njrat | hxxps://raw[.]githubusercontent[.]com/cybertoxin/Remcos-Professional-Cracked-By-Alcatraz3222/master/Remcos%20Professional%20Cracked%20By%20Alcatraz3222[.]zip

Resubmissions

28-08-2022 16:20

220828-ttcpasbgbl 10

28-08-2022 16:08

220828-tk67jsbehj 10

Analysis

max time kernel
102s
max time network
104s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
28-08-2022 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://raw.githubusercontent.com/cybertoxin/Remcos-Professional-Cracked-By-Alcatraz3222/master/Remcos%20Professional%20Cracked%20By%20Alcatraz3222.zip

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

dllsys.duckdns.org:3202

Mutex

3b570ffeeb3d34249b9a5ce0ee58a328

Attributes

reg_key
3b570ffeeb3d34249b9a5ce0ee58a328
splitter
svchost

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 6 IoCs

Processes:

Remcos Professional Cracked By Alcatraz3222.exeRemcos Professional Cracked By Alcatraz3222.exeRemcos Professional Cracked By Alcatraz3222.exeRemcos Professional Cracked By Alcatraz3222.exetaskhost.exetaskhost.exe

pid	process
2292	Remcos Professional Cracked By Alcatraz3222.exe
3504	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3392	Remcos Professional Cracked By Alcatraz3222.exe
1812	taskhost.exe
4772	taskhost.exe

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

5060 netsh.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Remcos Professional Cracked By Alcatraz3222.exeRemcos Professional Cracked By Alcatraz3222.exe

pid process

3500 Remcos Professional Cracked By Alcatraz3222.exe
3392 Remcos Professional Cracked By Alcatraz3222.exe

pid	process
5060	netsh.exe

pid	process
3500	Remcos Professional Cracked By Alcatraz3222.exe
3392	Remcos Professional Cracked By Alcatraz3222.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Remcos Professional Cracked By Alcatraz3222.exeRemcos Professional Cracked By Alcatraz3222.exe

description	pid	process	target process
PID 2292 set thread context of 1812	2292	Remcos Professional Cracked By Alcatraz3222.exe	taskhost.exe
PID 3504 set thread context of 4772	3504	Remcos Professional Cracked By Alcatraz3222.exe	taskhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings firefox.exe
NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\Remcos Professional Cracked By Alcatraz3222.zip:Zone.Identifier firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\Remcos Professional Cracked By Alcatraz3222.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

Remcos Professional Cracked By Alcatraz3222.exeRemcos Professional Cracked By Alcatraz3222.exeRemcos Professional Cracked By Alcatraz3222.exeRemcos Professional Cracked By Alcatraz3222.exe

pid	process
2292	Remcos Professional Cracked By Alcatraz3222.exe
3504	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
2292	Remcos Professional Cracked By Alcatraz3222.exe
3392	Remcos Professional Cracked By Alcatraz3222.exe
3392	Remcos Professional Cracked By Alcatraz3222.exe
3392	Remcos Professional Cracked By Alcatraz3222.exe
3392	Remcos Professional Cracked By Alcatraz3222.exe
3504	Remcos Professional Cracked By Alcatraz3222.exe
2292	Remcos Professional Cracked By Alcatraz3222.exe
3504	Remcos Professional Cracked By Alcatraz3222.exe
2292	Remcos Professional Cracked By Alcatraz3222.exe
3504	Remcos Professional Cracked By Alcatraz3222.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Remcos Professional Cracked By Alcatraz3222.exe

pid process

3500 Remcos Professional Cracked By Alcatraz3222.exe

pid	process
3500	Remcos Professional Cracked By Alcatraz3222.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

firefox.exe7zG.exeRemcos Professional Cracked By Alcatraz3222.exeRemcos Professional Cracked By Alcatraz3222.exetaskhost.exe

description	pid	process
Token: SeDebugPrivilege	3440	firefox.exe
Token: SeDebugPrivilege	3440	firefox.exe
Token: SeDebugPrivilege	3440	firefox.exe
Token: SeRestorePrivilege	3348	7zG.exe
Token: 35	3348	7zG.exe
Token: SeSecurityPrivilege	3348	7zG.exe
Token: SeSecurityPrivilege	3348	7zG.exe
Token: SeDebugPrivilege	2292	Remcos Professional Cracked By Alcatraz3222.exe
Token: SeDebugPrivilege	3504	Remcos Professional Cracked By Alcatraz3222.exe
Token: SeDebugPrivilege	1812	taskhost.exe
Token: 33	1812	taskhost.exe
Token: SeIncBasePriorityPrivilege	1812	taskhost.exe
Token: 33	1812	taskhost.exe
Token: SeIncBasePriorityPrivilege	1812	taskhost.exe
Token: 33	1812	taskhost.exe
Token: SeIncBasePriorityPrivilege	1812	taskhost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

firefox.exe7zG.exeRemcos Professional Cracked By Alcatraz3222.exe

pid	process
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe
3348	7zG.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe

Suspicious use of SendNotifyMessage 5 IoCs

Processes:

firefox.exeRemcos Professional Cracked By Alcatraz3222.exe

pid	process
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

firefox.exeRemcos Professional Cracked By Alcatraz3222.exeRemcos Professional Cracked By Alcatraz3222.exe

pid	process
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe
3500	Remcos Professional Cracked By Alcatraz3222.exe
3392	Remcos Professional Cracked By Alcatraz3222.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 1584 wrote to memory of 3440	1584	firefox.exe	firefox.exe
PID 1584 wrote to memory of 3440	1584	firefox.exe	firefox.exe
PID 1584 wrote to memory of 3440	1584	firefox.exe	firefox.exe
PID 1584 wrote to memory of 3440	1584	firefox.exe	firefox.exe
PID 1584 wrote to memory of 3440	1584	firefox.exe	firefox.exe
PID 1584 wrote to memory of 3440	1584	firefox.exe	firefox.exe
PID 1584 wrote to memory of 3440	1584	firefox.exe	firefox.exe
PID 1584 wrote to memory of 3440	1584	firefox.exe	firefox.exe
PID 1584 wrote to memory of 3440	1584	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4296	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4296	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 4276	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 5064	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 5064	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 5064	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 5064	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 5064	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 5064	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 5064	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 5064	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 5064	3440	firefox.exe	firefox.exe
PID 3440 wrote to memory of 5064	3440	firefox.exe	firefox.exe

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://raw.githubusercontent.com/cybertoxin/Remcos-Professional-Cracked-By-Alcatraz3222/master/Remcos%20Professional%20Cracked%20By%20Alcatraz3222.zip
1⤵
- Suspicious use of WriteProcessMemory
PID:1584

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://raw.githubusercontent.com/cybertoxin/Remcos-Professional-Cracked-By-Alcatraz3222/master/Remcos%20Professional%20Cracked%20By%20Alcatraz3222.zip
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3440

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3440.0.58374396\1224522430" -parentBuildID 20200403170909 -prefsHandle 1532 -prefMapHandle 1524 -prefsLen 1 -prefMapSize 220115 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3440 "\\.\pipe\gecko-crash-server-pipe.3440" 1604 gpu
3⤵
PID:4296

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3440.3.1829844088\611071073" -childID 1 -isForBrowser -prefsHandle 2224 -prefMapHandle 2220 -prefsLen 122 -prefMapSize 220115 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3440 "\\.\pipe\gecko-crash-server-pipe.3440" 2236 tab
3⤵
PID:4276

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3440.13.246523457\1566400921" -childID 2 -isForBrowser -prefsHandle 3372 -prefMapHandle 3368 -prefsLen 6904 -prefMapSize 220115 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3440 "\\.\pipe\gecko-crash-server-pipe.3440" 3388 tab
3⤵
PID:5064

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1812

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Remcos Professional Cracked By Alcatraz3222\" -spe -an -ai#7zMap2293:148:7zEvent13712
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3348

C:\Users\Admin\Downloads\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222.exe
"C:\Users\Admin\Downloads\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2292

C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3500

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/Downloads/Remcos Professional Cracked By Alcatraz3222/Remcos Professional Cracked By Alcatraz3222/Remcos Professional Cracked By Alcatraz3222.exe" "%temp%\Profile Remcos\Update_Lock_Remcos.exe" /Y
2⤵
PID:768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
2⤵
PID:4044

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
3⤵
PID:4608

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\Profile Remcos\Update_Lock_Remcos.exe:Zone.Identifier
2⤵
PID:4184

C:\Users\Admin\AppData\Local\Temp\taskhost.exe
"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\taskhost.exe" "taskhost.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:5060

C:\Users\Admin\Downloads\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222.exe
"C:\Users\Admin\Downloads\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3504

C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/Downloads/Remcos Professional Cracked By Alcatraz3222/Remcos Professional Cracked By Alcatraz3222/Remcos Professional Cracked By Alcatraz3222.exe" "%temp%\Profile Remcos\Update_Lock_Remcos.exe" /Y
2⤵
PID:4148

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
2⤵
PID:1096

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
3⤵
PID:1404

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\Profile Remcos\Update_Lock_Remcos.exe:Zone.Identifier
2⤵
PID:4416

C:\Users\Admin\AppData\Local\Temp\taskhost.exe
"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
2⤵
- Executes dropped EXE
PID:4772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Remcos Professional Cracked By Alcatraz3222.exe.log
Filesize
522B

MD5
3fb3c31c2798922aca207c7db9c84d90

SHA1
3d5525cba9eec8be78db0a014f04207c788bfbc2

SHA256
5750c9dc2cc9ff90e20ec80d5373e4ca4e4bf474314394339248889ef6b1e5ff

SHA512
22300ae83016d53882cf4cd620ed19faa92fb4ab99e46adc93a0cdedb64818a5ec4b12f405caeb52493ea58805f898fdcf254be956bb86bc86ac20d62e48a33e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Profile
Filesize
73B

MD5
1a32b94bd8d51df35d766b6affdfacfc

SHA1
b35ba7f44b350dd9e86c74acfc722ee7373b77ee

SHA256
3d464700f406245d63409c36aae1504dd9fb63c784cbf7ae8957052068213937

SHA512
9f31cb9b0972efab2ba566acd10e0355acb316b49a8cdb5c3b0787cba9f97670ea592e385182fe143f54a2effb565c1f78083223bc4600cd961bbffc8f01d3bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe
Filesize
17.7MB

MD5
efc159c7cf75545997f8c6af52d3e802

SHA1
b85bd368c91a13db1c5de2326deb25ad666c24c1

SHA256
898ac001d0f6c52c1001c640d9860287fdf30a648d580e9f5dd15e2ef84ab18e

SHA512
d06a432233dceb731defd53238971699fef201d0f9144ee50e5dd7d6620dfdd6c298d52618bf2c9feb0519574f4565fb0177b00fd8292768fbd8b85dd11e650d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe.lnk
Filesize
1KB

MD5
aaf946328862696ce980316a9550b42d

SHA1
68f2f0f0843a9b4156de2a2c91625528fe1a5ca2

SHA256
8d577c86f78048c096a03f916c4090dfba450944d068dedfbedcba6c93ad9efe

SHA512
2c902a7e9017d4822e20f797ca8b4ff5c50cdd19f34a0745aa97d773327009bd71d11aa2181a2c9b9deb017387a57b0718cbc1cfe86d921be9c18aa2c062a1d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe
Filesize
17.4MB

MD5
c3c21fa4c2186deb641455482ab0d3aa

SHA1
2f4b49e8383e073ccb965943ce970de403412567

SHA256
4ea203509d0fdff3e31f976413c546ca3d36133bc708e9a1301860961cc3a8d9

SHA512
31db2963f1bd49f7b4a6ee38e54940d20120d6c05ef7bf34ec97eb93051bee6d5428e9e1271e4ae8f5544b824188ac7278315e2e2c27be302a312eebbf8c3fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe
Filesize
17.4MB

MD5
c3c21fa4c2186deb641455482ab0d3aa

SHA1
2f4b49e8383e073ccb965943ce970de403412567

SHA256
4ea203509d0fdff3e31f976413c546ca3d36133bc708e9a1301860961cc3a8d9

SHA512
31db2963f1bd49f7b4a6ee38e54940d20120d6c05ef7bf34ec97eb93051bee6d5428e9e1271e4ae8f5544b824188ac7278315e2e2c27be302a312eebbf8c3fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe
Filesize
17.4MB

MD5
c3c21fa4c2186deb641455482ab0d3aa

SHA1
2f4b49e8383e073ccb965943ce970de403412567

SHA256
4ea203509d0fdff3e31f976413c546ca3d36133bc708e9a1301860961cc3a8d9

SHA512
31db2963f1bd49f7b4a6ee38e54940d20120d6c05ef7bf34ec97eb93051bee6d5428e9e1271e4ae8f5544b824188ac7278315e2e2c27be302a312eebbf8c3fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
Filesize
255KB

MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
Filesize
255KB

MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
Filesize
255KB

MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
C:\Users\Admin\Downloads\Remcos Professional Cracked By Alcatraz3222.zip
Filesize
17.3MB

MD5
ea3fd7407073aae0205a02f10c1f826f

SHA1
aeb5a674da5bbdea4e1b42470e6e059b730b88a6

SHA256
bdb96b7a1a75fa4f56d1b1f922d80f029c12df21df49cbbfd1f2a3175d604195

SHA512
bf69f80a585eed54b599cb5adf285ca0576650b275daef6e502eae2d564906950cb4a13821b67325bc1c2ba0ca6436401f562c279cc42d3590e0f8becfec028f

Download Submit
C:\Users\Admin\Downloads\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222.exe
Filesize
17.7MB

MD5
efc159c7cf75545997f8c6af52d3e802

SHA1
b85bd368c91a13db1c5de2326deb25ad666c24c1

SHA256
898ac001d0f6c52c1001c640d9860287fdf30a648d580e9f5dd15e2ef84ab18e

SHA512
d06a432233dceb731defd53238971699fef201d0f9144ee50e5dd7d6620dfdd6c298d52618bf2c9feb0519574f4565fb0177b00fd8292768fbd8b85dd11e650d

Download Submit
C:\Users\Admin\Downloads\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222.exe
Filesize
17.7MB

MD5
efc159c7cf75545997f8c6af52d3e802

SHA1
b85bd368c91a13db1c5de2326deb25ad666c24c1

SHA256
898ac001d0f6c52c1001c640d9860287fdf30a648d580e9f5dd15e2ef84ab18e

SHA512
d06a432233dceb731defd53238971699fef201d0f9144ee50e5dd7d6620dfdd6c298d52618bf2c9feb0519574f4565fb0177b00fd8292768fbd8b85dd11e650d

Download Submit
C:\Users\Admin\Downloads\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222.exe
Filesize
17.7MB

MD5
efc159c7cf75545997f8c6af52d3e802

SHA1
b85bd368c91a13db1c5de2326deb25ad666c24c1

SHA256
898ac001d0f6c52c1001c640d9860287fdf30a648d580e9f5dd15e2ef84ab18e

SHA512
d06a432233dceb731defd53238971699fef201d0f9144ee50e5dd7d6620dfdd6c298d52618bf2c9feb0519574f4565fb0177b00fd8292768fbd8b85dd11e650d

Download Submit
C:\Users\Admin\Downloads\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222\Remcos_Settings.ini
Filesize
881B

MD5
a3468935e33e361cf94f4721ed4cb66d

SHA1
c3b19ca8382534b2179940cabede8c6c952a9c06

SHA256
b374af58c24b6085f64f979dab434643da39d0267a27975f396473327dc98c7d

SHA512
c1caa0b9637a46187d54b2952db204182fad5a5324574949ce4db13bdb17624ccd8b3228eb9b2bcfe5851add2c5d2f586945e7264b1d1cd02d91acf1fd81583a

Download Submit
memory/768-303-0x0000000000000000-mapping.dmp

Download
memory/1096-438-0x0000000000000000-mapping.dmp

Download
memory/1404-478-0x0000000000000000-mapping.dmp

Download
memory/1812-453-0x0000000000408CDE-mapping.dmp

Download
memory/1812-531-0x00000000057F0000-0x0000000005CEE000-memory.dmp

Filesize
5.0MB

Download
memory/1812-684-0x0000000005480000-0x0000000005512000-memory.dmp

Filesize
584KB

Download
memory/1812-760-0x0000000005440000-0x000000000544A000-memory.dmp

Filesize
40KB

Download
memory/1812-522-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2292-160-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-137-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-142-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-143-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-144-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-145-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-146-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-147-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-148-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-149-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-150-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-151-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-152-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-153-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-154-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-155-0x0000000000950000-0x0000000001AFE000-memory.dmp

Filesize
17.7MB

Download
memory/2292-156-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-157-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-158-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-159-0x00000000063B0000-0x000000000644C000-memory.dmp

Filesize
624KB

Download
memory/2292-118-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-161-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-162-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-163-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-164-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-165-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-166-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-167-0x000000000DAB0000-0x000000000EC32000-memory.dmp

Filesize
17.5MB

Download
memory/2292-168-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-140-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-139-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-119-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-120-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-138-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-141-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-136-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-121-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-122-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-178-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-135-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-134-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-133-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-183-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-184-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-185-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-186-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-180-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-123-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-132-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-131-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-124-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-130-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-129-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-125-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-127-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-128-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/3392-291-0x0000000000000000-mapping.dmp

Download
memory/3392-602-0x0000000000400000-0x0000000002991000-memory.dmp

Filesize
37.6MB

Download
memory/3392-441-0x0000000000400000-0x0000000002991000-memory.dmp

Filesize
37.6MB

Download
memory/3392-788-0x0000000000400000-0x0000000002991000-memory.dmp

Filesize
37.6MB

Download
memory/3392-461-0x0000000000400000-0x0000000002991000-memory.dmp

Filesize
37.6MB

Download
memory/3500-357-0x0000000000400000-0x0000000002991000-memory.dmp

Filesize
37.6MB

Download
memory/3500-344-0x0000000000400000-0x0000000002991000-memory.dmp

Filesize
37.6MB

Download
memory/3500-214-0x0000000000000000-mapping.dmp

Download
memory/3500-573-0x0000000000400000-0x0000000002991000-memory.dmp

Filesize
37.6MB

Download
memory/3500-787-0x0000000000400000-0x0000000002991000-memory.dmp

Filesize
37.6MB

Download
memory/3504-170-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-175-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-171-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-172-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-173-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-174-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-182-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-181-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-176-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-179-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-177-0x00000000770F0000-0x000000007727E000-memory.dmp

Filesize
1.6MB

Download
memory/4044-362-0x0000000000000000-mapping.dmp

Download
memory/4148-388-0x0000000000000000-mapping.dmp

Download
memory/4184-432-0x0000000000000000-mapping.dmp

Download
memory/4416-523-0x0000000000000000-mapping.dmp

Download
memory/4608-377-0x0000000000000000-mapping.dmp

Download
memory/4772-535-0x0000000000408CDE-mapping.dmp

Download
memory/5060-577-0x0000000000000000-mapping.dmp

Download