Analysis

max time kernel: 564s
max time network: 568s
platform: windows10-ltsc_2021_x64
resource: win10ltsc2021-20250314-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250314-en, locale:en-us, os:windows10-ltsc_2021-x64, system
submitted: 29/03/2025, 09:14

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/cybertoxin/Remcos-Professional-Cracked-By-Alcatraz3222/blob/master/Remcos%20Professional%20Cracked%20By%20Alcatraz3222.zip
Resource: win10ltsc2021-20250314-en
General

Target: https://github.com/cybertoxin/Remcos-Professional-Cracked-By-Alcatraz3222/blob/master/Remcos%20Professional%20Cracked%20By%20Alcatraz3222.zip
Malware Config

Extracted
Family: njrat
Version: 0.7d
Botnet: HacKed
C2: dllsys.duckdns.org:3202
3b570ffeeb3d34249b9a5ce0ee58a328
reg_key: 3b570ffeeb3d34249b9a5ce0ee58a328
splitter: svchost
Signatures

Njrat family
Modifies Windows Firewall (2 TTPs, 1 IoC)
pid | Process
1568 | netsh.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Control Panel\International\Geo\Nation | Remcos Professional Cracked By Alcatraz3222.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Control Panel\International\Geo\Nation | Remcos Professional Cracked By Alcatraz3222.exe
Executes dropped EXE (6 IoCs)
pid | Process
4244 | Remcos Professional Cracked By Alcatraz3222.exe
3716 | Remcos Professional Cracked By Alcatraz3222.exe
5936 | taskhost.exe
2528 | Remcos Professional Cracked By Alcatraz3222.exe
2180 | Remcos Professional Cracked By Alcatraz3222.exe
1792 | taskhost.exe
Loads dropped DLL (1 IoC)
pid | Process
5452 | msedge.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
flow | ioc
97 | raw.githubusercontent.com
98 | raw.githubusercontent.com
99 | raw.githubusercontent.com
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid | Process
3716 | Remcos Professional Cracked By Alcatraz3222.exe
2180 | Remcos Professional Cracked By Alcatraz3222.exe
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 4244 set thread context of 5936 | 4244 | Remcos Professional Cracked By Alcatraz3222.exe | 128
PID 2528 set thread context of 1792 | 2528 | Remcos Professional Cracked By Alcatraz3222.exe | 140
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery (1 TTP, 15 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Remcos Professional Cracked By Alcatraz3222.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Remcos Professional Cracked By Alcatraz3222.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskhost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Remcos Professional Cracked By Alcatraz3222.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Remcos Professional Cracked By Alcatraz3222.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskhost.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | msedge.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Modifies data under HKEY_USERS (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133877132930287738" | msedge.exe
Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1702774510-645589634-1201277210-1000\{38C391A3-86D4-4E7C-ADF8-DE4DFA70BA6D} | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings | msedge.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
pid | Process
4244 | Remcos Professional Cracked By Alcatraz3222.exe
4244 | Remcos Professional Cracked By Alcatraz3222.exe
3716 | Remcos Professional Cracked By Alcatraz3222.exe
3716 | Remcos Professional Cracked By Alcatraz3222.exe
3716 | Remcos Professional Cracked By Alcatraz3222.exe
3716 | Remcos Professional Cracked By Alcatraz3222.exe
4244 | Remcos Professional Cracked By Alcatraz3222.exe
4244 | Remcos Professional Cracked By Alcatraz3222.exe
2528 | Remcos Professional Cracked By Alcatraz3222.exe
2528 | Remcos Professional Cracked By Alcatraz3222.exe
4244 | Remcos Professional Cracked By Alcatraz3222.exe
2180 | Remcos Professional Cracked By Alcatraz3222.exe
2180 | Remcos Professional Cracked By Alcatraz3222.exe
2180 | Remcos Professional Cracked By Alcatraz3222.exe
2180 | Remcos Professional Cracked By Alcatraz3222.exe
2528 | Remcos Professional Cracked By Alcatraz3222.exe
2528 | Remcos Professional Cracked By Alcatraz3222.exe
2528 | Remcos Professional Cracked By Alcatraz3222.exe
3728 | msedge.exe
3728 | msedge.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
2180 | Remcos Professional Cracked By Alcatraz3222.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
pid | Process
5452 | msedge.exe
5452 | msedge.exe
5452 | msedge.exe
5452 | msedge.exe
5452 | msedge.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (36 IoCs)
Suspicious use of SendNotifyMessage (26 IoCs)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
3716 | Remcos Professional Cracked By Alcatraz3222.exe
2180 | Remcos Professional Cracked By Alcatraz3222.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.

Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/cybertoxin/Remcos-Professional-Cracked-By-Alcatraz3222/blob/master/Remcos%20Professional%20Cracked%20By%20Alcatraz3222.zip
PID: 5452
- Loads dropped DLL
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x264,0x268,0x26c,0x260,0x288,0x7ff8c32af208,0x7ff8c32af214,0x7ff8c32af220
    PID: 5308

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1936,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=3000 /prefetch:3
    PID: 5944

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2956,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=2952 /prefetch:2
    PID: 5816

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2280,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=3132 /prefetch:8
    PID: 4420

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3488,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=3548 /prefetch:1
    PID: 1772

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3496,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=3576 /prefetch:1
    PID: 1144

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4860,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=5148 /prefetch:8
    PID: 1080

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5116,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=5136 /prefetch:8
    PID: 3608

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5632,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=5644 /prefetch:8
    PID: 4360

    C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5828,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=5856 /prefetch:8
    PID: 5516

    C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5828,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=5856 /prefetch:8
    PID: 888

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6048,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=6068 /prefetch:8
    PID: 3200

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6208,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=6056 /prefetch:8
    PID: 4692

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4840,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=6364 /prefetch:8
    PID: 4392

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --always-read-main-dll --field-trial-handle=6304,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=6136 /prefetch:1
    PID: 4072

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6556,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=6620 /prefetch:8
    PID: 1936

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6636,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=6600 /prefetch:8
    PID: 5292

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6084,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=6792 /prefetch:8
    PID: 2400

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6612,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=6808 /prefetch:8
    PID: 5100

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6588,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=5560 /prefetch:8
    PID: 2960

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --always-read-main-dll --field-trial-handle=5576,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=5464 /prefetch:1
    PID: 3912
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5108,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=6804 /prefetch:82⤵PID:1172
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5372,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=6804 /prefetch:82⤵PID:6044
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5060,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=6176 /prefetch:82⤵PID:2208
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=6384,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=3524 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3728
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5516,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=3532 /prefetch:82⤵PID:1692
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6812,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=5868 /prefetch:82⤵PID:1444
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6064,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=5868 /prefetch:82⤵PID:3584
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3836,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=4044 /prefetch:82⤵PID:1568
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3528,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=3276 /prefetch:82⤵PID:1776
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3120,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=4044 /prefetch:82⤵PID:4544
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5692,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=6504 /prefetch:82⤵PID:1308
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4984,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=5420 /prefetch:82⤵PID:4692
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6964,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=5532 /prefetch:82⤵PID:2824
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5504,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=6352 /prefetch:82⤵PID:3788
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=1372,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=6968 /prefetch:82⤵PID:748
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7140,i,907847987600848047,9123724164429044946,262144 --variations-seed-version --mojo-platform-channel-handle=5000 /prefetch:82⤵PID:5152
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵PID:5680
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start1⤵PID:3952
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start2⤵PID:1984
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2676
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Remcos Professional Cracked By Alcatraz3222\" -ad -an -ai#7zMap27644:148:7zEvent95851⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4808
-
C:\Users\Admin\Downloads\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222.exe"C:\Users\Admin\Downloads\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4244 -
C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe"C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3716
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/Downloads/Remcos Professional Cracked By Alcatraz3222/Remcos Professional Cracked By Alcatraz3222/Remcos Professional Cracked By Alcatraz3222.exe" "%temp%\Profile Remcos\Update_Lock_Remcos.exe" /Y2⤵
- System Location Discovery: System Language Discovery
PID:3000
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f2⤵
- System Location Discovery: System Language Discovery
PID:2492 -
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f3⤵
- System Location Discovery: System Language Discovery
PID:1152
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\Profile Remcos\Update_Lock_Remcos.exe:Zone.Identifier2⤵
- System Location Discovery: System Language Discovery
PID:2452
-
-
C:\Users\Admin\AppData\Local\Temp\taskhost.exe"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5936 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\taskhost.exe" "taskhost.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1568
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222\Remcos_Settings.ini1⤵PID:3056
-
C:\Users\Admin\Downloads\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222.exe"C:\Users\Admin\Downloads\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2528 -
C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe"C:\Users\Admin\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2180 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://breaking-security.net/shop/remcos/3⤵PID:3628
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/Downloads/Remcos Professional Cracked By Alcatraz3222/Remcos Professional Cracked By Alcatraz3222/Remcos Professional Cracked By Alcatraz3222.exe" "%temp%\Profile Remcos\Update_Lock_Remcos.exe" /Y2⤵
- System Location Discovery: System Language Discovery
PID:1676
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f2⤵
- System Location Discovery: System Language Discovery
PID:3896 -
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f3⤵
- System Location Discovery: System Language Discovery
PID:5560
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\Profile Remcos\Update_Lock_Remcos.exe:Zone.Identifier2⤵
- System Location Discovery: System Language Discovery
PID:5132
-
-
C:\Users\Admin\AppData\Local\Temp\taskhost.exe"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1792
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process 1
- Windows Service 1
- Event Triggered Execution 1
- Netsh Helper DLL 1
Privilege Escalation
- Create or Modify System Process 1
- Windows Service 1
- Event Triggered Execution 1
- Netsh Helper DLL 1
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Remcos Professional Cracked By Alcatraz3222.exe.log
Filesize522B
MD59066e7d7f14951d0434bd3fdfa7ec1ac
SHA1379439bab651ac0160f349aab4f7ab00291e97a3
SHA256e2980ccd6345d55c608ef790e4f95bc2fb53dbaebdd63c24b605ae62653655af
SHA512809041cb1ec626e7efed8e7c091517d3a6b8bb1ed0b934c35a4d3f04df6b3c1c645d6e6f39595d691518dd62cc47620b198a74d4899b9232f0d58bc9123c4dca
-
Filesize
280B
MD5004b10499ccdef678495d126747817d4
SHA1f2613e109771ee8f435d219c0f1d09dc400ec8f5
SHA256de04bf151a1ded657ac3df0f0b30f214dfc53231f87e45a16004482cddb0bd4e
SHA51225758072a30783f0664b1ca3cafd6d35613133ab06ac69df8f482aa61a2ad2c3cd850c28334613c274bf42d99a5aa84d89a3e98e234f3a1d22abec325c5cc3b2
-
Filesize
7KB
MD517fadece4f23c52c51fe0fa5bda82137
SHA19907781932cd6bad8482999fc0aee243a48eae1b
SHA256674270cafe5b0d09ce9af9c72fb5f076597133a876f65aded077ae27ddea8253
SHA5125aec7045f93921ae71efae627952dfc4f7f5a05f9967f33606bacb0e30a503bd102e584c1493e4a9a24139375c9e76b6ca4d2941917328ca2e8edf2c0ef8108f
-
Filesize
151B
MD5b21d33b94e73cd59dd683425953c1ff0
SHA19247256eca6b875ef3aefba7ca1ddb510021bd9b
SHA25679ed58e03975c3fbbc0e4b4639d7921c1af16cb9649ed62cb1d57cd7c7648d01
SHA512925d9fe34ad64f35ff6a43303f93a204bea0e2666db29974896e93f0a4e7c664842ee5a9c166eb74580cc04c5dd940af555a1937297ee18c405a93d8a0e4fa9a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize4KB
MD5416cb9e19b1096d8c006a20403538999
SHA1e287948ad2a85efd3022d0c0e107528e8466364a
SHA256c8d4acd78de81f7464a0a6d2d9278ac06f4d88ac92a0a33add95085d8dd5de21
SHA512fe58eef355d07a24d503589ca10e8aed8dc6557599e9cbd77a9317af3370dfecb2df6c50051577133603b19a1c38c9a68d14fe3626cfd6f40d5f0e96e9d574ed
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57c285.TMP
Filesize3KB
MD5b9effde9ae7c20bd4a45aea7742b3cb4
SHA15fcbe321e561113b9304f984258f4578c6cc0be8
SHA25608f31f03c59be697b887f4c8d1d70314e2f34ccba6d56168443908578395308e
SHA512f1bd5f63c1ead13d577e98d4649a35eafe7b885cb13c4cdd0f3b84f05b3a3246cda7bc2f332ff70567cf6b77feee45fea346648c040b5c578ee861d38cfab136
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
107KB
MD540e2018187b61af5be8caf035fb72882
SHA172a0b7bcb454b6b727bf90da35879b3e9a70621e
SHA256b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5
SHA512a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12
-
Filesize
3KB
MD59aa5a224f338d33f350f98616ffca589
SHA1aaba9f275d57e4fc9d2f3378e775427b1ad05d7e
SHA256cbf4ec3bcc520b201156b63e34b41214c970a22743efe21df1d77e69e87fe18b
SHA512cc3f0f797a9fd9701ad4d0a0ba8b07a5664191db99da55c34d392198603d8e608d0ed8983b74adaaf99b3d5c97a280ee7bd7674c15bba869d643d6ac4af3a149
-
Filesize
3KB
MD5c3d42217b584248f2d8c78943dd9cf7c
SHA1ef7c71d14f0e1e84d81f11af82223fd63d516065
SHA256d3faa3b106d46bd85e271255953e9e7703c872c84cb08aaf92639eba83780b2d
SHA512100d2eaffa7f17681e9eab5e90839eac6c17cdfa1ec98c81eff305bb4ee5aa2361c03eb5081feb3baaa7ea270f3fab6750f6b1bc4b0bb04e74e01f368fa4db97
-
Filesize
3KB
MD501c91d8872f29cd94530c9a0cbafcc57
SHA1e35cde0d146df5bba7cdaad4e4b7e97158f4d009
SHA256deaaddf81cfccd5ab9d8bcecf3bf3638db018d23f5aa38420e0d6c1c98e627d6
SHA512eed3f986df79f07b0458da1e6d9be8707a00c4fdb7e55304cd8ab6a35641b82f100bb2a0d04f029007e9410a48d323acbc736da49d876f76b5280479eeb9e030
-
Filesize
3KB
MD5da7258f69e738ddf7480680b90d8779d
SHA141d42448a4461f98d46559c29fc7f4c2fcb1c3f1
SHA2560d613df6d4c94a6f075fd30bdb4b7c6cdd75f239c1a1aed07112cf67b500621e
SHA51284381e5715727a29e97fb69b26a046379dd3e38ce027720eb04386d6ee8299a568c2ce741934447f769853da7f65dc2a1b3f4dd3d53002519c16e049a6beeb73
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
40B
MD520d4b8fa017a12a108c87f540836e250
SHA11ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA2566028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856
-
Filesize
18KB
MD587b1779b215bbf39f0c90a473989b22d
SHA1c3aebf20da29e65cf86b6fbe9575758dc2743278
SHA256cbd20e15cc4baf65560fdad4ac2407b674a61d201b47530fa7d8caea49ec949d
SHA5127ac5edcf85f4cb619023e590782c54c2c12554530db47d8d4d8b748fdc3ddb83084b1aa4ccf4ecfdf0bf665055dfa2f83048704a6de70834d5a0a085eb3731a9
-
Filesize
18KB
MD5960881bfaf5b055ccf724fb0fd186781
SHA1e1fba15dde18e0538d741f0123b5e48520782131
SHA2560ee2cb796c6695f890d7f0cbc91a97fae7287a8bd404fc4676df1ae5293e9a42
SHA512aafb4339e7e69cd17678775903bb4005df0bccb2abb40422457d95b98f2d5f3ae41343352b1ef1be6891db6b38cc36791eb6c67155adf333e8a534dde7fd9ddb
-
Filesize
18KB
MD542b1a432d73f3c857ab0f59789d5d3ee
SHA140c3b8d745b1fe6600c7026dc73d0305ee712aff
SHA256ea8393e9ac1c78bc8a106d0af9863a145fc7533c7d2e61935937990bec5b0ead
SHA512544323c68d7a8ef6ce2aab9668b65549567eaa763cc8b50bcaf3340f53ebff5dcf912184b31ce34f90550e3a2b90a53a1bab0e63625fba3fee5ed9943430f2f2
-
Filesize
36KB
MD5ae06f46ff32a3a72a61da4c2dfd0e6cf
SHA1ae5110da23210d3978c027b9033090e510655cbf
SHA256662410c187aa5bd205f4c99c9766a48e713f793dbad21c51d6ccb703ee740412
SHA5127c73971bf39f75f267c9bbad29ad5798e007f54eb76b59b50e09e900be511dfb6894387af14f00d949916cbe2fda20f580273ac15c48e72b70b1cdb847d84ea2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\8854b910-1f0e-4005-86ad-f49d9236caec\index-dir\temp-index
Filesize1KB
MD5efc1b48fa3d1288016f45dbc1886e716
SHA145512d22fe3ccb87e949a4ae276315c896febc71
SHA2561197c839c14493575a22f0365296ebeb9b90c1f57874d7fdbdf58b62830fe792
SHA5121434eed217962d7170419799f5eb81f7eb0b2dfb94c80296ded818154a1ba7baada3ab1626ca7c8cafecf6fee7f2a85c1515f9d313be62bf3aff14f3040bb0e4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\8854b910-1f0e-4005-86ad-f49d9236caec\index-dir\the-real-index~RFe5be82a.TMP
Filesize1KB
MD517c022dddb6223d23d972be6bef36775
SHA16d57892090c1442d7ff5d7971b00d5073ad17ae2
SHA2568d980deb2a65bff625bead15fc3886e83212d686d8df79425dd93c5b683251ec
SHA512a52fe38c396c6ff13cc422864f6bfb31c082801d08949cf35baf3f416358939f12d07dc7184a91f264a7e04b90fe4261cdf40417789e9f7011b63032daaa4b92
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt
Filesize253B
MD56a1e54044a51f463b0aea4c089641eac
SHA129ee982f175bcfff1a0e39dc196ba85f326ece56
SHA256ddb5a3d47c0d5a2b53171c3fc0fbc71db2c79f7124dd597ff35830e84cd5fbdd
SHA512ad88134aa2f95371e9635e5faae887a2b23a28e02b8a4c20d521454744be8f7cf57d60cf86603361efbdd20023f923ac10c3ac6eba0eda1f7d15db547cf17c31
-
Filesize
22KB
MD5968ab3e30a30dfb14ee99e385772ffe2
SHA1cd5400f8e53317c2fb4f66e4863fbc97ba1808ce
SHA256e94e5f9d2e07c1ff39740bd9c3374b197efb559b25837f062477da8a352daeec
SHA51221bb12f20742b2cbf69654aed408f8291c1dc6d2f40abd6228fb0a6e62b34b4e8920a1974384750731bdc992a65124643e51ce4a3c97648288446623593631ab
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\9d19cc01-9260-4ebe-8fb5-1d5db6453f19.tmp
Filesize19KB
MD541c1930548d8b99ff1dbb64ba7fecb3d
SHA1d8acfeaf7c74e2b289be37687f886f50c01d4f2f
SHA25616cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502
SHA512a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75
-
Filesize
467B
MD5975d5ac7dbec5773a8d7024998b13ba1
SHA1f3e1081a370859a4b5399b54508dddd43e7e72b3
SHA256332e69f50665413788a368a75ce5062963c545a7111736a218dbfca43a7b7f17
SHA51296385c065a80e147ff82a6aeab617604ff12b9bb27a5c215e26a5835f11cd1ddf126f1fbbb9b1597d972dee0bb05e290e478e74ed035f5ae47ad5f2d57a61e9a
-
Filesize
23KB
MD5905531d9f24428b741e13a13bc64671e
SHA1e40dd4cdbb6e4645e7387c275516646970c131ba
SHA2560e62906b1280eb46a6a6a6df1f6f37efcd0357921b29857f221e69047af09c37
SHA51267ce33f549495d2c8819e362c9cbdee107562e51aa3865909289319fed876e0c51f8439a86a71fccb2835ab1d8659c4fa6548794d3fa9aecdbdb1823c6cb6c18
-
Filesize
900B
MD54bf2f6bfa70df38ea63019065ce0d5ac
SHA1e0ef968f25c947b9446ee027fd85d738a4905f21
SHA256a194055a48eb544e760fe5ba670dc522b2c903cac005d4c3dd9bb36b1a602fc0
SHA5128dae882126e622aea440527f555186bb974c17c36611e1b06bd56291aa9f1749526eed5ba49142226fcb7dc8858d8aa7fa55e009a1f9fcc403cb650b281be1f3
-
Filesize
55KB
MD56cddf24ae48010e8bba9880b8ad62339
SHA154f60bff8de73ead09da41445a9c5f6d9bc5ae0b
SHA256f9fd4cd264e5c60b0b09d193719b479f9ef19a4b8778cf45a2aa620b99247f7a
SHA512b63fcb2aaae014f38217fe28e64e531b97b6c6c511c0c758490698392503fd29f34594102bdce4c2a493c93aa4e6b09e7a4be1cef2a5ff45a46fd37ad25f9751
-
Filesize
55KB
MD5138d43c5b75b12ebec77c187ba4ef5fa
SHA1d7defc246ec4fe4fe075efbca6b4768f0fde9a66
SHA256c5e72100a124bfcb1b098e7a855f2ca4cef16aba400b5b3401e10fab3cb364af
SHA512141c29e1fd69de06fbe59a4bed36bc38c4d5de36ab50bd8b900eeabc3e5f0895bbac245366c5bd8c45deeb478d21d36b23fe0a5e8459c06c0c4b02d4c956a71d
-
Filesize
41KB
MD5b8ecb1aacf29789ef24fb23328fdfa67
SHA128cc69dc3a8ed943d085f8ae7a89901e689a2b04
SHA2567498e5b0fdfdebb5159fd2b9bdf6294a8102c3df8c0e22664201bcff26dbbc17
SHA512bd43c447bffb40f05bc35161f4edac991d6f6034794ea8c640b9119c09f4a6807d9e17510df5ed1480ee3ab5b04ba88327ad333216be07705774c2d7daea1689
-
Filesize
49KB
MD540b099338957c28d5fcf8da91bdea998
SHA1585cf1cae13a4997b5e6c1eac09ebd1cc8d19a6d
SHA256de5a707e4ff5233afbdc1349b22fd7b713175c8539610bba750c2d5a37425fa9
SHA51263d9d6410f1d7091b5a2fa3be4c11b348e71ed5568d3e0959a4255f40b37145473a09e7ae25155f82188d15ca7eab568fda3bb754c048af063ec22d96fb5b615
-
Filesize
40KB
MD546514587e854a6007eb93d289423dfe1
SHA120743657672750f45e743b424e0a920e75669dd0
SHA2567ab3ab52bdc533a37c61f5594e1257a24d8565f987097f0fd6ec39fe54598aed
SHA512c55e5924f00862d39e530497caab313c91c5368d3f2e25c00873f404c834c73a5ea97861e4fde0d549f1f3f982310ef44bc7ce01970ff567c3f43759a5ec66c0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Well Known Domains\1.2.0.0\well_known_domains.dll
Filesize572KB
MD5f5f5b37fd514776f455864502c852773
SHA18d5ed434173fd77feb33cb6cb0fad5e2388d97c6
SHA2562778063e5ded354d852004e80492edb3a0f731b838bb27ba3a233bc937592f6e
SHA512b0931f1cae171190e6ec8880f4d560cc7b3d5bffe1db11525bd133eaf51e2e0b3c920ea194d6c7577f95e7b4b4380f7845c82eb2898ad1f5c35d4550f93a14b6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72
Filesize152KB
MD5dd9bf8448d3ddcfd067967f01e8bf6d7
SHA1d7829475b2bd6a3baa8fabfaf39af57c6439b35e
SHA256fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72
SHA51265347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
Filesize2KB
MD55911288c9be480b6a759309bed00c5c0
SHA13db0cce2f62b05cd7266b652c5059826632936cb
SHA256253e9f3acb5b3e545f5da78feed66e93e1f1e514fc50167f831d46d1d1037959
SHA5122d7c6e8fc2c18f18310348782b1dfe16fc0b8850b347dddbb94fda23c238c45f3b9cb19eecb05ac7659f61ed34d86dab7f88176c25d90e74814e5e2342596b48
-
Filesize
73B
MD51a32b94bd8d51df35d766b6affdfacfc
SHA1b35ba7f44b350dd9e86c74acfc722ee7373b77ee
SHA2563d464700f406245d63409c36aae1504dd9fb63c784cbf7ae8957052068213937
SHA5129f31cb9b0972efab2ba566acd10e0355acb316b49a8cdb5c3b0787cba9f97670ea592e385182fe143f54a2effb565c1f78083223bc4600cd961bbffc8f01d3bd
-
Filesize
229B
MD5c705d9d9732e434b429505ac8405154a
SHA19d7e3903a2c2ed2ae118982c2ef2bdc9a2c7f85c
SHA256461ca01730541f5405a76bce0a9d7b2314f8104eb0402104f1e80439c3ab4091
SHA512d511a1d264f75e7f9ce0efc7e6fd4ebeefd2e90858b4dbba80b25831f8ef51af95b4b1434fc5a558e8564d6aacd89a7f961eae05572e81feacee8898a4dc5416
-
Filesize
1KB
MD54a15396751ea437401842eead4c1fc32
SHA1319a950bf1b9cf59bafc58e6614417cdd4881c65
SHA2568787fb3aadc39b64a723af6dc518c53ac0f37aff9fd35f4170f3915218a4ee9c
SHA512f1ae1d6768752f6aefbd246daa455ab315e0935367fdefb2351af70ef06173b388c21d36e6f143aab8e5f108c2acad49514ad69fc65fc86e1b48b1e813bd146d
-
Filesize
17.4MB
MD5c3c21fa4c2186deb641455482ab0d3aa
SHA12f4b49e8383e073ccb965943ce970de403412567
SHA2564ea203509d0fdff3e31f976413c546ca3d36133bc708e9a1301860961cc3a8d9
SHA51231db2963f1bd49f7b4a6ee38e54940d20120d6c05ef7bf34ec97eb93051bee6d5428e9e1271e4ae8f5544b824188ac7278315e2e2c27be302a312eebbf8c3fb7
-
Filesize
256KB
MD58fdf47e0ff70c40ed3a17014aeea4232
SHA1e6256a0159688f0560b015da4d967f41cbf8c9bd
SHA256ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82
SHA512bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be
-
Filesize
17.3MB
MD5ea3fd7407073aae0205a02f10c1f826f
SHA1aeb5a674da5bbdea4e1b42470e6e059b730b88a6
SHA256bdb96b7a1a75fa4f56d1b1f922d80f029c12df21df49cbbfd1f2a3175d604195
SHA512bf69f80a585eed54b599cb5adf285ca0576650b275daef6e502eae2d564906950cb4a13821b67325bc1c2ba0ca6436401f562c279cc42d3590e0f8becfec028f
-
C:\Users\Admin\Downloads\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222.exe
Filesize17.7MB
MD5efc159c7cf75545997f8c6af52d3e802
SHA1b85bd368c91a13db1c5de2326deb25ad666c24c1
SHA256898ac001d0f6c52c1001c640d9860287fdf30a648d580e9f5dd15e2ef84ab18e
SHA512d06a432233dceb731defd53238971699fef201d0f9144ee50e5dd7d6620dfdd6c298d52618bf2c9feb0519574f4565fb0177b00fd8292768fbd8b85dd11e650d
-
C:\Users\Admin\Downloads\Remcos Professional Cracked By Alcatraz3222\Remcos Professional Cracked By Alcatraz3222\Remcos_Settings.ini
Filesize881B
MD5a3468935e33e361cf94f4721ed4cb66d
SHA1c3b19ca8382534b2179940cabede8c6c952a9c06
SHA256b374af58c24b6085f64f979dab434643da39d0267a27975f396473327dc98c7d
SHA512c1caa0b9637a46187d54b2952db204182fad5a5324574949ce4db13bdb17624ccd8b3228eb9b2bcfe5851add2c5d2f586945e7264b1d1cd02d91acf1fd81583a
-
Filesize
1.1MB
MD50e3ea2aa2bc4484c8aebb7e348d8e680
SHA155f802e1a00a6988236882ae02f455648ab54114
SHA25625ffb085e470aa7214bf40777794de05bf2bb53254244a4c3a3025f40ce4cef7
SHA51245b31d42be032766f5c275568723a170bb6bbf522f123a5fdc47e0c6f76933d2d3e14487668e772488847096c5e6a1f33920f1ee97bc586319a9005bacd65428
-
Filesize
703B
MD58961fdd3db036dd43002659a4e4a7365
SHA17b2fa321d50d5417e6c8d48145e86d15b7ff8321
SHA256c2784e33158a807135850f7125a7eaabe472b3cfc7afb82c74f02da69ea250fe
SHA512531ecec11d296a1ab3faeb2c7ac619da9d80c1054a2ccee8a5a0cd996346fea2a2fee159ac5a8d79b46a764a2aa8e542d6a79d86b3d7dda461e41b19c9bebe92
-
Filesize
687B
MD50807cf29fc4c5d7d87c1689eb2e0baaa
SHA1d0914fb069469d47a36d339ca70164253fccf022
SHA256f4df224d459fd111698dd5a13613c5bbf0ed11f04278d60230d028010eac0c42
SHA5125324fd47c94f5804bfa1aa6df952949915896a3fc77dccaed0eeffeafe995ce087faef035aecea6b4c864a16ad32de00055f55260af974f2c41afff14dce00f3
-
Filesize
141KB
MD5f2d8fe158d5361fc1d4b794a7255835a
SHA16c8744fa70651f629ed887cb76b6bc1bed304af9
SHA2565bcbb58eaf65f13f6d039244d942f37c127344e3a0a2e6c32d08236945132809
SHA512946f4e41be624458b5e842a6241d43cd40369b2e0abc2cacf67d892b5f3d8a863a0e37e8120e11375b0bacb4651eedb8d324271d9a0c37527d4d54dd4905afab
-
Filesize
1KB
MD5ee002cb9e51bb8dfa89640a406a1090a
SHA149ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2
SHA2563dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b
SHA512d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c