Malware Analysis Report

2025-01-22 13:51

Sample ID 240827-sjtdmaycrj
Target Remcos Professional Cracked By Alcatraz3222.exe
SHA256 898ac001d0f6c52c1001c640d9860287fdf30a648d580e9f5dd15e2ef84ab18e
Tags
discovery njrat hacked evasion persistence privilege_escalation trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score 10/10

SHA256 898ac001d0f6c52c1001c640d9860287fdf30a648d580e9f5dd15e2ef84ab18e

Threat Level: Known bad

The file Remcos Professional Cracked By Alcatraz3222.exe was found to be: Known bad.

Malicious Activity Summary

discovery njrat hacked evasion persistence privilege_escalation trojan

njRAT/Bladabindi

Modifies Windows Firewall

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Suspicious use of SetThreadContext

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-08-27 15:09

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-08-27 15:09

Reported 2024-08-27 15:11

Platform win7-20240708-en

Max time kernel 59s

Max time network 25s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2604 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Windows\SysWOW64\cmd.exe
PID 2644 wrote to memory of 2768 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 2768 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 2768 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 2768 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2604 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 2604 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 2604 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 2604 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 2604 wrote to memory of 884 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 2604 wrote to memory of 884 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 2604 wrote to memory of 884 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 2604 wrote to memory of 884 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 2604 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 2604 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 2604 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 2604 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 2604 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 2604 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 2604 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 2604 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 2604 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 2604 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 2604 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 2604 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 2604 wrote to memory of 2584 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 2604 wrote to memory of 2584 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 2604 wrote to memory of 2584 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 2604 wrote to memory of 2584 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 2604 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 2604 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 2604 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 2604 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe

"C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/Remcos Professional Cracked By Alcatraz3222.exe" "%temp%\Profile Remcos\Update_Lock_Remcos.exe" /Y

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\Profile Remcos\Update_Lock_Remcos.exe:Zone.Identifier

C:\Users\Admin\AppData\Local\Temp\taskhost.exe

"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"

C:\Users\Admin\AppData\Local\Temp\taskhost.exe

"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"

C:\Users\Admin\AppData\Local\Temp\taskhost.exe

"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"

C:\Users\Admin\AppData\Local\Temp\taskhost.exe

"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"

C:\Users\Admin\AppData\Local\Temp\taskhost.exe

"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"

C:\Users\Admin\AppData\Local\Temp\taskhost.exe

"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"

C:\Users\Admin\AppData\Local\Temp\taskhost.exe

"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

Network

N/A

Files

memory/2604-0-0x0000000074C9E000-0x0000000074C9F000-memory.dmp

memory/2604-1-0x0000000000200000-0x00000000013AE000-memory.dmp

memory/2604-2-0x0000000074C90000-0x000000007537E000-memory.dmp

memory/2604-3-0x000000000D330000-0x000000000E4B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe

MD5 efc159c7cf75545997f8c6af52d3e802
SHA1 b85bd368c91a13db1c5de2326deb25ad666c24c1
SHA256 898ac001d0f6c52c1001c640d9860287fdf30a648d580e9f5dd15e2ef84ab18e
SHA512 d06a432233dceb731defd53238971699fef201d0f9144ee50e5dd7d6620dfdd6c298d52618bf2c9feb0519574f4565fb0177b00fd8292768fbd8b85dd11e650d

\Users\Admin\AppData\Local\Temp\taskhost.exe

MD5 9af17c8393f0970ee5136bd3ffa27001
SHA1 4b285b72c1a11285a25f31f2597e090da6bbc049
SHA256 71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019
SHA512 b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

memory/2604-33-0x0000000074C9E000-0x0000000074C9F000-memory.dmp

memory/2604-34-0x0000000074C90000-0x000000007537E000-memory.dmp

memory/2604-35-0x0000000074C90000-0x000000007537E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-08-27 15:09

Reported 2024-08-27 15:11

Platform win10v2004-20240802-en

Max time kernel 111s

Max time network 112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1404 set thread context of 4464 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1404 wrote to memory of 3404 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 3404 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 3404 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 1764 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 1764 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 1764 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Windows\SysWOW64\cmd.exe
PID 1764 wrote to memory of 456 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1764 wrote to memory of 456 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1764 wrote to memory of 456 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1404 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 4464 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 1404 wrote to memory of 4464 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 1404 wrote to memory of 4464 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 1404 wrote to memory of 4464 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 1404 wrote to memory of 4464 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 1404 wrote to memory of 4464 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 1404 wrote to memory of 4464 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 1404 wrote to memory of 4464 | N/A | C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe | C:\Users\Admin\AppData\Local\Temp\taskhost.exe
PID 4464 wrote to memory of 5084 | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | C:\Windows\SysWOW64\netsh.exe
PID 4464 wrote to memory of 5084 | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | C:\Windows\SysWOW64\netsh.exe
PID 4464 wrote to memory of 5084 | N/A | C:\Users\Admin\AppData\Local\Temp\taskhost.exe | C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe

"C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/Remcos Professional Cracked By Alcatraz3222.exe" "%temp%\Profile Remcos\Update_Lock_Remcos.exe" /Y

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\Profile Remcos\Update_Lock_Remcos.exe:Zone.Identifier

C:\Users\Admin\AppData\Local\Temp\taskhost.exe

"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\taskhost.exe" "taskhost.exe" ENABLE

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 42.56.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | dllsys.duckdns.org | udp
IT | 84.220.8.178:3202 | dllsys.duckdns.org | tcp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 40.140.123.92.in-addr.arpa | udp
IT | 84.220.8.178:3202 | dllsys.duckdns.org | tcp
US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp
IT | 84.220.8.178:3202 | dllsys.duckdns.org | tcp
US | 8.8.8.8:53 | dllsys.duckdns.org | udp
IT | 84.220.8.178:3202 | dllsys.duckdns.org | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
IT | 84.220.8.178:3202 | dllsys.duckdns.org | tcp

Files

memory/1404-0-0x000000007477E000-0x000000007477F000-memory.dmp

memory/1404-1-0x0000000000B00000-0x0000000001CAE000-memory.dmp

memory/1404-2-0x00000000064C0000-0x000000000655C000-memory.dmp

memory/1404-3-0x0000000074770000-0x0000000074F20000-memory.dmp

memory/1404-4-0x000000000DCD0000-0x000000000EE52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe

MD5 efc159c7cf75545997f8c6af52d3e802
SHA1 b85bd368c91a13db1c5de2326deb25ad666c24c1
SHA256 898ac001d0f6c52c1001c640d9860287fdf30a648d580e9f5dd15e2ef84ab18e
SHA512 d06a432233dceb731defd53238971699fef201d0f9144ee50e5dd7d6620dfdd6c298d52618bf2c9feb0519574f4565fb0177b00fd8292768fbd8b85dd11e650d

C:\Users\Admin\AppData\Local\Temp\taskhost.exe

MD5 8fdf47e0ff70c40ed3a17014aeea4232
SHA1 e6256a0159688f0560b015da4d967f41cbf8c9bd
SHA256 ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82
SHA512 bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

memory/4464-12-0x0000000000400000-0x000000000040E000-memory.dmp

memory/4464-15-0x0000000074770000-0x0000000074F20000-memory.dmp

memory/4464-18-0x0000000005C60000-0x0000000006204000-memory.dmp

memory/1404-19-0x000000007477E000-0x000000007477F000-memory.dmp

memory/1404-20-0x0000000074770000-0x0000000074F20000-memory.dmp

memory/4464-21-0x00000000058D0000-0x0000000005962000-memory.dmp

memory/4464-22-0x0000000074770000-0x0000000074F20000-memory.dmp

memory/4464-23-0x0000000005810000-0x000000000581A000-memory.dmp

memory/4464-24-0x0000000074770000-0x0000000074F20000-memory.dmp

memory/1404-26-0x0000000074770000-0x0000000074F20000-memory.dmp

memory/4464-27-0x0000000074770000-0x0000000074F20000-memory.dmp