Malware Analysis Report

2025-03-15 06:22

Sample ID 241006-dvfvca1emm
Target Latest Remcos + Crypter.zip
SHA256 13bef39270529e1df4aa7e4e9847921b142c24e2cba831e59ff3b7129dcf9755
Tags njrat hacked discovery evasion persistence privilege_escalation trojan vmprotect
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 13bef39270529e1df4aa7e4e9847921b142c24e2cba831e59ff3b7129dcf9755

Threat Level: Known bad

The file Latest Remcos + Crypter.zip was found to be: Known bad.

Malicious Activity Summary

njrat hacked discovery evasion persistence privilege_escalation trojan vmprotect

njRAT/Bladabindi

Modifies Windows Firewall

VMProtect packed file

Loads dropped DLL

Executes dropped EXE

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Event Triggered Execution: Netsh Helper DLL

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-06 03:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-06 03:19

Reported

2024-10-06 03:23

Platform

win11-20240802-en

Max time kernel

218s

Max time network

219s

Command Line

C:\Windows\Explorer.EXE

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe N/A
N/A N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\Remcos Loader.exe N/A
N/A N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\remcos.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1636 set thread context of 1924 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 1620 set thread context of 0 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\remcos.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\taskhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\Remcos Loader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\remcos.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0 C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).right = "1737" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Generic" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Documents" C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202 C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).left = "937" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).bottom = "692" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\SniffedFolderType = "Generic" C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0 C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\1\0 C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202 C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = 00000000ffffffff C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).x = "4294967295" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0 = 6e003100000000006555d66210004352595054457e310000560009000400efbe46599c1a46599c1a2e00000011ab0200000001000000000000000000000000000000000000004300720079007000740065007200200046006f0072002000520065006d0063006f007300000018000000 C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0 C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10 C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).y = "4294967295" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).left = "444" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000000000001000000ffffffff C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\NodeSlot = "10" C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).top = "92" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\MRUListEx = ffffffff C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).x = "4294967295" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).top = "90" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\2\MRUListEx = ffffffff C:\Windows\Explorer.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe N/A
N/A N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\Remcos Loader.exe N/A
N/A N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\taskhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\taskhost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\taskhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\taskhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\remcos.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\taskhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\taskhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\taskhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\taskhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\taskhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\taskhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\taskhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\taskhost.exe N/A
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\taskhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\taskhost.exe N/A
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\taskhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\taskhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1636 wrote to memory of 1468 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe
PID 1636 wrote to memory of 1468 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe
PID 1636 wrote to memory of 1468 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe
PID 1636 wrote to memory of 1960 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 1960 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 1960 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 968 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 968 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 968 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe C:\Windows\SysWOW64\cmd.exe
PID 968 wrote to memory of 3180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 968 wrote to memory of 3180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 968 wrote to memory of 3180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1636 wrote to memory of 1008 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 1008 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 1008 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 1924 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 1636 wrote to memory of 1924 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 1636 wrote to memory of 1924 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 1636 wrote to memory of 1924 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 1636 wrote to memory of 1924 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 1636 wrote to memory of 1924 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 1636 wrote to memory of 1924 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 1636 wrote to memory of 1924 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 1924 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\taskhost.exe C:\Windows\SysWOW64\netsh.exe
PID 1924 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\taskhost.exe C:\Windows\SysWOW64\netsh.exe
PID 1924 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\taskhost.exe C:\Windows\SysWOW64\netsh.exe
PID 4668 wrote to memory of 1620 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\Remcos Loader.exe C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\remcos.exe
PID 4668 wrote to memory of 1620 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\Remcos Loader.exe C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\remcos.exe
PID 4668 wrote to memory of 1620 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\Remcos Loader.exe C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\remcos.exe
PID 4668 wrote to memory of 1620 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\Remcos Loader.exe C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\remcos.exe
PID 1620 wrote to memory of 3156 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\remcos.exe C:\Windows\Explorer.EXE
PID 1620 wrote to memory of 3156 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\remcos.exe C:\Windows\Explorer.EXE
PID 1620 wrote to memory of 3156 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\remcos.exe C:\Windows\Explorer.EXE
PID 3156 wrote to memory of 10112 N/A C:\Windows\Explorer.EXE C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe
PID 3156 wrote to memory of 10112 N/A C:\Windows\Explorer.EXE C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe
PID 3156 wrote to memory of 10112 N/A C:\Windows\Explorer.EXE C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe
PID 10112 wrote to memory of 5640 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 10112 wrote to memory of 5640 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 10112 wrote to memory of 5640 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 10112 wrote to memory of 14420 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 10112 wrote to memory of 14420 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 10112 wrote to memory of 14420 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 10112 wrote to memory of 14560 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 10112 wrote to memory of 14560 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 10112 wrote to memory of 14560 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
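The table above logs one row per WriteProcessMemory call, and a parent that starts a child writes into the new process several times during process creation, so the same writer/target pair repeats. It also does not say whether a target was spawned by the writer or was already running. The script below is an added example for this report, not sandbox output: it parses rows in the format used above, folds the repeats into counted edges, prints the resulting tree, and lists the writes whose target is a given image. Run against this table it surfaces the one edge to check first, the write from remcos.exe (PID 1620) into Explorer.EXE (PID 3156), the image the detonation was started from: if 3156 is the pre-existing shell rather than an Explorer instance that remcos.exe launched, that row is a write into a running process rather than a spawn. Only a subset of the repeated rows is embedded; the function names and output format are the example's own.

```python
"""Rebuild the process graph implied by a sandbox WriteProcessMemory table.

Added example for this report, not sandbox output.  The rows in TABLE are
copied from the table above (a subset of the repeats); the function names and
the output format are this example's own.
"""
import re
from collections import Counter, defaultdict

# Rows copied from the 'Suspicious use of WriteProcessMemory' table above.  Only
# three of the eight 1636 -> 1924 rows and one row of every other edge are kept.
TABLE = r"""
PID 1636 wrote to memory of 1468 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe
PID 1636 wrote to memory of 1960 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 968 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe C:\Windows\SysWOW64\cmd.exe
PID 968 wrote to memory of 3180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1636 wrote to memory of 1008 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 1924 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 1636 wrote to memory of 1924 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 1636 wrote to memory of 1924 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 1924 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\taskhost.exe C:\Windows\SysWOW64\netsh.exe
PID 4668 wrote to memory of 1620 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\Remcos Loader.exe C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\remcos.exe
PID 1620 wrote to memory of 3156 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\remcos.exe C:\Windows\Explorer.EXE
PID 3156 wrote to memory of 10112 N/A C:\Windows\Explorer.EXE C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe
PID 10112 wrote to memory of 5640 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 10112 wrote to memory of 14420 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 10112 wrote to memory of 14560 N/A C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"""

# Both image columns start with a drive letter; the first path is matched
# non-greedily up to the space that precedes the second one.
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.*?) (C:\\.*)$")


def parse_rows(text):
    """Return (writer_pid, target_pid, writer_image, target_image) per row."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        rows.append((int(m[1]), int(m[2]), m[3], m[4]))
    return rows


def build_graph(rows):
    """Fold repeated rows into counted writer->target edges."""
    images, edges = {}, Counter()
    children = defaultdict(list)
    for wpid, tpid, wimg, timg in rows:
        images[wpid], images[tpid] = wimg, timg
        if edges[(wpid, tpid)] == 0:
            children[wpid].append(tpid)  # keep first-seen order
        edges[(wpid, tpid)] += 1
    return images, edges, children


def roots(edges):
    """Writers that are never themselves a target: the top of each chain."""
    writers = {w for w, _ in edges}
    targets = {t for _, t in edges}
    return sorted(writers - targets)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def render_tree(images, edges, children):
    """Indented tree, one line per PID, with the number of writes from its parent."""
    out = []

    def walk(pid, depth, n_writes):
        note = f"  ({n_writes} write(s) from parent)" if n_writes else ""
        out.append(f"{'    ' * depth}{pid} {basename(images[pid])}{note}")
        for child in children.get(pid, []):
            walk(child, depth + 1, edges[(pid, child)])

    for pid in roots(edges):
        walk(pid, 0, 0)
    return "\n".join(out)


def writes_into(images, edges, target_name):
    """(writer, target, count) for every edge whose target image has the given name.

    The table does not say whether the target was spawned by the writer or was
    already running, so use this to pull out the targets that need that check.
    """
    return sorted(
        (w, t, n)
        for (w, t), n in edges.items()
        if basename(images[t]).lower() == target_name.lower()
    )


if __name__ == "__main__":
    rows = parse_rows(TABLE)
    images, edges, children = build_graph(rows)
    print(render_tree(images, edges, children))
    print("writes into Explorer.EXE:", writes_into(images, edges, "Explorer.EXE"))
```

Paste the full table into TABLE to get the real write counts per edge; the parse will reject any row that does not follow the two-path layout, which is the cue to check for a target path that itself contains " C:\".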

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Latest Remcos + Crypter.zip"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Latest Remcos + Crypter.zip"

C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe

"C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe"

C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe

"C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/Desktop/Latest Remcos + Crypter/Remcos 2022 Edition/Remcos 2022.exe" "%temp%\Profile Remcos\Update_Lock_Remcos.exe" /Y

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\Profile Remcos\Update_Lock_Remcos.exe:Zone.Identifier

C:\Users\Admin\AppData\Local\Temp\taskhost.exe

"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\taskhost.exe" "taskhost.exe" ENABLE

C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\Remcos Loader.exe

"C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\Remcos Loader.exe"

C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\remcos.exe

"C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\remcos.exe"

C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe

"C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rotjreyv\rotjreyv.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rips0cdv\rips0cdv.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xetcrbm5\xetcrbm5.cmdline"
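Read together, the command lines above spell out the persistence and evasion chain in plain text: copy the binary into %temp%, point the Load value of HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows at the copy (the registry form of the old win.ini load= entry, run for the user at logon), write a Zone.Identifier stream on the copy, open a firewall exception for the dropped taskhost.exe with the legacy netsh firewall syntax, and have the crypter compile its stub on the host by handing csc.exe a .cmdline response file under %temp%. Two details matter before reusing these as indicators. The ZoneID the echo writes is 2 (Trusted sites), not a deletion of the stream; the attachment prompt and SmartScreen checks apply to zones 3 (Internet) and 4 (Restricted sites), so a 2 marks the copy as trusted. And the echo's redirect target, %temp%\Profile Remcos\Update_Lock_Remcos.exe:Zone.Identifier, is unquoted and contains a space; cmd ends a redirect target at the first unquoted space, so the stream content does not necessarily reach the file the command names, and the Files section above does not show the copy either way. Verify on a host rather than assuming. The script below is an added example, not part of the report: regex rules over the report's command lines, with two benign lines from the same process list as controls. The rule names, regexes and zone table are the example's own.

```python
"""Command-line rules for the persistence and evasion steps in this report's
Processes list.

Added example, not sandbox output.  CMDLINES is copied from the Processes
section above (five malicious lines plus two benign ones from the same list);
the rule names, regexes and zone table are this example's own.
"""
import re

CMDLINES = [
    r'"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/Desktop/Latest Remcos + Crypter/Remcos 2022 Edition/Remcos 2022.exe" "%temp%\Profile Remcos\Update_Lock_Remcos.exe" /Y',
    r'reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f',
    r'"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\Profile Remcos\Update_Lock_Remcos.exe:Zone.Identifier',
    r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\taskhost.exe" "taskhost.exe" ENABLE',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rotjreyv\rotjreyv.cmdline"',
    # Benign control lines from the same list: the sandbox opening the archive.
    r'"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Latest Remcos + Crypter.zip"',
    r'C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding',
]

# URL security zones as written to the Zone.Identifier stream.  The attachment
# prompt / SmartScreen checks apply to 3 and 4; 2 is treated as trusted.
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
ZONE_ID = re.compile(r"ZoneId\s*=\s*(\d)", re.I)

RULES = {
    # Self-copy into %temp% before the autostart value is pointed at the copy.
    "staging.copy_to_temp": re.compile(r'\bcopy\b.+"%temp%\\', re.I),
    # Registry form of the win.ini 'load=' entry: run for the user at logon.
    "persistence.windows_load_value": re.compile(
        r"reg(\.exe)?\s+add\s+.*\\Windows NT\\CurrentVersion\\Windows.*\s/v\s+Load\b", re.I),
    # Hand-written Zone.Identifier stream (mark-of-the-web tampering).
    "evasion.zone_identifier_write": re.compile(r":Zone\.Identifier\b", re.I),
    # Firewall exception for a dropped binary, legacy or advfirewall syntax.
    "evasion.netsh_firewall_allow": re.compile(
        r"netsh(\.exe)?\s+(firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)", re.I),
    # csc.exe compiling a response file under %temp%: a crypter building its stub on the host.
    "evasion.csc_compile_from_temp": re.compile(
        r'csc\.exe.*@"?[^"]*\\Temp\\[^"]*\.cmdline', re.I),
}


def scan(cmdlines):
    """Return one hit dict per (rule, command line) match."""
    hits = []
    for cmd in cmdlines:
        for rule, rx in RULES.items():
            if not rx.search(cmd):
                continue
            hit = {"rule": rule, "cmdline": cmd}
            if rule == "evasion.zone_identifier_write":
                m = ZONE_ID.search(cmd)
                zone = int(m[1]) if m else None
                hit.update(zone_id=zone, zone_name=ZONES.get(zone),
                           motw_enforced=zone in (3, 4))
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in scan(CMDLINES):
        extra = ""
        if "zone_id" in h:
            extra = f"  zone={h['zone_id']} ({h['zone_name']}, MOTW enforced={h['motw_enforced']})"
        print(f"[{h['rule']}]{extra}\n    {h['cmdline']}")
```

The rules key on the parts of each line that survive the usual renaming (the Load value, the stream name, the netsh verb, the .cmdline response file under Temp), so they also catch the cmd.exe /c wrappers of the same commands shown earlier in the list.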

Network

Country Destination Domain Proto
GB 2.18.66.56:443 tcp
US 8.8.8.8:53 browser.pipe.aria.microsoft.com udp
GB 51.104.15.252:443 browser.pipe.aria.microsoft.com tcp
GB 92.123.128.161:443 r.bing.com tcp
GB 92.123.128.161:443 r.bing.com tcp
GB 92.123.128.161:443 r.bing.com tcp
GB 92.123.128.161:443 r.bing.com tcp
GB 92.123.128.161:443 r.bing.com tcp
GB 92.123.128.161:443 r.bing.com tcp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 199.59.243.227:80 breakingsec02.co.nf tcp
US 199.59.243.227:80 breakingsec02.co.nf tcp
IT 84.220.8.178:3202 dllsys.duckdns.org tcp
IT 84.220.8.178:3202 dllsys.duckdns.org tcp
GB 216.58.201.100:80 www.google.com tcp
N/A 127.0.0.1:5940 tcp
IT 84.220.8.178:3202 dllsys.duckdns.org tcp
IT 84.220.8.178:3202 dllsys.duckdns.org tcp
IT 84.220.8.178:3202 dllsys.duckdns.org tcp
IT 84.220.8.178:3202 dllsys.duckdns.org tcp
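Most rows in the table above are sandbox background noise: the resolver at 8.8.8.8, three reverse lookups, and the Microsoft, Bing and Google endpoints a Windows 11 image talks to on its own. What remains is two destinations the report does not attribute to a process: dllsys.duckdns.org on 84.220.8.178:3202 (six connections, dynamic DNS, non-standard port) and breakingsec02.co.nf on 199.59.243.227:80 (two connections, cleartext HTTP). The script below is an added example, not part of the report: it parses rows in the table's format, buckets them, and returns the candidates with connection counts and flags. The allow-list, resolver set and dynamic-DNS suffix list are constructed starting points for this image, not exhaustive; the unnamed 2.18.66.56:443 row and the loopback connection to 127.0.0.1:5940 are reported in their own buckets rather than interpreted.

```python
"""Bucket the Network table of this report into sandbox noise and C2 candidates.

Added example, not sandbox output.  NETWORK is copied from the table above;
the allow-list, resolver set and dynamic-DNS suffixes are constructed for this
Windows 11 sandbox image and are not exhaustive.
"""
import re
from collections import Counter

NETWORK = """
GB 2.18.66.56:443 tcp
US 8.8.8.8:53 browser.pipe.aria.microsoft.com udp
GB 51.104.15.252:443 browser.pipe.aria.microsoft.com tcp
GB 92.123.128.161:443 r.bing.com tcp
GB 92.123.128.161:443 r.bing.com tcp
GB 92.123.128.161:443 r.bing.com tcp
GB 92.123.128.161:443 r.bing.com tcp
GB 92.123.128.161:443 r.bing.com tcp
GB 92.123.128.161:443 r.bing.com tcp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 199.59.243.227:80 breakingsec02.co.nf tcp
US 199.59.243.227:80 breakingsec02.co.nf tcp
IT 84.220.8.178:3202 dllsys.duckdns.org tcp
IT 84.220.8.178:3202 dllsys.duckdns.org tcp
GB 216.58.201.100:80 www.google.com tcp
N/A 127.0.0.1:5940 tcp
IT 84.220.8.178:3202 dllsys.duckdns.org tcp
IT 84.220.8.178:3202 dllsys.duckdns.org tcp
IT 84.220.8.178:3202 dllsys.duckdns.org tcp
IT 84.220.8.178:3202 dllsys.duckdns.org tcp
"""

# Country, ip:port, optional domain, protocol.  The domain column is absent on
# some rows, hence the optional group.
ROW = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")

RESOLVERS = {"8.8.8.8"}                                        # sandbox DNS
BENIGN_SUFFIXES = ("microsoft.com", "bing.com", "google.com")  # OS/browser background traffic
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "no-ip.com", "ddns.net", "hopto.org")


def parse_network(text):
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        country, ip, port, domain, proto = m.groups()
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": (domain or "").lower(), "proto": proto})
    return rows


def ptr_target(name):
    """'252.15.104.51.in-addr.arpa' -> '51.104.15.252', the address that was reverse-looked-up."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    return ".".join(reversed(name[: -len(suffix)].split(".")))


def _has_suffix(domain, suffixes):
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def classify(row):
    if row["ip"].startswith("127."):
        return "loopback"
    if row["ip"] in RESOLVERS and row["port"] == 53:
        return "dns-ptr" if row["domain"].endswith(".in-addr.arpa") else "dns-query"
    if not row["domain"]:
        return "unattributed"  # no name in the report; left for manual review
    if _has_suffix(row["domain"], BENIGN_SUFFIXES):
        return "benign"
    return "candidate"


def flags(row):
    f = []
    if _has_suffix(row["domain"], DYNDNS_SUFFIXES):
        f.append("dynamic-dns")
    if row["proto"] == "tcp" and row["port"] not in (80, 443):
        f.append("non-standard-port")
    if row["port"] == 80:
        f.append("cleartext-http")
    return f


def triage(text):
    """Return candidate C2 destinations (most connections first), the addresses
    behind the reverse lookups, and a per-bucket row count."""
    rows = parse_network(text)
    summary, counts, ptrs = Counter(), Counter(), set()
    for r in rows:
        bucket = classify(r)
        summary[bucket] += 1
        if bucket == "candidate":
            counts[(r["domain"], r["ip"], r["port"], r["proto"])] += 1
        elif bucket == "dns-ptr":
            ptrs.add(ptr_target(r["domain"]))
    candidates = [
        {"domain": d, "ip": ip, "port": p, "proto": pr, "count": n,
         "flags": flags({"domain": d, "ip": ip, "port": p, "proto": pr})}
        for (d, ip, p, pr), n in counts.most_common()
    ]
    return {"candidates": candidates, "reverse_lookups": sorted(ptrs), "summary": summary}


if __name__ == "__main__":
    result = triage(NETWORK)
    print(dict(result["summary"]))
    for c in result["candidates"]:
        print(f"{c['domain']} {c['ip']}:{c['port']}/{c['proto']} x{c['count']} {c['flags']}")
    print("reverse lookups for:", result["reverse_lookups"])
```

The reverse lookups are worth resolving back to addresses because they show which endpoints the OS itself was curious about (here the aria telemetry host among them); a PTR query for a candidate address would be a different signal. Keep the allow-list per sandbox image, since the background set changes with the Windows build.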

Files

C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe

MD5 efc159c7cf75545997f8c6af52d3e802
SHA1 b85bd368c91a13db1c5de2326deb25ad666c24c1
SHA256 898ac001d0f6c52c1001c640d9860287fdf30a648d580e9f5dd15e2ef84ab18e
SHA512 d06a432233dceb731defd53238971699fef201d0f9144ee50e5dd7d6620dfdd6c298d52618bf2c9feb0519574f4565fb0177b00fd8292768fbd8b85dd11e650d

memory/1636-22-0x0000000000170000-0x000000000131E000-memory.dmp

memory/1636-23-0x0000000005E00000-0x0000000005E9C000-memory.dmp

memory/1636-24-0x000000000D4B0000-0x000000000E632000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe

MD5 c3c21fa4c2186deb641455482ab0d3aa
SHA1 2f4b49e8383e073ccb965943ce970de403412567
SHA256 4ea203509d0fdff3e31f976413c546ca3d36133bc708e9a1301860961cc3a8d9
SHA512 31db2963f1bd49f7b4a6ee38e54940d20120d6c05ef7bf34ec97eb93051bee6d5428e9e1271e4ae8f5544b824188ac7278315e2e2c27be302a312eebbf8c3fb7

memory/1468-41-0x00000000030D0000-0x00000000030D1000-memory.dmp

memory/1468-40-0x00000000030C0000-0x00000000030C1000-memory.dmp

memory/1468-39-0x00000000030B0000-0x00000000030B1000-memory.dmp

memory/1468-43-0x00000000049A0000-0x00000000049A1000-memory.dmp

memory/1468-42-0x00000000030E0000-0x00000000030E1000-memory.dmp

memory/1468-38-0x0000000003080000-0x0000000003081000-memory.dmp

memory/1468-37-0x0000000003070000-0x0000000003071000-memory.dmp

memory/1468-36-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

memory/1468-44-0x0000000000400000-0x0000000002991000-memory.dmp

C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos_Settings.ini

MD5 a3468935e33e361cf94f4721ed4cb66d
SHA1 c3b19ca8382534b2179940cabede8c6c952a9c06
SHA256 b374af58c24b6085f64f979dab434643da39d0267a27975f396473327dc98c7d
SHA512 c1caa0b9637a46187d54b2952db204182fad5a5324574949ce4db13bdb17624ccd8b3228eb9b2bcfe5851add2c5d2f586945e7264b1d1cd02d91acf1fd81583a

C:\Users\Admin\AppData\Local\Temp\taskhost.exe

MD5 d10a3cfcc08aae3a7234498f213cf89e
SHA1 ccae4469a3a05fcb6e7af33019ca5357e5406dda
SHA256 0da56bd07a486818b7735761001cc1d3ca5af645f369a3c206bcb6719fefff06
SHA512 90a4a68b45113360d732ccac7698c74aa550c05d9883d287b808982800fce1a24abf69cf06b0f017babd647cafd3ca10aa894c59e6dab8ba1ff34c639bdf6427

memory/1924-54-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1924-57-0x0000000005D70000-0x0000000006316000-memory.dmp

memory/1924-60-0x0000000005950000-0x00000000059E2000-memory.dmp

memory/1924-61-0x0000000005920000-0x000000000592A000-memory.dmp

C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\Remcos Loader.exe

MD5 75792b5b38edd028d13eef62c0d828e6
SHA1 9a84ec696d0bd14d1ceb16fd68d48bab9a42351e
SHA256 b7f82678830c34db745a16d5551386f15ff28fda563f10c6903f6471a58e243e
SHA512 2665982e2e7ccf1d86d523aafa66aa9c48e4c17377f59bcd77472bc9cde2bcb9b85fccd54eff79aeae33ef9683bc05d0fb2d9e2f01759bd3e51c8875ebef4c21

memory/4668-113-0x0000000001100000-0x0000000001101000-memory.dmp

memory/4668-116-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

memory/4668-115-0x0000000002D80000-0x0000000002D81000-memory.dmp

memory/4668-114-0x0000000002D70000-0x0000000002D71000-memory.dmp

memory/4668-118-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

memory/4668-117-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

memory/4668-119-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

memory/4668-120-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

memory/4668-121-0x00000000007A0000-0x0000000000B41000-memory.dmp

C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\remcos.exe

MD5 ed1e424ea6f625968a334377e8ac629f
SHA1 ad00cc58a59a3d5b78d6603a1d09378e5dbd1647
SHA256 1e5375b400f68c422804703390489b2cf3968c2a8bccb0b5b3c55fe1d2e3c991
SHA512 5119b6ac8c1becda5b59a4802fc96828d338ba2d2767e5521bc226bf04b6637c1925b0cc1b0cf560540b1399730f695c55de23665e59d0683eb07d32939b8094

C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\REMCOSAuthHooks.dll

MD5 a329f92ad3b9311af3130dbde81155ce
SHA1 36f3ae74eb18049e37868f1e42b7e66a294d9494
SHA256 d695a2ee6fcae64f4d8c4387a0a4c4aae05d08ce44a52598984673b890d02f27
SHA512 a82f51c112c610e90252d41d108f178e1f8fb6ee98f391e354d871966e9a61637b063fdb1e5934f1af70f055effebc4325151aa256137c63a40b70affd850438

memory/1620-129-0x0000000070C70000-0x0000000070DB0000-memory.dmp

memory/1620-130-0x0000000075380000-0x00000000755D2000-memory.dmp

memory/1620-4068-0x00000000758B0000-0x0000000075A5C000-memory.dmp

memory/1620-6285-0x0000000075D30000-0x0000000075DAC000-memory.dmp

memory/3156-13516-0x0000000007750000-0x0000000007767000-memory.dmp

memory/1620-13524-0x0000000001B50000-0x0000000001B51000-memory.dmp

memory/1620-13523-0x0000000001B40000-0x0000000001B41000-memory.dmp

memory/1620-13522-0x0000000001B30000-0x0000000001B31000-memory.dmp

memory/1620-13521-0x0000000001B20000-0x0000000001B21000-memory.dmp

memory/1620-13520-0x0000000001B10000-0x0000000001B11000-memory.dmp

memory/1620-13519-0x0000000001AE0000-0x0000000001AE1000-memory.dmp

memory/1620-13518-0x0000000001AD0000-0x0000000001AD1000-memory.dmp

memory/1620-13517-0x0000000001AC0000-0x0000000001AC1000-memory.dmp

memory/1620-13525-0x0000000000400000-0x0000000001ABE000-memory.dmp

C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\stub.exe

MD5 da1e93a422532cd049b5196506e1e781
SHA1 77cb395da3ea4aa00e47b2ee7a5c909c13e2830e
SHA256 0bb714a4138668fe4b729cfec8b412e64eeff3565e84395c04eeba513350a10a
SHA512 b660e2cf34271b203f4c3871887c1c913770a15596c17de121752930ff49727f36b3012d7fe1655099117d5f20e5bb0c82d7bae8f705c8fd8fea79d38930a4aa

C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe

MD5 7a9202505d38a8230c163d700327cd6a
SHA1 4e91c173f2d30519c9de67022cc1f066b4c343a9
SHA256 a8eabc62975c12e675af49535fa43e574048b05fded046c327ad2e7642b8f9b5
SHA512 6d1da1101d157b4f453741a191af293c86c738c2c9aa9e4ac3f30e9983d24a668db3df1d65c16315093e7c88ab67da425db0de3957b08f88c39aed67886d80dc

memory/1620-13529-0x0000000070C70000-0x0000000070DB0000-memory.dmp

C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\Remcos_Settings.ini

MD5 902927c48d191e30067d84a53158e2ba
SHA1 95dd6d3508790b98d1a576f0b2057bdcc2099247
SHA256 b408602c7d2107d819b18d47cbc196a307ab6435bbc819173f300e76573e616c
SHA512 328af5e697278b2c8150534162c330b11e9cc3024ee676cf9321a248701d99322cc1341694904d0ca5c6898e74e39419cd36765499d6992934075b08276c8eeb

memory/1620-13570-0x0000000070C70000-0x0000000070DB0000-memory.dmp

memory/1620-13571-0x00000000073B0000-0x00000000073BA000-memory.dmp

C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\Remcos_Settings.ini

MD5 c801886614e4e29c7bd67e8cbaece748
SHA1 44736122b5a44f0618a6d7db742dd1b493e9a4f4
SHA256 f5d7be50ad347e304379192adf41c88b6b96321d0a65c76efb1cd09e076195d2
SHA512 b6713656340d55a3c821f8b11d4395cf18d3d6d1a6189c22068b0ffd137d3d7437f96655218269619b424f466f4a4f38c715d892356f673bb68031bb996cbf33

memory/1620-13610-0x0000000070C70000-0x0000000070DB0000-memory.dmp

memory/1620-13611-0x00000000073B0000-0x00000000073BA000-memory.dmp

memory/10112-13613-0x00000000007B0000-0x00000000008F2000-memory.dmp

memory/10112-13614-0x0000000002C40000-0x0000000002C46000-memory.dmp

memory/10112-13615-0x0000000007890000-0x0000000007A92000-memory.dmp

memory/10112-13616-0x00000000012D0000-0x00000000012D6000-memory.dmp

C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Guna.UI.dll

MD5 8673eae95d67e5eb19f0eca3111408e8
SHA1 ad3e1ce93782537ffd3cd9e0bb9d30ae22d40ddb
SHA256 576d2de2c9ef5bc1ea9bdd73ae8f408004260037c3b72227eed27e995166276d
SHA512 65c4eadf448a643f45fa9a0d91497bb25af404c41a3a32686d9e99ba4f4e50783d73f5b13d5df505cc62c465be300746d84a2eaa8000531893cd0b19d6436239

memory/10112-13621-0x00000000069C0000-0x0000000006A26000-memory.dmp

memory/10112-13620-0x0000000006630000-0x000000000674A000-memory.dmp

memory/10112-13622-0x0000000006950000-0x00000000069B6000-memory.dmp

memory/10112-13623-0x0000000006AF0000-0x0000000006BAA000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\rotjreyv\rotjreyv.cmdline

MD5 3ef838fbce89107c5560ad62a536a638
SHA1 2c1df780433aed2ddb259162ac69030b4d95aa21
SHA256 ce63fa5e58ae9dd39a0e72aa553d5666b5c796851bd66a073a3d3d8637884bac
SHA512 5c3e966cb601c3b87388a1ac11a0f4347e676dde770ad5a92c0a3ef6311862b42b33d6032e39676cd640e8c62b562c586111e70b760af453cb22220a53f1ab8a

\??\c:\Users\Admin\AppData\Local\Temp\rotjreyv\rotjreyv.0.cs

MD5 47bd5edc806dc3a829350339432b864d
SHA1 f8077c241387230b90b88d49433a14eccbc0d972
SHA256 a69e0e1f5a2b3111c1441a634ecb938f463a1b4d619fdccd72867bbf75bcac8f
SHA512 4858407777df696b69f51c7bc52be8bbee3f56f14a0cc24483b4eccf09162db4de17949f4ca7ca65a9083d953bb8189ab78e2ba16e9e9f4537172e74347860d5

\??\c:\Users\Admin\AppData\Local\Temp\rips0cdv\rips0cdv.cmdline

MD5 fc0123957188c6972c62b61c80eda2f6
SHA1 96d1c9b15d958c38570ce3e340b6c9b69ef66dfb
SHA256 2617e733239a36a217fde169018c0cf95c6716d05ef275dff5d4c16020aa3911
SHA512 66493ed3ecf52a6a540ecf4728a9142b5065f0dd577ef143645e7c361f6057d6557d69a39fc5f1251cd9b7fd33f9271f9c0a8e137efd0422b86ddd5502f90450

\??\c:\Users\Admin\AppData\Local\Temp\xetcrbm5\xetcrbm5.cmdline

MD5 f1e012579bd2df17f56f1278d42e9bee
SHA1 8954f29ed81cabaaa0c58bbf5fa3e8816759f9d9
SHA256 68db0a534ed43bc3f94b9c30379d39da39acdbc5ac2f441f79638bc0f8c5cbb9
SHA512 c037ff274e613c35ddb5cda9b647e268fee07fd683507f3e7d4998742f3e86672893562c99fd9da31731b97afee1065588ac135b49e6bcdeb34d488b5d9c5c2f