remcos | a29f6ff51d0d30645ad96de426db809e3122ce282851c52838a8542aaa6e2bd0

Analysis

max time kernel
410s
max time network
311s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15-09-2024 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

REMCOS_RAT__3.8.0_CRACK_FULL.rar
Size

34.1MB
MD5

faf7abdf6fb088b279d198ce4cf17c7a
SHA1

385fc5f04f029143818f80674e403a52f0b93c69
SHA256

a29f6ff51d0d30645ad96de426db809e3122ce282851c52838a8542aaa6e2bd0
SHA512

758db5accb12e3319099ca4bc466f0e1743d661063226387a183b53802e156297a2bf2ad40a9ae53e6062a18aebeda5a12005ca2f9bec7a6eafd0fea8b8f5504
SSDEEP

786432:MDxl/gcQd0Y9WQPn6D0lJyw2WaaWgNi4Qqrvmkx5dHd9JKG:MvHQGYUQv6EywhbZNoK1rhd9l

Score

10^/10

remcos discovery persistence privilege_escalation rat upx

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Downloads MZ/PE file
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 5 IoCs

pid	Process
2052	7z2408-x64.exe
1772	7zG.exe
4004	Remcos v3.8.0 Pro.exe
16792	upx.exe
16980	remcos_a.exe

Loads dropped DLL 4 IoCs

pid	Process
1772	7zG.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000300000001e6f7-13770.dat	upx
behavioral1/memory/16792-13771-0x0000000000400000-0x00000000005F5000-memory.dmp	upx
behavioral1/memory/16792-13778-0x0000000000400000-0x00000000005F5000-memory.dmp	upx
behavioral1/files/0x000200000001e6f9-13779.dat	upx
behavioral1/memory/16980-13782-0x0000000000400000-0x0000000000488000-memory.dmp	upx
behavioral1/memory/16980-13783-0x0000000000400000-0x0000000000488000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	7z2408-x64.exe
File created	C:\Program Files\7-Zip\7-zip.dll.tmp	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	7z2408-x64.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
17076	16980	WerFault.exe	137

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z2408-x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Remcos v3.8.0 Pro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	upx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos_a.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133709003727124147"	chrome.exe

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0	Remcos v3.8.0 Pro.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	Remcos v3.8.0 Pro.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Remcos v3.8.0 Pro.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Remcos v3.8.0 Pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\NodeSlot = "4"	Remcos v3.8.0 Pro.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Remcos v3.8.0 Pro.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Remcos v3.8.0 Pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	Remcos v3.8.0 Pro.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0 = 86003100000000002f591998100052454d434f537e312e305f4300006a0009000400efbe2f5919982f5919982e000000db060000000003000000000000000000000000000000d2ab7200520045004d0043004f0053005f005200410054005f005f0033002e0038002e0030005f0043005200410043004b005f00460055004c004c0000001c000000	Remcos v3.8.0 Pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Remcos v3.8.0 Pro.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Remcos v3.8.0 Pro.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	Remcos v3.8.0 Pro.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2408-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Remcos v3.8.0 Pro.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Remcos v3.8.0 Pro.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	Remcos v3.8.0 Pro.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0	Remcos v3.8.0 Pro.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Remcos v3.8.0 Pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Remcos v3.8.0 Pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0 = 6e003100000000002f592e98100052454d434f537e312e300000540009000400efbe2f5919982f592e982e0000000707000000000300000000000000000000000000000062f54900720065006d0063006f0073005f005200410054005f00760033002e0038002e00300000001a000000	Remcos v3.8.0 Pro.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	Remcos v3.8.0 Pro.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Remcos v3.8.0 Pro.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Remcos v3.8.0 Pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2408-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\MRUListEx = 00000000ffffffff	Remcos v3.8.0 Pro.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Remcos v3.8.0 Pro.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Remcos v3.8.0 Pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2408-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Remcos v3.8.0 Pro.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0	Remcos v3.8.0 Pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	Remcos v3.8.0 Pro.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Remcos v3.8.0 Pro.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	Remcos v3.8.0 Pro.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 00000000ffffffff	Remcos v3.8.0 Pro.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Remcos v3.8.0 Pro.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2408-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\MRUListEx = ffffffff	Remcos v3.8.0 Pro.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Remcos v3.8.0 Pro.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	Remcos v3.8.0 Pro.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Remcos v3.8.0 Pro.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Remcos v3.8.0 Pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = 00000000ffffffff	Remcos v3.8.0 Pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Remcos v3.8.0 Pro.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
5004	chrome.exe
5004	chrome.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4004	Remcos v3.8.0 Pro.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
1772	7zG.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
4004	Remcos v3.8.0 Pro.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4008	OpenWith.exe
4008	OpenWith.exe
4008	OpenWith.exe
4892	OpenWith.exe
4380	OpenWith.exe
4004	Remcos v3.8.0 Pro.exe
4004	Remcos v3.8.0 Pro.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 3028	5004	chrome.exe	104
PID 5004 wrote to memory of 3028	5004	chrome.exe	104
PID 5004 wrote to memory of 5064	5004	chrome.exe	105
PID 5004 wrote to memory of 5064	5004	chrome.exe	105
PID 5004 wrote to memory of 5064	5004	chrome.exe	105
PID 5004 wrote to memory of 5064	5004	chrome.exe	105
PID 5004 wrote to memory of 5064	5004	chrome.exe	105
PID 5004 wrote to memory of 5064	5004	chrome.exe	105
PID 5004 wrote to memory of 5064	5004	chrome.exe	105
PID 5004 wrote to memory of 5064	5004	chrome.exe	105
PID 5004 wrote to memory of 5064	5004	chrome.exe	105
PID 5004 wrote to memory of 5064	5004	chrome.exe	105
PID 5004 wrote to memory of 5064	5004	chrome.exe	105
PID 5004 wrote to memory of 5064	5004	chrome.exe	105
PID 5004 wrote to memory of 5064	5004	chrome.exe	105
PID 5004 wrote to memory of 5064	5004	chrome.exe	105
PID 5004 wrote to memory of 5064	5004	chrome.exe	105
PID 5004 wrote to memory of 5064	5004	chrome.exe	105
PID 5004 wrote to memory of 5064	5004	chrome.exe	105
PID 5004 wrote to memory of 5064	5004	chrome.exe	105
PID 5004 wrote to memory of 5064	5004	chrome.exe	105
PID 5004 wrote to memory of 5064	5004	chrome.exe	105
PID 5004 wrote to memory of 5064	5004	chrome.exe	105
PID 5004 wrote to memory of 5064	5004	chrome.exe	105
PID 5004 wrote to memory of 5064	5004	chrome.exe	105
PID 5004 wrote to memory of 5064	5004	chrome.exe	105
PID 5004 wrote to memory of 5064	5004	chrome.exe	105
PID 5004 wrote to memory of 5064	5004	chrome.exe	105
PID 5004 wrote to memory of 5064	5004	chrome.exe	105
PID 5004 wrote to memory of 5064	5004	chrome.exe	105
PID 5004 wrote to memory of 5064	5004	chrome.exe	105
PID 5004 wrote to memory of 5064	5004	chrome.exe	105
PID 5004 wrote to memory of 32	5004	chrome.exe	106
PID 5004 wrote to memory of 32	5004	chrome.exe	106
PID 5004 wrote to memory of 3300	5004	chrome.exe	107
PID 5004 wrote to memory of 3300	5004	chrome.exe	107
PID 5004 wrote to memory of 3300	5004	chrome.exe	107
PID 5004 wrote to memory of 3300	5004	chrome.exe	107
PID 5004 wrote to memory of 3300	5004	chrome.exe	107
PID 5004 wrote to memory of 3300	5004	chrome.exe	107
PID 5004 wrote to memory of 3300	5004	chrome.exe	107
PID 5004 wrote to memory of 3300	5004	chrome.exe	107
PID 5004 wrote to memory of 3300	5004	chrome.exe	107
PID 5004 wrote to memory of 3300	5004	chrome.exe	107
PID 5004 wrote to memory of 3300	5004	chrome.exe	107
PID 5004 wrote to memory of 3300	5004	chrome.exe	107
PID 5004 wrote to memory of 3300	5004	chrome.exe	107
PID 5004 wrote to memory of 3300	5004	chrome.exe	107
PID 5004 wrote to memory of 3300	5004	chrome.exe	107
PID 5004 wrote to memory of 3300	5004	chrome.exe	107
PID 5004 wrote to memory of 3300	5004	chrome.exe	107
PID 5004 wrote to memory of 3300	5004	chrome.exe	107
PID 5004 wrote to memory of 3300	5004	chrome.exe	107
PID 5004 wrote to memory of 3300	5004	chrome.exe	107
PID 5004 wrote to memory of 3300	5004	chrome.exe	107
PID 5004 wrote to memory of 3300	5004	chrome.exe	107
PID 5004 wrote to memory of 3300	5004	chrome.exe	107
PID 5004 wrote to memory of 3300	5004	chrome.exe	107
PID 5004 wrote to memory of 3300	5004	chrome.exe	107
PID 5004 wrote to memory of 3300	5004	chrome.exe	107
PID 5004 wrote to memory of 3300	5004	chrome.exe	107
PID 5004 wrote to memory of 3300	5004	chrome.exe	107
PID 5004 wrote to memory of 3300	5004	chrome.exe	107
PID 5004 wrote to memory of 3300	5004	chrome.exe	107

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\REMCOS_RAT__3.8.0_CRACK_FULL.rar
1⤵
- Modifies registry class
PID:4340

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4008

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2484

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4892

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff90d82cc40,0x7ff90d82cc4c,0x7ff90d82cc58
  2⤵
  PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1992,i,14401383885662134534,5474437800318375554,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1980 /prefetch:2
  2⤵
  PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2108,i,14401383885662134534,5474437800318375554,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2144 /prefetch:3
  2⤵
  PID:32
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2324,i,14401383885662134534,5474437800318375554,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2528 /prefetch:8
  2⤵
  PID:3300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,14401383885662134534,5474437800318375554,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3440,i,14401383885662134534,5474437800318375554,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:4292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4584,i,14401383885662134534,5474437800318375554,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4464 /prefetch:1
  2⤵
  PID:2564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4824,i,14401383885662134534,5474437800318375554,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4384 /prefetch:8
  2⤵
  PID:240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5024,i,14401383885662134534,5474437800318375554,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5036 /prefetch:8
  2⤵
  PID:1400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5132,i,14401383885662134534,5474437800318375554,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3404,i,14401383885662134534,5474437800318375554,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3560 /prefetch:1
  2⤵
  PID:540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5288,i,14401383885662134534,5474437800318375554,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:1476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3416,i,14401383885662134534,5474437800318375554,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4800 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5080,i,14401383885662134534,5474437800318375554,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:1068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5184,i,14401383885662134534,5474437800318375554,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5100,i,14401383885662134534,5474437800318375554,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3436 /prefetch:8
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5392,i,14401383885662134534,5474437800318375554,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5540,i,14401383885662134534,5474437800318375554,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5556 /prefetch:8
  2⤵
  PID:1872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5696,i,14401383885662134534,5474437800318375554,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5684 /prefetch:8
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5852,i,14401383885662134534,5474437800318375554,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5856 /prefetch:8
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4624,i,14401383885662134534,5474437800318375554,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5596 /prefetch:8
  2⤵
  PID:1400
- C:\Users\Admin\Downloads\7z2408-x64.exe
  "C:\Users\Admin\Downloads\7z2408-x64.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2052

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4620

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\REMCOS_RAT__3.8.0_CRACK_FULL\" -spe -an -ai#7zMap30308:114:7zEvent28667
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:1772

C:\Users\Admin\Desktop\REMCOS_RAT__3.8.0_CRACK_FULL\remcos_RAT_v3.8.0\Remcos v3.8.0 Pro.exe
"C:\Users\Admin\Desktop\REMCOS_RAT__3.8.0_CRACK_FULL\remcos_RAT_v3.8.0\Remcos v3.8.0 Pro.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4004
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C ""C:\Users\Admin\Desktop\REMCOS_RAT__3.8.0_CRACK_FULL\remcos_RAT_v3.8.0\upx.exe" --best "C:\Users\Admin\Desktop\REMCOS_RAT__3.8.0_CRACK_FULL\remcos_RAT_v3.8.0\remcos_a.exe""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:16744
- - C:\Users\Admin\Desktop\REMCOS_RAT__3.8.0_CRACK_FULL\remcos_RAT_v3.8.0\upx.exe
    "C:\Users\Admin\Desktop\REMCOS_RAT__3.8.0_CRACK_FULL\remcos_RAT_v3.8.0\upx.exe" --best "C:\Users\Admin\Desktop\REMCOS_RAT__3.8.0_CRACK_FULL\remcos_RAT_v3.8.0\remcos_a.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:16792

C:\Users\Admin\Desktop\REMCOS_RAT__3.8.0_CRACK_FULL\remcos_RAT_v3.8.0\remcos_a.exe
"C:\Users\Admin\Desktop\REMCOS_RAT__3.8.0_CRACK_FULL\remcos_RAT_v3.8.0\remcos_a.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:16980
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 16980 -s 528
  2⤵
  - Program crash
  PID:17076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 16980 -ip 16980
1⤵
PID:17048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.dll

Filesize
1.8MB

MD5
1143c4905bba16d8cc02c6ba8f37f365

SHA1
db38ac221275acd087cf87ebad393ef7f6e04656

SHA256
e79ddfb6319dbf9bac6382035d23597dad979db5e71a605d81a61ee817c1e812

SHA512
b918ae107c179d0b96c8fb14c2d5f019cad381ba4dcdc760c918dfcd5429d1c9fb6ce23f4648823a0449cb8a842af47f25ede425a4e37a7b67eb291ce8cce894

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
692KB

MD5
4159ff3f09b72e504e25a5f3c7ed3a5b

SHA1
b79ab2c83803e1d6da1dcd902f41e45d6cd26346

SHA256
0163ec83208b4902a2846de998a915de1b9e72aba33d98d5c8a14a8fbf0f6101

SHA512
48f54f0ab96be620db392b4c459a49a0fa8fbe95b1c1b7df932de565cf5f77adfaae98ef1e5998f326172b5ae4ffa9896aeac0f7b98568fcde6f7b1480df4e2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
9660e4458176e80d232ff7c2713d90a7

SHA1
f07537c0b218594338a6a2bca8d0c718280e6c1c

SHA256
6f1b40305f63d5f22c3fa4004b37d606f97426f6c9b28650eb45050f60b8fc28

SHA512
8e2bcdea9d5c829e2fc767f03e0badd8dbfe528df8a6dea6ee5f54b5760bf9f567d9e38e081c7457b538ee0b9e1d412cd551f77dda54abbc79ff8a2375519ccb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
5114091d59bc18102a2329d8fe1d45eb

SHA1
abe6973f777b60b14fd5769cad984a3243040012

SHA256
314a1030515c4eb4bfc4fed04dbd9cf89c6f0f4527bac5886846410267d4a173

SHA512
84a91eeceee048787f2b049a0dd4269a8b1bd817fe047ec054760f095f07291640c6d16cbd9ea0800dcf5c3587ab5a88639c1a30619ee84d123584561d372d60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
c0e05fa48a1fffc1c25ef279140d0f7b

SHA1
3dc6f0b161e79ae2e5b63d8427adab823b2211fa

SHA256
f5550ff9b4002633bc856ee36f171e7027491efed0cbdb0cd654b1f2bf8ad835

SHA512
03f99e2063a93c6cd640822508e43b86cf7063bf42737ee29e296e4a4774c8779a88f32ad47fed1fbdc285432c268c6ef4d687b6723c385beef87e5f31214aa4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
d4c5e01a8599eb9e27153da99cd18fdd

SHA1
dbf1ce3299e03de75565b8b27f252ddf9e1ba9f7

SHA256
de4cb5b44cf6c4b2a4e4aafaf641b320f49d20146d3efbaea939d8921c88d698

SHA512
42435807e0ba0250d81a5bf65f59053d03c79904ac34f6581bee24e0e7e00d1e3a2b31b54e019d6ba6c842a32cdacb8adb0185e508a84072670a1179a1780e15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
0c544c54fa1271697d49fa2c70d5b56b

SHA1
9e0f6960fcde4b859967c7fdc881133df549c16d

SHA256
75218a380173a0f2499e776def73d3cc61f727a3e0e7be2bf34159c81550511e

SHA512
3f57ad56b5efba8564d478d69407eafc2aa25c3c84dcb300ef2e1795868539cc738bcfc0b9756573e569a31c8239b2fee43e2b3f66ea00d961fabec570b941ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fc6ae9ee1bc67218a377fa1edb690474

SHA1
54eea5862fa00d298258d2cee84a3a5e5223059b

SHA256
ea5b43494e7d16d849a2c748d85ef1673789a97072be5a620129a6252506ade8

SHA512
3ccbd967cf403ac2533ac5bea0485e39ac3321d97f144ebe6af19f923ad28a472249f616b523c5095f59a26c20c27cc23bd8abd29b47676097da9a599d58a4c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
27e745121ebba267b52efe0879e83e0f

SHA1
155fa8d6b6d6a966afc7a1907bf89873a16b8a42

SHA256
e1eb1bc06b7b41f9bf8f8dbbf5c7c24ccc48c91fd940a94df0479d0e87873934

SHA512
2b01b5c01e3ba2f5241bae5e8bb503db83b722010b17ae9d69d7a68f0bd81b7a38e703af553b7b8536202ae945425c5221c3bf6076590d4ea0b29b3db7e2a3f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
28728daf756ab600453f71956d4f36c7

SHA1
8fc0223bc138f44780561540265aabc51bb9ab48

SHA256
40e9c40def54e3c9e97c90ec1b6fef9abbd643bd2a01cc9188c43f482718d823

SHA512
ac87c0f86f6e56755e61e8e3283afcf51ae2d6680f62c9946de6c70329039739f087d2c2ce3d7dc55a77e09a5a7afef0dbcecea35d60f86a1caabf4a9479d7ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
71df242bf47007ad55b0dd04c25bf2e3

SHA1
d4cff860368cdd16f77d7b8e182d588aac997b3c

SHA256
e842f8e0973ce2ccfe56718b220eabd2695e21dfa29854e4c533ba58af70e23d

SHA512
1a7cba6b4f804af544fe3ec6a8d5a111709d58dbfdd9e8fcdc44f21ab84acdec84bbef868b9ecafd498f7a73e55c075dc2c4f5ed7340d7c330ed74633c039e1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ce39cf15438a3b8bc58004961a1faff8

SHA1
405d3014215ea648a3b40e4dd10ee936d31e33c2

SHA256
ce16ec36fdd86d5e67ae3e3d9d6852989c07e29173e390d9d8a5aa609077bb7f

SHA512
27f46d916b297f9b1cc7f54b8769524a44b946ec20e2a9cf03a0545e5f0af3960fa703716fca6332517cc96903b31128b254a0fbd96d5a4f5d853bf43a7b0778

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
604186e2f71162077226e7ea698d98e4

SHA1
3138ff348d87b29c4df14034885ca1a4756179a7

SHA256
9bad0ab7842a72200b0f995f3b992bb1f322165b7257740af22dc3190b0e289c

SHA512
8ec520d907c5042d4b6a73426982f957d93738a330a94852437376b173453b214fc47f324129202192f55459cc96bad0b4746aa97a697e418e148dc4fe97385d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
208KB

MD5
2b1d37925aefa3db56ae12a68e6f0237

SHA1
6a1219aeff28e740fe011d3e218c0c618ff46591

SHA256
7e516ead4d20e1a44e1ed1381647c920b63866b0467735b13077b8783100a259

SHA512
4be090204bde52a4cdc2dd5c05b5019daa2e7f74e1af3a7757e6899e525ef7ad4c0b233f8cdd5983c54c4e45d13be47a7e1cc9191a29e77cfec17b95ef80da19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
207KB

MD5
d8df28d88973b1ace0bcf6292d739f40

SHA1
8d07a5ef52cc9abf276e2cb90533507230edf2af

SHA256
0e46f1314eedd8b95bd71fe6ca0380e85e1e09090477fa4d02d499dde978fc63

SHA512
1612d4b534ef638287655d35c24e4f14982e76df5614276c9d4ae2755f71a94a095e4117291d4fca2eb462768b55710daa965f2baa26a9382a8a6a68e9f0cfeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
208KB

MD5
f35500690a280eb0b6e71bc4de6ba2d8

SHA1
5e7b3c6f4c308825774c11972453b5accc0dd67c

SHA256
9c70c51e5ed8b82407326bd0b5b6aa1d89dc01f3e56cb5851bc53f948fcde9ff

SHA512
524648bae654fb914a4d17a22f1d396fe867222d283b27b8e467957d32881e4fb937d8788220c27e42de76d7fbe359684b3834ef4d6818f013288b828033271c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
51513c239530c3e616c58df27209ffde

SHA1
ec70dbeea647f1698bfed9493a77c92a7eab4642

SHA256
036cb3e2d6dd7d2d4a1601b8426995851e4225a8876fd83212e16cc598bbd4e1

SHA512
016975d603c92bbee6f3602e820c62a71d99fb00aeb68779c1772019c577dc8d52a6a3c1000f4a7227c33c7a49ca8dec15036573aafde296c5da1ed24226b917

Download Submit
C:\Users\Admin\Desktop\REMCOS_RAT__3.8.0_CRACK_FULL\remcos_RAT_v3.8.0\BuilderProfiles\DefaultProfile.ini

Filesize
1KB

MD5
c01944205fae4ddf51d4400cad722243

SHA1
4bce2bb2120d9444ee9c37494e91980ad54a801a

SHA256
b96ee8a60b4c9a63e2fbb365e12c86e8774153d62a7bbadf04f4897af5a2ff17

SHA512
2cc16a721418cb71ee35d1f09095cd4006eb6c6e3cd025a46e0ef35d27ffc7e21500ae32198fcc3db1fa3d9169f2fd88d761340b0ee69d3271f4f99be78aae36

Download Submit
C:\Users\Admin\Desktop\REMCOS_RAT__3.8.0_CRACK_FULL\remcos_RAT_v3.8.0\Remcos v3.8.0 Pro.exe

Filesize
25.7MB

MD5
95ba79f03a69c939408191d83182d91a

SHA1
41c536c3e8384473c9fc17aa672062205d9804bf

SHA256
7d1613c9f1296cdf11358b72f290abcabda75f6ef3fa2eb6d7b19beccbb7b427

SHA512
8a9e7afb422cb7a3566fd601de07e72dee9b99dd9f99509997a2931ce14cd46ede2f13fd2e85b15d1bede3efb41306bca913668048c8ff4dc5127d57085858f8

Download Submit
C:\Users\Admin\Desktop\REMCOS_RAT__3.8.0_CRACK_FULL\remcos_RAT_v3.8.0\Remcos_Settings.ini

Filesize
32B

MD5
902927c48d191e30067d84a53158e2ba

SHA1
95dd6d3508790b98d1a576f0b2057bdcc2099247

SHA256
b408602c7d2107d819b18d47cbc196a307ab6435bbc819173f300e76573e616c

SHA512
328af5e697278b2c8150534162c330b11e9cc3024ee676cf9321a248701d99322cc1341694904d0ca5c6898e74e39419cd36765499d6992934075b08276c8eeb

Download Submit
C:\Users\Admin\Desktop\REMCOS_RAT__3.8.0_CRACK_FULL\remcos_RAT_v3.8.0\remcos_a.exe

Filesize
469KB

MD5
8e06453b738b77ef86e8dc63117594d5

SHA1
0b8c0aa3e799c26506d3548319dfc1b14f5c4116

SHA256
8e17148779d4f31f7af96b316166001387f40710a524b18f0cf42124c616be66

SHA512
70a39ed14ad320fb019bc46e7a9b410d551b3f924e185ac3c7e11500ce9f981bcceec525c2578eb4edab6b3bce18ec44815d7223c5c9f8860c704b939432632b

Download Submit
C:\Users\Admin\Desktop\REMCOS_RAT__3.8.0_CRACK_FULL\remcos_RAT_v3.8.0\remcos_a.exe

Filesize
228KB

MD5
1cd4e7696ced47c0c0b8877bf4905489

SHA1
247e4d8fd4d82d86fa3397a85746ddda8f972f9e

SHA256
0d9b2d5cee32d844228885682cad713751f22d8ca9fafdf6b37b6e6b61636404

SHA512
eda094ec8b4331e5bd94f41bf193e1416c3dc5b95f8402f9f5d7ccedd44d6c7751fbc1daa8cb8998b627e63ace79e89b80a330c036ecd529b78d29c930556f5c

Download Submit
C:\Users\Admin\Desktop\REMCOS_RAT__3.8.0_CRACK_FULL\remcos_RAT_v3.8.0\tls\libeay32.dll

Filesize
1.3MB

MD5
fa5def992198121d4bb5ff3bde39fdc9

SHA1
f684152c245cc708fbaf4d1c0472d783b26c5b18

SHA256
5264a4a478383f501961f2bd9beb1f77a43a487b76090561bba2cbfe951e5305

SHA512
4589382a71cd3a577b83bab4a0209e72e02f603e7da6ef3175b6a74bd958e70a891091dbdff4be0725baca2d665470594b03f074983b3ed3242e5cd04783fdba

Download Submit
C:\Users\Admin\Desktop\REMCOS_RAT__3.8.0_CRACK_FULL\remcos_RAT_v3.8.0\tls\ssleay32.dll

Filesize
330KB

MD5
2117e31688aef8ecf267978265bfcdcd

SHA1
e8c3cfd65ed7947f23b1bb0b66185e1e73913cfc

SHA256
0a4031ab00664cc5e202c8731798800f0475ef76800122cebd71d249655d725f

SHA512
dd03899429c2d542558e30c84a076d7e5dbde5128495954093a7031854c1df68f8ff8eca4c791144937288b084dd261fbe090c4ff9a3e0768e26f0616b474eca

Download Submit
C:\Users\Admin\Desktop\REMCOS_RAT__3.8.0_CRACK_FULL\remcos_RAT_v3.8.0\upx.exe

Filesize
402KB

MD5
e8b39f250fb67e115e07e9eac5c99708

SHA1
51bf6ab0baa3a4c6f45be46011baa8ccd7ceaf8f

SHA256
d634cde09d1aa1320a1d4c589d35d306f8350129faf225b2bca394128c2c4442

SHA512
37418c8941834c95f59bc026e82002035fcdd7ea217061a217d5ab28f9859f1aacf0e9f213bc5eb27e3f23db8d8817ae88abc3c2ab6a4f45ce3e4ca74c0ce7e8

Download Submit
C:\Users\Admin\Desktop\REMCOS_RAT__3.8.0_CRACK_FULL\remcos_RAT_v3.8.0\version.dll

Filesize
6.4MB

MD5
8e3be79c1b00969564523f61f4d6b20a

SHA1
26780685399bef2dbb50a1884a1d8db8fc471117

SHA256
152148291a80aa81b8c94402b69be538779dfac50affb3e84be3d201027f40bd

SHA512
0e8cc5bd67d4dd719593339a03a983aa7b1a6c15be3b1d02426eb0b949db88dd1630752681d31481c65e348fb39b27ce275e8a7af01e29c9c3d26adcf339a433

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 772116.crdownload

Filesize
1.5MB

MD5
0330d0bd7341a9afe5b6d161b1ff4aa1

SHA1
86918e72f2e43c9c664c246e62b41452d662fbf3

SHA256
67cb9d3452c9dd974b04f4a5fd842dbcba8184f2344ff72e3662d7cdb68b099b

SHA512
850382414d9d33eab134f8bd89dc99759f8d0459b7ad48bd9588405a3705aeb2cd727898529e3f71d9776a42e141c717e844e0b5c358818bbeac01d096907ad1

Download Submit
memory/4004-13600-0x0000000073E10000-0x0000000074668000-memory.dmp

Filesize
8.3MB

Download
memory/4004-13615-0x0000000073E10000-0x0000000074668000-memory.dmp

Filesize
8.3MB

Download
memory/4004-13602-0x000000006D660000-0x000000006D670000-memory.dmp

Filesize
64KB

Download
memory/4004-13601-0x000000006D660000-0x000000006D670000-memory.dmp

Filesize
64KB

Download
memory/4004-13609-0x0000000005AC0000-0x0000000005AC1000-memory.dmp

Filesize
4KB

Download
memory/4004-13610-0x0000000005C60000-0x0000000005C61000-memory.dmp

Filesize
4KB

Download
memory/4004-13612-0x0000000005C80000-0x0000000005C81000-memory.dmp

Filesize
4KB

Download
memory/4004-13611-0x0000000005C70000-0x0000000005C71000-memory.dmp

Filesize
4KB

Download
memory/4004-13608-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

Filesize
4KB

Download
memory/4004-13607-0x0000000005AA0000-0x0000000005AA1000-memory.dmp

Filesize
4KB

Download
memory/4004-13606-0x0000000004390000-0x0000000004391000-memory.dmp

Filesize
4KB

Download
memory/4004-13605-0x0000000003E60000-0x0000000003E61000-memory.dmp

Filesize
4KB

Download
memory/4004-13613-0x0000000000400000-0x0000000003C18000-memory.dmp

Filesize
56.1MB

Download
memory/4004-13603-0x000000006D660000-0x000000006D670000-memory.dmp

Filesize
64KB

Download
memory/4004-13604-0x000000006D660000-0x000000006D670000-memory.dmp

Filesize
64KB

Download
memory/4004-13688-0x0000000073E10000-0x0000000074668000-memory.dmp

Filesize
8.3MB

Download
memory/4004-13597-0x0000000073E10000-0x0000000074668000-memory.dmp

Filesize
8.3MB

Download
memory/4004-13598-0x0000000073E10000-0x0000000074668000-memory.dmp

Filesize
8.3MB

Download
memory/4004-13696-0x0000000073E10000-0x0000000074668000-memory.dmp

Filesize
8.3MB

Download
memory/4004-13698-0x0000000073E10000-0x0000000074668000-memory.dmp

Filesize
8.3MB

Download
memory/4004-6412-0x0000000075AC0000-0x0000000075B3A000-memory.dmp

Filesize
488KB

Download
memory/4004-4403-0x0000000075BE0000-0x0000000075D80000-memory.dmp

Filesize
1.6MB

Download
memory/4004-528-0x0000000073E10000-0x0000000074668000-memory.dmp

Filesize
8.3MB

Download
memory/4004-529-0x00000000761B0000-0x00000000763C5000-memory.dmp

Filesize
2.1MB

Download
memory/16792-13778-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/16792-13771-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/16980-13782-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/16980-13783-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download