Analysis
max time kernel: 175s
max time network: 200s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20-05-2022 12:47
Static task: static1
Behavioral task: behavioral1
Sample: 2238e83f.exe
Resource: win7-20220414-en
General
Target: 2238e83f.exe
Size: 1.4MB
MD5: abb0da45041a587897972066124a73fe
SHA1: 5a82eb5e9ef349e798fc930f077e15e5e692fe5c
SHA256: 2238e83f8febb5591c0c5416f5e81d17a4d6a061a05230c4765b9af3faa26845
SHA512: 10c81fcbd10a23a26ac80c31098d736ada5f015df5da146c4f32939c13f396085b22c74b24da69dd5b91836a4ab5744dfc5310aa284358b7a689ad73cc6a5e25
Malware Config
Extracted: remcos 1.7 Pro
Host: 194.5.97.32:5890
audio_folder: audio
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 5
copy_file: remcos.exe
copy_folder: remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: true
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: remcos_oqkhxjzletgovfx
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screens
screenshot_path: %AppData%
screenshot_time: 1
startup_value: remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: (value absent from the report)
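The config above fixes where the implant installs, which Run value it writes and where its C2 lives. The following Python is an added example, not part of the report and not Remcos code: it parses the report's key/value lines, expands %AppData% under the assumed sandbox profile C:\Users\Admin, derives the host artefacts to hunt for (install path, Run value, mutex, C2 socket), and checks the predicted install path against the Run value the sandbox recorded in the "Adds Run key" signature. Keylog and screenshot paths are only emitted when their flags are true, since a disabled feature leaves no file to look for.

```python
import re
from typing import Dict

# Constructed input: the key/value pairs from the report's "Malware Config" section,
# in the report's own one-key-one-value form (only the keys this script uses).
CONFIG_TEXT = """
Host 194.5.97.32:5890
copy_file remcos.exe
copy_folder remcos
install_flag true
install_path %AppData%
keylog_file logs.dat
keylog_flag false
keylog_folder remcos
keylog_path %AppData%
mutex remcos_oqkhxjzletgovfx
screenshot_flag false
screenshot_folder Screens
screenshot_path %AppData%
startup_value remcos
"""

# Assumption: the sandbox profile is C:\Users\Admin, so %AppData% is the Roaming
# folder below it (the paths the report observed agree with this).
ENV = {"%AppData%": r"C:\Users\Admin\AppData\Roaming"}

# Copied from the report's "Adds Run key to start application" signature (constructed input).
OBSERVED_RUN_NAME = "remcos"
OBSERVED_RUN_VALUE = '"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe"'


def parse_config(text: str) -> Dict[str, str]:
    """One 'key value' pair per line; booleans are kept as the strings true/false."""
    cfg: Dict[str, str] = {}
    for line in text.strip().splitlines():
        key, _, value = line.strip().partition(" ")
        cfg[key] = value.strip()
    return cfg


def expand(path: str) -> str:
    """Expand the %VAR% placeholders Remcos uses. A callable replacement keeps the
    backslashes in the real path literal instead of letting re.sub parse them."""
    for var, real in ENV.items():
        path = re.sub(re.escape(var), lambda _m: real, path, flags=re.IGNORECASE)
    return path


def derive_iocs(cfg: Dict[str, str]) -> Dict[str, object]:
    """Host artefacts this config produces when install_flag is true."""
    host, _, port = cfg["Host"].partition(":")
    install_dir = expand(cfg["install_path"]) + "\\" + cfg["copy_folder"]
    iocs: Dict[str, object] = {
        "c2": (host, int(port)),
        "mutex": cfg["mutex"],
        "persists": cfg.get("install_flag") == "true",
        "install_exe": install_dir + "\\" + cfg["copy_file"],
        "run_key": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
        "run_value_name": cfg["startup_value"],
        "keylog_file": None,
        "screenshot_dir": None,
    }
    if cfg.get("keylog_flag") == "true":
        iocs["keylog_file"] = (expand(cfg["keylog_path"]) + "\\" + cfg["keylog_folder"]
                               + "\\" + cfg["keylog_file"])
    if cfg.get("screenshot_flag") == "true":
        iocs["screenshot_dir"] = expand(cfg["screenshot_path"]) + "\\" + cfg["screenshot_folder"]
    return iocs


def matches_observed(iocs: Dict[str, object], run_name: str, run_value: str) -> bool:
    """The sandbox records the Run value with surrounding quotes; compare the path inside."""
    same_name = run_name.lower() == str(iocs["run_value_name"]).lower()
    same_path = run_value.strip('"').lower() == str(iocs["install_exe"]).lower()
    return same_name and same_path


if __name__ == "__main__":
    result = derive_iocs(parse_config(CONFIG_TEXT))
    for key, value in result.items():
        print(f"{key}: {value}")
    print("config agrees with sandbox Run key:",
          matches_observed(result, OBSERVED_RUN_NAME, OBSERVED_RUN_VALUE))
```

Running it prints the C2 socket 194.5.97.32:5890, the mutex, and C:\Users\Admin\AppData\Roaming\remcos\remcos.exe as the install path, and confirms that the Run value the sandbox saw is exactly what the config predicts, so the same derivation can be applied to other Remcos configs before they are detonated.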
Signatures
-
Executes dropped EXE 2 IoCs
Processes: remcos.exe, remcos.exe
pid   process
1828  remcos.exe
2520  remcos.exe
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 2238e83f.exe, 2238e83f.exe, remcos.exe
description        ioc                                                                                                  process
Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  2238e83f.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  2238e83f.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  remcos.exe
-
Adds Run key to start application 2 TTPs 5 IoCs
Processes: 2238e83f.exe, remcos.exe, msedge.exe
description      ioc                                                                                                                                                                                        process
Key created      \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run\                                                                                 2238e83f.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""  2238e83f.exe
Key created      \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run\                                                                                 remcos.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""  remcos.exe
Key created      \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                                  msedge.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes: 2238e83f.exe, remcos.exe, remcos.exe
description                          pid   process       target process
PID 4232 set thread context of 3960  4232  2238e83f.exe  2238e83f.exe
PID 1828 set thread context of 2520  1828  remcos.exe    remcos.exe
PID 2520 set thread context of 3696  2520  remcos.exe    iexplore.exe
-
Drops file in Program Files directory 2 IoCs
Processes: setup.exe
description                   ioc                                                                                                process
File created                  C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\3ab02a58-0b4e-43e4-8dba-854671129f7c.tmp  setup.exe
File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220520145125.pma                       setup.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's canned note for this signature reads "Likely ransomware behaviour"; for this sample the extracted config identifies Remcos, a remote-access tool, so read the flag as generic drive enumeration rather than as evidence of encryption.
-
Delays execution with timeout.exe 2 IoCs
Processes: timeout.exe, timeout.exe
pid   process
4164  timeout.exe
3740  timeout.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: msedge.exe
description        ioc                                                                process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
-
Modifies registry class 1 IoCs
Processes: msedge.exe
description  ioc                                                                                     process
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  msedge.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes: powershell.exe, 2238e83f.exe, powershell.exe, remcos.exe, msedge.exe, msedge.exe, identity_helper.exe
(identical rows collapsed; count is how many times the report lists each)
pid   process              count
4304  powershell.exe       2
4232  2238e83f.exe         6
2008  powershell.exe       2
1828  remcos.exe           2
4876  msedge.exe           2
852   msedge.exe           2
3436  identity_helper.exe  2
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes: msedge.exe
pid  process     count
852  msedge.exe  7
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: powershell.exe, 2238e83f.exe, powershell.exe, remcos.exe
description              pid   process
Token: SeDebugPrivilege  4304  powershell.exe
Token: SeDebugPrivilege  4232  2238e83f.exe
Token: SeDebugPrivilege  2008  powershell.exe
Token: SeDebugPrivilege  1828  remcos.exe
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes: msedge.exe
pid  process     count
852  msedge.exe  3
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 2238e83f.exe, cmd.exe, 2238e83f.exe, cmd.exe, remcos.exe, cmd.exe, remcos.exe, iexplore.exe, msedge.exe
(identical rows collapsed; count is how many times the report lists each; counts sum to 64)
description                       pid   process       target process  count
PID 4232 wrote to memory of 4304  4232  2238e83f.exe  powershell.exe  3
PID 4232 wrote to memory of 2248  4232  2238e83f.exe  cmd.exe         3
PID 2248 wrote to memory of 4164  2248  cmd.exe       timeout.exe     3
PID 4232 wrote to memory of 4756  4232  2238e83f.exe  2238e83f.exe    3
PID 4232 wrote to memory of 3960  4232  2238e83f.exe  2238e83f.exe    9
PID 3960 wrote to memory of 4368  3960  2238e83f.exe  cmd.exe         3
PID 4368 wrote to memory of 1264  4368  cmd.exe       PING.EXE        3
PID 4368 wrote to memory of 1828  4368  cmd.exe       remcos.exe      3
PID 1828 wrote to memory of 2008  1828  remcos.exe    powershell.exe  3
PID 1828 wrote to memory of 440   1828  remcos.exe    cmd.exe         3
PID 440 wrote to memory of 3740   440   cmd.exe       timeout.exe     3
PID 1828 wrote to memory of 2520  1828  remcos.exe    remcos.exe      9
PID 2520 wrote to memory of 3696  2520  remcos.exe    iexplore.exe    8
PID 3696 wrote to memory of 852   3696  iexplore.exe  msedge.exe      2
PID 852 wrote to memory of 4160   852   msedge.exe    msedge.exe      2
PID 852 wrote to memory of 3012   852   msedge.exe    msedge.exe      4
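Read together, the SetThreadContext and WriteProcessMemory signatures describe process hollowing: each stage starts a child, writes into it repeatedly, then resets the child's thread context so it runs the written image. The Python below is an added example (not part of the report) that parses rows in the report's own format, pairs the write counts with the SetThreadContext events, flags the pairs that fit the hollowing pattern, and follows the links so that a hollowed process which itself hollows the next one shows as one chain. The write-count threshold is calibrated on this report, where ordinary CreateProcess children (powershell, cmd) show three writes each and the hollowed targets eight or nine; it is an assumption for this data, not a general constant.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed input: one entry per distinct row of the report's SetThreadContext and
# WriteProcessMemory signatures, with the number of times the report repeats it.
ROWS = [
    ("PID 4232 set thread context of 3960 4232 2238e83f.exe 2238e83f.exe", 1),
    ("PID 1828 set thread context of 2520 1828 remcos.exe remcos.exe", 1),
    ("PID 2520 set thread context of 3696 2520 remcos.exe iexplore.exe", 1),
    ("PID 4232 wrote to memory of 4304 4232 2238e83f.exe powershell.exe", 3),
    ("PID 4232 wrote to memory of 2248 4232 2238e83f.exe cmd.exe", 3),
    ("PID 4232 wrote to memory of 4756 4232 2238e83f.exe 2238e83f.exe", 3),
    ("PID 4232 wrote to memory of 3960 4232 2238e83f.exe 2238e83f.exe", 9),
    ("PID 4368 wrote to memory of 1828 4368 cmd.exe remcos.exe", 3),
    ("PID 1828 wrote to memory of 2008 1828 remcos.exe powershell.exe", 3),
    ("PID 1828 wrote to memory of 2520 1828 remcos.exe remcos.exe", 9),
    ("PID 2520 wrote to memory of 3696 2520 remcos.exe iexplore.exe", 8),
    ("PID 3696 wrote to memory of 852 3696 iexplore.exe msedge.exe", 2),
]
LINES = [row for row, n in ROWS for _ in range(n)]

# "PID <src> <action> <dst> <src again> <src image> <dst image>"
ROW_RE = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+) (\S+)")

Event = Tuple[int, str, int, str, str]  # (src pid, "ctx"|"write", dst pid, src image, dst image)


def parse_events(lines: List[str]) -> List[Event]:
    events: List[Event] = []
    for line in lines:
        m = ROW_RE.search(line)
        if m:
            src, action, dst, src_img, dst_img = m.groups()
            kind = "ctx" if action.startswith("set") else "write"
            events.append((int(src), kind, int(dst), src_img, dst_img))
    return events


def find_hollowing(events: List[Event], min_writes: int = 4) -> List[Dict[str, object]]:
    """A parent that writes a child's memory at least min_writes times and also sets
    the child's thread context is reported as a hollowing candidate."""
    writes: Counter = Counter()
    ctx: Dict[Tuple[int, int], Tuple[str, str]] = {}
    for src, kind, dst, src_img, dst_img in events:
        if kind == "write":
            writes[(src, dst)] += 1
        else:
            ctx[(src, dst)] = (src_img, dst_img)
    hits: List[Dict[str, object]] = []
    for (src, dst), (src_img, dst_img) in ctx.items():
        if writes[(src, dst)] < min_writes:
            continue  # a lone SetThreadContext without bulk writes is not the pattern
        hits.append({
            "src": src, "dst": dst, "src_img": src_img, "dst_img": dst_img,
            "writes": writes[(src, dst)],
            # "self": suspended copy of the same binary; "cross": a decoy such as iexplore.exe
            "kind": "self" if src_img.lower() == dst_img.lower() else "cross",
        })
    return sorted(hits, key=lambda h: h["src"])


def injection_chain(hits: List[Dict[str, object]], start_pid: int) -> List[int]:
    """Follow src -> dst links from start_pid; stops on a cycle or when no hit continues it."""
    by_src = {h["src"]: h["dst"] for h in hits}
    chain = [start_pid]
    while chain[-1] in by_src and by_src[chain[-1]] not in chain:
        chain.append(by_src[chain[-1]])
    return chain


if __name__ == "__main__":
    found = find_hollowing(parse_events(LINES))
    for h in found:
        print(f"{h['src']} ({h['src_img']}) -> {h['dst']} ({h['dst_img']}): "
              f"{h['writes']} writes, {h['kind']} hollowing")
    print("chain from 1828:", injection_chain(found, 1828))
```

On the report's data this yields two self-hollowings (4232 into 3960, 1828 into 2520) and one cross-image hollowing (2520 into iexplore.exe 3696), and the chain from 1828 is 1828 -> 2520 -> 3696: the hollowed remcos.exe copy is the one that injects the browser decoy. The three writes to powershell.exe and cmd.exe are not flagged because no SetThreadContext event exists for them.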
Processes
-
depth 1: C:\Users\Admin\AppData\Local\Temp\2238e83f.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\2238e83f.exe"
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
depth 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AEEAcgB0AC0AUwBsAEUAZQBQACAALQBzACAAMgAwAA==
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
depth 2: C:\Windows\SysWOW64\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /c timeout 20
- Suspicious use of WriteProcessMemory
-
depth 3: C:\Windows\SysWOW64\timeout.exe
  cmdline: timeout 20
- Delays execution with timeout.exe
-
depth 2: C:\Users\Admin\AppData\Local\Temp\2238e83f.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2238e83f.exe
-
depth 2: C:\Users\Admin\AppData\Local\Temp\2238e83f.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2238e83f.exe
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
depth 3: C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
- Suspicious use of WriteProcessMemory
-
depth 4: C:\Windows\SysWOW64\PING.EXE
  cmdline: PING 127.0.0.1 -n 2
- Runs ping.exe
-
depth 4: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
depth 5: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AEEAcgB0AC0AUwBsAEUAZQBQACAALQBzACAAMgAwAA==
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
depth 5: C:\Windows\SysWOW64\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /c timeout 20
- Suspicious use of WriteProcessMemory
-
depth 6: C:\Windows\SysWOW64\timeout.exe
  cmdline: timeout 20
- Delays execution with timeout.exe
-
depth 5: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  cmdline: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
depth 6: C:\Program Files (x86)\Internet Explorer\iexplore.exe
  cmdline: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
- Suspicious use of WriteProcessMemory
-
depth 7: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff193446f8,0x7fff19344708,0x7fff19344718
-
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,15738914779950065276,9464593138554821121,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
-
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,15738914779950065276,9464593138554821121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
-
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,15738914779950065276,9464593138554821121,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
-
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15738914779950065276,9464593138554821121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
-
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15738914779950065276,9464593138554821121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3772 /prefetch:1
-
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2116,15738914779950065276,9464593138554821121,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5252 /prefetch:8
-
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15738914779950065276,9464593138554821121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
-
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2116,15738914779950065276,9464593138554821121,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4876 /prefetch:8
-
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15738914779950065276,9464593138554821121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
-
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15738914779950065276,9464593138554821121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
-
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,15738914779950065276,9464593138554821121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 /prefetch:8
-
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
- Drops file in Program Files directory
-
depth 9: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff70e2e5460,0x7ff70e2e5470,0x7ff70e2e5480
-
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,15738914779950065276,9464593138554821121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15738914779950065276,9464593138554821121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4224 /prefetch:1
-
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15738914779950065276,9464593138554821121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
-
depth 7: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
-
depth 8: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7fff193446f8,0x7fff19344708,0x7fff19344718
-
depth 1: C:\Windows\System32\CompPkgSrv.exe
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
-
depth 1: C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
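The process tree shows both stages stalling before they inject: a powershell.exe -enc command, a cmd.exe /c timeout 20, and a PING 127.0.0.1 -n 2 from install.bat (the SysWOW64 image path against the System32 path in the command line is WoW64 file-system redirection: these are 32-bit processes). The -enc payload is base64 over UTF-16LE text, not UTF-8, which is why it does not decode as ASCII. The Python below is an added example (not part of the report) that decodes the encoded command, accepting the -e, -ec and -enc... forms powershell.exe allows, and converts each of the three delay primitives into seconds so the total stall can be compared against a sandbox's time budget. The ping conversion assumes one second between echo requests, which is the default.

```python
import base64
import re
from typing import List, Optional

# Constructed input: command lines copied from the process tree above.
CMDLINES = [
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -enc '
    'UwB0AEEAcgB0AC0AUwBsAEUAZQBQACAALQBzACAAMgAwAA==',
    '"C:\\Windows\\System32\\cmd.exe" /c timeout 20',
    'PING 127.0.0.1 -n 2',
]

# Quoted paths stay one token; everything else splits on whitespace.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def is_encoded_flag(token: str) -> bool:
    """powershell.exe accepts -EncodedCommand, any prefix from -enc up, and the short
    aliases -e and -ec; it also accepts / as the switch character."""
    if token[0] not in "-/":
        return False
    flag = token[1:].lower()
    return flag in ("e", "ec") or (flag.startswith("enc") and "encodedcommand".startswith(flag))


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind an encoded-command flag, or None if there is none."""
    tokens = TOKEN_RE.findall(cmdline)
    for i, tok in enumerate(tokens[:-1]):
        if is_encoded_flag(tok):
            payload = tokens[i + 1]
            payload += "=" * (-len(payload) % 4)  # tolerate stripped padding
            return base64.b64decode(payload).decode("utf-16-le")
    return None


def delay_seconds(cmdline: str) -> int:
    """Seconds of stalling a command line introduces; 0 if it is not a delay primitive."""
    script = decode_encoded_command(cmdline) or cmdline
    m = re.search(r"start-sleep\s+-m\w*\s+(\d+)", script, re.I)   # Start-Sleep -Milliseconds
    if m:
        return int(m.group(1)) // 1000
    m = re.search(r"start-sleep\s+(?:-s\w*\s+)?(\d+)", script, re.I)  # Start-Sleep [-Seconds] N
    if m:
        return int(m.group(1))
    m = re.search(r"\btimeout(?:\.exe)?\s+(?:/t\s+)?(\d+)", script, re.I)  # timeout [/t] N
    if m:
        return int(m.group(1))
    m = re.search(r"\bping(?:\.exe)?\s+\S+.*?-n\s+(\d+)", script, re.I)  # ping host -n N
    if m:
        return max(int(m.group(1)) - 1, 0)  # N echoes spaced one second apart
    return 0


def total_stall(cmdlines: List[str]) -> int:
    return sum(delay_seconds(c) for c in cmdlines)


if __name__ == "__main__":
    for c in CMDLINES:
        print(f"{delay_seconds(c):3d}s  {decode_encoded_command(c) or c}")
    print("total:", total_stall(CMDLINES), "s")
```

The encoded command decodes to `StArt-SlEeP -s 20`; the mixed case is there to defeat case-sensitive string matching and changes nothing for PowerShell. Each stage in the tree runs one such sleep plus one timeout 20, so the stall per stage is well under the 175s kernel budget shown at the top of the report, which is why the sandbox still reached the injection.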
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize: 1KB
MD5: 4280e36a29fa31c01e4d8b2ba726a0d8
SHA1: c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256: e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512: 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: 53473ab893aa74c050da4b15a702cea9
SHA1: 85c34c1138235afa21eae7c142640358ee110a5d
SHA256: 0ab2a2ba17aad5490bd5c0e2febf6087af97eff3cf347b615b1542a70909b852
SHA512: 3ffad5f15b37bcddd4018adfc0633e7e1573b5de829e217550d805870afdbe13194e1f0ef3026d1d26a50fc2a231966ed5eff465df4f9ea8e8490dc478df7e6d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize: 53KB
MD5: 06ad34f9739c5159b4d92d702545bd49
SHA1: 9152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256: 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512: c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 16KB
MD5: 4d7e664264f70cb2078b388e3bf7138f
SHA1: a3f9e3f80672aaa5ba7697c122558ad76ee96451
SHA256: 85897a60ead78971322f8af6770d4fa737a050e88ee8b887e901dcaa33dbe024
SHA512: 8c11d1d55a56f0bb48913570be4cfdfdc143764c41abec34058c1a325a9be5aa5022d95e7f27c1579637ffd7e351d88d68e8af0ede6a3a4a71438e600a44f600
-
C:\Users\Admin\AppData\Local\Temp\install.bat
Filesize: 99B
MD5: 76c1687d97dfdbcea62ef1490bec5001
SHA1: 5f4d1aeafa7d840cde67b76f97416dd68efd1bed
SHA256: 79f04ea049979ffd2232c459fdd57fae97a5255aea9b4a2c7dce7ead856f37a4
SHA512: da250f0628632a644f159d818a82a8b9cca8224e46843bddbe0f6f9c32a2d04f7736a620af49ab6d77616317ca7d68285e60043965fe86c03d940835bd30a925
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\hussan\hussan.exe (same digests as the submitted sample)
Filesize: 1.4MB
MD5: abb0da45041a587897972066124a73fe
SHA1: 5a82eb5e9ef349e798fc930f077e15e5e692fe5c
SHA256: 2238e83f8febb5591c0c5416f5e81d17a4d6a061a05230c4765b9af3faa26845
SHA512: 10c81fcbd10a23a26ac80c31098d736ada5f015df5da146c4f32939c13f396085b22c74b24da69dd5b91836a4ab5744dfc5310aa284358b7a689ad73cc6a5e25
-
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe (listed three times in the report with identical digests; same digests as the submitted sample)
Filesize: 1.4MB
MD5: abb0da45041a587897972066124a73fe
SHA1: 5a82eb5e9ef349e798fc930f077e15e5e692fe5c
SHA256: 2238e83f8febb5591c0c5416f5e81d17a4d6a061a05230c4765b9af3faa26845
SHA512: 10c81fcbd10a23a26ac80c31098d736ada5f015df5da146c4f32939c13f396085b22c74b24da69dd5b91836a4ab5744dfc5310aa284358b7a689ad73cc6a5e25
-
-
\??\pipe\LOCAL\crashpad_852_KEIKQNLYQVLRSIEV (digests of zero-length input: the Edge crashpad named pipe was recorded with no content)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Memory dumps (memory/<pid>-<index>-<range>). PID 4232, the first stage, carries a 1.4MB region matching the sample size; PIDs 3960 and 2520, the SetThreadContext targets of 4232 and 1828, each carry a 92KB region at 0x400000-0x417000, the image written into the hollowed copies (see the SetThreadContext and WriteProcessMemory signatures). The remaining 4304 regions belong to the first powershell.exe.
memory/440-158-0x0000000000000000-mapping.dmp
memory/852-167-0x0000000000000000-mapping.dmp
memory/1264-150-0x0000000000000000-mapping.dmp
memory/1496-190-0x0000000000000000-mapping.dmp
memory/1648-178-0x0000000000000000-mapping.dmp
memory/1828-151-0x0000000000000000-mapping.dmp
memory/1872-184-0x0000000000000000-mapping.dmp
memory/2008-154-0x0000000000000000-mapping.dmp
memory/2088-192-0x0000000000000000-mapping.dmp
memory/2248-140-0x0000000000000000-mapping.dmp
memory/2520-166-0x0000000000400000-0x0000000000417000-memory.dmp  Filesize: 92KB
memory/2520-161-0x0000000000000000-mapping.dmp
memory/2520-165-0x0000000000400000-0x0000000000417000-memory.dmp  Filesize: 92KB
memory/2668-191-0x0000000000000000-mapping.dmp
memory/3012-170-0x0000000000000000-mapping.dmp
memory/3436-194-0x0000000000000000-mapping.dmp
memory/3448-188-0x0000000000000000-mapping.dmp
memory/3724-189-0x0000000000000000-mapping.dmp
memory/3740-159-0x0000000000000000-mapping.dmp
memory/3960-144-0x0000000000400000-0x0000000000417000-memory.dmp  Filesize: 92KB
memory/3960-148-0x0000000000400000-0x0000000000417000-memory.dmp  Filesize: 92KB
memory/3960-143-0x0000000000000000-mapping.dmp
memory/3960-146-0x0000000000400000-0x0000000000417000-memory.dmp  Filesize: 92KB
memory/4144-176-0x0000000000000000-mapping.dmp
memory/4152-182-0x0000000000000000-mapping.dmp
memory/4160-168-0x0000000000000000-mapping.dmp
memory/4164-141-0x0000000000000000-mapping.dmp
memory/4172-174-0x0000000000000000-mapping.dmp
memory/4232-130-0x00000000003D0000-0x000000000053E000-memory.dmp  Filesize: 1.4MB
memory/4304-139-0x00000000065B0000-0x00000000065CA000-memory.dmp  Filesize: 104KB
memory/4304-132-0x0000000002AE0000-0x0000000002B16000-memory.dmp  Filesize: 216KB
memory/4304-131-0x0000000000000000-mapping.dmp
memory/4304-134-0x0000000005830000-0x0000000005852000-memory.dmp  Filesize: 136KB
memory/4304-138-0x00000000076F0000-0x0000000007D6A000-memory.dmp  Filesize: 6.5MB
memory/4304-133-0x00000000051A0000-0x00000000057C8000-memory.dmp  Filesize: 6.2MB
memory/4304-137-0x00000000060B0000-0x00000000060CE000-memory.dmp  Filesize: 120KB
memory/4304-136-0x0000000005A70000-0x0000000005AD6000-memory.dmp  Filesize: 408KB
memory/4304-135-0x00000000058D0000-0x0000000005936000-memory.dmp  Filesize: 408KB
memory/4368-147-0x0000000000000000-mapping.dmp
memory/4548-180-0x0000000000000000-mapping.dmp
memory/4552-196-0x0000000000000000-mapping.dmp
memory/4596-186-0x0000000000000000-mapping.dmp
memory/4756-142-0x0000000000000000-mapping.dmp
memory/4876-171-0x0000000000000000-mapping.dmp
memory/5028-198-0x0000000000000000-mapping.dmp