Analysis Overview
SHA256: 13bef39270529e1df4aa7e4e9847921b142c24e2cba831e59ff3b7129dcf9755
Threat Level: Known bad
The file Latest Remcos + Crypter.zip was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Modifies Windows Firewall
VMProtect packed file
Loads dropped DLL
Executes dropped EXE
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Event Triggered Execution: Netsh Helper DLL
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-10-06 03:19
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-10-06 03:19
Reported: 2024-10-06 03:23
Platform: win11-20240802-en
Max time kernel: 218s
Max time network: 219s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\Remcos Loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1636 set thread context of 1924 | N/A | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe |
| PID 1620 set thread context of 0 | N/A | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\remcos.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\Remcos Loader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\remcos.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0 | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).right = "1737" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Generic" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Documents" | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202 | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).left = "937" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).bottom = "692" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\1\0 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202 | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = 00000000ffffffff | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).x = "4294967295" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0 = 6e003100000000006555d66210004352595054457e310000560009000400efbe46599c1a46599c1a2e00000011ab0200000001000000000000000000000000000000000000004300720079007000740065007200200046006f0072002000520065006d0063006f007300000018000000 | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0 | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10 | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).y = "4294967295" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).left = "444" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000000000001000000ffffffff | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\NodeSlot = "10" | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).top = "92" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\MRUListEx = ffffffff | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).x = "4294967295" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).top = "90" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\2\MRUListEx = ffffffff | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\remcos.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\remcos.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\remcos.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\remcos.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\remcos.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Latest Remcos + Crypter.zip"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Latest Remcos + Crypter.zip"
C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe
"C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe"
C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/Desktop/Latest Remcos + Crypter/Remcos 2022 Edition/Remcos 2022.exe" "%temp%\Profile Remcos\Update_Lock_Remcos.exe" /Y
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\Profile Remcos\Update_Lock_Remcos.exe:Zone.Identifier
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\taskhost.exe" "taskhost.exe" ENABLE
C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\Remcos Loader.exe
"C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\Remcos Loader.exe"
C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\remcos.exe
"C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\remcos.exe"
C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe
"C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rotjreyv\rotjreyv.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rips0cdv\rips0cdv.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xetcrbm5\xetcrbm5.cmdline"
Network
| Country | Destination | Domain | Proto |
| GB | 2.18.66.56:443 | | tcp |
| US | 8.8.8.8:53 | browser.pipe.aria.microsoft.com | udp |
| GB | 51.104.15.252:443 | browser.pipe.aria.microsoft.com | tcp |
| GB | 92.123.128.161:443 | r.bing.com | tcp |
| GB | 92.123.128.161:443 | r.bing.com | tcp |
| GB | 92.123.128.161:443 | r.bing.com | tcp |
| GB | 92.123.128.161:443 | r.bing.com | tcp |
| GB | 92.123.128.161:443 | r.bing.com | tcp |
| GB | 92.123.128.161:443 | r.bing.com | tcp |
| US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 199.59.243.227:80 | breakingsec02.co.nf | tcp |
| US | 199.59.243.227:80 | breakingsec02.co.nf | tcp |
| IT | 84.220.8.178:3202 | dllsys.duckdns.org | tcp |
| IT | 84.220.8.178:3202 | dllsys.duckdns.org | tcp |
| GB | 216.58.201.100:80 | www.google.com | tcp |
| N/A | 127.0.0.1:5940 | | tcp |
| IT | 84.220.8.178:3202 | dllsys.duckdns.org | tcp |
| IT | 84.220.8.178:3202 | dllsys.duckdns.org | tcp |
| IT | 84.220.8.178:3202 | dllsys.duckdns.org | tcp |
| IT | 84.220.8.178:3202 | dllsys.duckdns.org | tcp |
Files
C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos 2022.exe
| MD5 | efc159c7cf75545997f8c6af52d3e802 |
| SHA1 | b85bd368c91a13db1c5de2326deb25ad666c24c1 |
| SHA256 | 898ac001d0f6c52c1001c640d9860287fdf30a648d580e9f5dd15e2ef84ab18e |
| SHA512 | d06a432233dceb731defd53238971699fef201d0f9144ee50e5dd7d6620dfdd6c298d52618bf2c9feb0519574f4565fb0177b00fd8292768fbd8b85dd11e650d |
memory/1636-22-0x0000000000170000-0x000000000131E000-memory.dmp
memory/1636-23-0x0000000005E00000-0x0000000005E9C000-memory.dmp
memory/1636-24-0x000000000D4B0000-0x000000000E632000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe
| MD5 | c3c21fa4c2186deb641455482ab0d3aa |
| SHA1 | 2f4b49e8383e073ccb965943ce970de403412567 |
| SHA256 | 4ea203509d0fdff3e31f976413c546ca3d36133bc708e9a1301860961cc3a8d9 |
| SHA512 | 31db2963f1bd49f7b4a6ee38e54940d20120d6c05ef7bf34ec97eb93051bee6d5428e9e1271e4ae8f5544b824188ac7278315e2e2c27be302a312eebbf8c3fb7 |
C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2022 Edition\Remcos_Settings.ini
| MD5 | a3468935e33e361cf94f4721ed4cb66d |
| SHA1 | c3b19ca8382534b2179940cabede8c6c952a9c06 |
| SHA256 | b374af58c24b6085f64f979dab434643da39d0267a27975f396473327dc98c7d |
| SHA512 | c1caa0b9637a46187d54b2952db204182fad5a5324574949ce4db13bdb17624ccd8b3228eb9b2bcfe5851add2c5d2f586945e7264b1d1cd02d91acf1fd81583a |
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
| MD5 | d10a3cfcc08aae3a7234498f213cf89e |
| SHA1 | ccae4469a3a05fcb6e7af33019ca5357e5406dda |
| SHA256 | 0da56bd07a486818b7735761001cc1d3ca5af645f369a3c206bcb6719fefff06 |
| SHA512 | 90a4a68b45113360d732ccac7698c74aa550c05d9883d287b808982800fce1a24abf69cf06b0f017babd647cafd3ca10aa894c59e6dab8ba1ff34c639bdf6427 |
C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\Remcos Loader.exe
| MD5 | 75792b5b38edd028d13eef62c0d828e6 |
| SHA1 | 9a84ec696d0bd14d1ceb16fd68d48bab9a42351e |
| SHA256 | b7f82678830c34db745a16d5551386f15ff28fda563f10c6903f6471a58e243e |
| SHA512 | 2665982e2e7ccf1d86d523aafa66aa9c48e4c17377f59bcd77472bc9cde2bcb9b85fccd54eff79aeae33ef9683bc05d0fb2d9e2f01759bd3e51c8875ebef4c21 |
C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\remcos.exe
| MD5 | ed1e424ea6f625968a334377e8ac629f |
| SHA1 | ad00cc58a59a3d5b78d6603a1d09378e5dbd1647 |
| SHA256 | 1e5375b400f68c422804703390489b2cf3968c2a8bccb0b5b3c55fe1d2e3c991 |
| SHA512 | 5119b6ac8c1becda5b59a4802fc96828d338ba2d2767e5521bc226bf04b6637c1925b0cc1b0cf560540b1399730f695c55de23665e59d0683eb07d32939b8094 |
C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\REMCOSAuthHooks.dll
| MD5 | a329f92ad3b9311af3130dbde81155ce |
| SHA1 | 36f3ae74eb18049e37868f1e42b7e66a294d9494 |
| SHA256 | d695a2ee6fcae64f4d8c4387a0a4c4aae05d08ce44a52598984673b890d02f27 |
| SHA512 | a82f51c112c610e90252d41d108f178e1f8fb6ee98f391e354d871966e9a61637b063fdb1e5934f1af70f055effebc4325151aa256137c63a40b70affd850438 |
C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\stub.exe
| MD5 | da1e93a422532cd049b5196506e1e781 |
| SHA1 | 77cb395da3ea4aa00e47b2ee7a5c909c13e2830e |
| SHA256 | 0bb714a4138668fe4b729cfec8b412e64eeff3565e84395c04eeba513350a10a |
| SHA512 | b660e2cf34271b203f4c3871887c1c913770a15596c17de121752930ff49727f36b3012d7fe1655099117d5f20e5bb0c82d7bae8f705c8fd8fea79d38930a4aa |
C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Acordx.exe
| MD5 | 7a9202505d38a8230c163d700327cd6a |
| SHA1 | 4e91c173f2d30519c9de67022cc1f066b4c343a9 |
| SHA256 | a8eabc62975c12e675af49535fa43e574048b05fded046c327ad2e7642b8f9b5 |
| SHA512 | 6d1da1101d157b4f453741a191af293c86c738c2c9aa9e4ac3f30e9983d24a668db3df1d65c16315093e7c88ab67da425db0de3957b08f88c39aed67886d80dc |
memory/1620-13529-0x0000000070C70000-0x0000000070DB0000-memory.dmp
C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\Remcos_Settings.ini
| MD5 | 902927c48d191e30067d84a53158e2ba |
| SHA1 | 95dd6d3508790b98d1a576f0b2057bdcc2099247 |
| SHA256 | b408602c7d2107d819b18d47cbc196a307ab6435bbc819173f300e76573e616c |
| SHA512 | 328af5e697278b2c8150534162c330b11e9cc3024ee676cf9321a248701d99322cc1341694904d0ca5c6898e74e39419cd36765499d6992934075b08276c8eeb |
memory/1620-13570-0x0000000070C70000-0x0000000070DB0000-memory.dmp
memory/1620-13571-0x00000000073B0000-0x00000000073BA000-memory.dmp
C:\Users\Admin\Desktop\Latest Remcos + Crypter\Remcos 2021 Edition\Remcos_Settings.ini
| MD5 | c801886614e4e29c7bd67e8cbaece748 |
| SHA1 | 44736122b5a44f0618a6d7db742dd1b493e9a4f4 |
| SHA256 | f5d7be50ad347e304379192adf41c88b6b96321d0a65c76efb1cd09e076195d2 |
| SHA512 | b6713656340d55a3c821f8b11d4395cf18d3d6d1a6189c22068b0ffd137d3d7437f96655218269619b424f466f4a4f38c715d892356f673bb68031bb996cbf33 |
memory/1620-13610-0x0000000070C70000-0x0000000070DB0000-memory.dmp
memory/1620-13611-0x00000000073B0000-0x00000000073BA000-memory.dmp
C:\Users\Admin\Desktop\Latest Remcos + Crypter\Crypter For Remcos\Guna.UI.dll
| MD5 | 8673eae95d67e5eb19f0eca3111408e8 |
| SHA1 | ad3e1ce93782537ffd3cd9e0bb9d30ae22d40ddb |
| SHA256 | 576d2de2c9ef5bc1ea9bdd73ae8f408004260037c3b72227eed27e995166276d |
| SHA512 | 65c4eadf448a643f45fa9a0d91497bb25af404c41a3a32686d9e99ba4f4e50783d73f5b13d5df505cc62c465be300746d84a2eaa8000531893cd0b19d6436239 |
\??\c:\Users\Admin\AppData\Local\Temp\rotjreyv\rotjreyv.cmdline
| MD5 | 3ef838fbce89107c5560ad62a536a638 |
| SHA1 | 2c1df780433aed2ddb259162ac69030b4d95aa21 |
| SHA256 | ce63fa5e58ae9dd39a0e72aa553d5666b5c796851bd66a073a3d3d8637884bac |
| SHA512 | 5c3e966cb601c3b87388a1ac11a0f4347e676dde770ad5a92c0a3ef6311862b42b33d6032e39676cd640e8c62b562c586111e70b760af453cb22220a53f1ab8a |
\??\c:\Users\Admin\AppData\Local\Temp\rotjreyv\rotjreyv.0.cs
| MD5 | 47bd5edc806dc3a829350339432b864d |
| SHA1 | f8077c241387230b90b88d49433a14eccbc0d972 |
| SHA256 | a69e0e1f5a2b3111c1441a634ecb938f463a1b4d619fdccd72867bbf75bcac8f |
| SHA512 | 4858407777df696b69f51c7bc52be8bbee3f56f14a0cc24483b4eccf09162db4de17949f4ca7ca65a9083d953bb8189ab78e2ba16e9e9f4537172e74347860d5 |
\??\c:\Users\Admin\AppData\Local\Temp\rips0cdv\rips0cdv.cmdline
| MD5 | fc0123957188c6972c62b61c80eda2f6 |
| SHA1 | 96d1c9b15d958c38570ce3e340b6c9b69ef66dfb |
| SHA256 | 2617e733239a36a217fde169018c0cf95c6716d05ef275dff5d4c16020aa3911 |
| SHA512 | 66493ed3ecf52a6a540ecf4728a9142b5065f0dd577ef143645e7c361f6057d6557d69a39fc5f1251cd9b7fd33f9271f9c0a8e137efd0422b86ddd5502f90450 |
\??\c:\Users\Admin\AppData\Local\Temp\xetcrbm5\xetcrbm5.cmdline
| MD5 | f1e012579bd2df17f56f1278d42e9bee |
| SHA1 | 8954f29ed81cabaaa0c58bbf5fa3e8816759f9d9 |
| SHA256 | 68db0a534ed43bc3f94b9c30379d39da39acdbc5ac2f441f79638bc0f8c5cbb9 |
| SHA512 | c037ff274e613c35ddb5cda9b647e268fee07fd683507f3e7d4998742f3e86672893562c99fd9da31731b97afee1065588ac135b49e6bcdeb34d488b5d9c5c2f |