remcos | hxxps://drive[.]usercontent[.]google[.]com/download?id=19WW8leOjeIKFcpXQy7agCGpdYE60SQhw&export=download

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.usercontent.google.com/download?id=19WW8leOjeIKFcpXQy7agCGpdYE60SQhw&export=download

Score

10^/10

remcos lindooooooo discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

LINDOOOOOOO

septiembre11.con-ip.com:7773

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-DCJTJ2
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
5408	TutelaRadicado50 001 40 88 002 2024 00002 00.exe
5548	TutelaRadicado50 001 40 88 002 2024 00002 00.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MuntraUpdater = "C:\\Users\\Admin\\Pictures\\MantraUpdater\\MuaOpener.exe"	TutelaRadicado50 001 40 88 002 2024 00002 00.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TutelaRadicado50 001 40 88 002 2024 00002 00.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TutelaRadicado50 001 40 88 002 2024 00002 00.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1508	msedge.exe
1508	msedge.exe
4224	msedge.exe
4224	msedge.exe
2924	identity_helper.exe
2924	identity_helper.exe
2324	msedge.exe
2324	msedge.exe
6000	msedge.exe
6000	msedge.exe
6000	msedge.exe
6000	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5548	TutelaRadicado50 001 40 88 002 2024 00002 00.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	3180	7zG.exe
Token: 35	3180	7zG.exe
Token: SeSecurityPrivilege	3180	7zG.exe
Token: SeSecurityPrivilege	3180	7zG.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
3180	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3584	OpenWith.exe
5548	TutelaRadicado50 001 40 88 002 2024 00002 00.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 2972	4224	msedge.exe	83
PID 4224 wrote to memory of 2972	4224	msedge.exe	83
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 3472	4224	msedge.exe	84
PID 4224 wrote to memory of 1508	4224	msedge.exe	85
PID 4224 wrote to memory of 1508	4224	msedge.exe	85
PID 4224 wrote to memory of 2844	4224	msedge.exe	86
PID 4224 wrote to memory of 2844	4224	msedge.exe	86
PID 4224 wrote to memory of 2844	4224	msedge.exe	86
PID 4224 wrote to memory of 2844	4224	msedge.exe	86
PID 4224 wrote to memory of 2844	4224	msedge.exe	86
PID 4224 wrote to memory of 2844	4224	msedge.exe	86
PID 4224 wrote to memory of 2844	4224	msedge.exe	86
PID 4224 wrote to memory of 2844	4224	msedge.exe	86
PID 4224 wrote to memory of 2844	4224	msedge.exe	86
PID 4224 wrote to memory of 2844	4224	msedge.exe	86
PID 4224 wrote to memory of 2844	4224	msedge.exe	86
PID 4224 wrote to memory of 2844	4224	msedge.exe	86
PID 4224 wrote to memory of 2844	4224	msedge.exe	86
PID 4224 wrote to memory of 2844	4224	msedge.exe	86
PID 4224 wrote to memory of 2844	4224	msedge.exe	86
PID 4224 wrote to memory of 2844	4224	msedge.exe	86
PID 4224 wrote to memory of 2844	4224	msedge.exe	86
PID 4224 wrote to memory of 2844	4224	msedge.exe	86
PID 4224 wrote to memory of 2844	4224	msedge.exe	86
PID 4224 wrote to memory of 2844	4224	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.usercontent.google.com/download?id=19WW8leOjeIKFcpXQy7agCGpdYE60SQhw&export=download
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xe4,0x100,0x104,0xd8,0x108,0x7ff8e84246f8,0x7ff8e8424708,0x7ff8e8424718
  2⤵
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,6660718952969590345,16570083788782708223,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,6660718952969590345,16570083788782708223,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,6660718952969590345,16570083788782708223,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
  2⤵
  PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6660718952969590345,16570083788782708223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6660718952969590345,16570083788782708223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6660718952969590345,16570083788782708223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:2768
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,6660718952969590345,16570083788782708223,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 /prefetch:8
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,6660718952969590345,16570083788782708223,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,6660718952969590345,16570083788782708223,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3384 /prefetch:8
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6660718952969590345,16570083788782708223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,6660718952969590345,16570083788782708223,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5616 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6660718952969590345,16570083788782708223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6660718952969590345,16570083788782708223,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
  2⤵
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6660718952969590345,16570083788782708223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,6660718952969590345,16570083788782708223,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
  2⤵
  PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,6660718952969590345,16570083788782708223,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3328 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4816

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:616

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2476

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3584

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap1336:156:7zEvent1525
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3180

C:\Users\Admin\Downloads\TutelaRadicado50 001 40 88 002 2024 00002 00.exe
"C:\Users\Admin\Downloads\TutelaRadicado50 001 40 88 002 2024 00002 00.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:5408
- C:\Users\Admin\Downloads\TutelaRadicado50 001 40 88 002 2024 00002 00.exe
  "C:\Users\Admin\Downloads\TutelaRadicado50 001 40 88 002 2024 00002 00.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:5548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
270B

MD5
59994b6ecf024f6a723371a7e9a8798f

SHA1
9e231ecab3ad36094de5db55eda3852f39ddb71b

SHA256
7f2dc5a631a0bee6acd92fee43e14eacaa2dc66c5688fb30a7cd1c59ed2fdb28

SHA512
9b96293f2c7b095d22224eabd1bcedc67d2e1cca21d6a4c82520fa2404a7aa57adbbe8f9e73bb2328816e2bd826c7d5aea9e7a245feb94d9c099bb90fd29fa78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
602B

MD5
9a09c7ebda8b8e529a05d077680820ca

SHA1
edba5988fc82dcaf3042523167106705b38c290a

SHA256
33348607c14d595c5a9784f9a2f9064966730efae14274a009b3ca8b76980a96

SHA512
e4a1d1342ba0b50f62781f59b69667028af18da9ff026821db0bfc97e8885747edd2d442fb36058f4f504f92c9752de93d9dbc7c9baba39c18bd9c7aaececefb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2099efed57afd102a65d957bae08b7e0

SHA1
56f2e8edd24dcc817e719670b1a8712ccd35996f

SHA256
cddacc1b24c6a733798aa86b049d4b8b4a77ca0b6bfa884caaf63e3a9c6268cf

SHA512
a6b4802eee72e99724da520a647e05c95b76caff06c0db294f3ed887c13706f75ef876a44199f4f0ea3ed065f221283b5795397e6b447b1128042e6cd0a09739

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d00a1e5f-11f6-477b-9ae0-aced2b140d13.tmp

Filesize
5KB

MD5
ee8fd597b51a8638572b52bc89e7494d

SHA1
09e5ebf551d9c7ae9134e91771fc88ccb83f12c1

SHA256
ceab8e9fef1f5851296e1fb25e7b7c598579a8f17bce1546981b36cb5395f7b2

SHA512
c90e63e1854208ec32be2997f2711581193ccb7c856648db5ea4e3c2caa3a5ae75fbc7d8646496924b290190646c899351ba8313cdfb72222f737c84a4da267c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d2f8e1b19596ad3e07481e12cbc67e92

SHA1
122d78d1dd96ba8fb81640c8fd6c375cfa5b53ff

SHA256
ff03df073a0f69d3a6c633032aba602c04bc68cd6d1c6ae5791136b8b593f363

SHA512
ee4905f14df2669850dc04e3f72f81169524a76c59f4fa9531227786affd160ed402cc2e2fbf900c3d4795132f99fd8b270e90315686b3adc197cc897628ba40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ebb125da8d9b63fd119d9ccc19c88dd6

SHA1
5950bfefdd67cef4e6214705c7b0a4d4d794c094

SHA256
444306cd3ab249c1a072352d9081aed005fb02c55f80aed9899f3125843260f0

SHA512
66ab3022d8e86c511a85ae09caffa26b799d19ddd44c80e4e1751a61e296f539286820081ce704b61c31351b2d0af294862c558a71c6eff24e31a11195d04f53

Download Submit
C:\Users\Admin\Downloads\TutelaRadicado50 001 40 88 002 2024 00002 00.exe

Filesize
2.1MB

MD5
02bb19c2207b20b5aad590dad6ffbfee

SHA1
b3961f8ee50e3b31c4a80dceec1c51c6ab07b525

SHA256
360eb2898c9ce5963cf3925f76506065bdef0a00a3651b635cb4b955b9fadb96

SHA512
ad2cb5b2ebfcc78b14f5e6e9b0ab997813136eb0cb1085d5058328479fa11c6a02cb3ad43fc4140a143c5d8c6e6e30c79cb5878b9831852bf5490d7470198fa9

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 410195.crdownload

Filesize
992KB

MD5
6c332dd3b726d9d3c407a44b565e39e2

SHA1
0e4100c8e331999183ecb6bb16fa885adbcd6dd7

SHA256
5bb9ab62b088130d18b8bdbe7efa8f2290b74e7f8db2e025bb0eabfbb9fcadfe

SHA512
80e7cf9c74c52afd2eb54c0da153b328bed27abd3c94eb8018d512016dfc16963acbaf169c8e066b6082dea52daaadd5b39bbf91905e27efb9cb60f2e708796c

Download Submit
memory/5408-106-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/5408-107-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/5408-105-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/5408-110-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/5408-109-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/5408-104-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/5548-115-0x0000000000620000-0x00000000006A2000-memory.dmp

Filesize
520KB

Download
memory/5548-119-0x0000000000620000-0x00000000006A2000-memory.dmp

Filesize
520KB

Download
memory/5548-108-0x0000000000620000-0x00000000006A2000-memory.dmp

Filesize
520KB

Download
memory/5548-112-0x0000000000620000-0x00000000006A2000-memory.dmp

Filesize
520KB

Download
memory/5548-118-0x0000000000620000-0x00000000006A2000-memory.dmp

Filesize
520KB

Download
memory/5548-154-0x0000000000620000-0x00000000006A2000-memory.dmp

Filesize
520KB

Download
memory/5548-155-0x0000000000620000-0x00000000006A2000-memory.dmp

Filesize
520KB

Download
memory/5548-114-0x0000000000620000-0x00000000006A2000-memory.dmp

Filesize
520KB

Download
memory/5548-160-0x0000000000620000-0x00000000006A2000-memory.dmp

Filesize
520KB

Download
memory/5548-161-0x0000000000620000-0x00000000006A2000-memory.dmp

Filesize
520KB

Download
memory/5548-169-0x0000000000620000-0x00000000006A2000-memory.dmp

Filesize
520KB

Download
memory/5548-170-0x0000000000620000-0x00000000006A2000-memory.dmp

Filesize
520KB

Download
memory/5548-177-0x0000000000620000-0x00000000006A2000-memory.dmp

Filesize
520KB

Download
memory/5548-187-0x0000000000620000-0x00000000006A2000-memory.dmp

Filesize
520KB

Download