Malware Analysis Report

2024-12-07 22:30

Sample ID 240404-fmxt1afh58
Target b059b572153661934aa9881a49b6dc7b_JaffaCakes118
SHA256 08120955ca4cdc89e7c6ab767ed3a302e2e07755d2fd3e792b2677003130982a
Tags
remcos remotehost rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

08120955ca4cdc89e7c6ab767ed3a302e2e07755d2fd3e792b2677003130982a

Threat Level: Known bad

The file b059b572153661934aa9881a49b6dc7b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

remcos remotehost rat

Remcos

Checks computer location settings

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-04 04:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-04 04:59

Reported

2024-04-04 05:02

Platform

win7-20240221-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b059b572153661934aa9881a49b6dc7b_JaffaCakes118.exe"

Signatures

Remcos

rat remcos

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b059b572153661934aa9881a49b6dc7b_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b059b572153661934aa9881a49b6dc7b_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2156 wrote to memory of 2436 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\b059b572153661934aa9881a49b6dc7b_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 2156 wrote to memory of 2904 (13 events) N/A C:\Users\Admin\AppData\Local\Temp\b059b572153661934aa9881a49b6dc7b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b059b572153661934aa9881a49b6dc7b_JaffaCakes118.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b059b572153661934aa9881a49b6dc7b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b059b572153661934aa9881a49b6dc7b_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JHKmcvbVuiFhA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp143C.tmp"

C:\Users\Admin\AppData\Local\Temp\b059b572153661934aa9881a49b6dc7b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b059b572153661934aa9881a49b6dc7b_JaffaCakes118.exe"
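The process tree and the WriteProcessMemory rows above carry two signals worth turning into checks: schtasks.exe creating a task from an XML file in the user's Temp directory (persistence), and the sample writing repeatedly into a second copy of itself (the unpacking/hollowing step, consistent with the SetThreadContext signature in the summary). The Python below is an added example and not part of the sandbox report or of any tool the report uses. The event records are constructed by hand from the behavioral1 rows; the ATT&CK technique IDs attached to the findings are an assumption of this example (the report's own MITRE ATT&CK section is empty). Note the image path versus command line mismatch for schtasks: a 32-bit parent launching System32\schtasks.exe is redirected to SysWOW64 by WOW64 file-system redirection, so the check keys on the image name rather than on the command line's first token.

```python
"""Added triage example, not part of the sandbox report: turns the process
tree and WriteProcessMemory rows of behavioral1 into two findings a
responder cares about. The event records below are constructed by hand to
mirror the report's rows; no real log format is parsed."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcessEvent:
    pid: int
    parent_pid: Optional[int]
    image: str
    command_line: str


@dataclass
class MemoryWrite:
    source_pid: int
    target_pid: int


# Path fragment that marks a per-user temp directory (case-insensitive on Windows).
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def _arg(cmd: str, flag: str) -> Optional[str]:
    """Return the value following a schtasks switch, quoted or bare."""
    m = re.search(rf'{re.escape(flag)}\s+(?:"([^"]*)"|(\S+))', cmd, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def scheduled_task_from_temp(ev: ProcessEvent) -> Optional[dict]:
    """Flag schtasks.exe /Create whose task definition is read from a temp file.
    The image name is matched instead of the command line's first token because
    the report shows the process at SysWOW64 while the command line still says
    System32 (WOW64 file-system redirection)."""
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return None
    if not re.search(r"/create\b", ev.command_line, re.IGNORECASE):
        return None
    xml = _arg(ev.command_line, "/XML")
    if not xml or not TEMP_DIR_RE.search(xml):
        return None
    # T1053.005 (Scheduled Task) is this example's mapping, not the report's.
    return {"pid": ev.pid, "task": _arg(ev.command_line, "/TN"),
            "xml": xml, "attack": "T1053.005"}


def self_injection(procs, writes) -> list:
    """Flag a parent that repeatedly writes into a child running the parent's
    own image: the unpacking/hollowing pattern behind the 2156 -> 2904 rows.
    Writes into other children (schtasks.exe here) are not reported."""
    by_pid = {p.pid: p for p in procs}
    counts = {}
    for w in writes:
        key = (w.source_pid, w.target_pid)
        counts[key] = counts.get(key, 0) + 1
    hits = []
    for (src_pid, dst_pid), n in counts.items():
        src, dst = by_pid.get(src_pid), by_pid.get(dst_pid)
        if src is None or dst is None:
            continue
        if dst.parent_pid == src.pid and dst.image.lower() == src.image.lower():
            # T1055.012 (Process Hollowing) is this example's mapping.
            hits.append({"source_pid": src_pid, "target_pid": dst_pid,
                         "writes": n, "image": dst.image, "attack": "T1055.012"})
    return hits


# Constructed from the behavioral1 rows above (PIDs and paths as reported).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b059b572153661934aa9881a49b6dc7b_JaffaCakes118.exe"
PROCESSES = [
    ProcessEvent(2156, None, SAMPLE, f'"{SAMPLE}"'),
    ProcessEvent(2436, 2156, r"C:\Windows\SysWOW64\schtasks.exe",
                 r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JHKmcvbVuiFhA" '
                 r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp143C.tmp"'),
    ProcessEvent(2904, 2156, SAMPLE, f'"{SAMPLE}"'),
]
WRITES = [MemoryWrite(2156, 2436)] * 4 + [MemoryWrite(2156, 2904)] * 13


def triage(procs, writes) -> dict:
    """Run both checks over a process tree and its memory-write events."""
    persistence = [f for f in (scheduled_task_from_temp(p) for p in procs) if f]
    return {"persistence": persistence, "injection": self_injection(procs, writes)}


FINDINGS = triage(PROCESSES, WRITES)

if __name__ == "__main__":
    for kind, items in FINDINGS.items():
        for item in items:
            print(kind, item)
```

On a suspect host the two findings map onto concrete artifacts that this report also records: the scheduled task named Updates\JHKmcvbVuiFhA (its XML definition in Temp is deleted after registration, so look at the task itself) and the logs.dat file Remcos writes under the user's AppData\Roaming\remcos directory, listed under Files below.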

Network

Country Destination Domain Proto
US 8.8.8.8:53 remman1.ddns.net udp
US 8.8.8.8:53 remman2.ddns.net udp
US 8.8.8.8:53 remman3.ddns.net udp
US 8.8.8.8:53 remman4.ddns.net udp
US 8.8.8.8:53 remman5.ddns.net udp
US 8.8.8.8:53 remman6.ddns.net udp

Files

memory/2156-0-0x0000000000D10000-0x0000000000DD2000-memory.dmp

memory/2156-1-0x0000000074BA0000-0x000000007528E000-memory.dmp

memory/2156-2-0x0000000004D20000-0x0000000004D60000-memory.dmp

memory/2156-3-0x0000000000520000-0x000000000052E000-memory.dmp

memory/2156-4-0x0000000074BA0000-0x000000007528E000-memory.dmp

memory/2156-5-0x0000000004D20000-0x0000000004D60000-memory.dmp

memory/2156-6-0x0000000006070000-0x000000000610C000-memory.dmp

memory/2904-12-0x0000000000400000-0x0000000000479000-memory.dmp

memory/2904-14-0x0000000000400000-0x0000000000479000-memory.dmp

memory/2904-16-0x0000000000400000-0x0000000000479000-memory.dmp

memory/2904-18-0x0000000000400000-0x0000000000479000-memory.dmp

memory/2904-26-0x0000000000400000-0x0000000000479000-memory.dmp

memory/2904-32-0x0000000000400000-0x0000000000479000-memory.dmp

memory/2904-38-0x0000000000400000-0x0000000000479000-memory.dmp

memory/2904-37-0x0000000000400000-0x0000000000479000-memory.dmp

memory/2156-35-0x0000000074BA0000-0x000000007528E000-memory.dmp

memory/2904-34-0x0000000000400000-0x0000000000479000-memory.dmp

memory/2904-33-0x0000000000400000-0x0000000000479000-memory.dmp

memory/2904-30-0x0000000000400000-0x0000000000479000-memory.dmp

memory/2904-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2904-24-0x0000000000400000-0x0000000000479000-memory.dmp

memory/2904-22-0x0000000000400000-0x0000000000479000-memory.dmp

memory/2904-20-0x0000000000400000-0x0000000000479000-memory.dmp

memory/2904-43-0x0000000000400000-0x0000000000479000-memory.dmp

C:\Users\Admin\AppData\Roaming\remcos\logs.dat

MD5 505cf4d6bd7b53e37af35a0ea4af5f4b
SHA1 1e9b49a28f83542eb9b32fce1dedd52d3b238453
SHA256 efe4d9e55fc9532fab16586695e53406b318e84a9a5c40ca3f38a0032ff440bb
SHA512 c3b1e4fb739e311e4380936fc63b272fa88b6783c0779484544648c8fd0e6146319b6d4b1bdc38de72af95391e5a3e4bc40fc7586eb856388ea9e7c27b2df39a

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-04 04:59

Reported

2024-04-04 05:02

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b059b572153661934aa9881a49b6dc7b_JaffaCakes118.exe"

Signatures

Remcos

rat remcos

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b059b572153661934aa9881a49b6dc7b_JaffaCakes118.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b059b572153661934aa9881a49b6dc7b_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b059b572153661934aa9881a49b6dc7b_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4116 wrote to memory of 2836 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\b059b572153661934aa9881a49b6dc7b_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 4116 wrote to memory of 2196 (12 events) N/A C:\Users\Admin\AppData\Local\Temp\b059b572153661934aa9881a49b6dc7b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b059b572153661934aa9881a49b6dc7b_JaffaCakes118.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b059b572153661934aa9881a49b6dc7b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b059b572153661934aa9881a49b6dc7b_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JHKmcvbVuiFhA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp16B0.tmp"

C:\Users\Admin\AppData\Local\Temp\b059b572153661934aa9881a49b6dc7b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b059b572153661934aa9881a49b6dc7b_JaffaCakes118.exe"

Network

Country Destination Domain Proto Queries
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp 1
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp 1
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp 1
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp 1
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp 1
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp 1
US 8.8.8.8:53 225.66.18.2.in-addr.arpa udp 1
US 8.8.8.8:53 remman1.ddns.net udp 21
US 8.8.8.8:53 remman2.ddns.net udp 21
US 8.8.8.8:53 remman3.ddns.net udp 21
US 8.8.8.8:53 remman4.ddns.net udp 21
US 8.8.8.8:53 remman5.ddns.net udp 20
US 8.8.8.8:53 remman6.ddns.net udp 20
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp 1
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp 1

Repeated identical queries are collapsed into the Queries column. The remman1 to remman6 names were queried in a fixed round-robin order (remman1, remman2, ..., remman6, then remman1 again) for the whole run, and the last pass ended at remman4; the two PTR lookups listed after them were interleaved with that cycle. Only DNS traffic appears in this run: there is no TCP connection row for any resolved address.
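The remman1 to remman6 queries above are the classic shape of a RAT failover list: six sequentially numbered hostnames under a dynamic-DNS zone, tried in order and retried for as long as none answers. Because the report contains only DNS rows and no TCP connection, the names evidently did not resolve during the run, so the indicator to act on is the name set, not an IP. The Python below is an added example and not part of the report: it parses rows in the report's Network format, groups numbered hostnames by stem and zone, confirms the round-robin order, and expands the group back into the concrete names to block or sinkhole. The input rows are constructed to mirror the table above, and the list of dynamic-DNS zones is an assumption of the example, not something the report states.

```python
"""Added example, not part of the report: detect a rotating numbered
hostname list (remman1..remman6.ddns.net) from DNS query rows written in
the report's 'Country Destination Domain Proto' format. Sample rows are
constructed below to mirror the report."""
import re
from collections import Counter, defaultdict

# Dynamic-DNS zones often used for RAT C2. Partial list; an assumption of
# this example rather than anything the report states.
DYNAMIC_DNS_ZONES = ("ddns.net", "no-ip.org", "hopto.org", "duckdns.org")

# Host label that ends in a decimal counter, e.g. remman3.ddns.net.
# PTR names such as 13.86.106.20.in-addr.arpa start with a digit and do not match.
NUMBERED_RE = re.compile(r"^(?P<stem>[a-z][a-z0-9-]*?)(?P<n>\d+)\.(?P<zone>[a-z0-9.-]+)$")


def parse_rows(text: str) -> list:
    """Parse 'Country Destination Domain Proto' rows into (domain, proto)."""
    rows = []
    for line in text.strip().splitlines():
        _country, _dest, domain, proto = line.split()
        rows.append((domain.lower(), proto.lower()))
    return rows


def is_round_robin(seq: list) -> bool:
    """True when successive counters step by one and wrap from max to min."""
    if len(seq) < 2:
        return False
    lo, hi = min(seq), max(seq)
    return all(b == a + 1 or (a == hi and b == lo) for a, b in zip(seq, seq[1:]))


def c2_candidates(rows, min_members=3, min_cycles=2) -> list:
    """Group numbered hostnames under one zone and report groups in which
    every member was queried at least min_cycles times (a retry loop, not a
    one-off lookup of a few numbered hosts)."""
    order = defaultdict(list)  # (stem, zone) -> counters in query order
    for domain, _proto in rows:
        m = NUMBERED_RE.match(domain)
        if m:
            order[(m["stem"], m["zone"])].append(int(m["n"]))
    out = []
    for (stem, zone), seq in order.items():
        counts = Counter(seq)
        if len(counts) < min_members or min(counts.values()) < min_cycles:
            continue
        out.append({
            "pattern": f"{stem}<N>.{zone}",
            "members": sorted(counts),
            "cycles": min(counts.values()),
            "queries": len(seq),
            "round_robin": is_round_robin(seq),
            "dynamic_dns": any(zone == z or zone.endswith("." + z) for z in DYNAMIC_DNS_ZONES),
        })
    return out


def block_list(candidates) -> list:
    """Expand each pattern back into the concrete names to block or sinkhole;
    blocking only the first name leaves the fallback names usable."""
    names = []
    for c in candidates:
        stem, zone = c["pattern"].split("<N>.")
        names += [f"{stem}{n}.{zone}" for n in c["members"]]
    return names


# Constructed sample: two of the report's PTR lookups, then three passes over
# the six remman names with one PTR lookup interleaved, as in the report.
_cycle = [f"US 8.8.8.8:53 remman{n}.ddns.net udp" for n in range(1, 7)]
SAMPLE_ROWS = "\n".join(
    ["US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp",
     "US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp"]
    + _cycle + _cycle[:4]
    + ["US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp"]
    + _cycle[4:] + _cycle
)
CANDIDATES = c2_candidates(parse_rows(SAMPLE_ROWS))

if __name__ == "__main__":
    for c in CANDIDATES:
        print(c)
    print(block_list(CANDIDATES))
```

The thresholds (three members, each queried at least twice) are tuned for a sandbox run of a couple of minutes; on production resolver logs the same grouping should be keyed per client and per time window, since the signal is one host cycling through the whole list, not the list existing.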

Files

memory/4116-0-0x0000000000F00000-0x0000000000FC2000-memory.dmp

memory/4116-1-0x0000000074DC0000-0x0000000075570000-memory.dmp

memory/4116-2-0x0000000005EC0000-0x0000000006464000-memory.dmp

memory/4116-3-0x00000000059B0000-0x0000000005A42000-memory.dmp

memory/4116-4-0x0000000005C20000-0x0000000005C30000-memory.dmp

memory/4116-5-0x0000000005990000-0x000000000599A000-memory.dmp

memory/4116-6-0x0000000006F40000-0x0000000006FDC000-memory.dmp

memory/4116-7-0x0000000006EA0000-0x0000000006EAE000-memory.dmp

memory/4116-8-0x0000000074DC0000-0x0000000075570000-memory.dmp

memory/4116-9-0x0000000005C20000-0x0000000005C30000-memory.dmp

memory/4116-10-0x000000000ABF0000-0x000000000AC8C000-memory.dmp

memory/2196-16-0x0000000000400000-0x0000000000479000-memory.dmp

memory/2196-18-0x0000000000400000-0x0000000000479000-memory.dmp

memory/2196-20-0x0000000000400000-0x0000000000479000-memory.dmp

memory/2196-24-0x0000000000400000-0x0000000000479000-memory.dmp

memory/2196-23-0x0000000000400000-0x0000000000479000-memory.dmp

memory/4116-22-0x0000000074DC0000-0x0000000075570000-memory.dmp

memory/2196-17-0x0000000000400000-0x0000000000479000-memory.dmp

memory/2196-29-0x0000000000400000-0x0000000000479000-memory.dmp

C:\Users\Admin\AppData\Roaming\remcos\logs.dat

MD5 7be6d0e68d691bbfcfb8a05919ad6f86
SHA1 8b91cb69a17a7f7914dfb2f5f8f53109dc82cf65
SHA256 0a9a215f573aaed43d4859f3b786f0020daea4a01bfd4dec6486a2737b29c0fa
SHA512 5fc3f3525818b5adbe880c39ee8fa18967d68add861cc3b160a812a91ae998de2b1af8a36f81a38fe744f6f1c9c908883e48ca368e4f8b23171fd5c342bda124