njrat | 13bef39270529e1df4aa7e4e9847921b142c24e2cba831e59ff3b7129dcf9755

Analysis

max time kernel
218s
max time network
219s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
06-10-2024 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Latest Remcos + Crypter.zip
Size

31.9MB
MD5

0bda1e6247a58f3eca5eed3d111ffa88
SHA1

03102f5ebf71d2db33f5a869142ebce9b8f6ecf8
SHA256

13bef39270529e1df4aa7e4e9847921b142c24e2cba831e59ff3b7129dcf9755
SHA512

b475188892d952324416e33604eb0f57457075e74aeeb4975fa4275ca2a72a846cca604529fe053a02b0b04156c0cd3c862caaf4da35fd754ea5b09108951ece
SSDEEP

786432:0kr3y08vKrqKC+jvQWCvbTzR2xEVANyEWQD93MV:0wClGC+MWAbTcSA8EWQR3W

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan vmprotect

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

dllsys.duckdns.org:3202

Mutex

3b570ffeeb3d34249b9a5ce0ee58a328

Attributes

reg_key
3b570ffeeb3d34249b9a5ce0ee58a328
splitter
svchost

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4192	netsh.exe

Executes dropped EXE 6 IoCs

pid	Process
1636	Remcos 2022.exe
1468	Remcos Professional Cracked By Alcatraz3222.exe
1924	taskhost.exe
4668	Remcos Loader.exe
1620	remcos.exe
10112	Acordx.exe

Loads dropped DLL 3 IoCs

pid	Process
1620	remcos.exe
10112	Acordx.exe
10112	Acordx.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000100000002ab17-111.dat	vmprotect
behavioral1/memory/4668-121-0x00000000007A0000-0x0000000000B41000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 36 IoCs

pid	Process
1468	Remcos Professional Cracked By Alcatraz3222.exe
4668	Remcos Loader.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1636 set thread context of 1924	1636	Remcos 2022.exe	94
PID 1620 set thread context of 0	1620	remcos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Remcos Professional Cracked By Alcatraz3222.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Remcos 2022.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Remcos Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acordx.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0	Acordx.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Acordx.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Acordx.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).right = "1737"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Acordx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Documents"	Acordx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Acordx.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	Acordx.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	Acordx.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Acordx.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).left = "937"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).bottom = "692"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\SniffedFolderType = "Generic"	Acordx.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Acordx.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Acordx.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Acordx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Acordx.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Acordx.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\1\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings	Acordx.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Acordx.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202	Acordx.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Acordx.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = 00000000ffffffff	Acordx.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).x = "4294967295"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Acordx.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0 = 6e003100000000006555d66210004352595054457e310000560009000400efbe46599c1a46599c1a2e00000011ab0200000001000000000000000000000000000000000000004300720079007000740065007200200046006f0072002000520065006d0063006f007300000018000000	Acordx.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0	Acordx.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10	Acordx.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).y = "4294967295"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).left = "444"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000000000001000000ffffffff	Acordx.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	Acordx.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\NodeSlot = "10"	Acordx.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Acordx.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).top = "92"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\MRUListEx = ffffffff	Acordx.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Acordx.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Acordx.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).x = "4294967295"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).top = "90"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\2\MRUListEx = ffffffff	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1636	Remcos 2022.exe
1468	Remcos Professional Cracked By Alcatraz3222.exe
1468	Remcos Professional Cracked By Alcatraz3222.exe
1468	Remcos Professional Cracked By Alcatraz3222.exe
1468	Remcos Professional Cracked By Alcatraz3222.exe
1636	Remcos 2022.exe
1636	Remcos 2022.exe
1636	Remcos 2022.exe
4668	Remcos Loader.exe
4668	Remcos Loader.exe
4668	Remcos Loader.exe
4668	Remcos Loader.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1620	remcos.exe
1924	taskhost.exe
1924	taskhost.exe
1924	taskhost.exe
1924	taskhost.exe
1924	taskhost.exe
1924	taskhost.exe
1924	taskhost.exe
1924	taskhost.exe
1924	taskhost.exe
1924	taskhost.exe
1924	taskhost.exe
1924	taskhost.exe
1924	taskhost.exe
1924	taskhost.exe
1924	taskhost.exe
1924	taskhost.exe
1924	taskhost.exe
1924	taskhost.exe
1924	taskhost.exe
1924	taskhost.exe
1924	taskhost.exe
1924	taskhost.exe
1924	taskhost.exe
1924	taskhost.exe
1924	taskhost.exe
1924	taskhost.exe
1924	taskhost.exe
1924	taskhost.exe
1924	taskhost.exe
1924	taskhost.exe
1924	taskhost.exe
1924	taskhost.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
4948	7zFM.exe
1468	Remcos Professional Cracked By Alcatraz3222.exe
1620	remcos.exe
3156	Explorer.EXE
1924	taskhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4948	7zFM.exe
Token: 35	4948	7zFM.exe
Token: SeSecurityPrivilege	4948	7zFM.exe
Token: SeDebugPrivilege	1636	Remcos 2022.exe
Token: SeDebugPrivilege	1924	taskhost.exe
Token: 33	1924	taskhost.exe
Token: SeIncBasePriorityPrivilege	1924	taskhost.exe
Token: 33	1924	taskhost.exe
Token: SeIncBasePriorityPrivilege	1924	taskhost.exe
Token: SeDebugPrivilege	1620	remcos.exe
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: 33	1924	taskhost.exe
Token: SeIncBasePriorityPrivilege	1924	taskhost.exe
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: 33	1924	taskhost.exe
Token: SeIncBasePriorityPrivilege	1924	taskhost.exe
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: 33	1924	taskhost.exe
Token: SeIncBasePriorityPrivilege	1924	taskhost.exe
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: 33	1924	taskhost.exe
Token: SeIncBasePriorityPrivilege	1924	taskhost.exe
Token: 33	1924	taskhost.exe
Token: SeIncBasePriorityPrivilege	1924	taskhost.exe
Token: 33	1924	taskhost.exe
Token: SeIncBasePriorityPrivilege	1924	taskhost.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4948	7zFM.exe
4948	7zFM.exe
1468	Remcos Professional Cracked By Alcatraz3222.exe
1468	Remcos Professional Cracked By Alcatraz3222.exe
1620	remcos.exe
1620	remcos.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1468	Remcos Professional Cracked By Alcatraz3222.exe
1468	Remcos Professional Cracked By Alcatraz3222.exe
1620	remcos.exe
1620	remcos.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1468	Remcos Professional Cracked By Alcatraz3222.exe
1620	remcos.exe
3156	Explorer.EXE
10112	Acordx.exe
10112	Acordx.exe
10112	Acordx.exe
10112	Acordx.exe
10112	Acordx.exe
10112	Acordx.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 1468	1636	Remcos 2022.exe	86
PID 1636 wrote to memory of 1468	1636	Remcos 2022.exe	86
PID 1636 wrote to memory of 1468	1636	Remcos 2022.exe	86
PID 1636 wrote to memory of 1960	1636	Remcos 2022.exe	87
PID 1636 wrote to memory of 1960	1636	Remcos 2022.exe	87
PID 1636 wrote to memory of 1960	1636	Remcos 2022.exe	87
PID 1636 wrote to memory of 968	1636	Remcos 2022.exe	89
PID 1636 wrote to memory of 968	1636	Remcos 2022.exe	89
PID 1636 wrote to memory of 968	1636	Remcos 2022.exe	89
PID 968 wrote to memory of 3180	968	cmd.exe	91
PID 968 wrote to memory of 3180	968	cmd.exe	91
PID 968 wrote to memory of 3180	968	cmd.exe	91
PID 1636 wrote to memory of 1008	1636	Remcos 2022.exe	92
PID 1636 wrote to memory of 1008	1636	Remcos 2022.exe	92
PID 1636 wrote to memory of 1008	1636	Remcos 2022.exe	92
PID 1636 wrote to memory of 1924	1636	Remcos 2022.exe	94
PID 1636 wrote to memory of 1924	1636	Remcos 2022.exe	94
PID 1636 wrote to memory of 1924	1636	Remcos 2022.exe	94
PID 1636 wrote to memory of 1924	1636	Remcos 2022.exe	94
PID 1636 wrote to memory of 1924	1636	Remcos 2022.exe	94
PID 1636 wrote to memory of 1924	1636	Remcos 2022.exe	94
PID 1636 wrote to memory of 1924	1636	Remcos 2022.exe	94
PID 1636 wrote to memory of 1924	1636	Remcos 2022.exe	94
PID 1924 wrote to memory of 4192	1924	taskhost.exe	95
PID 1924 wrote to memory of 4192	1924	taskhost.exe	95
PID 1924 wrote to memory of 4192	1924	taskhost.exe	95
PID 4668 wrote to memory of 1620	4668	Remcos Loader.exe	99
PID 4668 wrote to memory of 1620	4668	Remcos Loader.exe	99
PID 4668 wrote to memory of 1620	4668	Remcos Loader.exe	99
PID 4668 wrote to memory of 1620	4668	Remcos Loader.exe	99
PID 1620 wrote to memory of 3156	1620	remcos.exe	52
PID 1620 wrote to memory of 3156	1620	remcos.exe	52
PID 1620 wrote to memory of 3156	1620	remcos.exe	52
PID 3156 wrote to memory of 10112	3156	Explorer.EXE	102
PID 3156 wrote to memory of 10112	3156	Explorer.EXE	102
PID 3156 wrote to memory of 10112	3156	Explorer.EXE	102
PID 10112 wrote to memory of 5640	10112	Acordx.exe	103
PID 10112 wrote to memory of 5640	10112	Acordx.exe	103
PID 10112 wrote to memory of 5640	10112	Acordx.exe	103
PID 10112 wrote to memory of 14420	10112	Acordx.exe	105
PID 10112 wrote to memory of 14420	10112	Acordx.exe	105
PID 10112 wrote to memory of 14420	10112	Acordx.exe	105
PID 10112 wrote to memory of 14560	10112	Acordx.exe	107
PID 10112 wrote to memory of 14560	10112	Acordx.exe	107
PID 10112 wrote to memory of 14560	10112	Acordx.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Windows\Explorer.exe
  C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Latest Remcos + Crypter.zip"
  2⤵
  PID:5084
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Latest Remcos + Crypter.zip"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4948
- C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe
  "C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe
    "C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1468
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/Desktop/Latest Remcos + Crypter/Remcos 2022 Edition/Remcos 2022.exe" "%temp%\Profile Remcos\Update_Lock_Remcos.exe" /Y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1960
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:968
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3180
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\Profile Remcos\Update_Lock_Remcos.exe:Zone.Identifier
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1008
- - C:\Users\Admin\AppData\Local\Temp\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\taskhost.exe" "taskhost.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:4192
- C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\Remcos Loader.exe
  "C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\Remcos Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4668
- - C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\remcos.exe
    "C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\remcos.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1620
- C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe
  "C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:10112
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rotjreyv\rotjreyv.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5640
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rips0cdv\rips0cdv.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:14420
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xetcrbm5\xetcrbm5.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:14560

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe

Filesize
17.4MB

MD5
c3c21fa4c2186deb641455482ab0d3aa

SHA1
2f4b49e8383e073ccb965943ce970de403412567

SHA256
4ea203509d0fdff3e31f976413c546ca3d36133bc708e9a1301860961cc3a8d9

SHA512
31db2963f1bd49f7b4a6ee38e54940d20120d6c05ef7bf34ec97eb93051bee6d5428e9e1271e4ae8f5544b824188ac7278315e2e2c27be302a312eebbf8c3fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskhost.exe

Filesize
256KB

MD5
d10a3cfcc08aae3a7234498f213cf89e

SHA1
ccae4469a3a05fcb6e7af33019ca5357e5406dda

SHA256
0da56bd07a486818b7735761001cc1d3ca5af645f369a3c206bcb6719fefff06

SHA512
90a4a68b45113360d732ccac7698c74aa550c05d9883d287b808982800fce1a24abf69cf06b0f017babd647cafd3ca10aa894c59e6dab8ba1ff34c639bdf6427

Download Submit
C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe

Filesize
1.2MB

MD5
7a9202505d38a8230c163d700327cd6a

SHA1
4e91c173f2d30519c9de67022cc1f066b4c343a9

SHA256
a8eabc62975c12e675af49535fa43e574048b05fded046c327ad2e7642b8f9b5

SHA512
6d1da1101d157b4f453741a191af293c86c738c2c9aa9e4ac3f30e9983d24a668db3df1d65c16315093e7c88ab67da425db0de3957b08f88c39aed67886d80dc

Download Submit
C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Guna.UI.dll

Filesize
1.1MB

MD5
8673eae95d67e5eb19f0eca3111408e8

SHA1
ad3e1ce93782537ffd3cd9e0bb9d30ae22d40ddb

SHA256
576d2de2c9ef5bc1ea9bdd73ae8f408004260037c3b72227eed27e995166276d

SHA512
65c4eadf448a643f45fa9a0d91497bb25af404c41a3a32686d9e99ba4f4e50783d73f5b13d5df505cc62c465be300746d84a2eaa8000531893cd0b19d6436239

Download Submit
C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\stub.exe

Filesize
1.3MB

MD5
da1e93a422532cd049b5196506e1e781

SHA1
77cb395da3ea4aa00e47b2ee7a5c909c13e2830e

SHA256
0bb714a4138668fe4b729cfec8b412e64eeff3565e84395c04eeba513350a10a

SHA512
b660e2cf34271b203f4c3871887c1c913770a15596c17de121752930ff49727f36b3012d7fe1655099117d5f20e5bb0c82d7bae8f705c8fd8fea79d38930a4aa

Download Submit
C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\REMCOSAuthHooks.dll

Filesize
1.2MB

MD5
a329f92ad3b9311af3130dbde81155ce

SHA1
36f3ae74eb18049e37868f1e42b7e66a294d9494

SHA256
d695a2ee6fcae64f4d8c4387a0a4c4aae05d08ce44a52598984673b890d02f27

SHA512
a82f51c112c610e90252d41d108f178e1f8fb6ee98f391e354d871966e9a61637b063fdb1e5934f1af70f055effebc4325151aa256137c63a40b70affd850438

Download Submit
C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\Remcos Loader.exe

Filesize
1.8MB

MD5
75792b5b38edd028d13eef62c0d828e6

SHA1
9a84ec696d0bd14d1ceb16fd68d48bab9a42351e

SHA256
b7f82678830c34db745a16d5551386f15ff28fda563f10c6903f6471a58e243e

SHA512
2665982e2e7ccf1d86d523aafa66aa9c48e4c17377f59bcd77472bc9cde2bcb9b85fccd54eff79aeae33ef9683bc05d0fb2d9e2f01759bd3e51c8875ebef4c21

Download Submit
C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\Remcos_Settings.ini

Filesize
32B

MD5
902927c48d191e30067d84a53158e2ba

SHA1
95dd6d3508790b98d1a576f0b2057bdcc2099247

SHA256
b408602c7d2107d819b18d47cbc196a307ab6435bbc819173f300e76573e616c

SHA512
328af5e697278b2c8150534162c330b11e9cc3024ee676cf9321a248701d99322cc1341694904d0ca5c6898e74e39419cd36765499d6992934075b08276c8eeb

Download Submit
C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\Remcos_Settings.ini

Filesize
641B

MD5
c801886614e4e29c7bd67e8cbaece748

SHA1
44736122b5a44f0618a6d7db742dd1b493e9a4f4

SHA256
f5d7be50ad347e304379192adf41c88b6b96321d0a65c76efb1cd09e076195d2

SHA512
b6713656340d55a3c821f8b11d4395cf18d3d6d1a6189c22068b0ffd137d3d7437f96655218269619b424f466f4a4f38c715d892356f673bb68031bb996cbf33

Download Submit
C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\remcos.exe

Filesize
9.9MB

MD5
ed1e424ea6f625968a334377e8ac629f

SHA1
ad00cc58a59a3d5b78d6603a1d09378e5dbd1647

SHA256
1e5375b400f68c422804703390489b2cf3968c2a8bccb0b5b3c55fe1d2e3c991

SHA512
5119b6ac8c1becda5b59a4802fc96828d338ba2d2767e5521bc226bf04b6637c1925b0cc1b0cf560540b1399730f695c55de23665e59d0683eb07d32939b8094

Download Submit
C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe

Filesize
17.7MB

MD5
efc159c7cf75545997f8c6af52d3e802

SHA1
b85bd368c91a13db1c5de2326deb25ad666c24c1

SHA256
898ac001d0f6c52c1001c640d9860287fdf30a648d580e9f5dd15e2ef84ab18e

SHA512
d06a432233dceb731defd53238971699fef201d0f9144ee50e5dd7d6620dfdd6c298d52618bf2c9feb0519574f4565fb0177b00fd8292768fbd8b85dd11e650d

Download Submit
C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos_Settings.ini

Filesize
881B

MD5
a3468935e33e361cf94f4721ed4cb66d

SHA1
c3b19ca8382534b2179940cabede8c6c952a9c06

SHA256
b374af58c24b6085f64f979dab434643da39d0267a27975f396473327dc98c7d

SHA512
c1caa0b9637a46187d54b2952db204182fad5a5324574949ce4db13bdb17624ccd8b3228eb9b2bcfe5851add2c5d2f586945e7264b1d1cd02d91acf1fd81583a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rips0cdv\rips0cdv.cmdline

Filesize
471B

MD5
fc0123957188c6972c62b61c80eda2f6

SHA1
96d1c9b15d958c38570ce3e340b6c9b69ef66dfb

SHA256
2617e733239a36a217fde169018c0cf95c6716d05ef275dff5d4c16020aa3911

SHA512
66493ed3ecf52a6a540ecf4728a9142b5065f0dd577ef143645e7c361f6057d6557d69a39fc5f1251cd9b7fd33f9271f9c0a8e137efd0422b86ddd5502f90450

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rotjreyv\rotjreyv.0.cs

Filesize
970B

MD5
47bd5edc806dc3a829350339432b864d

SHA1
f8077c241387230b90b88d49433a14eccbc0d972

SHA256
a69e0e1f5a2b3111c1441a634ecb938f463a1b4d619fdccd72867bbf75bcac8f

SHA512
4858407777df696b69f51c7bc52be8bbee3f56f14a0cc24483b4eccf09162db4de17949f4ca7ca65a9083d953bb8189ab78e2ba16e9e9f4537172e74347860d5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rotjreyv\rotjreyv.cmdline

Filesize
471B

MD5
3ef838fbce89107c5560ad62a536a638

SHA1
2c1df780433aed2ddb259162ac69030b4d95aa21

SHA256
ce63fa5e58ae9dd39a0e72aa553d5666b5c796851bd66a073a3d3d8637884bac

SHA512
5c3e966cb601c3b87388a1ac11a0f4347e676dde770ad5a92c0a3ef6311862b42b33d6032e39676cd640e8c62b562c586111e70b760af453cb22220a53f1ab8a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xetcrbm5\xetcrbm5.cmdline

Filesize
471B

MD5
f1e012579bd2df17f56f1278d42e9bee

SHA1
8954f29ed81cabaaa0c58bbf5fa3e8816759f9d9

SHA256
68db0a534ed43bc3f94b9c30379d39da39acdbc5ac2f441f79638bc0f8c5cbb9

SHA512
c037ff274e613c35ddb5cda9b647e268fee07fd683507f3e7d4998742f3e86672893562c99fd9da31731b97afee1065588ac135b49e6bcdeb34d488b5d9c5c2f

Download Submit
memory/1468-40-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/1468-44-0x0000000000400000-0x0000000002991000-memory.dmp

Filesize
37.6MB

Download
memory/1468-36-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/1468-37-0x0000000003070000-0x0000000003071000-memory.dmp

Filesize
4KB

Download
memory/1468-38-0x0000000003080000-0x0000000003081000-memory.dmp

Filesize
4KB

Download
memory/1468-42-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/1468-43-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/1468-39-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/1468-41-0x00000000030D0000-0x00000000030D1000-memory.dmp

Filesize
4KB

Download
memory/1620-13570-0x0000000070C70000-0x0000000070DB0000-memory.dmp

Filesize
1.2MB

Download
memory/1620-13523-0x0000000001B40000-0x0000000001B41000-memory.dmp

Filesize
4KB

Download
memory/1620-13529-0x0000000070C70000-0x0000000070DB0000-memory.dmp

Filesize
1.2MB

Download
memory/1620-13610-0x0000000070C70000-0x0000000070DB0000-memory.dmp

Filesize
1.2MB

Download
memory/1620-13611-0x00000000073B0000-0x00000000073BA000-memory.dmp

Filesize
40KB

Download
memory/1620-13525-0x0000000000400000-0x0000000001ABE000-memory.dmp

Filesize
22.7MB

Download
memory/1620-13517-0x0000000001AC0000-0x0000000001AC1000-memory.dmp

Filesize
4KB

Download
memory/1620-129-0x0000000070C70000-0x0000000070DB0000-memory.dmp

Filesize
1.2MB

Download
memory/1620-130-0x0000000075380000-0x00000000755D2000-memory.dmp

Filesize
2.3MB

Download
memory/1620-4068-0x00000000758B0000-0x0000000075A5C000-memory.dmp

Filesize
1.7MB

Download
memory/1620-6285-0x0000000075D30000-0x0000000075DAC000-memory.dmp

Filesize
496KB

Download
memory/1620-13518-0x0000000001AD0000-0x0000000001AD1000-memory.dmp

Filesize
4KB

Download
memory/1620-13524-0x0000000001B50000-0x0000000001B51000-memory.dmp

Filesize
4KB

Download
memory/1620-13571-0x00000000073B0000-0x00000000073BA000-memory.dmp

Filesize
40KB

Download
memory/1620-13522-0x0000000001B30000-0x0000000001B31000-memory.dmp

Filesize
4KB

Download
memory/1620-13521-0x0000000001B20000-0x0000000001B21000-memory.dmp

Filesize
4KB

Download
memory/1620-13520-0x0000000001B10000-0x0000000001B11000-memory.dmp

Filesize
4KB

Download
memory/1620-13519-0x0000000001AE0000-0x0000000001AE1000-memory.dmp

Filesize
4KB

Download
memory/1636-24-0x000000000D4B0000-0x000000000E632000-memory.dmp

Filesize
17.5MB

Download
memory/1636-23-0x0000000005E00000-0x0000000005E9C000-memory.dmp

Filesize
624KB

Download
memory/1636-22-0x0000000000170000-0x000000000131E000-memory.dmp

Filesize
17.7MB

Download
memory/1924-57-0x0000000005D70000-0x0000000006316000-memory.dmp

Filesize
5.6MB

Download
memory/1924-54-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1924-60-0x0000000005950000-0x00000000059E2000-memory.dmp

Filesize
584KB

Download
memory/1924-61-0x0000000005920000-0x000000000592A000-memory.dmp

Filesize
40KB

Download
memory/3156-13516-0x0000000007750000-0x0000000007767000-memory.dmp

Filesize
92KB

Download
memory/4668-115-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/4668-118-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

Filesize
4KB

Download
memory/4668-116-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

Filesize
4KB

Download
memory/4668-117-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

Filesize
4KB

Download
memory/4668-119-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

Filesize
4KB

Download
memory/4668-113-0x0000000001100000-0x0000000001101000-memory.dmp

Filesize
4KB

Download
memory/4668-120-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

Filesize
4KB

Download
memory/4668-121-0x00000000007A0000-0x0000000000B41000-memory.dmp

Filesize
3.6MB

Download
memory/4668-114-0x0000000002D70000-0x0000000002D71000-memory.dmp

Filesize
4KB

Download
memory/10112-13614-0x0000000002C40000-0x0000000002C46000-memory.dmp

Filesize
24KB

Download
memory/10112-13620-0x0000000006630000-0x000000000674A000-memory.dmp

Filesize
1.1MB

Download
memory/10112-13622-0x0000000006950000-0x00000000069B6000-memory.dmp

Filesize
408KB

Download
memory/10112-13623-0x0000000006AF0000-0x0000000006BAA000-memory.dmp

Filesize
744KB

Download
memory/10112-13621-0x00000000069C0000-0x0000000006A26000-memory.dmp

Filesize
408KB

Download
memory/10112-13616-0x00000000012D0000-0x00000000012D6000-memory.dmp

Filesize
24KB

Download
memory/10112-13615-0x0000000007890000-0x0000000007A92000-memory.dmp

Filesize
2.0MB

Download
memory/10112-13613-0x00000000007B0000-0x00000000008F2000-memory.dmp

Filesize
1.3MB

Download