njrat | bdb96b7a1a75fa4f56d1b1f922d80f029c12df21df49cbbfd1f2a3175d604195

Resubmissions

15-09-2024 18:44

240915-xdfb2axhlk 10

15-09-2024 18:40

240915-xbd17axgkq 10

Analysis

max time kernel
175s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15-09-2024 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Remcos Professional Cracked By Alcatraz3222/Remcos Professional Cracked By Alcatraz3222.exe
Size

17.7MB
MD5

efc159c7cf75545997f8c6af52d3e802
SHA1

b85bd368c91a13db1c5de2326deb25ad666c24c1
SHA256

898ac001d0f6c52c1001c640d9860287fdf30a648d580e9f5dd15e2ef84ab18e
SHA512

d06a432233dceb731defd53238971699fef201d0f9144ee50e5dd7d6620dfdd6c298d52618bf2c9feb0519574f4565fb0177b00fd8292768fbd8b85dd11e650d
SSDEEP

393216:GYuGvp8EHb+in8f4Zg41+Q4AXf5ZZcyfHDMxVpSc+q+eOFxdx:3mqSi8fN4sAXfrZcyfo7p0eYHx

Score

10^/10

njrat remcos hacked discovery evasion persistence privilege_escalation rat trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

dllsys.duckdns.org:3202

Mutex

3b570ffeeb3d34249b9a5ce0ee58a328

Attributes

reg_key
3b570ffeeb3d34249b9a5ce0ee58a328
splitter
svchost

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3068	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Remcos Professional Cracked By Alcatraz3222.exe

Executes dropped EXE 5 IoCs

pid	Process
4620	Remcos Professional Cracked By Alcatraz3222.exe
1632	taskhost.exe
800	remcos_agent.exe
4864	remcos_agent.exe
2032	remcos_agent.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4620	Remcos Professional Cracked By Alcatraz3222.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4428 set thread context of 1632	4428	Remcos Professional Cracked By Alcatraz3222.exe	95

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
5028	800	WerFault.exe	115
2328	4864	WerFault.exe	120
3016	2032	WerFault.exe	123

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos_agent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Remcos Professional Cracked By Alcatraz3222.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Remcos Professional Cracked By Alcatraz3222.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 55 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	Remcos Professional Cracked By Alcatraz3222.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Remcos Professional Cracked By Alcatraz3222.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000090000000	Remcos Professional Cracked By Alcatraz3222.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000002598063120041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe025980632f5992952e00000081e10100000001000000000000000000000000000000f7ecec004100700070004400610074006100000042000000	Remcos Professional Cracked By Alcatraz3222.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Remcos Professional Cracked By Alcatraz3222.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Remcos Professional Cracked By Alcatraz3222.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Remcos Professional Cracked By Alcatraz3222.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Remcos Professional Cracked By Alcatraz3222.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Remcos Professional Cracked By Alcatraz3222.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Remcos Professional Cracked By Alcatraz3222.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Remcos Professional Cracked By Alcatraz3222.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Remcos Professional Cracked By Alcatraz3222.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Remcos Professional Cracked By Alcatraz3222.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Remcos Professional Cracked By Alcatraz3222.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Remcos Professional Cracked By Alcatraz3222.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Remcos Professional Cracked By Alcatraz3222.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Remcos Professional Cracked By Alcatraz3222.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Remcos Professional Cracked By Alcatraz3222.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	Remcos Professional Cracked By Alcatraz3222.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy	Remcos Professional Cracked By Alcatraz3222.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Remcos Professional Cracked By Alcatraz3222.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	Remcos Professional Cracked By Alcatraz3222.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Remcos Professional Cracked By Alcatraz3222.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Remcos Professional Cracked By Alcatraz3222.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Remcos Professional Cracked By Alcatraz3222.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	Remcos Professional Cracked By Alcatraz3222.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	Remcos Professional Cracked By Alcatraz3222.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Remcos Professional Cracked By Alcatraz3222.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlot = "2"	Remcos Professional Cracked By Alcatraz3222.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Remcos Professional Cracked By Alcatraz3222.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Remcos Professional Cracked By Alcatraz3222.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Remcos Professional Cracked By Alcatraz3222.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Remcos Professional Cracked By Alcatraz3222.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Remcos Professional Cracked By Alcatraz3222.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Remcos Professional Cracked By Alcatraz3222.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Remcos Professional Cracked By Alcatraz3222.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Remcos Professional Cracked By Alcatraz3222.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	Remcos Professional Cracked By Alcatraz3222.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000002f599695100054656d7000003a0009000400efbe025980632f5996952e00000095e1010000000100000000000000000000000000000069593001540065006d007000000014000000	Remcos Professional Cracked By Alcatraz3222.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Remcos Professional Cracked By Alcatraz3222.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	Remcos Professional Cracked By Alcatraz3222.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Remcos Professional Cracked By Alcatraz3222.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Remcos Professional Cracked By Alcatraz3222.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Remcos Professional Cracked By Alcatraz3222.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	Remcos Professional Cracked By Alcatraz3222.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Remcos Professional Cracked By Alcatraz3222.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	Remcos Professional Cracked By Alcatraz3222.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Remcos Professional Cracked By Alcatraz3222.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Remcos Professional Cracked By Alcatraz3222.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Remcos Professional Cracked By Alcatraz3222.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy	Remcos Professional Cracked By Alcatraz3222.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	Remcos Professional Cracked By Alcatraz3222.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000259b16510004c6f63616c003c0009000400efbe025980632f5992952e00000094e10100000001000000000000000000000000000000529b08014c006f00630061006c00000014000000	Remcos Professional Cracked By Alcatraz3222.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	Remcos Professional Cracked By Alcatraz3222.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	Remcos Professional Cracked By Alcatraz3222.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4428	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4428	Remcos Professional Cracked By Alcatraz3222.exe
4428	Remcos Professional Cracked By Alcatraz3222.exe
4428	Remcos Professional Cracked By Alcatraz3222.exe
1828	msedge.exe
1828	msedge.exe
1760	msedge.exe
1760	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4620	Remcos Professional Cracked By Alcatraz3222.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1760	msedge.exe
1760	msedge.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	4428	Remcos Professional Cracked By Alcatraz3222.exe
Token: SeDebugPrivilege	1632	taskhost.exe
Token: 33	1632	taskhost.exe
Token: SeIncBasePriorityPrivilege	1632	taskhost.exe
Token: 33	1632	taskhost.exe
Token: SeIncBasePriorityPrivilege	1632	taskhost.exe
Token: 33	1632	taskhost.exe
Token: SeIncBasePriorityPrivilege	1632	taskhost.exe
Token: 33	1632	taskhost.exe
Token: SeIncBasePriorityPrivilege	1632	taskhost.exe
Token: 33	1632	taskhost.exe
Token: SeIncBasePriorityPrivilege	1632	taskhost.exe
Token: 33	1632	taskhost.exe
Token: SeIncBasePriorityPrivilege	1632	taskhost.exe
Token: 33	1632	taskhost.exe
Token: SeIncBasePriorityPrivilege	1632	taskhost.exe
Token: 33	1632	taskhost.exe
Token: SeIncBasePriorityPrivilege	1632	taskhost.exe
Token: 33	1632	taskhost.exe
Token: SeIncBasePriorityPrivilege	1632	taskhost.exe
Token: 33	1632	taskhost.exe
Token: SeIncBasePriorityPrivilege	1632	taskhost.exe
Token: 33	1632	taskhost.exe
Token: SeIncBasePriorityPrivilege	1632	taskhost.exe
Token: 33	1632	taskhost.exe
Token: SeIncBasePriorityPrivilege	1632	taskhost.exe
Token: 33	1632	taskhost.exe
Token: SeIncBasePriorityPrivilege	1632	taskhost.exe
Token: 33	1632	taskhost.exe
Token: SeIncBasePriorityPrivilege	1632	taskhost.exe
Token: 33	1632	taskhost.exe
Token: SeIncBasePriorityPrivilege	1632	taskhost.exe
Token: 33	1632	taskhost.exe
Token: SeIncBasePriorityPrivilege	1632	taskhost.exe
Token: 33	1632	taskhost.exe
Token: SeIncBasePriorityPrivilege	1632	taskhost.exe
Token: 33	1632	taskhost.exe
Token: SeIncBasePriorityPrivilege	1632	taskhost.exe
Token: 33	1632	taskhost.exe
Token: SeIncBasePriorityPrivilege	1632	taskhost.exe
Token: 33	1632	taskhost.exe
Token: SeIncBasePriorityPrivilege	1632	taskhost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4620	Remcos Professional Cracked By Alcatraz3222.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
4620	Remcos Professional Cracked By Alcatraz3222.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4620	Remcos Professional Cracked By Alcatraz3222.exe
4620	Remcos Professional Cracked By Alcatraz3222.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4428 wrote to memory of 4620	4428	Remcos Professional Cracked By Alcatraz3222.exe	82
PID 4428 wrote to memory of 4620	4428	Remcos Professional Cracked By Alcatraz3222.exe	82
PID 4428 wrote to memory of 4620	4428	Remcos Professional Cracked By Alcatraz3222.exe	82
PID 4428 wrote to memory of 400	4428	Remcos Professional Cracked By Alcatraz3222.exe	88
PID 4428 wrote to memory of 400	4428	Remcos Professional Cracked By Alcatraz3222.exe	88
PID 4428 wrote to memory of 400	4428	Remcos Professional Cracked By Alcatraz3222.exe	88
PID 4428 wrote to memory of 4864	4428	Remcos Professional Cracked By Alcatraz3222.exe	90
PID 4428 wrote to memory of 4864	4428	Remcos Professional Cracked By Alcatraz3222.exe	90
PID 4428 wrote to memory of 4864	4428	Remcos Professional Cracked By Alcatraz3222.exe	90
PID 4864 wrote to memory of 3736	4864	cmd.exe	92
PID 4864 wrote to memory of 3736	4864	cmd.exe	92
PID 4864 wrote to memory of 3736	4864	cmd.exe	92
PID 4428 wrote to memory of 4200	4428	Remcos Professional Cracked By Alcatraz3222.exe	93
PID 4428 wrote to memory of 4200	4428	Remcos Professional Cracked By Alcatraz3222.exe	93
PID 4428 wrote to memory of 4200	4428	Remcos Professional Cracked By Alcatraz3222.exe	93
PID 4428 wrote to memory of 1632	4428	Remcos Professional Cracked By Alcatraz3222.exe	95
PID 4428 wrote to memory of 1632	4428	Remcos Professional Cracked By Alcatraz3222.exe	95
PID 4428 wrote to memory of 1632	4428	Remcos Professional Cracked By Alcatraz3222.exe	95
PID 4428 wrote to memory of 1632	4428	Remcos Professional Cracked By Alcatraz3222.exe	95
PID 4428 wrote to memory of 1632	4428	Remcos Professional Cracked By Alcatraz3222.exe	95
PID 4428 wrote to memory of 1632	4428	Remcos Professional Cracked By Alcatraz3222.exe	95
PID 4428 wrote to memory of 1632	4428	Remcos Professional Cracked By Alcatraz3222.exe	95
PID 4428 wrote to memory of 1632	4428	Remcos Professional Cracked By Alcatraz3222.exe	95
PID 1632 wrote to memory of 3068	1632	taskhost.exe	98
PID 1632 wrote to memory of 3068	1632	taskhost.exe	98
PID 1632 wrote to memory of 3068	1632	taskhost.exe	98
PID 4620 wrote to memory of 1760	4620	Remcos Professional Cracked By Alcatraz3222.exe	102
PID 4620 wrote to memory of 1760	4620	Remcos Professional Cracked By Alcatraz3222.exe	102
PID 1760 wrote to memory of 2316	1760	msedge.exe	103
PID 1760 wrote to memory of 2316	1760	msedge.exe	103
PID 1760 wrote to memory of 3748	1760	msedge.exe	104
PID 1760 wrote to memory of 3748	1760	msedge.exe	104
PID 1760 wrote to memory of 3748	1760	msedge.exe	104
PID 1760 wrote to memory of 3748	1760	msedge.exe	104
PID 1760 wrote to memory of 3748	1760	msedge.exe	104
PID 1760 wrote to memory of 3748	1760	msedge.exe	104
PID 1760 wrote to memory of 3748	1760	msedge.exe	104
PID 1760 wrote to memory of 3748	1760	msedge.exe	104
PID 1760 wrote to memory of 3748	1760	msedge.exe	104
PID 1760 wrote to memory of 3748	1760	msedge.exe	104
PID 1760 wrote to memory of 3748	1760	msedge.exe	104
PID 1760 wrote to memory of 3748	1760	msedge.exe	104
PID 1760 wrote to memory of 3748	1760	msedge.exe	104
PID 1760 wrote to memory of 3748	1760	msedge.exe	104
PID 1760 wrote to memory of 3748	1760	msedge.exe	104
PID 1760 wrote to memory of 3748	1760	msedge.exe	104
PID 1760 wrote to memory of 3748	1760	msedge.exe	104
PID 1760 wrote to memory of 3748	1760	msedge.exe	104
PID 1760 wrote to memory of 3748	1760	msedge.exe	104
PID 1760 wrote to memory of 3748	1760	msedge.exe	104
PID 1760 wrote to memory of 3748	1760	msedge.exe	104
PID 1760 wrote to memory of 3748	1760	msedge.exe	104
PID 1760 wrote to memory of 3748	1760	msedge.exe	104
PID 1760 wrote to memory of 3748	1760	msedge.exe	104
PID 1760 wrote to memory of 3748	1760	msedge.exe	104
PID 1760 wrote to memory of 3748	1760	msedge.exe	104
PID 1760 wrote to memory of 3748	1760	msedge.exe	104
PID 1760 wrote to memory of 3748	1760	msedge.exe	104
PID 1760 wrote to memory of 3748	1760	msedge.exe	104
PID 1760 wrote to memory of 3748	1760	msedge.exe	104
PID 1760 wrote to memory of 3748	1760	msedge.exe	104
PID 1760 wrote to memory of 3748	1760	msedge.exe	104
PID 1760 wrote to memory of 3748	1760	msedge.exe	104
PID 1760 wrote to memory of 3748	1760	msedge.exe	104

C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe
  "C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4620
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://breaking-security.net/shop/remcos/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff95fc046f8,0x7ff95fc04708,0x7ff95fc04718
      4⤵
      PID:2316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,17374220152424872503,703233475964687520,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
      4⤵
      PID:3748
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,17374220152424872503,703233475964687520,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1828
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,17374220152424872503,703233475964687520,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
      4⤵
      PID:1200
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,17374220152424872503,703233475964687520,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
      4⤵
      PID:4632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,17374220152424872503,703233475964687520,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
      4⤵
      PID:3348
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/Remcos Professional Cracked By Alcatraz3222/Remcos Professional Cracked By Alcatraz3222.exe" "%temp%\Profile Remcos\Update_Lock_Remcos.exe" /Y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:400
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3736
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\Profile Remcos\Update_Lock_Remcos.exe:Zone.Identifier
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4200
- C:\Users\Admin\AppData\Local\Temp\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\taskhost.exe" "taskhost.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4372

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4272

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- System Location Discovery: System Language Discovery
PID:4012

C:\Users\Admin\Desktop\remcos_agent.exe
"C:\Users\Admin\Desktop\remcos_agent.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:800
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 800 -s 520
  2⤵
  - Program crash
  PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 800 -ip 800
1⤵
PID:4840

C:\Users\Admin\Desktop\remcos_agent.exe
"C:\Users\Admin\Desktop\remcos_agent.exe"
1⤵
- Executes dropped EXE
PID:4864
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 488
  2⤵
  - Program crash
  PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4864 -ip 4864
1⤵
PID:3340

C:\Users\Admin\Desktop\remcos_agent.exe
"C:\Users\Admin\Desktop\remcos_agent.exe"
1⤵
- Executes dropped EXE
PID:2032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 496
  2⤵
  - Program crash
  PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2032 -ip 2032
1⤵
PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
276B

MD5
9147e99ac4f8dcc0eacf7a08a1f824be

SHA1
70a652816632e9406b1d23555ea17d9e84409ec5

SHA256
16fbf6e6c1a6fa5473a08e048a8c81c6c44693db3261bb16b935f1825e27cec6

SHA512
5d02e020986073ed57688010885caddf0c3f31aaa029ba50b3186f39bb51db3c2aac5b33927fe61375befa81bae0516d3be1693904bab373a308b16cff9d1ae7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fd7de9499e59b51b3eef2f4b00ec45e0

SHA1
6c2dc4950b99dae7b32277bce85a233fc06015e8

SHA256
fb4f9c3d84eefec6bd95b70585e8275fa31ccffe94219452932f5fb7efce85b8

SHA512
fb89e6b9718fcab6dc95dcfbb22ee4b9ba9b8d8bbaa14f4b42bff127b573c078bb432e96c5c168d4b47817044079c2b08b7a6937a010778c7f5559cd0d4b4863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c90365a29a865e51df3b712f727c25c6

SHA1
5e71e9685760acdaad31edcc732537935ef2e78f

SHA256
a49957e2a2746c866eda838ecbd509c31050abba799cc7aace722fc5981855b1

SHA512
2b0fbff337a289ab6ed418d8fcf2c275154c3473a1ffba48b9444a3270d3201a6061f0c2a8ec043f2ecdff936cfcfd123d8c256b96ab25d078e61de4f99c3b41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
40ebe64c2e580adf0774719481640a3d

SHA1
dee7b9cb97a699d25668bd89f14692a153344542

SHA256
c7da1431707f16c623b184065c60a14586589bf55008d9d5f414c667a0c7968a

SHA512
018749313d291709c3035d56dd7c07a5630090130d1d9907f4896434d7d589c294778f91512eda6d5f24465039c7fa10269b7735eaf1675ab74bae4d7f50adde

Download Submit
C:\Users\Admin\AppData\Local\Temp\BuilderProfiles\DefaultProfile.ini

Filesize
417B

MD5
f217b17707d9f7945632285ec6e0e3e9

SHA1
0b8e1a8530afd300316f19a22f605bc8492d4845

SHA256
cfbde5511954f6b2c4f74f3a927e28a0afc781c8fce678e69fd78f2efa18f0af

SHA512
03d7b16d327253ad2a10bcaefabcc1f498d100b6866de7dd95b19a97838221af2d44635a4e687c6e304727b254728b5d6b049588a8cb2158952c3225a0735ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe

Filesize
17.7MB

MD5
efc159c7cf75545997f8c6af52d3e802

SHA1
b85bd368c91a13db1c5de2326deb25ad666c24c1

SHA256
898ac001d0f6c52c1001c640d9860287fdf30a648d580e9f5dd15e2ef84ab18e

SHA512
d06a432233dceb731defd53238971699fef201d0f9144ee50e5dd7d6620dfdd6c298d52618bf2c9feb0519574f4565fb0177b00fd8292768fbd8b85dd11e650d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe

Filesize
17.4MB

MD5
c3c21fa4c2186deb641455482ab0d3aa

SHA1
2f4b49e8383e073ccb965943ce970de403412567

SHA256
4ea203509d0fdff3e31f976413c546ca3d36133bc708e9a1301860961cc3a8d9

SHA512
31db2963f1bd49f7b4a6ee38e54940d20120d6c05ef7bf34ec97eb93051bee6d5428e9e1271e4ae8f5544b824188ac7278315e2e2c27be302a312eebbf8c3fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskhost.exe

Filesize
256KB

MD5
8fdf47e0ff70c40ed3a17014aeea4232

SHA1
e6256a0159688f0560b015da4d967f41cbf8c9bd

SHA256
ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82

SHA512
bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

Download Submit
C:\Users\Admin\Desktop\remcos_agent.exe

Filesize
84KB

MD5
af0e2c084137227308929ed246ff51ef

SHA1
afac070eea6edbd2327cc76a602ff4d5a49dbdc0

SHA256
a059c50e0de004e59eb9907d6b5d9ab45fc0e4eef44dedf9a23c43d192e27bf2

SHA512
0875ce1fe6c3c9e985b968b971ea2baa82a5bb86fe03e80b8a383d90a9528880414d6ca281ef2d399ff9cb89a05f36a9f5a129bdae61783bc1cb00b21a375ce7

Download Submit
memory/1632-37-0x0000000005620000-0x0000000005BC4000-memory.dmp

Filesize
5.6MB

Download
memory/1632-34-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1632-45-0x0000000005160000-0x000000000516A000-memory.dmp

Filesize
40KB

Download
memory/1632-43-0x00000000051D0000-0x0000000005262000-memory.dmp

Filesize
584KB

Download
memory/4428-2-0x0000000006B20000-0x0000000006BBC000-memory.dmp

Filesize
624KB

Download
memory/4428-3-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/4428-4-0x000000000E1D0000-0x000000000F352000-memory.dmp

Filesize
17.5MB

Download
memory/4428-1-0x0000000000ED0000-0x000000000207E000-memory.dmp

Filesize
17.7MB

Download
memory/4428-0-0x0000000074E4E000-0x0000000074E4F000-memory.dmp

Filesize
4KB

Download
memory/4428-40-0x0000000074E4E000-0x0000000074E4F000-memory.dmp

Filesize
4KB

Download
memory/4428-41-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/4428-47-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/4620-23-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/4620-44-0x0000000000400000-0x0000000002991000-memory.dmp

Filesize
37.6MB

Download
memory/4620-42-0x0000000000762000-0x000000000181E000-memory.dmp

Filesize
16.7MB

Download
memory/4620-24-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download
memory/4620-22-0x0000000000762000-0x000000000181E000-memory.dmp

Filesize
16.7MB

Download
memory/4620-21-0x0000000004750000-0x0000000004751000-memory.dmp

Filesize
4KB

Download
memory/4620-19-0x0000000004720000-0x0000000004721000-memory.dmp

Filesize
4KB

Download
memory/4620-25-0x0000000000400000-0x0000000002991000-memory.dmp

Filesize
37.6MB

Download
memory/4620-16-0x0000000002B40000-0x0000000002B41000-memory.dmp

Filesize
4KB

Download
memory/4620-17-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/4620-18-0x00000000046F0000-0x00000000046F1000-memory.dmp

Filesize
4KB

Download
memory/4620-20-0x0000000004730000-0x0000000004731000-memory.dmp

Filesize
4KB

Download