Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-07-2024 04:41

General

  • Target

    662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe

  • Size

    983KB

  • MD5

    662d5ab8f03c44205c00e9f12e99105a

  • SHA1

    df86b024cd1d3135a0056c32c5e682420b4301ad

  • SHA256

    c684c19f26ab739c326667fc6c0ad1d6288846b22da744940e7865bbde25dd00

  • SHA512

    abcec11083f1895767d4a880cef5c03be189f29246062eb45c54bb020e7d51cda84c192bfb285f3e751a2249e731d087eec29cf7db8acf1a485ade93fc040a9f

  • SSDEEP

    24576:Emy2FtwvxuN4HtOOpmF4zH5YOMGk6pbKneG9tK:TXFQINIOOpJzH515gQ

Malware Config

Extracted

Family

remcos

Version

3.0.2 Pro

Botnet

FEB

C2

194.5.98.202:2404

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-8W5M5B

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is closed-source remote control and surveillance software.

  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (1 IoC)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious use of SetThreadContext (8 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings (1 TTP, 35 IoCs)
  • Suspicious behavior: EnumeratesProcesses (6 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (19 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Users\Admin\AppData\Local\Temp\662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe
      "{path}"
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2684
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2360
          • C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
            C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2624
            • C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
              "{path}"
              6⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of SetThreadContext
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2548
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\SysWOW64\svchost.exe
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:2796
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
                  8⤵
                  • Modifies Internet Explorer settings
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:2272
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2272 CREDAT:275457 /prefetch:2
                    9⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of SetWindowsHookEx
                    PID:1676
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2272 CREDAT:406549 /prefetch:2
                    9⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of SetWindowsHookEx
                    PID:2336
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2272 CREDAT:406578 /prefetch:2
                    9⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of SetWindowsHookEx
                    PID:2904
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2272 CREDAT:865300 /prefetch:2
                    9⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of SetWindowsHookEx
                    PID:552
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\SysWOW64\svchost.exe
                7⤵
                PID:1956
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\SysWOW64\svchost.exe
                7⤵
                PID:1624
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\SysWOW64\svchost.exe
                7⤵
                PID:2512
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\SysWOW64\svchost.exe
                7⤵
                PID:2508
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\SysWOW64\svchost.exe
                7⤵
                PID:1644

Downloads

  • C:\Users\Admin\AppData\Local\Temp\install.vbs

    Filesize

    418B

    MD5

    ff449f6f7bc5e2d800eb30e2d2c56611

    SHA1

    93419ea805b9ce35a766e5c56db50d54c2d3f94b

    SHA256

    655787cf79040ee701963986320556a834d6345e850e03653e4852d94eb09416

    SHA512

    02a17064c837d36ba241fb8edf9266e33479a10eb8652b974158a3227878a801da29db1108413bb2c298a105b3c19bd20c3a3100f19444189f434706825766a6

  • C:\Users\Admin\AppData\Roaming\remcos\logs.dat

    Filesize

    74B

    MD5

    87993169a53f81478d99d27c80d10ec6

    SHA1

    9d604010cdf802e33f4a8c829020aae1f773aa69

    SHA256

    52386728f96280c03ec92b8312ee2c1c9d5e24954820ef388ccc7795ca45be77

    SHA512

    74f74f06c748c99adf92466bd1ad7621044655929e6caa3a6aa6bcd2b00c3d8ead94b312f0f6ef66001c9503ded1ef2a44c0d32def7b9b6b5e734e06c2e13db5

  • C:\Users\Admin\AppData\Roaming\remcos\remcos.exe

    Filesize

    983KB

    MD5

    662d5ab8f03c44205c00e9f12e99105a

    SHA1

    df86b024cd1d3135a0056c32c5e682420b4301ad

    SHA256

    c684c19f26ab739c326667fc6c0ad1d6288846b22da744940e7865bbde25dd00

    SHA512

    abcec11083f1895767d4a880cef5c03be189f29246062eb45c54bb020e7d51cda84c192bfb285f3e751a2249e731d087eec29cf7db8acf1a485ade93fc040a9f
