Malware Analysis Report

2024-12-07 22:43

Sample ID 240723-fa8ezaydpq
Target 662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118
SHA256 c684c19f26ab739c326667fc6c0ad1d6288846b22da744940e7865bbde25dd00
Tags
remcos feb persistence rat
score
10/10

Analysis Overview

score
10/10

SHA256

c684c19f26ab739c326667fc6c0ad1d6288846b22da744940e7865bbde25dd00

Threat Level: Known bad

The file 662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

remcos feb persistence rat

Remcos

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-23 04:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-23 04:41

Reported

2024-07-23 05:34

Platform

win7-20240708-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe"

Signatures

Remcos

rat remcos

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{28BEFB61-48B5-11EF-A5E5-DEC97E11E4FF} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60edcff3c1dcda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e1c4d4a7885794291b78de8e6dfadfd00000000020000000000106600000001000020000000b9f867c0bb0c24e6d55b4ebce683adf27f221f17427896b8b343814e8ba0915a000000000e8000000002000020000000d68d00e85ed6ab3c0b07bd1aba36802356ab4ce06e9284d2a8137312e9b18ddb200000008221ac0752a7d77d1b477be3f6117c49d893668c5738288afd556139fb41797f40000000fa6eca1967f137682fb747a40e50102ff55655dc350233b1af2840549887e77bd54ec0a2bcffcd80b4566089e732bdbbe9d80820bb2ee77c884bc1d0de05f2aa C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2364 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe
PID 2696 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2684 wrote to memory of 2360 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
PID 2624 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
PID 2548 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe
PID 2796 wrote to memory of 2272 N/A C:\Windows\SysWOW64\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2272 wrote to memory of 1676 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2548 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe

"{path}"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe

"{path}"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2272 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2272 CREDAT:406549 /prefetch:2

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2272 CREDAT:406578 /prefetch:2

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2272 CREDAT:865300 /prefetch:2

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

Network

Country Destination Domain Proto
NO 194.5.98.202:2404 tcp
US 8.8.8.8:53 learn.microsoft.com udp
GB 95.100.246.21:443 learn.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5 ff449f6f7bc5e2d800eb30e2d2c56611
SHA1 93419ea805b9ce35a766e5c56db50d54c2d3f94b
SHA256 655787cf79040ee701963986320556a834d6345e850e03653e4852d94eb09416
SHA512 02a17064c837d36ba241fb8edf9266e33479a10eb8652b974158a3227878a801da29db1108413bb2c298a105b3c19bd20c3a3100f19444189f434706825766a6

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe

MD5 662d5ab8f03c44205c00e9f12e99105a
SHA1 df86b024cd1d3135a0056c32c5e682420b4301ad
SHA256 c684c19f26ab739c326667fc6c0ad1d6288846b22da744940e7865bbde25dd00
SHA512 abcec11083f1895767d4a880cef5c03be189f29246062eb45c54bb020e7d51cda84c192bfb285f3e751a2249e731d087eec29cf7db8acf1a485ade93fc040a9f

C:\Users\Admin\AppData\Local\Temp\Cab626D.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar62DF.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c434e0d1eb4bc20ec3656433d8ff0c35
SHA1 72f547eb955ecbf2c393d9192806dc1af4549cec
SHA256 4dfbc67eb51e0ae1441dee100aa9999781e7e11447f3b705db7ecc540d377a42
SHA512 076b6a7bdda0364b478d5f0882c4e76806af3627f9ad53bf42262e090663c51ecb85d0f432dc6e9ae19ef3e69bad71e20c06179d96725968c6057dc90448ec93

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f0447b0e083d0446389de81fe9c75223
SHA1 8bf845344ef2b90f46fa4d4893ac4601a097a3b1
SHA256 3724adc93c4b7117f718052379db5c97c4422acfdd3617a90cc3e2a333572500
SHA512 ee3007910d1202892903f54f846b652ce0b2f90245a45852ac6239b2cef90887718cdd7f092ef53d27f059dbaafc0f45d21e45512f382016d5a6acfb8cf44136

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0ab1663acfd0baa41ee06e11877e71e2
SHA1 cbbab49d62b48d19dc9c3b375457f524bccd13d8
SHA256 a102ed72b66e96ca5ee191aa622f1e2a57c274abbae861ea84428b52ef35ffe7
SHA512 8e11f995a6864c7587945157c962e0edb725d62ca98c62b2de3b8cbc82492a66ca5c78af0499dd316ebd61d72dd971b2a099a820feefe48c90f92517546a93f7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ad0d87e01ab5d72d8c925dc49c68b102
SHA1 47ea5204cd85e15287e55b915fa488dab860fab9
SHA256 557b535af434e2a20a06f1e95f35b5874108f486f17dce790267e44a34fa762a
SHA512 4832889f527796018b15f3560b90bd90c6f68110dc8794e9c6aa36027a8fc448d9df08e22c34de17afcf70fa0eb19c6a80450f79976e9dd524138cdce016012b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f5ee8230bde58b8883be7655a5dd6cab
SHA1 ef9aa0870d01956673e44a833ed6804110b6b609
SHA256 3535df9df142363c999d0e660f81481f5e7cfdcac8648683325b46b88ea69f3d
SHA512 ee8aac2a1544b2da21fd28704b9b622b7b68ad75fffe27d8b9bc91f3d90e19dd415c311ae530c29c1a0a53f58beceebf389fe7d2f8b4549679900d6bf79824fc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3fcc589f9687068e08a09e448d39edbc
SHA1 79ed4d90ad0806bceeda68f167554ecef3022b9f
SHA256 aa87f95194a1ad49d126dc719ed803f1925fec3d19ad541f4b06a1578f6aea5b
SHA512 b07990b336536eba3d28f40b80ee40bbbbe7986e45a47525283eb7ec5f110c799a00b98016533e878e62efdf56b885897471b87b77b0eaf88a4300dcfee9bdb9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3b3397d8515173fbd1fa6cca4d9da4c5
SHA1 a35fbf93879d27c0d1b018e172f24b757a866edc
SHA256 850961b7c43491c3a145ca4c0580320afcd0643cb021227b0f1189dcbe920d8b
SHA512 dfb2abb11ab38ee99c077322727284f8016560dc61a361d728e087c40f1e6a6ec8a5abda7ba998f0fc7775d98661f1aba7be53dacca46a0cc675f5c6611b41f4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

MD5 f55da450a5fb287e1e0f0dcc965756ca
SHA1 7e04de896a3e666d00e687d33ffad93be83d349e
SHA256 31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0
SHA512 19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

MD5 249c247590e12274a18e318cc65526ab
SHA1 9eef61ab2d68b7a20c688356c237f6fd42c7fb72
SHA256 f36ceb72d6a2839a43b53e02d27416b1d586756e1025bec11a7b9b3cae45c04b
SHA512 4dea66630d64bac019a08e40748e252a0d1f9c7c401fced9bef546b14f52c85b14e7bb8ed9020d0128afc3266eb8cc03d0765462e005d95a02b4cada738ce033

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0b325c3dc148472a4035d6202552de6b
SHA1 7cde61b971b9e99315ebc143e8c59b86e4090d42
SHA256 13b7a103f9ea197f624c83afb32ad0636c6a62ba697f9de8ec7178a345efa7b1
SHA512 f56908357ac6358dbfc8d06f195590a2046e28846cb0b6c609068fe6e1ffd0144b1e358aac48fe8378e1706afab860149844cb3dc0c852cb199afa8302c60963

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7b34ab27d07fdad166aaec764a6a54d4
SHA1 0927e1fc806ccf054f492d7230ed645cc179dd83
SHA256 a9fe33369054491c1a8fd1126a5faf663a49b0090c19e24e1cb1f6151639d49b
SHA512 c0e2daaac2c2dff013e53f00d43a2489df2688be733c775e6717b3000e86b7c6f7df75349069d6cd3edbc6ecb022f9b33df147165594eb015a259bbff42afd49

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-23 04:41

Reported

2024-07-23 05:33

Platform

win10v2004-20240709-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe"

Signatures

Remcos

rat remcos

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2752 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe
PID 3384 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 3284 wrote to memory of 1752 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1752 wrote to memory of 3788 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
PID 3788 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
PID 4268 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\662d5ab8f03c44205c00e9f12e99105a_JaffaCakes118.exe

"{path}"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe

"{path}"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

Network

Country  Destination         Domain                          Proto
US       8.8.8.8:53          97.17.167.52.in-addr.arpa       udp
US       8.8.8.8:53          172.210.232.199.in-addr.arpa    udp
US       8.8.8.8:53          71.159.190.20.in-addr.arpa      udp
US       8.8.8.8:53          57.169.31.20.in-addr.arpa       udp
US       8.8.8.8:53          104.219.191.52.in-addr.arpa     udp
US       8.8.8.8:53          196.249.167.52.in-addr.arpa     udp
US       8.8.8.8:53          26.165.165.52.in-addr.arpa      udp
US       8.8.8.8:53          206.23.85.13.in-addr.arpa       udp
US       8.8.8.8:53          14.227.111.52.in-addr.arpa      udp
NO       194.5.98.202:2404                                   tcp
US       8.8.8.8:53          tse1.mm.bing.net                udp
US       150.171.27.10:443   tse1.mm.bing.net                tcp
US       8.8.8.8:53          10.27.171.150.in-addr.arpa      udp

Files

C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5 ff449f6f7bc5e2d800eb30e2d2c56611
SHA1 93419ea805b9ce35a766e5c56db50d54c2d3f94b
SHA256 655787cf79040ee701963986320556a834d6345e850e03653e4852d94eb09416
SHA512 02a17064c837d36ba241fb8edf9266e33479a10eb8652b974158a3227878a801da29db1108413bb2c298a105b3c19bd20c3a3100f19444189f434706825766a6

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe

MD5 662d5ab8f03c44205c00e9f12e99105a
SHA1 df86b024cd1d3135a0056c32c5e682420b4301ad
SHA256 c684c19f26ab739c326667fc6c0ad1d6288846b22da744940e7865bbde25dd00
SHA512 abcec11083f1895767d4a880cef5c03be189f29246062eb45c54bb020e7d51cda84c192bfb285f3e751a2249e731d087eec29cf7db8acf1a485ade93fc040a9f

C:\Users\Admin\AppData\Roaming\remcos\logs.dat

MD5 e17c3d0d2a74f37e7059fe9ec92828eb
SHA1 117755fe80bdd12a1b30404cabd9d2a53697fa65
SHA256 ca6b7f1592aa05fd670629f4e18c0cdb7cc3e09f06b4abef918f917e3267928a
SHA512 2c9fc2b51f425bf58862a2be389b999992c2f7f3e3c9740d3adf0f74f199af27d0f22d297eed6e70b7b9694e6b883d615ff781ccd82a2421cbe20b0f8c0fe0dc