njrat | hxxps://github[.]com/cybertoxin/Remcos-Professional-Cracked-By-Alcatraz3222/blob/master/Remcos%20Professional%20Cracked%20By%20Alcatraz3222[.]zip

Analysis

max time kernel
564s
max time network
568s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
29/03/2025, 09:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/cybertoxin/Remcos-Professional-Cracked-By-Alcatraz3222/blob/master/Remcos%20Professional%20Cracked%20By%20Alcatraz3222.zip

Score

10^/10

njrat hacked defense_evasion discovery persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

dllsys.duckdns.org:3202

Mutex

3b570ffeeb3d34249b9a5ce0ee58a328

Attributes

reg_key
3b570ffeeb3d34249b9a5ce0ee58a328
splitter
svchost

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1568	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Control Panel\International\Geo\Nation	Remcos Professional Cracked By Alcatraz3222.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Control Panel\International\Geo\Nation	Remcos Professional Cracked By Alcatraz3222.exe

Executes dropped EXE 6 IoCs

pid	Process
4244	Remcos Professional Cracked By Alcatraz3222.exe
3716	Remcos Professional Cracked By Alcatraz3222.exe
5936	taskhost.exe
2528	Remcos Professional Cracked By Alcatraz3222.exe
2180	Remcos Professional Cracked By Alcatraz3222.exe
1792	taskhost.exe

Loads dropped DLL 1 IoCs

pid	Process
5452	msedge.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
97	raw.githubusercontent.com
98	raw.githubusercontent.com
99	raw.githubusercontent.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3716	Remcos Professional Cracked By Alcatraz3222.exe
2180	Remcos Professional Cracked By Alcatraz3222.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4244 set thread context of 5936	4244	Remcos Professional Cracked By Alcatraz3222.exe	128
PID 2528 set thread context of 1792	2528	Remcos Professional Cracked By Alcatraz3222.exe	140

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1748295537\_platform_specific\win_x64\widevinecdm.dll.sig	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1060753448\_locales\kk\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1060753448\_locales\fil\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1944275173\hyph-hi.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_167628586\shoppingfre.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1396291165\json\i18n-mobile-hub\ar\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1396291165\json\i18n-notification\pt-PT\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1396291165\json\i18n-shared-components\th\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1396291165\json\wallet\wallet-eligibile-aad-users.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1060753448\_locales\et\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1586791886\deny_full_domains.list	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1944275173\hyph-de-ch-1901.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1942264418\Part-FR	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1396291165\json\i18n-hub\pt-PT\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1396291165\json\i18n-mobile-hub\es\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1396291165\json\i18n-shared-components\zh-Hant\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1396291165\json\wallet\wallet-notification-config.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1060753448\_locales\cs\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1060753448\_locales\ru\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_2071722831\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1944275173\hyph-pt.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1396291165\json\i18n-ec\id\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1396291165\json\i18n-mobile-hub\zh-Hant\strings.json	msedge.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1060753448\_locales\my\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1060753448\_locales\am\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1944275173\hyph-fr.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1396291165\json\i18n-mobile-hub\pt-BR\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1396291165\json\i18n-hub\pt-BR\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1396291165\json\i18n-notification\sv\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1396291165\json\i18n-notification-shared\zh-Hant\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1396291165\json\i18n-shared-components\el\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1396291165\json\i18n-tokenized-card\pt-BR\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1396291165\Wallet-Checkout\load-ec-i18n.bundle.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1586791886\deny_domains.list	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1944275173\hyph-mr.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1944275173\hyph-ru.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1396291165\json\i18n-notification\zh-Hant\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1396291165\json\i18n-shared-components\fr\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_536149734\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1396291165\json\i18n-hub\ko\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1396291165\json\i18n-hub\pl\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1396291165\json\i18n-notification-shared\ar\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1060753448\page_embed_script.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1060753448\_locales\mn\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1060753448\_locales\es\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_167628586\auto_open_controller.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_167628586\product_page.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1396291165\json\i18n-mobile-hub\de\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1396291165\wallet-webui-560.da6c8914bf5007e1044c.chunk.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1586791886\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1944275173\hyph-el.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1944275173\hyph-hu.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1396291165\bnpl\bnpl.bundle.js.LICENSE.txt	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1396291165\json\i18n-ec\it\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1396291165\json\i18n-ec\ja\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1396291165\json\i18n-hub\it\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1396291165\json\i18n-notification\ko\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1060753448\_locales\eu\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1396291165\json\i18n-hub\da\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1396291165\json\i18n-hub\sv\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1396291165\json\i18n-notification\fr\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1396291165\json\i18n-notification-shared\el\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1396291165\json\i18n-notification-shared\fr\strings.json	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Remcos Professional Cracked By Alcatraz3222.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Remcos Professional Cracked By Alcatraz3222.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Remcos Professional Cracked By Alcatraz3222.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Remcos Professional Cracked By Alcatraz3222.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133877132930287738"	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1702774510-645589634-1201277210-1000\{38C391A3-86D4-4E7C-ADF8-DE4DFA70BA6D}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4244	Remcos Professional Cracked By Alcatraz3222.exe
4244	Remcos Professional Cracked By Alcatraz3222.exe
3716	Remcos Professional Cracked By Alcatraz3222.exe
3716	Remcos Professional Cracked By Alcatraz3222.exe
3716	Remcos Professional Cracked By Alcatraz3222.exe
3716	Remcos Professional Cracked By Alcatraz3222.exe
4244	Remcos Professional Cracked By Alcatraz3222.exe
4244	Remcos Professional Cracked By Alcatraz3222.exe
2528	Remcos Professional Cracked By Alcatraz3222.exe
2528	Remcos Professional Cracked By Alcatraz3222.exe
4244	Remcos Professional Cracked By Alcatraz3222.exe
2180	Remcos Professional Cracked By Alcatraz3222.exe
2180	Remcos Professional Cracked By Alcatraz3222.exe
2180	Remcos Professional Cracked By Alcatraz3222.exe
2180	Remcos Professional Cracked By Alcatraz3222.exe
2528	Remcos Professional Cracked By Alcatraz3222.exe
2528	Remcos Professional Cracked By Alcatraz3222.exe
2528	Remcos Professional Cracked By Alcatraz3222.exe
3728	msedge.exe
3728	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2180	Remcos Professional Cracked By Alcatraz3222.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4808	7zG.exe
Token: 35	4808	7zG.exe
Token: SeSecurityPrivilege	4808	7zG.exe
Token: SeSecurityPrivilege	4808	7zG.exe
Token: SeDebugPrivilege	4244	Remcos Professional Cracked By Alcatraz3222.exe
Token: SeDebugPrivilege	2528	Remcos Professional Cracked By Alcatraz3222.exe
Token: SeDebugPrivilege	5936	taskhost.exe
Token: 33	5936	taskhost.exe
Token: SeIncBasePriorityPrivilege	5936	taskhost.exe
Token: 33	5936	taskhost.exe
Token: SeIncBasePriorityPrivilege	5936	taskhost.exe
Token: 33	5936	taskhost.exe
Token: SeIncBasePriorityPrivilege	5936	taskhost.exe
Token: 33	5936	taskhost.exe
Token: SeIncBasePriorityPrivilege	5936	taskhost.exe
Token: 33	5936	taskhost.exe
Token: SeIncBasePriorityPrivilege	5936	taskhost.exe
Token: 33	5936	taskhost.exe
Token: SeIncBasePriorityPrivilege	5936	taskhost.exe
Token: 33	5936	taskhost.exe
Token: SeIncBasePriorityPrivilege	5936	taskhost.exe
Token: 33	5936	taskhost.exe
Token: SeIncBasePriorityPrivilege	5936	taskhost.exe
Token: 33	5936	taskhost.exe
Token: SeIncBasePriorityPrivilege	5936	taskhost.exe
Token: 33	5936	taskhost.exe
Token: SeIncBasePriorityPrivilege	5936	taskhost.exe
Token: 33	5936	taskhost.exe
Token: SeIncBasePriorityPrivilege	5936	taskhost.exe
Token: 33	5936	taskhost.exe
Token: SeIncBasePriorityPrivilege	5936	taskhost.exe
Token: 33	5936	taskhost.exe
Token: SeIncBasePriorityPrivilege	5936	taskhost.exe
Token: 33	5936	taskhost.exe
Token: SeIncBasePriorityPrivilege	5936	taskhost.exe
Token: 33	5936	taskhost.exe
Token: SeIncBasePriorityPrivilege	5936	taskhost.exe
Token: 33	5936	taskhost.exe
Token: SeIncBasePriorityPrivilege	5936	taskhost.exe
Token: 33	5936	taskhost.exe
Token: SeIncBasePriorityPrivilege	5936	taskhost.exe
Token: 33	5936	taskhost.exe
Token: SeIncBasePriorityPrivilege	5936	taskhost.exe
Token: 33	5936	taskhost.exe
Token: SeIncBasePriorityPrivilege	5936	taskhost.exe
Token: 33	5936	taskhost.exe
Token: SeIncBasePriorityPrivilege	5936	taskhost.exe
Token: 33	5936	taskhost.exe
Token: SeIncBasePriorityPrivilege	5936	taskhost.exe
Token: 33	5936	taskhost.exe
Token: SeIncBasePriorityPrivilege	5936	taskhost.exe
Token: 33	5936	taskhost.exe
Token: SeIncBasePriorityPrivilege	5936	taskhost.exe
Token: 33	5936	taskhost.exe
Token: SeIncBasePriorityPrivilege	5936	taskhost.exe
Token: 33	5936	taskhost.exe
Token: SeIncBasePriorityPrivilege	5936	taskhost.exe
Token: 33	5936	taskhost.exe
Token: SeIncBasePriorityPrivilege	5936	taskhost.exe
Token: 33	5936	taskhost.exe
Token: SeIncBasePriorityPrivilege	5936	taskhost.exe
Token: 33	5936	taskhost.exe
Token: SeIncBasePriorityPrivilege	5936	taskhost.exe
Token: 33	5936	taskhost.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
4808	7zG.exe
3716	Remcos Professional Cracked By Alcatraz3222.exe
2180	Remcos Professional Cracked By Alcatraz3222.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
5452	msedge.exe
3716	Remcos Professional Cracked By Alcatraz3222.exe
2180	Remcos Professional Cracked By Alcatraz3222.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3716	Remcos Professional Cracked By Alcatraz3222.exe
2180	Remcos Professional Cracked By Alcatraz3222.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5452 wrote to memory of 5308	5452	msedge.exe	81
PID 5452 wrote to memory of 5308	5452	msedge.exe	81
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5944	5452	msedge.exe	82
PID 5452 wrote to memory of 5944	5452	msedge.exe	82
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 5816	5452	msedge.exe	83
PID 5452 wrote to memory of 4420	5452	msedge.exe	84
PID 5452 wrote to memory of 4420	5452	msedge.exe	84
PID 5452 wrote to memory of 4420	5452	msedge.exe	84
PID 5452 wrote to memory of 4420	5452	msedge.exe	84
PID 5452 wrote to memory of 4420	5452	msedge.exe	84
PID 5452 wrote to memory of 4420	5452	msedge.exe	84
PID 5452 wrote to memory of 4420	5452	msedge.exe	84
PID 5452 wrote to memory of 4420	5452	msedge.exe	84
PID 5452 wrote to memory of 4420	5452	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/cybertoxin/Remcos-Professional-Cracked-By-Alcatraz3222/blob/master/Remcos%20Professional%20Cracked%20By%20Alcatraz3222.zip
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x264,0x268,0x26c,0x260,0x288,0x7ff8c32af208,0x7ff8c32af214,0x7ff8c32af220
  2⤵
  PID:5308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1936,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=3000 /prefetch:3
  2⤵
  PID:5944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2956,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=2952 /prefetch:2
  2⤵
  PID:5816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2280,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=3132 /prefetch:8
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3488,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=3548 /prefetch:1
  2⤵
  PID:1772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3496,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=3576 /prefetch:1
  2⤵
  PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4860,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5116,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5632,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=5644 /prefetch:8
  2⤵
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5828,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=5856 /prefetch:8
  2⤵
  PID:5516
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5828,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=5856 /prefetch:8
  2⤵
  PID:888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6048,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=6068 /prefetch:8
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6208,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=6056 /prefetch:8
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4840,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=6364 /prefetch:8
  2⤵
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --always-read-main-dll --field-trial-handle=6304,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6556,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=6620 /prefetch:8
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6636,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=6600 /prefetch:8
  2⤵
  PID:5292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6084,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=6792 /prefetch:8
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6612,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=6808 /prefetch:8
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6588,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --always-read-main-dll --field-trial-handle=5576,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5108,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=6804 /prefetch:8
  2⤵
  PID:1172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5372,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=6804 /prefetch:8
  2⤵
  PID:6044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5060,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=6176 /prefetch:8
  2⤵
  PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=6384,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=3524 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5516,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=3532 /prefetch:8
  2⤵
  PID:1692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6812,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=5868 /prefetch:8
  2⤵
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6064,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=5868 /prefetch:8
  2⤵
  PID:3584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3836,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=4044 /prefetch:8
  2⤵
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3528,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=3276 /prefetch:8
  2⤵
  PID:1776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3120,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=4044 /prefetch:8
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5692,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=6504 /prefetch:8
  2⤵
  PID:1308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4984,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6964,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=5532 /prefetch:8
  2⤵
  PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5504,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=6352 /prefetch:8
  2⤵
  PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=1372,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=6968 /prefetch:8
  2⤵
  PID:748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7140,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=5000 /prefetch:8
  2⤵
  PID:5152

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:1984

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2676

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Remcos Professional Cracked By Alcatraz3222\" -ad -an -ai#7zMap27644:148:7zEvent9585
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4808

C:\Users\Admin\Downloads\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222.exe
"C:\Users\Admin\Downloads\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4244
- C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe
  "C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3716
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/Downloads/Remcos Professional Cracked By Alcatraz3222/Remcos Professional Cracked By Alcatraz3222/Remcos Professional Cracked By Alcatraz3222.exe" "%temp%\Profile Remcos\Update_Lock_Remcos.exe" /Y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3000
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2492
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1152
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\Profile Remcos\Update_Lock_Remcos.exe:Zone.Identifier
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2452
- C:\Users\Admin\AppData\Local\Temp\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5936
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\taskhost.exe" "taskhost.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1568

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222\Remcos_Settings.ini
1⤵
PID:3056

C:\Users\Admin\Downloads\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222.exe
"C:\Users\Admin\Downloads\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2528
- C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe
  "C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2180
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://breaking-security.net/shop/remcos/
    3⤵
    PID:3628
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/Downloads/Remcos Professional Cracked By Alcatraz3222/Remcos Professional Cracked By Alcatraz3222/Remcos Professional Cracked By Alcatraz3222.exe" "%temp%\Profile Remcos\Update_Lock_Remcos.exe" /Y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1676
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3896
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5560
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\Profile Remcos\Update_Lock_Remcos.exe:Zone.Identifier
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5132
- C:\Users\Admin\AppData\Local\Temp\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Remcos Professional Cracked By Alcatraz3222.exe.log

Filesize
522B

MD5
9066e7d7f14951d0434bd3fdfa7ec1ac

SHA1
379439bab651ac0160f349aab4f7ab00291e97a3

SHA256
e2980ccd6345d55c608ef790e4f95bc2fb53dbaebdd63c24b605ae62653655af

SHA512
809041cb1ec626e7efed8e7c091517d3a6b8bb1ed0b934c35a4d3f04df6b3c1c645d6e6f39595d691518dd62cc47620b198a74d4899b9232f0d58bc9123c4dca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
004b10499ccdef678495d126747817d4

SHA1
f2613e109771ee8f435d219c0f1d09dc400ec8f5

SHA256
de04bf151a1ded657ac3df0f0b30f214dfc53231f87e45a16004482cddb0bd4e

SHA512
25758072a30783f0664b1ca3cafd6d35613133ab06ac69df8f482aa61a2ad2c3cd850c28334613c274bf42d99a5aa84d89a3e98e234f3a1d22abec325c5cc3b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old

Filesize
7KB

MD5
17fadece4f23c52c51fe0fa5bda82137

SHA1
9907781932cd6bad8482999fc0aee243a48eae1b

SHA256
674270cafe5b0d09ce9af9c72fb5f076597133a876f65aded077ae27ddea8253

SHA512
5aec7045f93921ae71efae627952dfc4f7f5a05f9967f33606bacb0e30a503bd102e584c1493e4a9a24139375c9e76b6ca4d2941917328ca2e8edf2c0ef8108f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\MANIFEST-000001

Filesize
151B

MD5
b21d33b94e73cd59dd683425953c1ff0

SHA1
9247256eca6b875ef3aefba7ca1ddb510021bd9b

SHA256
79ed58e03975c3fbbc0e4b4639d7921c1af16cb9649ed62cb1d57cd7c7648d01

SHA512
925d9fe34ad64f35ff6a43303f93a204bea0e2666db29974896e93f0a4e7c664842ee5a9c166eb74580cc04c5dd940af555a1937297ee18c405a93d8a0e4fa9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
416cb9e19b1096d8c006a20403538999

SHA1
e287948ad2a85efd3022d0c0e107528e8466364a

SHA256
c8d4acd78de81f7464a0a6d2d9278ac06f4d88ac92a0a33add95085d8dd5de21

SHA512
fe58eef355d07a24d503589ca10e8aed8dc6557599e9cbd77a9317af3370dfecb2df6c50051577133603b19a1c38c9a68d14fe3626cfd6f40d5f0e96e9d574ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57c285.TMP

Filesize
3KB

MD5
b9effde9ae7c20bd4a45aea7742b3cb4

SHA1
5fcbe321e561113b9304f984258f4578c6cc0be8

SHA256
08f31f03c59be697b887f4c8d1d70314e2f34ccba6d56168443908578395308e

SHA512
f1bd5f63c1ead13d577e98d4649a35eafe7b885cb13c4cdd0f3b84f05b3a3246cda7bc2f332ff70567cf6b77feee45fea346648c040b5c578ee861d38cfab136

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
9aa5a224f338d33f350f98616ffca589

SHA1
aaba9f275d57e4fc9d2f3378e775427b1ad05d7e

SHA256
cbf4ec3bcc520b201156b63e34b41214c970a22743efe21df1d77e69e87fe18b

SHA512
cc3f0f797a9fd9701ad4d0a0ba8b07a5664191db99da55c34d392198603d8e608d0ed8983b74adaaf99b3d5c97a280ee7bd7674c15bba869d643d6ac4af3a149

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
c3d42217b584248f2d8c78943dd9cf7c

SHA1
ef7c71d14f0e1e84d81f11af82223fd63d516065

SHA256
d3faa3b106d46bd85e271255953e9e7703c872c84cb08aaf92639eba83780b2d

SHA512
100d2eaffa7f17681e9eab5e90839eac6c17cdfa1ec98c81eff305bb4ee5aa2361c03eb5081feb3baaa7ea270f3fab6750f6b1bc4b0bb04e74e01f368fa4db97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
01c91d8872f29cd94530c9a0cbafcc57

SHA1
e35cde0d146df5bba7cdaad4e4b7e97158f4d009

SHA256
deaaddf81cfccd5ab9d8bcecf3bf3638db018d23f5aa38420e0d6c1c98e627d6

SHA512
eed3f986df79f07b0458da1e6d9be8707a00c4fdb7e55304cd8ab6a35641b82f100bb2a0d04f029007e9410a48d323acbc736da49d876f76b5280479eeb9e030

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
da7258f69e738ddf7480680b90d8779d

SHA1
41d42448a4461f98d46559c29fc7f4c2fcb1c3f1

SHA256
0d613df6d4c94a6f075fd30bdb4b7c6cdd75f239c1a1aed07112cf67b500621e

SHA512
84381e5715727a29e97fb69b26a046379dd3e38ce027720eb04386d6ee8299a568c2ce741934447f769853da7f65dc2a1b3f4dd3d53002519c16e049a6beeb73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
87b1779b215bbf39f0c90a473989b22d

SHA1
c3aebf20da29e65cf86b6fbe9575758dc2743278

SHA256
cbd20e15cc4baf65560fdad4ac2407b674a61d201b47530fa7d8caea49ec949d

SHA512
7ac5edcf85f4cb619023e590782c54c2c12554530db47d8d4d8b748fdc3ddb83084b1aa4ccf4ecfdf0bf665055dfa2f83048704a6de70834d5a0a085eb3731a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
960881bfaf5b055ccf724fb0fd186781

SHA1
e1fba15dde18e0538d741f0123b5e48520782131

SHA256
0ee2cb796c6695f890d7f0cbc91a97fae7287a8bd404fc4676df1ae5293e9a42

SHA512
aafb4339e7e69cd17678775903bb4005df0bccb2abb40422457d95b98f2d5f3ae41343352b1ef1be6891db6b38cc36791eb6c67155adf333e8a534dde7fd9ddb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
42b1a432d73f3c857ab0f59789d5d3ee

SHA1
40c3b8d745b1fe6600c7026dc73d0305ee712aff

SHA256
ea8393e9ac1c78bc8a106d0af9863a145fc7533c7d2e61935937990bec5b0ead

SHA512
544323c68d7a8ef6ce2aab9668b65549567eaa763cc8b50bcaf3340f53ebff5dcf912184b31ce34f90550e3a2b90a53a1bab0e63625fba3fee5ed9943430f2f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
ae06f46ff32a3a72a61da4c2dfd0e6cf

SHA1
ae5110da23210d3978c027b9033090e510655cbf

SHA256
662410c187aa5bd205f4c99c9766a48e713f793dbad21c51d6ccb703ee740412

SHA512
7c73971bf39f75f267c9bbad29ad5798e007f54eb76b59b50e09e900be511dfb6894387af14f00d949916cbe2fda20f580273ac15c48e72b70b1cdb847d84ea2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\8854b910-1f0e-4005-86ad-f49d9236caec\index-dir\temp-index

Filesize
1KB

MD5
efc1b48fa3d1288016f45dbc1886e716

SHA1
45512d22fe3ccb87e949a4ae276315c896febc71

SHA256
1197c839c14493575a22f0365296ebeb9b90c1f57874d7fdbdf58b62830fe792

SHA512
1434eed217962d7170419799f5eb81f7eb0b2dfb94c80296ded818154a1ba7baada3ab1626ca7c8cafecf6fee7f2a85c1515f9d313be62bf3aff14f3040bb0e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\8854b910-1f0e-4005-86ad-f49d9236caec\index-dir\the-real-index~RFe5be82a.TMP

Filesize
1KB

MD5
17c022dddb6223d23d972be6bef36775

SHA1
6d57892090c1442d7ff5d7971b00d5073ad17ae2

SHA256
8d980deb2a65bff625bead15fc3886e83212d686d8df79425dd93c5b683251ec

SHA512
a52fe38c396c6ff13cc422864f6bfb31c082801d08949cf35baf3f416358939f12d07dc7184a91f264a7e04b90fe4261cdf40417789e9f7011b63032daaa4b92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
253B

MD5
6a1e54044a51f463b0aea4c089641eac

SHA1
29ee982f175bcfff1a0e39dc196ba85f326ece56

SHA256
ddb5a3d47c0d5a2b53171c3fc0fbc71db2c79f7124dd597ff35830e84cd5fbdd

SHA512
ad88134aa2f95371e9635e5faae887a2b23a28e02b8a4c20d521454744be8f7cf57d60cf86603361efbdd20023f923ac10c3ac6eba0eda1f7d15db547cf17c31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
968ab3e30a30dfb14ee99e385772ffe2

SHA1
cd5400f8e53317c2fb4f66e4863fbc97ba1808ce

SHA256
e94e5f9d2e07c1ff39740bd9c3374b197efb559b25837f062477da8a352daeec

SHA512
21bb12f20742b2cbf69654aed408f8291c1dc6d2f40abd6228fb0a6e62b34b4e8920a1974384750731bdc992a65124643e51ce4a3c97648288446623593631ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\9d19cc01-9260-4ebe-8fb5-1d5db6453f19.tmp

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
467B

MD5
975d5ac7dbec5773a8d7024998b13ba1

SHA1
f3e1081a370859a4b5399b54508dddd43e7e72b3

SHA256
332e69f50665413788a368a75ce5062963c545a7111736a218dbfca43a7b7f17

SHA512
96385c065a80e147ff82a6aeab617604ff12b9bb27a5c215e26a5835f11cd1ddf126f1fbbb9b1597d972dee0bb05e290e478e74ed035f5ae47ad5f2d57a61e9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
905531d9f24428b741e13a13bc64671e

SHA1
e40dd4cdbb6e4645e7387c275516646970c131ba

SHA256
0e62906b1280eb46a6a6a6df1f6f37efcd0357921b29857f221e69047af09c37

SHA512
67ce33f549495d2c8819e362c9cbdee107562e51aa3865909289319fed876e0c51f8439a86a71fccb2835ab1d8659c4fa6548794d3fa9aecdbdb1823c6cb6c18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
900B

MD5
4bf2f6bfa70df38ea63019065ce0d5ac

SHA1
e0ef968f25c947b9446ee027fd85d738a4905f21

SHA256
a194055a48eb544e760fe5ba670dc522b2c903cac005d4c3dd9bb36b1a602fc0

SHA512
8dae882126e622aea440527f555186bb974c17c36611e1b06bd56291aa9f1749526eed5ba49142226fcb7dc8858d8aa7fa55e009a1f9fcc403cb650b281be1f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
6cddf24ae48010e8bba9880b8ad62339

SHA1
54f60bff8de73ead09da41445a9c5f6d9bc5ae0b

SHA256
f9fd4cd264e5c60b0b09d193719b479f9ef19a4b8778cf45a2aa620b99247f7a

SHA512
b63fcb2aaae014f38217fe28e64e531b97b6c6c511c0c758490698392503fd29f34594102bdce4c2a493c93aa4e6b09e7a4be1cef2a5ff45a46fd37ad25f9751

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
138d43c5b75b12ebec77c187ba4ef5fa

SHA1
d7defc246ec4fe4fe075efbca6b4768f0fde9a66

SHA256
c5e72100a124bfcb1b098e7a855f2ca4cef16aba400b5b3401e10fab3cb364af

SHA512
141c29e1fd69de06fbe59a4bed36bc38c4d5de36ab50bd8b900eeabc3e5f0895bbac245366c5bd8c45deeb478d21d36b23fe0a5e8459c06c0c4b02d4c956a71d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
b8ecb1aacf29789ef24fb23328fdfa67

SHA1
28cc69dc3a8ed943d085f8ae7a89901e689a2b04

SHA256
7498e5b0fdfdebb5159fd2b9bdf6294a8102c3df8c0e22664201bcff26dbbc17

SHA512
bd43c447bffb40f05bc35161f4edac991d6f6034794ea8c640b9119c09f4a6807d9e17510df5ed1480ee3ab5b04ba88327ad333216be07705774c2d7daea1689

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
40b099338957c28d5fcf8da91bdea998

SHA1
585cf1cae13a4997b5e6c1eac09ebd1cc8d19a6d

SHA256
de5a707e4ff5233afbdc1349b22fd7b713175c8539610bba750c2d5a37425fa9

SHA512
63d9d6410f1d7091b5a2fa3be4c11b348e71ed5568d3e0959a4255f40b37145473a09e7ae25155f82188d15ca7eab568fda3bb754c048af063ec22d96fb5b615

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
46514587e854a6007eb93d289423dfe1

SHA1
20743657672750f45e743b424e0a920e75669dd0

SHA256
7ab3ab52bdc533a37c61f5594e1257a24d8565f987097f0fd6ec39fe54598aed

SHA512
c55e5924f00862d39e530497caab313c91c5368d3f2e25c00873f404c834c73a5ea97861e4fde0d549f1f3f982310ef44bc7ce01970ff567c3f43759a5ec66c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Well Known Domains\1.2.0.0\well_known_domains.dll

Filesize
572KB

MD5
f5f5b37fd514776f455864502c852773

SHA1
8d5ed434173fd77feb33cb6cb0fad5e2388d97c6

SHA256
2778063e5ded354d852004e80492edb3a0f731b838bb27ba3a233bc937592f6e

SHA512
b0931f1cae171190e6ec8880f4d560cc7b3d5bffe1db11525bd133eaf51e2e0b3c920ea194d6c7577f95e7b4b4380f7845c82eb2898ad1f5c35d4550f93a14b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
5911288c9be480b6a759309bed00c5c0

SHA1
3db0cce2f62b05cd7266b652c5059826632936cb

SHA256
253e9f3acb5b3e545f5da78feed66e93e1f1e514fc50167f831d46d1d1037959

SHA512
2d7c6e8fc2c18f18310348782b1dfe16fc0b8850b347dddbb94fda23c238c45f3b9cb19eecb05ac7659f61ed34d86dab7f88176c25d90e74814e5e2342596b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Profile

Filesize
73B

MD5
1a32b94bd8d51df35d766b6affdfacfc

SHA1
b35ba7f44b350dd9e86c74acfc722ee7373b77ee

SHA256
3d464700f406245d63409c36aae1504dd9fb63c784cbf7ae8957052068213937

SHA512
9f31cb9b0972efab2ba566acd10e0355acb316b49a8cdb5c3b0787cba9f97670ea592e385182fe143f54a2effb565c1f78083223bc4600cd961bbffc8f01d3bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe.bat

Filesize
229B

MD5
c705d9d9732e434b429505ac8405154a

SHA1
9d7e3903a2c2ed2ae118982c2ef2bdc9a2c7f85c

SHA256
461ca01730541f5405a76bce0a9d7b2314f8104eb0402104f1e80439c3ab4091

SHA512
d511a1d264f75e7f9ce0efc7e6fd4ebeefd2e90858b4dbba80b25831f8ef51af95b4b1434fc5a558e8564d6aacd89a7f961eae05572e81feacee8898a4dc5416

Download Submit
C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe.lnk

Filesize
1KB

MD5
4a15396751ea437401842eead4c1fc32

SHA1
319a950bf1b9cf59bafc58e6614417cdd4881c65

SHA256
8787fb3aadc39b64a723af6dc518c53ac0f37aff9fd35f4170f3915218a4ee9c

SHA512
f1ae1d6768752f6aefbd246daa455ab315e0935367fdefb2351af70ef06173b388c21d36e6f143aab8e5f108c2acad49514ad69fc65fc86e1b48b1e813bd146d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe

Filesize
17.4MB

MD5
c3c21fa4c2186deb641455482ab0d3aa

SHA1
2f4b49e8383e073ccb965943ce970de403412567

SHA256
4ea203509d0fdff3e31f976413c546ca3d36133bc708e9a1301860961cc3a8d9

SHA512
31db2963f1bd49f7b4a6ee38e54940d20120d6c05ef7bf34ec97eb93051bee6d5428e9e1271e4ae8f5544b824188ac7278315e2e2c27be302a312eebbf8c3fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskhost.exe

Filesize
256KB

MD5
8fdf47e0ff70c40ed3a17014aeea4232

SHA1
e6256a0159688f0560b015da4d967f41cbf8c9bd

SHA256
ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82

SHA512
bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

Download Submit
C:\Users\Admin\Downloads\Remcos Professional Cracked By Alcatraz3222.zip.crdownload

Filesize
17.3MB

MD5
ea3fd7407073aae0205a02f10c1f826f

SHA1
aeb5a674da5bbdea4e1b42470e6e059b730b88a6

SHA256
bdb96b7a1a75fa4f56d1b1f922d80f029c12df21df49cbbfd1f2a3175d604195

SHA512
bf69f80a585eed54b599cb5adf285ca0576650b275daef6e502eae2d564906950cb4a13821b67325bc1c2ba0ca6436401f562c279cc42d3590e0f8becfec028f

Download Submit
C:\Users\Admin\Downloads\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222.exe

Filesize
17.7MB

MD5
efc159c7cf75545997f8c6af52d3e802

SHA1
b85bd368c91a13db1c5de2326deb25ad666c24c1

SHA256
898ac001d0f6c52c1001c640d9860287fdf30a648d580e9f5dd15e2ef84ab18e

SHA512
d06a432233dceb731defd53238971699fef201d0f9144ee50e5dd7d6620dfdd6c298d52618bf2c9feb0519574f4565fb0177b00fd8292768fbd8b85dd11e650d

Download Submit
C:\Users\Admin\Downloads\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222\Remcos_Settings.ini

Filesize
881B

MD5
a3468935e33e361cf94f4721ed4cb66d

SHA1
c3b19ca8382534b2179940cabede8c6c952a9c06

SHA256
b374af58c24b6085f64f979dab434643da39d0267a27975f396473327dc98c7d

SHA512
c1caa0b9637a46187d54b2952db204182fad5a5324574949ce4db13bdb17624ccd8b3228eb9b2bcfe5851add2c5d2f586945e7264b1d1cd02d91acf1fd81583a

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_167628586\edge_checkout_page_validator.js

Filesize
1.1MB

MD5
0e3ea2aa2bc4484c8aebb7e348d8e680

SHA1
55f802e1a00a6988236882ae02f455648ab54114

SHA256
25ffb085e470aa7214bf40777794de05bf2bb53254244a4c3a3025f40ce4cef7

SHA512
45b31d42be032766f5c275568723a170bb6bbf522f123a5fdc47e0c6f76933d2d3e14487668e772488847096c5e6a1f33920f1ee97bc586319a9005bacd65428

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1944275173\hyph-bn.hyb

Filesize
703B

MD5
8961fdd3db036dd43002659a4e4a7365

SHA1
7b2fa321d50d5417e6c8d48145e86d15b7ff8321

SHA256
c2784e33158a807135850f7125a7eaabe472b3cfc7afb82c74f02da69ea250fe

SHA512
531ecec11d296a1ab3faeb2c7ac619da9d80c1054a2ccee8a5a0cd996346fea2a2fee159ac5a8d79b46a764a2aa8e542d6a79d86b3d7dda461e41b19c9bebe92

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1944275173\hyph-mr.hyb

Filesize
687B

MD5
0807cf29fc4c5d7d87c1689eb2e0baaa

SHA1
d0914fb069469d47a36d339ca70164253fccf022

SHA256
f4df224d459fd111698dd5a13613c5bbf0ed11f04278d60230d028010eac0c42

SHA512
5324fd47c94f5804bfa1aa6df952949915896a3fc77dccaed0eeffeafe995ce087faef035aecea6b4c864a16ad32de00055f55260af974f2c41afff14dce00f3

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_1944275173\hyph-nn.hyb

Filesize
141KB

MD5
f2d8fe158d5361fc1d4b794a7255835a

SHA1
6c8744fa70651f629ed887cb76b6bc1bed304af9

SHA256
5bcbb58eaf65f13f6d039244d942f37c127344e3a0a2e6c32d08236945132809

SHA512
946f4e41be624458b5e842a6241d43cd40369b2e0abc2cacf67d892b5f3d8a863a0e37e8120e11375b0bacb4651eedb8d324271d9a0c37527d4d54dd4905afab

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5452_377119368\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
memory/2180-887-0x00000000030F0000-0x00000000030F1000-memory.dmp

Filesize
4KB

Download
memory/2180-894-0x0000000000400000-0x0000000002991000-memory.dmp

Filesize
37.6MB

Download
memory/2180-888-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2180-886-0x00000000030D0000-0x00000000030D1000-memory.dmp

Filesize
4KB

Download
memory/3716-786-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/3716-787-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/3716-788-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/3716-789-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/3716-794-0x0000000000400000-0x0000000002991000-memory.dmp

Filesize
37.6MB

Download
memory/3716-792-0x0000000004880000-0x0000000004881000-memory.dmp

Filesize
4KB

Download
memory/3716-790-0x0000000004860000-0x0000000004861000-memory.dmp

Filesize
4KB

Download
memory/3716-791-0x0000000004870000-0x0000000004871000-memory.dmp

Filesize
4KB

Download
memory/3716-793-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/4244-753-0x0000000000F70000-0x000000000211E000-memory.dmp

Filesize
17.7MB

Download
memory/4244-767-0x000000000E200000-0x000000000F382000-memory.dmp

Filesize
17.5MB

Download
memory/4244-757-0x0000000006B10000-0x0000000006BAC000-memory.dmp

Filesize
624KB

Download
memory/5936-874-0x0000000004F90000-0x0000000004F9A000-memory.dmp

Filesize
40KB

Download
memory/5936-872-0x0000000005000000-0x0000000005092000-memory.dmp

Filesize
584KB

Download
memory/5936-802-0x00000000053E0000-0x0000000005986000-memory.dmp

Filesize
5.6MB

Download
memory/5936-800-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download