lucastealer | 686055eb8d7ff01db297adb4dbf58c7ec6778206204f7940cf07cf9f47f1dbb8

Analysis

max time kernel
77s
max time network
80s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2023 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

My Logo.txt
Size

396B
MD5

3b314c9a5197892cce631c43979142db
SHA1

25a704a6a5e13dd08dab3b715314d0b3e176d770
SHA256

686055eb8d7ff01db297adb4dbf58c7ec6778206204f7940cf07cf9f47f1dbb8
SHA512

6e95b42a3e49727a92f9f1d7d2b248d1120457aec148b2dec2d1f3e9fb2f8f207815f7d7ae43866f789854a565f83d915a4f49e5a855c42bb20e86359770333f

Score

10^/10

lucastealer spyware stealer upx

Malware Config

Signatures

Luca Stealer
Info stealer written in Rust first seen in July 2022.
stealer lucastealer
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

Remcos Professional.exeRemcos Professional.exe

pid process

5192 Remcos Professional.exe
2860 Remcos Professional.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
5192	Remcos Professional.exe
2860	Remcos Professional.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Remcos Professional.exe.crdownload	upx
C:\Users\Admin\Desktop\Remcos Professional.exe	upx
C:\Users\Admin\Desktop\Remcos Professional.exe	upx
behavioral1/memory/5192-184-0x00007FF7814F0000-0x00007FF782E34000-memory.dmp	upx
behavioral1/memory/5192-206-0x00007FF7814F0000-0x00007FF782E34000-memory.dmp	upx
C:\Users\Admin\Desktop\Remcos Professional.exe	upx
behavioral1/memory/2860-208-0x00007FF7814F0000-0x00007FF782E34000-memory.dmp	upx
behavioral1/memory/5192-213-0x00007FF7814F0000-0x00007FF782E34000-memory.dmp	upx
behavioral1/memory/2860-244-0x00007FF7814F0000-0x00007FF782E34000-memory.dmp	upx
behavioral1/memory/2860-249-0x00007FF7814F0000-0x00007FF782E34000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

Remcos Professional.exeRemcos Professional.exe

description ioc process

File opened (read-only) \??\F: Remcos Professional.exe
File opened (read-only) \??\F: Remcos Professional.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

87 ip-api.com

description	ioc	process
File opened (read-only)	\??\F:	Remcos Professional.exe
File opened (read-only)	\??\F:	Remcos Professional.exe

flow	ioc
87	ip-api.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133470480733127946"	chrome.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

chrome.exeRemcos Professional.exeRemcos Professional.exe

pid	process
1516	chrome.exe
1516	chrome.exe
5192	Remcos Professional.exe
5192	Remcos Professional.exe
5192	Remcos Professional.exe
5192	Remcos Professional.exe
5192	Remcos Professional.exe
5192	Remcos Professional.exe
2860	Remcos Professional.exe
2860	Remcos Professional.exe
2860	Remcos Professional.exe
2860	Remcos Professional.exe
2860	Remcos Professional.exe
2860	Remcos Professional.exe
2860	Remcos Professional.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

1516 chrome.exe
1516 chrome.exe
1516 chrome.exe
1516 chrome.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

Processes:

chrome.exe

pid	process
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

chrome.exe

pid	process
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1516 wrote to memory of 220	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 220	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4192	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4192	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4192	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4192	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4192	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4192	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4192	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4192	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4192	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4192	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4192	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4192	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4192	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4192	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4192	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4192	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4192	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4192	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4192	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4192	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4192	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4192	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4192	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4192	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4192	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4192	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4192	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4192	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4192	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4192	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4192	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4192	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4192	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4192	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4192	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4192	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4192	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 4192	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 2504	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 2504	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 3168	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 3168	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 3168	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 3168	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 3168	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 3168	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 3168	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 3168	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 3168	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 3168	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 3168	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 3168	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 3168	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 3168	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 3168	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 3168	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 3168	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 3168	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 3168	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 3168	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 3168	1516	chrome.exe	chrome.exe
PID 1516 wrote to memory of 3168	1516	chrome.exe	chrome.exe

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\My Logo.txt"
1⤵
PID:4544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffe79cc9758,0x7ffe79cc9768,0x7ffe79cc9778
  2⤵
  PID:220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1772 --field-trial-handle=1912,i,17685934109407124201,15241544104949110492,131072 /prefetch:2
  2⤵
  PID:4192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=1912,i,17685934109407124201,15241544104949110492,131072 /prefetch:8
  2⤵
  PID:2504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2308 --field-trial-handle=1912,i,17685934109407124201,15241544104949110492,131072 /prefetch:8
  2⤵
  PID:3168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3236 --field-trial-handle=1912,i,17685934109407124201,15241544104949110492,131072 /prefetch:1
  2⤵
  PID:568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3228 --field-trial-handle=1912,i,17685934109407124201,15241544104949110492,131072 /prefetch:1
  2⤵
  PID:4228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4628 --field-trial-handle=1912,i,17685934109407124201,15241544104949110492,131072 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4744 --field-trial-handle=1912,i,17685934109407124201,15241544104949110492,131072 /prefetch:8
  2⤵
  PID:3216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4848 --field-trial-handle=1912,i,17685934109407124201,15241544104949110492,131072 /prefetch:8
  2⤵
  PID:2520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5016 --field-trial-handle=1912,i,17685934109407124201,15241544104949110492,131072 /prefetch:8
  2⤵
  PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5144 --field-trial-handle=1912,i,17685934109407124201,15241544104949110492,131072 /prefetch:8
  2⤵
  PID:1860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5504 --field-trial-handle=1912,i,17685934109407124201,15241544104949110492,131072 /prefetch:8
  2⤵
  PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5648 --field-trial-handle=1912,i,17685934109407124201,15241544104949110492,131072 /prefetch:8
  2⤵
  PID:2632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5780 --field-trial-handle=1912,i,17685934109407124201,15241544104949110492,131072 /prefetch:8
  2⤵
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5400 --field-trial-handle=1912,i,17685934109407124201,15241544104949110492,131072 /prefetch:8
  2⤵
  PID:928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3892 --field-trial-handle=1912,i,17685934109407124201,15241544104949110492,131072 /prefetch:1
  2⤵
  PID:1716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4760 --field-trial-handle=1912,i,17685934109407124201,15241544104949110492,131072 /prefetch:8
  2⤵
  PID:3924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4752 --field-trial-handle=1912,i,17685934109407124201,15241544104949110492,131072 /prefetch:8
  2⤵
  PID:3280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4624 --field-trial-handle=1912,i,17685934109407124201,15241544104949110492,131072 /prefetch:8
  2⤵
  PID:5164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 --field-trial-handle=1912,i,17685934109407124201,15241544104949110492,131072 /prefetch:8
  2⤵
  PID:5156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4664 --field-trial-handle=1912,i,17685934109407124201,15241544104949110492,131072 /prefetch:8
  2⤵
  PID:5368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4792 --field-trial-handle=1912,i,17685934109407124201,15241544104949110492,131072 /prefetch:8
  2⤵
  PID:5376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 --field-trial-handle=1912,i,17685934109407124201,15241544104949110492,131072 /prefetch:8
  2⤵
  PID:5480

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe79cc9758,0x7ffe79cc9768,0x7ffe79cc9778
  2⤵
  PID:4352

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5140

C:\Users\Admin\Desktop\Remcos Professional.exe
"C:\Users\Admin\Desktop\Remcos Professional.exe"
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:5192

C:\Users\Admin\Desktop\Remcos Professional.exe
"C:\Users\Admin\Desktop\Remcos Professional.exe"
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
e16572fcfba9a512cda54c2ea69b3fe5

SHA1
4af8572dde993bc4f2af992a2c14a805853d9f9a

SHA256
1d04e6f7c418c7f0b70902345561ffb53c625ee2fb93cb1c09ab5ae1b57c394d

SHA512
f547140f0cb0245d3cca44eb1c8661323b1a08311224775cf0dd4097a480ac7861cd0e18f11280719b3bb0b451e93c6c663e85d55dfa1776e5171bd4844c07f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
fe7fd487b692c12d33ab03384e41c1be

SHA1
2750776d7602500377e99a0ecd6f42c807ba1bf2

SHA256
93a0dc2d4a2a8d4a9250fe9d7e86e03edaf7df78a4ebc53d5f15f386a301484f

SHA512
67af4368cc35ca6557cfd8048f55a2e428b2e4b7ad5206b3813d5f898218d4261ec6e72e1ea8843a4c04d691c91fe3473786ff68ea5a78dd4fe635096c446eb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
95389b157c0e013c03116a9fe55e479d

SHA1
9c95563c66012e91e7721a72f01697e562263cec

SHA256
25cd93fa038f2601546f9a59b127ae4ea37b43d0718c2fba89b5ab311a85d56e

SHA512
e1f2d6f5b4e4aba77ce14f949b204f6a17b47af60577497c6f7a760a9bc8a7f9fdee9d4e273f3c646842b5e7b77038eab185402dba141942a11b712660a10838

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
7fbab9bbad296d4713e5a7e288bc28e9

SHA1
32bfd8abcf090cbff80c2bc015948ac8d02381d9

SHA256
b4c64c822b408d4079bc4e8f9a8f2c54e101d9a8a372eed0293d7139ad868913

SHA512
43088ac8af146045d359f951e3da38174e4458a801c502e5cdeb34f947400c7fe4f35aa57647458aca1e345be33d891c771624c140911f6796599ec406197f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
56a09769fdb73b28a6cd831c5d8611e6

SHA1
bc8b5c0eb012005a814921976ef022d8c935df0e

SHA256
31176fe92260c82584af00222d8bd0eed0d95589c3005e65bb30f36d109a2625

SHA512
0c1875a02a06e17f4d5b75e27d7e0ab6af986e0cfc2d1756a3d9148b6494be70b3f072a4c7bc74964e0c8dec6ed09452ba72b46ca70eb59cd0f87348fa40f55a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
225KB

MD5
f4b06eb1e4266e776f3b1319fc6da456

SHA1
97eb5a4ea0e536924036fb3c48d2249d31ceb6f0

SHA256
989728cab66edab4a5b0d66e4171828ec06175b4ec87b61722053bba907c3d82

SHA512
3c61057e7691adeaff4fe81b242a3b1b613e921b977565500dae4cde4c35a602c90a368aad103e1f8cfaab9b1217a290876a17dceda09fecbabebe4e2221d81c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
225KB

MD5
95474db22862d2ffbdd01e964c1ebce2

SHA1
cfec8d4892d1aa5f06ca553a0470529ed9f0dae6

SHA256
edbd19e0457231d81b64d3dbac41cf80e96b903b28fa8c0dda16ddc7d3be7dc0

SHA512
ec663ae6657d89ad8cce25071357bd97430a23ecf65ce8c19c99dc23266480f5b5f8bfbcfe0e7d1fe0345694a962d08a4f04d7869074f9648a50348d76f1979e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Google_cookies

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Google_login_data

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Google_webdata

Filesize
92KB

MD5
8be74deae72b95c1f150e6e1a36858a0

SHA1
dd485d3feb9821b85badec94a85f3b26e98b7b19

SHA256
f728bc2252e778b9d31f45b9ebec891a100407b72b31a61d6cf7c1dcc70dbe87

SHA512
4289c0c1ec9bde5b565cf44acf4d8a2181a6a35880da72d667f14fb036573c6de41a0c8f3692c069184165ff2939cf9bb9b67769a6f91f500e7604c3be32341b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_login_data

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\out.zip

Filesize
64KB

MD5
1523d0089e2d9ec2aae2e77178a2fc5c

SHA1
2a204b024f35480ac72f61c9df27f7e9b7b9b7de

SHA256
2fc2d177aadf176e4d5fa34d89d3092d6c7b6a723c9e0f87e2874c1526e3690a

SHA512
08d64308412b4b54efded52793fbb28beccee1100b84caa75d70c94c990605c9447a929225349eb9014491f99c34f5a48967323de8f31d4a909a1a2e9f1db36e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sensfiles.zip

Filesize
8.2MB

MD5
e462e4902e0f74dff42ec79c69960c9f

SHA1
1e470dd3cdb1f143ced0892ddefcb8a7c0b82fb2

SHA256
998cec1371b5aa4ce6d196ab135edca70d622a0b165e93012f71936d5002fcb8

SHA512
58bcf814368a5cbaca1d522f17c6375860c0e3e967af9fefc51c4084af92f031135a74001b6af834f1ed8f2e797a2549f5d952bc7942e527d9e41d0c4673a9d3

Download Submit
C:\Users\Admin\AppData\Local\logscx\info.txt

Filesize
333B

MD5
9c12d4148a1404d9b0e4083e4ba25384

SHA1
35fe68feeff6e49c6d4dfaa5b06aefc08169a3fd

SHA256
60c24998ad21a6bea9a6c2435b4ef7c5e7bf32d535b3b64ccf18ad692f188b9c

SHA512
439338a399c19ffc0cb24d1f0d972eafc4c4382a75516446c28178af9c7b2a244a4914ecc93b7903ea21e3acb4d919c22ef87fb20f25aae237cd147306d6d61d

Download Submit
C:\Users\Admin\AppData\Local\logscx\screen-1.png

Filesize
536KB

MD5
b2083760a1758b881f9f4f1358a8c039

SHA1
e8367e9c53c5ea71ae12a7043805c2a2c0e29d44

SHA256
45132192f681b968c2f792f1106fe9998c0d68940340ffd7bba7902572bc2f66

SHA512
21c2d6cd7d764a92f7022c7a191a953eb9aefd59ae99dc8265bee92106b70f1602d543c4e316d915df67fae6ed246768cdcc668b0d32e45917588691849dafa2

Download Submit
C:\Users\Admin\AppData\Local\logscx\sensfiles.zip

Filesize
1.2MB

MD5
7b51faf896904f0101d517de4dd26055

SHA1
8c71b411a8f3a28dc595ade6c1f768ad014a0254

SHA256
e99abb4ecb101d65197608086fdee9c1a3cfa003269303ea5e27ddc3eefde987

SHA512
ebc1a5f8751d2f29dd209c3e736050f8daecd4608aa5679549110ebc8423fdedacfa9c4ecc89743900144b5c1a793031443a76041f9f97a6010fea8dbf4304c8

Download Submit
C:\Users\Admin\AppData\Local\logscx\sensfiles.zip

Filesize
8.2MB

MD5
8c69f5644ab8466093c6545451985a28

SHA1
2e891fe22e6c8e195debdeeffe985952ece5da30

SHA256
df7f10484c45393a7681a4e0bf57297a3942a21c3a1447678915d9b3803c01c2

SHA512
5c98632fabf4caaae7488a8ab34815733e134920bf628369f47c4cc5ac0cbd9babd5f72064f8378a67e3958010cb254b4a41a458837b0a4e775c67f0f535538d

Download Submit
C:\Users\Admin\AppData\Local\logscx\system_info.txt

Filesize
2KB

MD5
1868126ce406b30625ae45c109d7dc85

SHA1
f34075668d656439f34a65494762b495e51f0f74

SHA256
b45708ea5f5b88b7c76cffc63d948422d16f3b0c46563e2a0c404cf13028088a

SHA512
7f8a177a9dd437e5668181a6c0c4b3479980dd8d34aab3d2aaabb1337342276cb7dea437aa3d3b23a7b8922b138dbb23e227f153bbd0525044aeaf2ce2d0fb39

Download Submit
C:\Users\Admin\Desktop\Remcos Professional.exe

Filesize
5.9MB

MD5
0a39399db2cef9af978793ba1d89475f

SHA1
bf635431e20eb951903d0d5332222d0b65151853

SHA256
8bf609f9ab1122d335ae99d41ca4be95b08811c47a9aa5f164ba1a46a40da811

SHA512
38c1a73e9de0c40e89cda65beeab7a51a6a878f018105262c4294cb2fa6ab9ba8824ddc37ff704673bacb4c74491fa77ac20951a65055a9c7a0a5627535867bd

Download Submit
C:\Users\Admin\Desktop\Remcos Professional.exe

Filesize
3.2MB

MD5
f838a949eb48a8ad60a400b0f1cbbe24

SHA1
0c514d4b56d07de801dd8d5a619b2fbae19dd3f9

SHA256
81898a45168be1ca01b9657c053c251175aa4aac6d2a8b6730b7fb3c0e4ecc8f

SHA512
9128c31fb165acc139a8a320ad0615682556c8376b50655f79e95ff2963cd494e134d85a75ede4926321fcc34da21c25269cf94849e3b2059f0c6625cb1d0cda

Download Submit
C:\Users\Admin\Desktop\Remcos Professional.exe

Filesize
1.1MB

MD5
42d82c17f60bcd3e8e0c11a3e9d96d9c

SHA1
65d57abd2191989f1ea9e09b20252137f57f3118

SHA256
1333a8a36623981f8c6cce1a3b7e03899b99c1748fe83390bdcc736b42e9b727

SHA512
fc63ef0f5caa83d760e847703509c5d7c4609c5282062fee0402e64b593e62957df6030f64afe290cb8f877d9c4e790916625256c8a3aa539fc476ec12948885

Download Submit
C:\Users\Admin\Downloads\Remcos Professional.exe.crdownload

Filesize
6.5MB

MD5
1ecae7b88236fff686604c40f2ec8ef0

SHA1
5338d387c764b7da0a097e4dd38c17c603e62b08

SHA256
95a3f82e8e77aeb491d7faaf17c4f206763ff7eb08b8696e28ad109b67b984cf

SHA512
6a396bf98181250a2a386c2ee4dbcd8a4be6e23de029d614296e6f33a66b6f6049b487ef07d70936812c31f6cce7bb1b709361b749e0b1ad3507382b26c00a5c

Download Submit
\??\pipe\crashpad_1516_RIEHZWEDARDSBKIX

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2860-208-0x00007FF7814F0000-0x00007FF782E34000-memory.dmp

Filesize
25.3MB

Download
memory/2860-244-0x00007FF7814F0000-0x00007FF782E34000-memory.dmp

Filesize
25.3MB

Download
memory/2860-249-0x00007FF7814F0000-0x00007FF782E34000-memory.dmp

Filesize
25.3MB

Download
memory/5192-213-0x00007FF7814F0000-0x00007FF782E34000-memory.dmp

Filesize
25.3MB

Download
memory/5192-206-0x00007FF7814F0000-0x00007FF782E34000-memory.dmp

Filesize
25.3MB

Download
memory/5192-184-0x00007FF7814F0000-0x00007FF782E34000-memory.dmp

Filesize
25.3MB

Download