remcos | 1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
17-09-2024 05:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e62c6746f84f89027d8924786fbe3280_JaffaCakes118.exe
Size

893KB
MD5

e62c6746f84f89027d8924786fbe3280
SHA1

1b5c55ebe31f1588d0d677e81d68bb11a48be894
SHA256

1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f
SHA512

4233989e6594ab17d20d2d9b7397552e652028ab99b081fde885067904d0e949e564a5d9131dcd5a4b2a2cc3573437047dc29d0bfb385e88b8685f203001cb99
SSDEEP

12288:qBtwEru0VeNlhjfdF+/gKzfYIPI/Lj9tjAYpGo9pIt+9Hc+S2VLgxVQFt9M6sDPE:qNolhRczxILj3AVoIF2h+Cnbs7E

Score

10^/10

remcos remotehost discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

3.1.0 Pro

Botnet

RemoteHost

berryttttiere.duckdns.org:6553

asddskfjjer.duckdns.org:6553

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-Q3VG56
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
2068	remcos.exe
1264	remcos.exe

Loads dropped DLL 1 IoCs

pid	Process
2924	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	e62c6746f84f89027d8924786fbe3280_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 10 IoCs

description	pid	Process	procid_target
PID 2084 set thread context of 2896	2084	e62c6746f84f89027d8924786fbe3280_JaffaCakes118.exe	32
PID 2068 set thread context of 1264	2068	remcos.exe	39
PID 1264 set thread context of 2500	1264	remcos.exe	40
PID 1264 set thread context of 2648	1264	remcos.exe	42
PID 1264 set thread context of 1028	1264	remcos.exe	46
PID 1264 set thread context of 2868	1264	remcos.exe	48
PID 1264 set thread context of 1260	1264	remcos.exe	50
PID 1264 set thread context of 2592	1264	remcos.exe	51
PID 1264 set thread context of 2944	1264	remcos.exe	53
PID 1264 set thread context of 1620	1264	remcos.exe	54

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e62c6746f84f89027d8924786fbe3280_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e62c6746f84f89027d8924786fbe3280_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432714256"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1DEAE5C1-74B9-11EF-9BF6-6AE4CEDF004B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb47000000000200000000001066000000010000200000007328bd2d74dc11add3a4453f6df6e7edb4c58c34868dd1828f8af45ec6b22877000000000e800000000200002000000060adf7680231ee24f771093fc8ecd87a1b3c5d205e52b0346e4e88c465685b8a900000009d526f37866be869a6d90f7ce729d23c52e6c3fe0a36f6c18aa39da82c0509d2fe64ce7d21006e222c1b2d3b2ae800d42c92e194e70d7bbf8350eb94c97e40cfacb22e8259f1c228b800783043d22f1ca32b1f483242b7df2dd8049075342ce444a7b2abf1171af9656c7d27eeb07761ebd4a572353c5b1f23f377d80c23c821e1280caed04ef32939cd7a0f9adf97e2400000008208a43e78be8c1299c06a14b91fba978c26e5afde8750496ce5baa48d1d947531edf1dfff5259c1354bc5ea5bffc454545fed491d2155c26a56b6dc3176eaf7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb47000000000200000000001066000000010000200000005c13a3258af3d21158b37f12345599113f00c5076b937a9f87ebefb08ced3d82000000000e800000000200002000000092f98602b372b16ff9e39275b32fc756312cc06e5e938fb9f109219ff0ed3e2d2000000009f9ae990397142c732196324c2c4a90fd82539cfccad60e711f3ee414c2178b40000000bc7aa14027b6a824f6b01b69c5e7952bb2c4b4942da5f196de4a25cb9b4ef6391b74dbc8db02b0c73077e662dc322d1eb0d1d5768ccdcdeaf0986188be278183	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b00303e9c508db01	iexplore.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2928	schtasks.exe
2836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2032	iexplore.exe
2032	iexplore.exe
2032	iexplore.exe
2032	iexplore.exe
2032	iexplore.exe
2032	iexplore.exe
2032	iexplore.exe
2032	iexplore.exe
2032	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2032	iexplore.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
1264	remcos.exe
2032	iexplore.exe
2032	iexplore.exe
1284	IEXPLORE.EXE
1284	IEXPLORE.EXE
1284	IEXPLORE.EXE
1284	IEXPLORE.EXE
2136	IEXPLORE.EXE
2136	IEXPLORE.EXE
2136	IEXPLORE.EXE
2136	IEXPLORE.EXE
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE
2196	IEXPLORE.EXE
2196	IEXPLORE.EXE
2196	IEXPLORE.EXE
2196	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2836	2084	e62c6746f84f89027d8924786fbe3280_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2836	2084	e62c6746f84f89027d8924786fbe3280_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2836	2084	e62c6746f84f89027d8924786fbe3280_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2836	2084	e62c6746f84f89027d8924786fbe3280_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2896	2084	e62c6746f84f89027d8924786fbe3280_JaffaCakes118.exe	32
PID 2084 wrote to memory of 2896	2084	e62c6746f84f89027d8924786fbe3280_JaffaCakes118.exe	32
PID 2084 wrote to memory of 2896	2084	e62c6746f84f89027d8924786fbe3280_JaffaCakes118.exe	32
PID 2084 wrote to memory of 2896	2084	e62c6746f84f89027d8924786fbe3280_JaffaCakes118.exe	32
PID 2084 wrote to memory of 2896	2084	e62c6746f84f89027d8924786fbe3280_JaffaCakes118.exe	32
PID 2084 wrote to memory of 2896	2084	e62c6746f84f89027d8924786fbe3280_JaffaCakes118.exe	32
PID 2084 wrote to memory of 2896	2084	e62c6746f84f89027d8924786fbe3280_JaffaCakes118.exe	32
PID 2084 wrote to memory of 2896	2084	e62c6746f84f89027d8924786fbe3280_JaffaCakes118.exe	32
PID 2084 wrote to memory of 2896	2084	e62c6746f84f89027d8924786fbe3280_JaffaCakes118.exe	32
PID 2084 wrote to memory of 2896	2084	e62c6746f84f89027d8924786fbe3280_JaffaCakes118.exe	32
PID 2084 wrote to memory of 2896	2084	e62c6746f84f89027d8924786fbe3280_JaffaCakes118.exe	32
PID 2084 wrote to memory of 2896	2084	e62c6746f84f89027d8924786fbe3280_JaffaCakes118.exe	32
PID 2084 wrote to memory of 2896	2084	e62c6746f84f89027d8924786fbe3280_JaffaCakes118.exe	32
PID 2896 wrote to memory of 2196	2896	e62c6746f84f89027d8924786fbe3280_JaffaCakes118.exe	33
PID 2896 wrote to memory of 2196	2896	e62c6746f84f89027d8924786fbe3280_JaffaCakes118.exe	33
PID 2896 wrote to memory of 2196	2896	e62c6746f84f89027d8924786fbe3280_JaffaCakes118.exe	33
PID 2896 wrote to memory of 2196	2896	e62c6746f84f89027d8924786fbe3280_JaffaCakes118.exe	33
PID 2196 wrote to memory of 2924	2196	WScript.exe	34
PID 2196 wrote to memory of 2924	2196	WScript.exe	34
PID 2196 wrote to memory of 2924	2196	WScript.exe	34
PID 2196 wrote to memory of 2924	2196	WScript.exe	34
PID 2924 wrote to memory of 2068	2924	cmd.exe	36
PID 2924 wrote to memory of 2068	2924	cmd.exe	36
PID 2924 wrote to memory of 2068	2924	cmd.exe	36
PID 2924 wrote to memory of 2068	2924	cmd.exe	36
PID 2068 wrote to memory of 2928	2068	remcos.exe	37
PID 2068 wrote to memory of 2928	2068	remcos.exe	37
PID 2068 wrote to memory of 2928	2068	remcos.exe	37
PID 2068 wrote to memory of 2928	2068	remcos.exe	37
PID 2068 wrote to memory of 1264	2068	remcos.exe	39
PID 2068 wrote to memory of 1264	2068	remcos.exe	39
PID 2068 wrote to memory of 1264	2068	remcos.exe	39
PID 2068 wrote to memory of 1264	2068	remcos.exe	39
PID 2068 wrote to memory of 1264	2068	remcos.exe	39
PID 2068 wrote to memory of 1264	2068	remcos.exe	39
PID 2068 wrote to memory of 1264	2068	remcos.exe	39
PID 2068 wrote to memory of 1264	2068	remcos.exe	39
PID 2068 wrote to memory of 1264	2068	remcos.exe	39
PID 2068 wrote to memory of 1264	2068	remcos.exe	39
PID 2068 wrote to memory of 1264	2068	remcos.exe	39
PID 2068 wrote to memory of 1264	2068	remcos.exe	39
PID 2068 wrote to memory of 1264	2068	remcos.exe	39
PID 1264 wrote to memory of 2500	1264	remcos.exe	40
PID 1264 wrote to memory of 2500	1264	remcos.exe	40
PID 1264 wrote to memory of 2500	1264	remcos.exe	40
PID 1264 wrote to memory of 2500	1264	remcos.exe	40
PID 1264 wrote to memory of 2500	1264	remcos.exe	40
PID 1264 wrote to memory of 2500	1264	remcos.exe	40
PID 1264 wrote to memory of 2500	1264	remcos.exe	40
PID 1264 wrote to memory of 2500	1264	remcos.exe	40
PID 1264 wrote to memory of 2500	1264	remcos.exe	40
PID 2500 wrote to memory of 2032	2500	svchost.exe	41
PID 2500 wrote to memory of 2032	2500	svchost.exe	41
PID 2500 wrote to memory of 2032	2500	svchost.exe	41
PID 2500 wrote to memory of 2032	2500	svchost.exe	41
PID 1264 wrote to memory of 2648	1264	remcos.exe	42
PID 1264 wrote to memory of 2648	1264	remcos.exe	42
PID 1264 wrote to memory of 2648	1264	remcos.exe	42
PID 1264 wrote to memory of 2648	1264	remcos.exe	42
PID 1264 wrote to memory of 2648	1264	remcos.exe	42

C:\Users\Admin\AppData\Local\Temp\e62c6746f84f89027d8924786fbe3280_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e62c6746f84f89027d8924786fbe3280_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wOqvUC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8A26.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2836
- C:\Users\Admin\AppData\Local\Temp\e62c6746f84f89027d8924786fbe3280_JaffaCakes118.exe
  "{path}"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2924
    - - C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2068
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wOqvUC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1842.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2928
      - C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
        
        "{path}"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
        8⤵
        Modifies Internet Explorer settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2032
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2032 CREDAT:275457 /prefetch:2
        9⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1284
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2032 CREDAT:209942 /prefetch:2
        9⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2136
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2032 CREDAT:406559 /prefetch:2
        9⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2916
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2032 CREDAT:406580 /prefetch:2
        9⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2512
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2032 CREDAT:472116 /prefetch:2
        9⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2196
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1260
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

Filesize
579B

MD5
f55da450a5fb287e1e0f0dcc965756ca

SHA1
7e04de896a3e666d00e687d33ffad93be83d349e

SHA256
31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0

SHA512
19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

Filesize
252B

MD5
529f1bf64228b3df0a33a0031c36a5c4

SHA1
282cadeb70ab6e99b8f6e49ca0a971e062a5d5e9

SHA256
5abd8a9bcbe44066f9e8af8a6e6e3a0af695e6b6ff77c13bd0f9f73a775379a2

SHA512
ed87e0bd5fb6e1a59b92d9526f13f436128cfc83c82952590e261229dc8ae10345a6e2f074af8134d42cbc38f32de21adee8e2ca522531cbc548da2910dd3885

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c3e12a3d91c46e2904ef6695d8aeb6d

SHA1
13f1c31f6f127036b3b530a678868cdb785eed44

SHA256
65fc78b24da639f1f237eb4a23be7694173e66e8012d334f76d238890e8aab79

SHA512
2e9269f701881d90c128ca6d86d1af00e2242d74c1bd8668161e3b91b2a7543eb0e2ddf3f5c2d722a225d0a836f215b173ca29115f5330bc53d2bce795a28000

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
441b96b3777777d0d065892d10ceaf32

SHA1
ad752d930f8e3af621e1ace313fb02702ee80051

SHA256
5df0c3470560ac94de49215d9055ea0529e286b78791439a37019ac491472621

SHA512
0e65155201ae1a12ef3520745aed9326139b56a1af37f694f3d8e597bd3e346e1328d1fd0259b212a8880b5d6c71c087436ad7ba25609b53d780f6dcac855e93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b6be7084c7580c109b3c1ebf539d938

SHA1
25968d36180ef675642009e62cd071b8177cb646

SHA256
2d04a928d46eebdcdf01110f51078d48b22ddd1282be8a74338f7637904227d6

SHA512
4ff3b8120194f646bd8605527fef3119c194659e08fc3308957ed67b9f162f4bf034fcb3bfedcbae0e1d8d95ead6f1aeaf4ddf32051aca219d38a43ce8598e50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7baca7bb5f08374b444f2a7cdc7c1b44

SHA1
79cea5657945c666c2cb45f5aac74916f36bae24

SHA256
279179212570d21f03ac11c008f78b8b2b92f2f965048955e02fdca6c47d441b

SHA512
3fedec35e553ceaeb061d84b8ffe9d1e76d38f18cf6d18233ad8668291be9e1b7c06f961c2c6b870b12fed0a4a5b6f5330c51f1e307b60006aac10a9108d6895

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d4d4b90d6a9292aba259f471d58479b6

SHA1
530a634a2ab5f03d66e0131c902d7679cf7990bb

SHA256
9e5629ee0493347de4593643b48fe6e4469c404b78e7dafb50302468546553ad

SHA512
35f18d2d4ebde2a657c6705c9debf1e21258314416e80ee9a5a9fb017858be5d6a9c6563222709ca144ef258844524acf0434ed755f72b6f167cd3860d0d2ae0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a5e2316eb11534dd37d9b32f0eec9ba6

SHA1
53f629940d1f1e18ccfc3fc16d5c6beba7814bd9

SHA256
e252feac3c40a115b76e279ee7da9b6be55067a273974d9f551087f04c371d06

SHA512
6d8b4456ac0510639967a7fa00c7945c685a133cbbc30f44cc73888810c33e718ca32a6ea8082ced9ba7f3b1fb2040998b0eeee9b1bf342de6cc472c49ec555e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ba6047aaf3b6e2972d129f2ca20935f

SHA1
480117b084321736a0aec7a1d92d947a895266d4

SHA256
5aae8dd362157b92e760a0c444b4083bfd5f29514692768444633c69c0d248c4

SHA512
b35f6ef326c3cf7f62bde5cff3569f97daf45ddc16f2ac5f75d0d38e50539d1af14a89009c27415c25b47cb37527504e4e7f6da919d26a128e07834e0152728c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fedb077b36f4ce95a4c007e57f19f3b1

SHA1
234f1a451058918de767fd4dd27f234dde54ecd9

SHA256
52bf7a1d2dd930463098a45d00afd7397bca5ca122ba90f0a29621737dda1110

SHA512
ab985db192520906908a72500231c9ceecbc781e4225011ee676aef65a910b110363a0c5a89a58d261442bf90a200f542623778952e142c2e64c9bbbb6de98b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0092960643c122d1bfdf57ba34e2f6e9

SHA1
5d53edaa5765cb96359f5a6373f6863a466075e3

SHA256
d509bd227acfddee288e1506f9fc2134df83d0477b6f297ea3f30fb1a89aa53a

SHA512
4cb6d608788a09d81499b2300c25c0fb0f66d17e317225e99907ea4a7e846c09c84bea8834300eeff84e9236a6d7ff2bcfc8ae898beef015d60bc0d6889d760d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00b09c15ce5e0264f1606941d7b266d3

SHA1
07691e65cccf0c6aec7ae0ce7d52606555cf02bb

SHA256
29f5b686265a0eea7c223516c874b6c7625ab5fcfbeaf0ff5ab453d3515d38b1

SHA512
bf2dcab0fef0a3b59eaa31e8f4dc90fbd5cb14e0b58a4f4defc563def9c6b8d99d97f975526bc78043cea712bbdb6abbeb9edea4fb594c5cd083274aa04dfebd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f28a6dfad1e95fdfdb70df8a4d7a30e2

SHA1
02acc5a9ceb1ad7e6adece71390f2aa7c094e9a6

SHA256
400bc599f1d3139572882c7fada5441b429d986fa4c4b6d7d6fe7118f147c1cb

SHA512
0232f358f6790c20ef608ad179b805a2c853a9585a3423370dce6c068bb1da9ba8d48f7e9bb89409ddef5efe850aa5ac47ff71b2c0999f98e4e125498adc4e04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
486b88f71cdf70b75dacfa4023cc32b9

SHA1
deb8b4ec28ac31ef76ca772e2e2651a327b82bc8

SHA256
48eb7fffab3a9b73299c3bd57c7aa7e64ff8648c92bf7c9b6226f9870ba0ce93

SHA512
ae59accc44ff328ec1e235736942c73b4f9f237eac1dd41d2a93bfb4ae0bf37fa27313a593b47691dc72c6f25cb5430f2bc06b2fec74efae4b36d83a652dd0d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
698657407b92fba40b99bb6fc5ae016b

SHA1
7e384f1bced127b4361ed09a70f3ed7bb5ea73fa

SHA256
95ea007703dda184b2727a3c8aadaff51138e028f52dd2629b13460951a10562

SHA512
ecad6ae47da7c30c532e8e17df5c9f32918e2bd2c65f13d35b8fd9ade30d5ae825a79332be6208502a474fc3b784dcb5efee4e5354283c18bed6eb8cc762dc36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
499467a83f8ca70345d630af6dcc50e2

SHA1
60e4611f5821677f257ca0ead62f1d5313c42a74

SHA256
7f94a795cdaef27234b6d5aa20bb8078ce52c92bdd294dcd52e5238889445002

SHA512
8b18d35d208e542a360fa911b76c7457e961149c946df709e1e6ea6e115fdfa960e4537552b20521ed2c20c74518724eef7dbe2f8bffda8b70593eb67bdabe2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
59a9de1d8227c8e4ee1294decf81ccb9

SHA1
dc2ac0d339b8f413d11eb22a79f8a14b06a3c7ca

SHA256
0228eb37b25f92d6547e34d4585c3876bd11e3148336c90349a86644b075e9f7

SHA512
160efcf070540913fa6ff0e4a92a3cb0eeaa7f549c063d34e96d31c64d6dbaf43b5824983da3fda0cc653e88b0b27c3692db82cdf2f3f092ab30f1f1c878d260

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
815466ba81c2972e58ac14104c75f443

SHA1
eabbaf8166c65af9f43b85b152460dfe29f20e54

SHA256
b8cd99d90ca8ab1d63719ba00ef2d40f9829cb215ed48e482d859dba1b50315c

SHA512
9adf069edfb9c4edfc51f3d70ae18ba2de40ef114449cee2dd1772e087055a9067e871cc257019555f1e1d45d88e16b0be04a39e608caa0c8add8f8817732212

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e40e1f29be88a3c5792ace3dc728fcbc

SHA1
5eafcb19c3073fc4d83c6872af8f7a93ad76b302

SHA256
def339ae722c8a1aa1112864c5c319d5002867854ee9e5074badb1e5cad1989f

SHA512
69c901381811a9914a948911a134527ffd8183d53b0f9d63f9e3324be929e448f9c2e4c9f322a55c5060f9fd0d76cc498e1e05f10656bd2d8118bd6bb906d7fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
761499af6697ead8d3a4f239c532cdae

SHA1
6c447436315e7dc82cfe3b384a60fc67674179b9

SHA256
111413f212f45e695c9960ce6872cba66b1fc9d5cfde29dcf34e3e5fc455cc8d

SHA512
af1b171309dacc75ce7b08f348f221b2c1a235824510120d138b29baf8c0402d92777af53cf5d2c1de1bf445bfb53067764a8bf604ddd26a2a365f60760ae30f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44fcb071ebf86267a4d77b469d7f6f9c

SHA1
ce5f70ec6c64f5929a469df2be44f6003e0c9352

SHA256
76d6addfa69834530a5683246f05a7b4cfa2e044546105d52401905051bb9114

SHA512
4646e958fcbac09996ff6cf3bc61d5f40b16121403c16e2946813e6c345e7e39af7625451a3c350439e2a7f13beb3be98caa36d47ccf6549b14df28370d15fdc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df37cf6a60dcf44b4160838a40afc411

SHA1
c263f3525dcb3d5b44a9f407c61c1a21e72e137b

SHA256
40218bbfa39e17bfc17ca941444aee5694f98411ee83899ac6da846d8063870b

SHA512
ae9a70cb1df85f76cbd8aeaa902768ff5262dea4dbb5c6842550c1c3ae6845bf6acde132d74fb537a977f9d599dde347d9fb4bbb34dd3132598ca2120b63d287

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
561d44c65772dc2190e990810f6a0362

SHA1
fe5d8e7c2d2967dd475769f890f4035f43a24796

SHA256
39c472afc79e4ed5c7e1564a270ef1b1c3f9fae1b5c9bc019471f26ce9d2ac1a

SHA512
ce11a70dceaef7e3098991d90f0b55823b354397308f693306ed639d02aba1d57c85bf2c7a0d9e204098519c1aa5bded4b2a04d2d7750ac123e3ab90284d38c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e3c7302756ce77ced72e3728eca0f9e

SHA1
aa52150b6c67e2de19f1d8ca804c66848b300103

SHA256
7c8cc6c40c475651f115f707cb11c5c5e0a6296bde23f88c26b46f4ee4b50aa1

SHA512
fa1f6124aa6ca2cbdd91d43c5c4399e14756bb47010c9fa07e3270b2f289b683b26f69f21d73e82916da40028ea57b13d9fd04270af6c00d93604be4d211fcb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61fb77d53d2e82cb856eab7af071c519

SHA1
69b8acaf4e27f363d1c902eb6528707b069988dc

SHA256
253f84ac5fdcc3c16755b5aced141ad9ff8565093e8c97ec3bd466308e287162

SHA512
c068589f1e817307006a5fe441a2b17743faf9c69681e4e2f8c32435f7855db4e534618a2c835e2b2e006fbf1a7ac3dc2e7fa1a7d39cea2c2ec4eddeb96a3999

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
89eb2405cbf83b242a569ba0151b7ef4

SHA1
ac8ed62e6ff302431ed940f0a072ed130410badd

SHA256
1c87ffba62b46838d6b25dbb7d1fe4cbff6c464a65b3921f155869af9f2e9aeb

SHA512
900baa56690bdfa0f513c1484ae820b33f873a2a3fce247463e9a60358f358c5c32d1d974e7983330e81b3a9650c41279df98e032fe6ab2b0deb54e0f28622a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a133eb41b2f8d8073dc9a2cdd380c70b

SHA1
b395115545ac5c184be8f87f49b5e26487cfc387

SHA256
cdefa2a7a9e08a291c18b699c474c5c8efefd90ba874f025bd617a80bcd1f747

SHA512
588a460b74f8b96c3f9b837ea3929d05e870bfa8a796a6a2c901051a07d5aa18c67ce77b0409cc8802f4e7855b65aaf5938a6c4c75d0f13b8310f1bca510109a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa2aee27506ef90b9c710b26e6cbdddb

SHA1
daf3c1f210ba81a5046900b4608a461ebfb6595a

SHA256
4e8fe27be00e2ffc6ed7a00cebd466ee23308afb8ed94ae5bfae3af1868ecebc

SHA512
3398d9f511573044c74d1d80391b5ae2abb5d93cafc2cb8aed2f18d8456408bdbfe6d4d332823d1600ec94d2c12c2330fe3be7525af7b79d514715ccbd2251ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
12afd5a19173033090ea5c098664d067

SHA1
881b019aa249a8a36534413d40fc60e572c8282f

SHA256
ae118d361ca058d55a0d030d7cebe78a6d4f55c7d3f85feb589da4aa32ef4bed

SHA512
0cd827e8d179623e5eece18687c0a8613e1f156bcaf1b779b67080dccd52b21874dfd83349f012e181f83945b96df6bd8d85c6119044e7e336c3b4492c80ef9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eacdb54f24d96989c1bbdb2ce855292e

SHA1
b0e4a6c2d3e073e94c1212dc1e577b5e342322d6

SHA256
33d75f6dcb6b45217be1433618d481c94cd3ea4e10d103b252ba9ef51d6705de

SHA512
9da64bb7dff9dc5ee74e1bd5d37e90be82b59d109c9aeb115bc89bdcdf2423688ba82b63828729f92ec374d5980d7acfa0407e284fe4fdff32175591693a871a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e2250d751b335ebca536eebd28711cd

SHA1
c365cb50a4e42b9e4fb979696f80f62cc78bea5e

SHA256
a386c9fdc6b3d36b1e97096087aaeac158b014288309dba8fc1cd0cf22206bec

SHA512
eb8a803bfdbef669f4de0b0ab0ea3492e01676dee08307d307a55872f8ae4a7976fe54cd970d2f2a2a0547066b2942bc77df1614e1a3ac5c66827d1146dea688

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac42ae9b55fe1036ca8f4630cd09963c

SHA1
669f54e901975c646fd032580a1660a8e9d1ef96

SHA256
3a9a2bd5d3c157790523f85e7df587c42bee325934ab4bddd9ba6bc79b46d1e3

SHA512
cf3c361b021bfeb784e197be135c88eecf5e8d6800d96027eefb5e5cd7bb19925deed97ca785db596537d9212c1b67ec5e21d727cdfbf85145a46270fbc8d7ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41d5b7c48b45f959eb905287ddf85917

SHA1
730385b3006c532d09e5faf824001fbff6a935f2

SHA256
1980296fbe062e7109c019d6ec1688a6168a4dd95d2bfab6dbcb269b6ba58327

SHA512
902abdac4ca3edb6b055577e866cf42f4636bb69d02ce7e963b375c959a0bfdcc71f6d4b4eb0d0ab5322e7f214f5dc9f9db3294644be75dd7b8169868e80a806

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
288246aa9ae686bbf54ac3b4660f30c9

SHA1
f985b65d71aafc8743208bd0c82d63ff86a05881

SHA256
73a207bb0923d17f98ebcde79770327fdab2128e170d38cf4b25604ed215252d

SHA512
b17305a383c79e1fa7d1581f3670fa2a482a084c6e5fafd0000848bd28e6bd2280035a64afe769dd1954c81ee357b1386f9eb2b0dbe8bfd9d8e775e30f7e06da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb721b5f8f2a3c8e7af34e32512b0b9a

SHA1
d34851a228d9415fe03bf2dba4c5a1bb99bf8f08

SHA256
3d784921cd6c320dc7eb6bd780b8c6fd588259303ae9316cec64d8bdcf65baef

SHA512
41766542c09e5a5e782e6cf08a8a6803e111a544e5befc431a3ee88e72bac256e90644aa781bdf60a055c75383964fc65d40f69c473092e0380c98bf27bf319b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ebf53c0658756c5975498cd656cc8e35

SHA1
47b6617334f93e6b1d30ec8c61386b57e2b34c50

SHA256
59d5f29c819f530890fac6f8273078cad016c4b2c1dae4015bcf88467b420b48

SHA512
16aa94b7431cb01d5f423dbf7ad092423753a19306c7d13096f2eb27af85b5e57b1ca80a3e0fbd4bc784d1fc474581dad31a3118c7ecc80c794c38bf5c812a1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc18a783bcc095dcccd481749e6b2ada

SHA1
f36bc91a9801cb5bd455fe49a6f4e5280dec6618

SHA256
57196fada6054c3f75af0161abda5e52705081111bf36776f071ec2f8997a0ed

SHA512
3c8907d47e379a734024dcc65d9dcbc02e67bbbbceb36e8ccf0d21a0df4fcc1ec4af2da0dcce33489520975b3cbdce9ace8a25568ea90b8d2a22ff7a1d3372ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c407c8a5232592de3aebeba99092518

SHA1
49ac3963fa22bffb9d60850c5a577bf28902ce13

SHA256
cf1ddb7f2258e3a7c33fff33b6a83af7353a433029518e09a359fa5c6a2b900a

SHA512
bb1a24f78e883f100c1ab795718f9e60d249edd4099502b0cbc04d2d5baeffcd49be3be514ae119690724425b3c879b52d3917208e6369ffa9702922324b23ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\39GEHZPO\ErrorPageTemplate[1]

Filesize
2KB

MD5
f4fe1cb77e758e1ba56b8a8ec20417c5

SHA1
f4eda06901edb98633a686b11d02f4925f827bf0

SHA256
8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f

SHA512
62514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\39GEHZPO\red_shield[1]

Filesize
810B

MD5
006def2acbd0d2487dffc287b27654d6

SHA1
c95647a113afc5241bdb313f911bf338b9aeffdc

SHA256
4bd9f96d6971c7d37d03d7dea4af922420bb7c6dd46446f05b8e917c33cf9e4e

SHA512
9dabf92ce2846d8d86e20550c749efbc4a1af23c2319e6ce65a00dc8cbc75ac95a2021020cab1536c3617043a8739b0495302d0ba562f48f4d3c25104b059a04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HHT5LGG0\down[1]

Filesize
748B

MD5
c4f558c4c8b56858f15c09037cd6625a

SHA1
ee497cc061d6a7a59bb66defea65f9a8145ba240

SHA256
39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781

SHA512
d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HHT5LGG0\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HHT5LGG0\invalidcert[1]

Filesize
2KB

MD5
8ce0833cca8957bda3ad7e4fe051e1dc

SHA1
e5b9df3b327f52a9ed2d3821851e9fdd05a4b558

SHA256
f18e9671426708c65f999ca0fd11492e699cb13edc84a7d863fa9f83eb2178c3

SHA512
283b4c6b1035b070b98e7676054c8d52608a1c9682dfe138c569adfecf84b6c5b04fe1630eb13041ad43a231f83bf38680198acd8d5a76a47ec77829282a99fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LPQ313RR\green_shield[1]

Filesize
810B

MD5
c6452b941907e0f0865ca7cf9e59b97d

SHA1
f9a2c03d1be04b53f2301d3d984d73bf27985081

SHA256
1ba122f4b39a33339fa9935bf656bb0b4b45cdded78afb16aafd73717d647439

SHA512
beb58c06c2c1016a7c7c8289d967eb7ffe5840417d9205a37c6d97bd51b153f4a053e661ad4145f23f56ce0aebda101932b8ed64b1cd4178d127c9e2a20a1f58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LPQ313RR\invalidcert[1]

Filesize
4KB

MD5
a5d6ba8403d720f2085365c16cebebef

SHA1
487dcb1af9d7be778032159f5c0bc0d25a1bf683

SHA256
59e53005e12d5c200ad84aeb73b4745875973877bd7a2f5f80512fe507de02b7

SHA512
6341b8af2f9695bb64bbf86e3b7bfb158471aef0c1b45e8b78f6e4b28d5cb03e7b25f4f0823b503d7e9f386d33a7435e5133117778291a3c543cafa677cdc82d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\background_gradient_red[1]

Filesize
868B

MD5
337038e78cf3c521402fc7352bdd5ea6

SHA1
017eaf48983c31ae36b5de5de4db36bf953b3136

SHA256
fbc23311fb5eb53c73a7ca6bfc93e8fa3530b07100a128b4905f8fb7cb145b61

SHA512
0928d382338f467d0374cce3ff3c392833fe13ac595943e7c5f2aee4ddb3af3447531916dd5ddc716dd17aef14493754ed4c2a1ab7fe6e13386301e36ee98a7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\red_shield_48[1]

Filesize
4KB

MD5
7c588d6bb88d85c7040c6ffef8d753ec

SHA1
7fdd217323d2dcc4a25b024eafd09ae34da3bfef

SHA256
5e2cd0990d6d3b0b2345c75b890493b12763227a8104de59c5142369a826e3e0

SHA512
0a3add1ff681d5190075c59caffde98245592b9a0f85828ab751e59fdf24403a4ef87214366d158e6b8a4c59c5bdaf563535ff5f097f86923620ea19a9b0dc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2E51.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2F01.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
418B

MD5
b92d64fe5b1d1f59df4b738262aea8df

SHA1
c8fb1981759c2d9bb2ec91b705985fba5fc7af63

SHA256
fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a

SHA512
2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8A26.tmp

Filesize
1KB

MD5
4b54acf53224aa68d6a932d659b0e246

SHA1
af6891950a7dadc703e12e461ace2b2df72753e4

SHA256
97e3dca8e934ae0a0cbad2bf3954393bfefd8d0a3bce9c8b971f45b26699da39

SHA512
e22e9d5b7730f2d398eeb35a5dd41fb8b7f771cc103dea7d1673361bd76c1417b92f2d11c289ce24cc0180fb5d8ea17948384ca9747ab0619b2d4d17c250297a

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\logs.dat

Filesize
111B

MD5
1344789295da14e9ae1ff55f74ce237f

SHA1
28b10be6812cf332ae87cae3d8ca64e39209f679

SHA256
b218e4a79fcf8a1b43f457daddc2deb6f0d4a276236e0be75545ad9b2e9c2530

SHA512
42cc720d0098352e7dcd2c626dc7323973ad81e9e87575ffe352f73943a867dac1ad00a03f6de5b22ff27be6ae2132fb538226b1c49a892431dbd029d5eb3a54

Download Submit
\Users\Admin\AppData\Roaming\Remcos\remcos.exe

Filesize
893KB

MD5
e62c6746f84f89027d8924786fbe3280

SHA1
1b5c55ebe31f1588d0d677e81d68bb11a48be894

SHA256
1dacdded73c4cf1270303e47ce3f12a5acdf7881eea7487231115e2be20aea5f

SHA512
4233989e6594ab17d20d2d9b7397552e652028ab99b081fde885067904d0e949e564a5d9131dcd5a4b2a2cc3573437047dc29d0bfb385e88b8685f203001cb99

Download Submit
memory/1264-65-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1264-66-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1264-69-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1264-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2068-42-0x0000000000F30000-0x0000000001016000-memory.dmp

Filesize
920KB

Download
memory/2068-43-0x0000000000530000-0x0000000000542000-memory.dmp

Filesize
72KB

Download
memory/2084-33-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/2084-3-0x0000000000580000-0x0000000000592000-memory.dmp

Filesize
72KB

Download
memory/2084-6-0x0000000005D60000-0x0000000005E30000-memory.dmp

Filesize
832KB

Download
memory/2084-4-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

Filesize
4KB

Download
memory/2084-2-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/2084-5-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/2084-0-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

Filesize
4KB

Download
memory/2084-1-0x00000000008E0000-0x00000000009C6000-memory.dmp

Filesize
920KB

Download
memory/2500-80-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2500-72-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2500-76-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2500-81-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2500-74-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2500-78-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2500-83-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2500-82-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2896-28-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2896-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2896-20-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2896-10-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2896-23-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2896-34-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2896-24-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2896-30-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2896-38-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2896-14-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2896-16-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2896-12-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2896-18-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download