Analysis Overview
Threat Level: Known bad
The file https://github.com/cybertoxin/Remcos-Professional-Cracked-By-Alcatraz3222 was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Modifies Windows Firewall
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Analysis: static1
Detonation Overview
Reported: 2024-02-28 19:07
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-02-28 19:07
Reported: 2024-02-28 19:12
Platform: win10v2004-20240226-en
Max time kernel: 299s
Max time network: 303s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | camo.githubusercontent.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1472 set thread context of 2076 | N/A | C:\Users\Admin\Desktop\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/cybertoxin/Remcos-Professional-Cracked-By-Alcatraz3222
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe208d46f8,0x7ffe208d4708,0x7ffe208d4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,4289328105575541062,12298591838311580032,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,4289328105575541062,12298591838311580032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,4289328105575541062,12298591838311580032,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4289328105575541062,12298591838311580032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4289328105575541062,12298591838311580032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,4289328105575541062,12298591838311580032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4289328105575541062,12298591838311580032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4289328105575541062,12298591838311580032,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4289328105575541062,12298591838311580032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4289328105575541062,12298591838311580032,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4289328105575541062,12298591838311580032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1256 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2168,4289328105575541062,12298591838311580032,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6016 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2168,4289328105575541062,12298591838311580032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222.exe
"C:\Users\Admin\Desktop\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222.exe"
C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,4289328105575541062,12298591838311580032,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1260 /prefetch:2
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/Desktop/Remcos Professional Cracked By Alcatraz3222/Remcos Professional Cracked By Alcatraz3222.exe" "%temp%\Profile Remcos\Update_Lock_Remcos.exe" /Y
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\Profile Remcos\Update_Lock_Remcos.exe:Zone.Identifier
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\taskhost.exe" "taskhost.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.3:443 | github.com | tcp |
| US | 8.8.8.8:53 | 196.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.121.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.133:443 | avatars.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 8.8.8.8:53 | camo.githubusercontent.com | udp |
| US | 185.199.108.133:443 | camo.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 154.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 140.82.113.21:443 | collector.github.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| DE | 140.82.121.6:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | 21.113.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.121.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 140.82.121.3:443 | github.com | tcp |
| US | 8.8.8.8:53 | codeload.github.com | udp |
| DE | 140.82.121.9:443 | codeload.github.com | tcp |
| US | 8.8.8.8:53 | 9.121.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | breakingsec02.co.nf | udp |
| N/A | 127.0.0.10:80 | | tcp |
| US | 8.8.8.8:53 | dllsys.duckdns.org | udp |
| IT | 84.220.8.178:3202 | dllsys.duckdns.org | tcp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57dc66.TMP
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
C:\Users\Admin\Downloads\Unconfirmed 544686.crdownload
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe
C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe
C:\Users\Admin\AppData\Local\Temp\taskhost.exe
C:\Users\Admin\Desktop\Remcos Professional Cracked By Alcatraz3222\Remcos_Settings.ini