Malware Analysis Report

2025-04-03 14:27

Sample ID 241217-cmaspaxkey
Target 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
SHA256 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53
Tags discovery guloader remcos remotehost collection downloader rat spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53

Threat Level: Known bad

The file 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe was found to be: Known bad.

Malicious Activity Summary

discovery guloader remcos remotehost collection downloader rat spyware stealer

Guloader family

Remcos

Remcos family

Guloader,Cloudeye

Detected Nirsoft tools

NirSoft MailPassView

NirSoft WebBrowserPassView

Reads user/profile data of web browsers

Loads dropped DLL

Accesses Microsoft Outlook accounts

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-12-17 02:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted 2024-12-17 02:11
Reported 2024-12-17 02:13
Platform win7-20240729-en
Max time kernel 15s
Max time network 16s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 224

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted 2024-12-17 02:11
Reported 2024-12-17 02:13
Platform win10v2004-20241007-en
Max time kernel 97s
Max time network 139s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1172 wrote to memory of 3272 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1172 wrote to memory of 3272 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1172 wrote to memory of 3272 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3272 -ip 3272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-12-17 02:11
Reported 2024-12-17 02:13
Platform win7-20240903-en
Max time kernel 148s
Max time network 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe"

Signatures

Guloader family

guloader

Guloader,Cloudeye

downloader guloader

Remcos

rat remcos

Remcos family

remcos

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2108 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 2108 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 2108 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 2108 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 2108 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 2108 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 824 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 824 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 824 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 824 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 824 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 824 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 824 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 824 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 824 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 824 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 824 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 824 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe

"C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe"

C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe

"C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe"

C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe

C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe /stext "C:\Users\Admin\AppData\Local\Temp\yedbjfft"

C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe

C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe /stext "C:\Users\Admin\AppData\Local\Temp\jzitkxqnclu"

C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe

C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe /stext "C:\Users\Admin\AppData\Local\Temp\lbomlqboytmtxg"

Network

Country Destination Domain Proto
US 66.63.187.30:80 66.63.187.30 tcp
US 162.251.122.87:2404 tcp
US 162.251.122.87:2404 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp

Files

\Users\Admin\AppData\Local\Temp\nsjBC60.tmp\System.dll

MD5 ca332bb753b0775d5e806e236ddcec55
SHA1 f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f
SHA256 df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d
SHA512 2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

C:\Users\Admin\AppData\Local\Temp\nstBD8A.tmp

MD5 5b2357aa9ee8d93ebc8fea2a7da01fda
SHA1 3a5bb5ceeeb26ee649ce9c8fa1c47e45d8c8f00a
SHA256 f2b723416cc41c59b870a8fbbe8ecab3cd0cf2298902649a50668b1b88e6e835
SHA512 03d9cbca3d09de197530779f90b8864da4a34aa50a7dc87fdd964ac53a5a6a73f543fe5727fc2df29b9cf5b3646b1ffc60b90883148c1989fdbcee5658582fe2

C:\Users\Admin\AppData\Local\Temp\nsyBC70.tmp

MD5 5d04a35d3950677049c7a0cf17e37125
SHA1 cafdd49a953864f83d387774b39b2657a253470f
SHA256 a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266
SHA512 c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

C:\Users\Admin\AppData\Local\Temp\nsoBE08.tmp

MD5 24c65563d17054b07c6135e87a53cffd
SHA1 4765777312bf6c4c7272e61b4dbbce3202bb2d68
SHA256 e145085a50e8790798362058aa0b197b97b8ae38a54ff47ee89fd00dec4f47ce
SHA512 f6419106a5e5d864da20840817f473556140fc982e271380c3eed2a5be03c2dc68fb69ab1b2ba5698dec4ca477377e53c589f9b280faf436dd94767e5d0cb15f

C:\Users\Admin\AppData\Local\Temp\nstBD8A.tmp

MD5 33714fd37d9159cf4911fe47896b9e69
SHA1 77c9ddfb1cd8e4a9a0a9131d0d21ebac0ef57611
SHA256 8eda392d2cd028b1a3385ff7673cade57e402248db7fe7eb192e8d6b0d8f78a2
SHA512 e4abaa9b5e706647dfe0174daa5164d0464f7ee971c5ee2983e28a4d2062eda2d0d9468340ebdbe6110b33958a9b3256757c3e5557b3ef617fe76ce576b8ba0a

C:\Users\Admin\AppData\Local\Temp\nsdBE18.tmp

MD5 f15bfdebb2df02d02c8491bde1b4e9bd
SHA1 93bd46f57c3316c27cad2605ddf81d6c0bde9301
SHA256 c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043
SHA512 1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

memory/2108-577-0x0000000003DF0000-0x0000000004C79000-memory.dmp

memory/2108-578-0x0000000077AB1000-0x0000000077BB2000-memory.dmp

memory/2108-579-0x0000000077AB0000-0x0000000077C59000-memory.dmp

memory/2108-580-0x0000000003DF0000-0x0000000004C79000-memory.dmp

memory/824-581-0x0000000077AB0000-0x0000000077C59000-memory.dmp

memory/2108-582-0x0000000003DF0000-0x0000000004C79000-memory.dmp

memory/824-583-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/824-584-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1004-589-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1984-602-0x0000000000400000-0x0000000000424000-memory.dmp

memory/612-593-0x0000000000400000-0x0000000000462000-memory.dmp

memory/1984-603-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1004-592-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1004-591-0x0000000000400000-0x0000000000478000-memory.dmp

memory/612-601-0x0000000000400000-0x0000000000462000-memory.dmp

memory/612-600-0x0000000000400000-0x0000000000462000-memory.dmp

memory/1004-599-0x0000000077AB0000-0x0000000077C59000-memory.dmp

memory/1984-598-0x0000000000400000-0x0000000000424000-memory.dmp

memory/612-597-0x0000000000400000-0x0000000000462000-memory.dmp

memory/1984-596-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1984-595-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1004-594-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1004-611-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yedbjfft

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/824-618-0x0000000031F00000-0x0000000031F19000-memory.dmp

memory/824-617-0x0000000031F00000-0x0000000031F19000-memory.dmp

memory/824-614-0x0000000031F00000-0x0000000031F19000-memory.dmp

memory/612-619-0x0000000000400000-0x0000000000462000-memory.dmp

memory/824-621-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/824-624-0x0000000000480000-0x00000000014E2000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 6bc00224ba03e285df5e30c501463803
SHA1 61fda1c1cf15227e35283f3f746bb203e4d19137
SHA256 cf425e31b41a2dd76d747a216f658da4803c58b1b66205951d37e1190325d6e7
SHA512 7cce6068b336a9c95bc73b145e95983fbf32eb53a41135d6d06daf77b8eb8edf42b8de12538a8ae275fd0516818214a9b3ed52da424003aba796131d33fa1167

memory/824-627-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/824-630-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/824-633-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/824-636-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/824-639-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/824-642-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/824-645-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/824-648-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/824-651-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/824-654-0x0000000000480000-0x00000000014E2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-12-17 02:11
Reported 2024-12-17 02:13
Platform win10v2004-20241007-en
Max time kernel 149s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe"

Signatures

Guloader family

guloader

Guloader,Cloudeye

downloader guloader

Remcos

rat remcos

Remcos family

remcos

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4904 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 4904 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 4904 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 4904 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 4904 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 3588 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 3588 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 3588 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 3588 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 3588 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 3588 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 3588 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 3588 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe
PID 3588 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe

"C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe"

C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe

"C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe"

C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe

C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe /stext "C:\Users\Admin\AppData\Local\Temp\yfhkeefakebbcudbhqpr"

C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe

C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe /stext "C:\Users\Admin\AppData\Local\Temp\bzuufxqtymtgfbrfybbteew"

C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe

C:\Users\Admin\AppData\Local\Temp\1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53.exe /stext "C:\Users\Admin\AppData\Local\Temp\lbznfpavuullppojhmouprjlkt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 66.63.187.30:80 66.63.187.30 tcp
US 8.8.8.8:53 30.187.63.66.in-addr.arpa udp
US 162.251.122.87:2404 tcp
US 8.8.8.8:53 87.122.251.162.in-addr.arpa udp
US 162.251.122.87:2404 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\nsy8242.tmp

MD5 50484c19f1afdaf3841a0d821ed393d2
SHA1 c65a0fb7e74ffd2c9fc3a0f9aacb0f6a24b0a68b
SHA256 6923dd1bc0460082c5d55a831908c24a282860b7f1cd6c2b79cf1bc8857c639c
SHA512 d51a20d67571fe70bcd6c36e1382a3c342f42671c710090b75fcfc2405ce24488e03a7131eefe4751d0bd3aeaad816605ad10c8e3258d72fcf379e32416cbf3b

C:\Users\Admin\AppData\Local\Temp\nsy8242.tmp

MD5 9111ba1d1ceb4b7f775d74730aac363e
SHA1 c0af4968c775735be12419b60b257ed4359cb9b2
SHA256 0883f5bab7d5dafd9efec59b917070f5d051f50b047951d1ea87dab27fef7b91
SHA512 836c5d3941109691f2589e317e10d661978d9fc4af435bde3467159913ff9192d6eab1efe3e50e2048d06ce0c85963efe1ac056e1fd6ff1d33ac05f25beabbbf

C:\Users\Admin\AppData\Local\Temp\nsy8242.tmp

MD5 763ec4bcf1080106283ac75cc79cfdc5
SHA1 e916ad8ee0d278848350e957be6e99f8916c9f0e
SHA256 e9f76c3dcf61068c71c8748639c37793963e1929aca11eed3c2caed692bd17ff
SHA512 52273017ba7559aee2f73498b1d277517d2c163ab9eb6891a838664dd4b6ce3a576ae05116deecf502e8494522ce31209dffd2ab68462a75fb841592c83381d2

C:\Users\Admin\AppData\Local\Temp\nsy8242.tmp

MD5 2598d3e10bec5798f73f49de505a8514
SHA1 4431b20a112e277250649a917f846a6627870a60
SHA256 08643cfe1a514214ae4175809b7eadbc0bff209e07adf091e91748dccf9ca874
SHA512 83687d6fb3238184b92f04cc70e54ede282d56e34f67781db6c4dfd9529cab30ba15d9ca3059b68f9d82eb87a8d6432e80ba0779d1438c1df861b0bb30905f24

C:\Users\Admin\AppData\Local\Temp\nsy8242.tmp

MD5 16d513397f3c1f8334e8f3e4fc49828f
SHA1 4ee15afca81ca6a13af4e38240099b730d6931f0
SHA256 d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36
SHA512 4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

C:\Users\Admin\AppData\Local\Temp\nst82B0.tmp\System.dll

MD5 ca332bb753b0775d5e806e236ddcec55
SHA1 f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f
SHA256 df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d
SHA512 2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

C:\Users\Admin\AppData\Local\Temp\nsj82C1.tmp

MD5 9a53fc1d7126c5e7c81bb5c15b15537b
SHA1 e2d13e0fa37de4c98f30c728210d6afafbb2b000
SHA256 a7de06c22e4e67908840ec3f00ab8fe9e04ae94fb16a74136002afbaf607ff92
SHA512 b0bffbb8072dbdcfc68f0e632f727c08fe3ef936b2ef332c08486553ff2cef7b0bcdb400e421a117e977bb0fac17ce4706a8097e32d558a918433646b6d5f1a1

C:\Users\Admin\AppData\Local\Temp\nsj82C1.tmp

MD5 d0c16d35895f4a76cb4fa85fc11c6842
SHA1 61d36c5b3fd3f0772608359b7ed9890b0474aee0
SHA256 d6063a46a92e1a2600bb31588a58cf906711aaaa1813e593c191da5881b46a59
SHA512 3595c1578f0c1a2d47d75f2c5260bd7b85551501c94a0abf609752e04e2e9f1f9d7a19f654d803a0c65d40d4b74dfb32d31bd88a9b8813e7466b914d2b800951

C:\Users\Admin\AppData\Local\Temp\nsj82C1.tmp

MD5 34d32f9b446e46883ec3157794403748
SHA1 e797e81a28e395ea751871b21e638e43d62d0f61
SHA256 a66d886953526d5601da515e1aa53a3f8cbc829aedd557cdf4d0f9573793486e
SHA512 48b0f49ca3604f5a21cb2b850ac19771a17e0fa03cf0b3d6e616e330f136c71dcc623ac36b5b801c4fda203327290b8e3f5ec01a0ea546a87c2ae89a88b74ed1

C:\Users\Admin\AppData\Local\Temp\nsj82C1.tmp

MD5 5d04a35d3950677049c7a0cf17e37125
SHA1 cafdd49a953864f83d387774b39b2657a253470f
SHA256 a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266
SHA512 c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

C:\Users\Admin\AppData\Local\Temp\nsy831F.tmp

MD5 cc98cdbdb6e4571f9dbef3d7ef0cecb6
SHA1 0c6c945dacb7dc9269bb8659e61b6bd44e03b5f4
SHA256 fdd17f70c2c855ed3b81bf41d2dbff3a0d85a7f7b019f04c569f897188e0d3b3
SHA512 83a41e73d62f77faf633e3fc5fb4f0ee4984881dc7ed5bbfcd73be815c89a606349cb0adf5de1552cfd0ca0ff3d7bd9c2332658586e582158e53777e2fcfba4c

C:\Users\Admin\AppData\Local\Temp\nsy831F.tmp

MD5 42d0d094fb9cf401430cd1377e6128db
SHA1 48b6b6a975ecb92b8fbbd7fc6a5f9aa858d9ad51
SHA256 1bce2e52c57c18758a9de5f51c9bec29fa42ab4881d269baa78c92a6c5fe9ab1
SHA512 63ee2eefa05e5113f69c4d60e4fa56651b2aa522b8b2e7f06b4fa2761486a12aa9fbd040cd921cd9169dbbf6e4850071445093461d7e0e7507e1bddd8e14c45a

C:\Users\Admin\AppData\Local\Temp\nsy831F.tmp

MD5 33714fd37d9159cf4911fe47896b9e69
SHA1 77c9ddfb1cd8e4a9a0a9131d0d21ebac0ef57611
SHA256 8eda392d2cd028b1a3385ff7673cade57e402248db7fe7eb192e8d6b0d8f78a2
SHA512 e4abaa9b5e706647dfe0174daa5164d0464f7ee971c5ee2983e28a4d2062eda2d0d9468340ebdbe6110b33958a9b3256757c3e5557b3ef617fe76ce576b8ba0a

C:\Users\Admin\AppData\Local\Temp\nso837E.tmp

MD5 cda05fedfd1133dfc6439e441829b6ba
SHA1 e0dfbcfe83a13922d365506312212928871f9c0b
SHA256 27fad7aa07fb564d9f9e0cbaf6515fe34bb0f8647cd200fee1eaad0167523099
SHA512 1180a5fac7c9c8ce445b5966b45bda7d38bb65d2ae2b1bb096d01e09476622bb0bf745dfed3104cd7b5da766322653bb14720b3394e2cb87950191a66b94efaf

C:\Users\Admin\AppData\Local\Temp\nso837E.tmp

MD5 1a069d3d8cca839a3c2f44a0e833d67c
SHA1 2bdc93e3d3aac0914cd4d3d43210bc2b2c7f09cf
SHA256 0c09cbcf0803dc2c44739757d37fe7f33fa193d747df71db3172e68aa0ddb309
SHA512 970ed67a84e4132b0336cd8f7c07c4ab6dc56ce97993b64e4e94a80e76ee7bd4ca04349cd0113df5e04053fbfde9d27c3cb5ab61a9492d584b7febfcaddf53e2

C:\Users\Admin\AppData\Local\Temp\nso837E.tmp

MD5 bcc2d4708d4557cd6dfb4ca08164719c
SHA1 5158b5fb3bcd9238e69352fb94a039ec90eddf86
SHA256 b029fc5e9252f17e84ef53c084ba0d67a0931fa02eb9e5a13bba202a008d7553
SHA512 8f179a8895d1afe69d2ef5583eb63a1821ee94a0c30cd7c8cbb3ce40165bd1c0c5d30ea4156b81000e37c1ea71c57d34e059cd658e22056c4e06788badad54b2

C:\Users\Admin\AppData\Local\Temp\nso837E.tmp

MD5 24c65563d17054b07c6135e87a53cffd
SHA1 4765777312bf6c4c7272e61b4dbbce3202bb2d68
SHA256 e145085a50e8790798362058aa0b197b97b8ae38a54ff47ee89fd00dec4f47ce
SHA512 f6419106a5e5d864da20840817f473556140fc982e271380c3eed2a5be03c2dc68fb69ab1b2ba5698dec4ca477377e53c589f9b280faf436dd94767e5d0cb15f

C:\Users\Admin\AppData\Local\Temp\nse83DD.tmp

MD5 38f296e431f9e889c855110f746a1a1f
SHA1 a1f2212648b7d681e10a295ca270ec6ef9c7cb2a
SHA256 89870b6b02e2247d1e10942aceede7bf4adeb820bae945b77d0e2c5f5669e514
SHA512 a074bd4debd9aa11fc50c3ab1cd5b1aaf365931d790600818ea51a58bfca6ea17feb872a1a11dfd8542cd5e1798bdf171e4305e81e4a409a0253db31c84b91e9

C:\Users\Admin\AppData\Local\Temp\nse83DD.tmp

MD5 f15bfdebb2df02d02c8491bde1b4e9bd
SHA1 93bd46f57c3316c27cad2605ddf81d6c0bde9301
SHA256 c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043
SHA512 1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

C:\Users\Admin\AppData\Local\Temp\yfhkeefakebbcudbhqpr

MD5 562a58578d6d04c7fb6bda581c57c03c
SHA1 12ab2b88624d01da0c5f5d1441aa21cbc276c5f5
SHA256 ff5c70287ba432a83f9015209d6e933462edca01d68c53c09882e1e4d22241c8
SHA512 3f6e19faa0196bd4c085defa587e664abdd63c25ef30df8f4323e60a5a5aca3cd2709466f772e64ab00fe331d4264841422d6057451947f3500e9252a132254e

C:\ProgramData\remcos\logs.dat

MD5 00a5bc06b6782f43ea05b4570a73e122
SHA1 c27f90513a3bebf470bfc9bf2313dfd7ed27f220
SHA256 4265a812c897bae42aa52b3f3f1e0fafa8cffd75484f46fe0ec72d27f04b66f2
SHA512 b2b30e785d6135ee32062b0f632096316301b9293d08d8af833c1d1d78a1a75e2521278fd5e96d986ffade0b73326058069d038c44c1f0a0808d219891951c03
