remcos | 96d0368486de7d7dff9a894fde1ecc2138fe2cd4835b52d5e03a890d174f29fe

Analysis

max time kernel
136s
max time network
144s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01/03/2023, 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50d0216c89d4f5cbb6168d770be9c72e.exe
Size

890KB
MD5

50d0216c89d4f5cbb6168d770be9c72e
SHA1

f31499ea411422128840bf4ab2974cb4ceb19627
SHA256

96d0368486de7d7dff9a894fde1ecc2138fe2cd4835b52d5e03a890d174f29fe
SHA512

2e0669b7f37bfc672ec021cbe89239c231f0404c18fd722e87f6f3fa1ad6e1489a389aa0e5620bd79efcc0573eab99630a6c1ac6de7aecea6739d8a9f2f37c00
SSDEEP

12288:qUd7JFXADz1KG1voFO6FJMUicg0lx+IrY0G1ycLT8AK0m2kffIp86YJbItbmJ:X1q1QFVFnB//GA4T8AFm2kfAc

Score

10^/10

remcos happy new month evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Happy New Month

arttronova124.duckdns.org:3030

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
Windows Audio Service.exe
copy_folder
Microsoft Media Corp
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Windows Display
keylog_path
%WinDir%
mouse_option
false
mutex
Windows Audio
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
Microsoft Sound EndPoints
take_screenshot_option
true
take_screenshot_time
5
take_screenshot_title
Username;password;proforma;invoice;notepad

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 5 IoCs

pid	Process
1948	Windows Audio Service.exe
1648	Windows Audio Service.exe
1516	Windows Audio Service.exe
1656	Windows Audio Service.exe
1128	Windows Audio Service.exe

Loads dropped DLL 2 IoCs

pid	Process
984	cmd.exe
984	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\	50d0216c89d4f5cbb6168d770be9c72e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Sound EndPoints = "\"C:\\Windows\\Microsoft Media Corp\\Windows Audio Service.exe\""	50d0216c89d4f5cbb6168d770be9c72e.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Windows Audio Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Sound EndPoints = "\"C:\\Windows\\Microsoft Media Corp\\Windows Audio Service.exe\""	Windows Audio Service.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1980 set thread context of 268	1980	50d0216c89d4f5cbb6168d770be9c72e.exe	27
PID 1948 set thread context of 1128	1948	Windows Audio Service.exe	38
PID 1128 set thread context of 1088	1128	Windows Audio Service.exe	42

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft Media Corp\Windows Audio Service.exe	50d0216c89d4f5cbb6168d770be9c72e.exe
File opened for modification	C:\Windows\Microsoft Media Corp\Windows Audio Service.exe	50d0216c89d4f5cbb6168d770be9c72e.exe
File opened for modification	C:\Windows\Microsoft Media Corp	50d0216c89d4f5cbb6168d770be9c72e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{376CE831-B864-11ED-981D-FAEC88B9DA95} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e8f12fa8cd8fd499ff2c01df6bc8a3c00000000020000000000106600000001000020000000d3facd3fd558eae747b7c52feb1936da72d692d770760386c6631e307ad2d0d7000000000e8000000002000020000000140a5ebaf6d442b5980e8b8ae77f84c669ce936145ea6d46094c37061dca7a84200000009afc7e60fdb68fa46fe072700b21542ea5df698497998bf3af9c1907253c7ab540000000bd3797a4c0f92dab11bca591397a5acad3ab5025aaf32ff20c1367b4ee04f3ddbec1fc92c6dc56a6b890c50cd88009c6d8a008933d67e90c6f3182a3063fcf90	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7062d410714cd901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e8f12fa8cd8fd499ff2c01df6bc8a3c00000000020000000000106600000001000020000000eafeb6d16b6c626ad1c31531bf423bbc1a85afa7532289158a8a663097c18a54000000000e800000000200002000000011a7475b96bc4ad78349251011d3a2f26fdb493cbfa9b817b324485d592b3b24900000005f65a8adc36183d9034b0de19b8304024f7663f403fb97b545217bd92c7a74f6a580869014c8113a52a03d79ceaa24cb833ea035e651e9f33499b1705c37a62d33ed4058c0fe720fbabf7e6f2b30788ca1dac7749ee61e910ca8b0ae71bd42ad529da61432033a9fd8a7dae95cf489d6b96e99893f8ae10ede3a33502e92f7d2e670acbed401dd615ecd3a12302b63af400000003a9b512bf96595b7e945b113d92709f4e5f5c0ddd7cb1072dbc65ae13f78ec0cba2b7d06a9d8c8f1324eb587b1efb3cc4625d8e6894c95e1baf05ddc165b8a25	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2016	reg.exe
1780	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
752	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1948	Windows Audio Service.exe
1948	Windows Audio Service.exe
1948	Windows Audio Service.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1948	Windows Audio Service.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1680	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1680	iexplore.exe
1680	iexplore.exe
1428	IEXPLORE.EXE
1428	IEXPLORE.EXE
1428	IEXPLORE.EXE
1428	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 268	1980	50d0216c89d4f5cbb6168d770be9c72e.exe	27
PID 1980 wrote to memory of 268	1980	50d0216c89d4f5cbb6168d770be9c72e.exe	27
PID 1980 wrote to memory of 268	1980	50d0216c89d4f5cbb6168d770be9c72e.exe	27
PID 1980 wrote to memory of 268	1980	50d0216c89d4f5cbb6168d770be9c72e.exe	27
PID 1980 wrote to memory of 268	1980	50d0216c89d4f5cbb6168d770be9c72e.exe	27
PID 1980 wrote to memory of 268	1980	50d0216c89d4f5cbb6168d770be9c72e.exe	27
PID 1980 wrote to memory of 268	1980	50d0216c89d4f5cbb6168d770be9c72e.exe	27
PID 1980 wrote to memory of 268	1980	50d0216c89d4f5cbb6168d770be9c72e.exe	27
PID 1980 wrote to memory of 268	1980	50d0216c89d4f5cbb6168d770be9c72e.exe	27
PID 1980 wrote to memory of 268	1980	50d0216c89d4f5cbb6168d770be9c72e.exe	27
PID 268 wrote to memory of 1100	268	50d0216c89d4f5cbb6168d770be9c72e.exe	28
PID 268 wrote to memory of 1100	268	50d0216c89d4f5cbb6168d770be9c72e.exe	28
PID 268 wrote to memory of 1100	268	50d0216c89d4f5cbb6168d770be9c72e.exe	28
PID 268 wrote to memory of 1100	268	50d0216c89d4f5cbb6168d770be9c72e.exe	28
PID 1100 wrote to memory of 2016	1100	cmd.exe	30
PID 1100 wrote to memory of 2016	1100	cmd.exe	30
PID 1100 wrote to memory of 2016	1100	cmd.exe	30
PID 1100 wrote to memory of 2016	1100	cmd.exe	30
PID 268 wrote to memory of 984	268	50d0216c89d4f5cbb6168d770be9c72e.exe	31
PID 268 wrote to memory of 984	268	50d0216c89d4f5cbb6168d770be9c72e.exe	31
PID 268 wrote to memory of 984	268	50d0216c89d4f5cbb6168d770be9c72e.exe	31
PID 268 wrote to memory of 984	268	50d0216c89d4f5cbb6168d770be9c72e.exe	31
PID 268 wrote to memory of 984	268	50d0216c89d4f5cbb6168d770be9c72e.exe	31
PID 268 wrote to memory of 984	268	50d0216c89d4f5cbb6168d770be9c72e.exe	31
PID 268 wrote to memory of 984	268	50d0216c89d4f5cbb6168d770be9c72e.exe	31
PID 984 wrote to memory of 752	984	cmd.exe	33
PID 984 wrote to memory of 752	984	cmd.exe	33
PID 984 wrote to memory of 752	984	cmd.exe	33
PID 984 wrote to memory of 752	984	cmd.exe	33
PID 984 wrote to memory of 1948	984	cmd.exe	34
PID 984 wrote to memory of 1948	984	cmd.exe	34
PID 984 wrote to memory of 1948	984	cmd.exe	34
PID 984 wrote to memory of 1948	984	cmd.exe	34
PID 1948 wrote to memory of 1648	1948	Windows Audio Service.exe	35
PID 1948 wrote to memory of 1648	1948	Windows Audio Service.exe	35
PID 1948 wrote to memory of 1648	1948	Windows Audio Service.exe	35
PID 1948 wrote to memory of 1648	1948	Windows Audio Service.exe	35
PID 1948 wrote to memory of 1516	1948	Windows Audio Service.exe	36
PID 1948 wrote to memory of 1516	1948	Windows Audio Service.exe	36
PID 1948 wrote to memory of 1516	1948	Windows Audio Service.exe	36
PID 1948 wrote to memory of 1516	1948	Windows Audio Service.exe	36
PID 1948 wrote to memory of 1656	1948	Windows Audio Service.exe	37
PID 1948 wrote to memory of 1656	1948	Windows Audio Service.exe	37
PID 1948 wrote to memory of 1656	1948	Windows Audio Service.exe	37
PID 1948 wrote to memory of 1656	1948	Windows Audio Service.exe	37
PID 1948 wrote to memory of 1128	1948	Windows Audio Service.exe	38
PID 1948 wrote to memory of 1128	1948	Windows Audio Service.exe	38
PID 1948 wrote to memory of 1128	1948	Windows Audio Service.exe	38
PID 1948 wrote to memory of 1128	1948	Windows Audio Service.exe	38
PID 1948 wrote to memory of 1128	1948	Windows Audio Service.exe	38
PID 1948 wrote to memory of 1128	1948	Windows Audio Service.exe	38
PID 1948 wrote to memory of 1128	1948	Windows Audio Service.exe	38
PID 1948 wrote to memory of 1128	1948	Windows Audio Service.exe	38
PID 1948 wrote to memory of 1128	1948	Windows Audio Service.exe	38
PID 1948 wrote to memory of 1128	1948	Windows Audio Service.exe	38
PID 1128 wrote to memory of 1896	1128	Windows Audio Service.exe	39
PID 1128 wrote to memory of 1896	1128	Windows Audio Service.exe	39
PID 1128 wrote to memory of 1896	1128	Windows Audio Service.exe	39
PID 1128 wrote to memory of 1896	1128	Windows Audio Service.exe	39
PID 1896 wrote to memory of 1780	1896	cmd.exe	41
PID 1896 wrote to memory of 1780	1896	cmd.exe	41
PID 1896 wrote to memory of 1780	1896	cmd.exe	41
PID 1896 wrote to memory of 1780	1896	cmd.exe	41
PID 1128 wrote to memory of 1088	1128	Windows Audio Service.exe	42

C:\Users\Admin\AppData\Local\Temp\50d0216c89d4f5cbb6168d770be9c72e.exe
"C:\Users\Admin\AppData\Local\Temp\50d0216c89d4f5cbb6168d770be9c72e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\50d0216c89d4f5cbb6168d770be9c72e.exe
  "C:\Users\Admin\AppData\Local\Temp\50d0216c89d4f5cbb6168d770be9c72e.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1100
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:2016
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:984
  - - C:\Windows\SysWOW64\PING.EXE
      PING 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:752
  - - C:\Windows\Microsoft Media Corp\Windows Audio Service.exe
      "C:\Windows\Microsoft Media Corp\Windows Audio Service.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1948
    - - C:\Windows\Microsoft Media Corp\Windows Audio Service.exe
        
        "C:\Windows\Microsoft Media Corp\Windows Audio Service.exe"
        5⤵
        Executes dropped EXE
        
        PID:1648
    - - C:\Windows\Microsoft Media Corp\Windows Audio Service.exe
        
        "C:\Windows\Microsoft Media Corp\Windows Audio Service.exe"
        5⤵
        Executes dropped EXE
        
        PID:1516
    - - C:\Windows\Microsoft Media Corp\Windows Audio Service.exe
        
        "C:\Windows\Microsoft Media Corp\Windows Audio Service.exe"
        5⤵
        Executes dropped EXE
        
        PID:1656
    - - C:\Windows\Microsoft Media Corp\Windows Audio Service.exe
        
        "C:\Windows\Microsoft Media Corp\Windows Audio Service.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1128
      - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        7⤵
        UAC bypass
        Modifies registry key
        
        PID:1780
      - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1088
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1680
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1680 CREDAT:275457 /prefetch:2
        8⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b4941e9d81793214c60b45e959b6d25a

SHA1
95ceb0ead653e387784ae18a71bb3d7c5050d317

SHA256
1b2b0814046402df96ba8d2912af03e54eeba6837702fd70707f4c92346c5900

SHA512
dbb34b368d4b0fdeb1762c91d850e5a5b98908e96e367e9238aedc9326dd677f99ad99e4f066878a2a27f1516256024db183f644f6255bee4892eb3d2759d5e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df01f195d5ca05117624ad4bbf4eb6eb

SHA1
71b8439fd25dba000e1b4be072c89c7efa5b7f15

SHA256
dc8d0f8044873a32d4d65bfdf5b72d9dec8a8f577c1b3e35a9b11b68385d9813

SHA512
45973105eb659478da822f0b40ca0c091bdba5ec5d66be58a47aca3ce796bde8a6a5253501910eaa39f8e452851faf3be89a26729652aa701d9bc48366601aff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19224c3c8c15f4d4ee74fb40cbf8ea74

SHA1
ab9a5cf960f29504208d3fddec34de62e560f189

SHA256
85c24a268ef7dd99416a3522cb454a944bab898272fbcfa73a6be1f01e65f087

SHA512
d87f5c30d87087b4395f6ab29919620abc4a2eab9437e6f56c4000889edfad42e4b210a07f21895ac8d81f5ca92f7cb761d260012c81942f5b9f1ee7026a7b5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a631dd34e4213b1f3f0260793ffc5ec8

SHA1
8fe8756b5204ebddb71e9b9bcdcb034c55ab7213

SHA256
c7af48375dc4733bc6eb5abefeffa902d708426c78e346aba71911e5446d796c

SHA512
17fcef1d4e1a80eb2cca26266ee0180190a3d29ec757a072279f83ff66cf1a72ff5f2c8c18fb3b4891a5b1194ae7081056cb934460fcb2a3613d7e45530315e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3ab87b9cec876569db12297e388072a

SHA1
327a50b5d1812ae7d89d5403d7c386613bfd3021

SHA256
f3a2f86027a7adb7583062356473c862489105718c7f248e47a7aa44fa453ef0

SHA512
99aa9f6bc0a4a58dd4c48175f905e103119e945ad1931e3cdc866229d9da2772ec3f279a05b3c87b930143a05c67c230ea3a69d8092cd8e606185c18caaee5d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
299fd14431428f5ef1040a17d8b8b0e0

SHA1
d5597072cc8d55a88ee20e87ea6dcdd7af3ccd1f

SHA256
f45a1674773743d534414e7f47f1de065783da4476db12642207639b5d8bd8c2

SHA512
f6ce49bc223a61a6b534f44ea938759af7de88d89446499fda1cb09e523c0ffce52636fabffd6e8f46e942673fdcb92d5dfa21b209d24c1843240c093f228a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF0D6.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF158.tmp

Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
108B

MD5
5478adcfef5625fa418c0b5e82aeb720

SHA1
fed6821b291318efc380c19b983b31e287559981

SHA256
62628e6b2fe6ad893b3cd688da49c6eec67266c6a00508f4f9c189bef4e09f4a

SHA512
91eb838fca8304948382e84d8cb5c3187aab74ed416137ff183ac8797289e27d5ea609429437fb8e6839ddf23f6217a379a5991c6bc95a72c43720bc74e6fb0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
108B

MD5
5478adcfef5625fa418c0b5e82aeb720

SHA1
fed6821b291318efc380c19b983b31e287559981

SHA256
62628e6b2fe6ad893b3cd688da49c6eec67266c6a00508f4f9c189bef4e09f4a

SHA512
91eb838fca8304948382e84d8cb5c3187aab74ed416137ff183ac8797289e27d5ea609429437fb8e6839ddf23f6217a379a5991c6bc95a72c43720bc74e6fb0c

Download Submit
C:\Windows\Microsoft Media Corp\Windows Audio Service.exe

Filesize
890KB

MD5
50d0216c89d4f5cbb6168d770be9c72e

SHA1
f31499ea411422128840bf4ab2974cb4ceb19627

SHA256
96d0368486de7d7dff9a894fde1ecc2138fe2cd4835b52d5e03a890d174f29fe

SHA512
2e0669b7f37bfc672ec021cbe89239c231f0404c18fd722e87f6f3fa1ad6e1489a389aa0e5620bd79efcc0573eab99630a6c1ac6de7aecea6739d8a9f2f37c00

Download Submit
C:\Windows\Microsoft Media Corp\Windows Audio Service.exe

Filesize
890KB

MD5
50d0216c89d4f5cbb6168d770be9c72e

SHA1
f31499ea411422128840bf4ab2974cb4ceb19627

SHA256
96d0368486de7d7dff9a894fde1ecc2138fe2cd4835b52d5e03a890d174f29fe

SHA512
2e0669b7f37bfc672ec021cbe89239c231f0404c18fd722e87f6f3fa1ad6e1489a389aa0e5620bd79efcc0573eab99630a6c1ac6de7aecea6739d8a9f2f37c00

Download Submit
C:\Windows\Microsoft Media Corp\Windows Audio Service.exe

Filesize
890KB

MD5
50d0216c89d4f5cbb6168d770be9c72e

SHA1
f31499ea411422128840bf4ab2974cb4ceb19627

SHA256
96d0368486de7d7dff9a894fde1ecc2138fe2cd4835b52d5e03a890d174f29fe

SHA512
2e0669b7f37bfc672ec021cbe89239c231f0404c18fd722e87f6f3fa1ad6e1489a389aa0e5620bd79efcc0573eab99630a6c1ac6de7aecea6739d8a9f2f37c00

Download Submit
C:\Windows\Microsoft Media Corp\Windows Audio Service.exe

Filesize
890KB

MD5
50d0216c89d4f5cbb6168d770be9c72e

SHA1
f31499ea411422128840bf4ab2974cb4ceb19627

SHA256
96d0368486de7d7dff9a894fde1ecc2138fe2cd4835b52d5e03a890d174f29fe

SHA512
2e0669b7f37bfc672ec021cbe89239c231f0404c18fd722e87f6f3fa1ad6e1489a389aa0e5620bd79efcc0573eab99630a6c1ac6de7aecea6739d8a9f2f37c00

Download Submit
C:\Windows\Microsoft Media Corp\Windows Audio Service.exe

Filesize
890KB

MD5
50d0216c89d4f5cbb6168d770be9c72e

SHA1
f31499ea411422128840bf4ab2974cb4ceb19627

SHA256
96d0368486de7d7dff9a894fde1ecc2138fe2cd4835b52d5e03a890d174f29fe

SHA512
2e0669b7f37bfc672ec021cbe89239c231f0404c18fd722e87f6f3fa1ad6e1489a389aa0e5620bd79efcc0573eab99630a6c1ac6de7aecea6739d8a9f2f37c00

Download Submit
C:\Windows\Microsoft Media Corp\Windows Audio Service.exe

Filesize
890KB

MD5
50d0216c89d4f5cbb6168d770be9c72e

SHA1
f31499ea411422128840bf4ab2974cb4ceb19627

SHA256
96d0368486de7d7dff9a894fde1ecc2138fe2cd4835b52d5e03a890d174f29fe

SHA512
2e0669b7f37bfc672ec021cbe89239c231f0404c18fd722e87f6f3fa1ad6e1489a389aa0e5620bd79efcc0573eab99630a6c1ac6de7aecea6739d8a9f2f37c00

Download Submit
\Windows\Microsoft Media Corp\Windows Audio Service.exe

Filesize
890KB

MD5
50d0216c89d4f5cbb6168d770be9c72e

SHA1
f31499ea411422128840bf4ab2974cb4ceb19627

SHA256
96d0368486de7d7dff9a894fde1ecc2138fe2cd4835b52d5e03a890d174f29fe

SHA512
2e0669b7f37bfc672ec021cbe89239c231f0404c18fd722e87f6f3fa1ad6e1489a389aa0e5620bd79efcc0573eab99630a6c1ac6de7aecea6739d8a9f2f37c00

Download Submit
\Windows\Microsoft Media Corp\Windows Audio Service.exe

Filesize
890KB

MD5
50d0216c89d4f5cbb6168d770be9c72e

SHA1
f31499ea411422128840bf4ab2974cb4ceb19627

SHA256
96d0368486de7d7dff9a894fde1ecc2138fe2cd4835b52d5e03a890d174f29fe

SHA512
2e0669b7f37bfc672ec021cbe89239c231f0404c18fd722e87f6f3fa1ad6e1489a389aa0e5620bd79efcc0573eab99630a6c1ac6de7aecea6739d8a9f2f37c00

Download Submit
memory/268-67-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/268-65-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/268-70-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/268-68-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/268-62-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/268-81-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/268-63-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/268-64-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/268-66-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1088-112-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1088-116-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1088-114-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1088-108-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1088-113-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1088-110-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1088-104-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1088-106-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1128-115-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1128-103-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1128-102-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1128-98-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1428-118-0x0000000001070000-0x0000000001072000-memory.dmp

Filesize
8KB

Download
memory/1680-117-0x00000000021F0000-0x0000000002200000-memory.dmp

Filesize
64KB

Download
memory/1948-88-0x00000000042F0000-0x0000000004330000-memory.dmp

Filesize
256KB

Download
memory/1948-89-0x00000000042F0000-0x0000000004330000-memory.dmp

Filesize
256KB

Download
memory/1948-87-0x0000000000070000-0x0000000000154000-memory.dmp

Filesize
912KB

Download
memory/1980-54-0x0000000000B00000-0x0000000000BE4000-memory.dmp

Filesize
912KB

Download
memory/1980-61-0x00000000009B0000-0x00000000009D0000-memory.dmp

Filesize
128KB

Download
memory/1980-60-0x00000000009A0000-0x00000000009A6000-memory.dmp

Filesize
24KB

Download
memory/1980-59-0x0000000005390000-0x0000000005426000-memory.dmp

Filesize
600KB

Download
memory/1980-58-0x0000000000340000-0x000000000034C000-memory.dmp

Filesize
48KB

Download
memory/1980-57-0x0000000004CF0000-0x0000000004D30000-memory.dmp

Filesize
256KB

Download
memory/1980-56-0x0000000000360000-0x000000000037A000-memory.dmp

Filesize
104KB

Download
memory/1980-55-0x0000000004CF0000-0x0000000004D30000-memory.dmp

Filesize
256KB

Download