public\Libraries\cadlbihC.pif
C:\Users\Public\Libraries\cadlbihC.pif
C:\Users\Public\Libraries\cadlbihC.pif /stext "C:\Users\Admin\AppData\Local\Temp\hfzneiqeillzpbjsctxbmpbixl"
C:\Users\Public\Libraries\cadlbihC.pif
C:\Users\Public\Libraries\cadlbihC.pif /stext "C:\Users\Admin\AppData\Local\Temp\rhexeabgwtddahxwmwkdptwrfrjtg"
C:\Users\Public\Libraries\cadlbihC.pif
C:\Users\Public\Libraries\cadlbihC.pif /stext "C:\Users\Admin\AppData\Local\Temp\ubkqftmzkcvqcvtadhwwagiiggtchkxq"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 2.17.196.74:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| BE | 2.17.196.74:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | p1hpaw.by.files.1drv.com | udp |
| US | 13.107.42.12:443 | p1hpaw.by.files.1drv.com | tcp |
| US | 8.8.8.8:53 | 11.137.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.42.107.13.in-addr.arpa | udp |
| PL | 91.223.3.151:4508 | | tcp |
| PL | 91.223.3.151:4508 | | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 151.3.223.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
C:\Users\Public\Libraries\cadlbihC.pif
| MD5 | c116d3604ceafe7057d77ff27552c215 |
| SHA1 | 452b14432fb5758b46f2897aeccd89f7c82a727d |
| SHA256 | 7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301 |
| SHA512 | 9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6 |
C:\Users\Admin\AppData\Local\Temp\hfzneiqeillzpbjsctxbmpbixl
| MD5 | 788d7419b32411807cc6753cbbccecbe |
| SHA1 | 761b99a1e5bc168f525181d78cff3f6ed82daa14 |
| SHA256 | 76150e857b36f1f070422d2ad4df17f87454466348e4bfc158b028977378140b |
| SHA512 | 3003f104b0b07870015ff4e9e0d254c2e537d4c68ef664a772d7018827b0ccbeb5481a2ce587b88e6ab1d71d6ce523a620c11c00c676857d5fd5ab949fa617b4 |
C:\ProgramData\remcos\logs.dat
| MD5 | f108f146496b6ed78c42a3737a6a4f50 |
| SHA1 | 67ba5913d87d31f73639cc07ef0bbf9004e1c2cb |
| SHA256 | c9294bd32ce4712fda8ec5e2ccd7279c46e8ca38fba0b8e49c9a3b1b58d8fea8 |
| SHA512 | 60de58535eed0fa5cdc1e6c7f2dc6b382b1ffa2acc461712ffc1529d796e8f6d24cda3aa52ecf5c3ef4dad952330d58023aa5b85dffebeecfe2b5fe1a36f4e4f |