remcos | hxxps://bazaar[.]abuse[.]ch/sample/ae72b0b7e4c361d0016ed97ac0664e0c8f3d31dd9627c993b635b5fac24d7255/

Analysis

max time kernel
418s
max time network
420s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
26-09-2024 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bazaar.abuse.ch/sample/ae72b0b7e4c361d0016ed97ac0664e0c8f3d31dd9627c993b635b5fac24d7255/

Score

10^/10

remcos remotehost collection discovery persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

104.250.180.178:7902

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
Adobe.exe
copy_folder
Adobe
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Adobe-OTOIRK
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/3120-309-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/492-306-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/4296-307-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/4296-307-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/492-306-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Executes dropped EXE 8 IoCs

pid	Process
3324	ae72b0b7e4c361d0016ed97ac0664e0c8f3d31dd9627c993b635b5fac24d7255.exe
4260	ae72b0b7e4c361d0016ed97ac0664e0c8f3d31dd9627c993b635b5fac24d7255.exe
728	Adobe.exe
4064	Adobe.exe
492	Adobe.exe
4296	Adobe.exe
3492	Adobe.exe
3120	Adobe.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Adobe.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK = "\"C:\\ProgramData\\Adobe\\Adobe.exe\""	Adobe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK = "\"C:\\ProgramData\\Adobe\\Adobe.exe\""	Adobe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK = "\"C:\\ProgramData\\Adobe\\Adobe.exe\""	ae72b0b7e4c361d0016ed97ac0664e0c8f3d31dd9627c993b635b5fac24d7255.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK = "\"C:\\ProgramData\\Adobe\\Adobe.exe\""	ae72b0b7e4c361d0016ed97ac0664e0c8f3d31dd9627c993b635b5fac24d7255.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 3324 set thread context of 4260	3324	ae72b0b7e4c361d0016ed97ac0664e0c8f3d31dd9627c993b635b5fac24d7255.exe	97
PID 728 set thread context of 4064	728	Adobe.exe	99
PID 4064 set thread context of 492	4064	Adobe.exe	100
PID 4064 set thread context of 4296	4064	Adobe.exe	101
PID 4064 set thread context of 3120	4064	Adobe.exe	103

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae72b0b7e4c361d0016ed97ac0664e0c8f3d31dd9627c993b635b5fac24d7255.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae72b0b7e4c361d0016ed97ac0664e0c8f3d31dd9627c993b635b5fac24d7255.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobe.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133718487089676463"	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\ae72b0b7e4c361d0016ed97ac0664e0c8f3d31dd9627c993b635b5fac24d7255.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2156	chrome.exe
2156	chrome.exe
492	Adobe.exe
492	Adobe.exe
3120	Adobe.exe
3120	Adobe.exe
492	Adobe.exe
492	Adobe.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
4064	Adobe.exe
4064	Adobe.exe
4064	Adobe.exe
4064	Adobe.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeRestorePrivilege	4760	7zG.exe
Token: 35	4760	7zG.exe
Token: SeSecurityPrivilege	4760	7zG.exe
Token: SeSecurityPrivilege	4760	7zG.exe
Token: SeDebugPrivilege	3120	Adobe.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
4760	7zG.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 4784	2156	chrome.exe	79
PID 2156 wrote to memory of 4784	2156	chrome.exe	79
PID 2156 wrote to memory of 2340	2156	chrome.exe	80
PID 2156 wrote to memory of 2340	2156	chrome.exe	80
PID 2156 wrote to memory of 2340	2156	chrome.exe	80
PID 2156 wrote to memory of 2340	2156	chrome.exe	80
PID 2156 wrote to memory of 2340	2156	chrome.exe	80
PID 2156 wrote to memory of 2340	2156	chrome.exe	80
PID 2156 wrote to memory of 2340	2156	chrome.exe	80
PID 2156 wrote to memory of 2340	2156	chrome.exe	80
PID 2156 wrote to memory of 2340	2156	chrome.exe	80
PID 2156 wrote to memory of 2340	2156	chrome.exe	80
PID 2156 wrote to memory of 2340	2156	chrome.exe	80
PID 2156 wrote to memory of 2340	2156	chrome.exe	80
PID 2156 wrote to memory of 2340	2156	chrome.exe	80
PID 2156 wrote to memory of 2340	2156	chrome.exe	80
PID 2156 wrote to memory of 2340	2156	chrome.exe	80
PID 2156 wrote to memory of 2340	2156	chrome.exe	80
PID 2156 wrote to memory of 2340	2156	chrome.exe	80
PID 2156 wrote to memory of 2340	2156	chrome.exe	80
PID 2156 wrote to memory of 2340	2156	chrome.exe	80
PID 2156 wrote to memory of 2340	2156	chrome.exe	80
PID 2156 wrote to memory of 2340	2156	chrome.exe	80
PID 2156 wrote to memory of 2340	2156	chrome.exe	80
PID 2156 wrote to memory of 2340	2156	chrome.exe	80
PID 2156 wrote to memory of 2340	2156	chrome.exe	80
PID 2156 wrote to memory of 2340	2156	chrome.exe	80
PID 2156 wrote to memory of 2340	2156	chrome.exe	80
PID 2156 wrote to memory of 2340	2156	chrome.exe	80
PID 2156 wrote to memory of 2340	2156	chrome.exe	80
PID 2156 wrote to memory of 2340	2156	chrome.exe	80
PID 2156 wrote to memory of 2340	2156	chrome.exe	80
PID 2156 wrote to memory of 2052	2156	chrome.exe	81
PID 2156 wrote to memory of 2052	2156	chrome.exe	81
PID 2156 wrote to memory of 4812	2156	chrome.exe	82
PID 2156 wrote to memory of 4812	2156	chrome.exe	82
PID 2156 wrote to memory of 4812	2156	chrome.exe	82
PID 2156 wrote to memory of 4812	2156	chrome.exe	82
PID 2156 wrote to memory of 4812	2156	chrome.exe	82
PID 2156 wrote to memory of 4812	2156	chrome.exe	82
PID 2156 wrote to memory of 4812	2156	chrome.exe	82
PID 2156 wrote to memory of 4812	2156	chrome.exe	82
PID 2156 wrote to memory of 4812	2156	chrome.exe	82
PID 2156 wrote to memory of 4812	2156	chrome.exe	82
PID 2156 wrote to memory of 4812	2156	chrome.exe	82
PID 2156 wrote to memory of 4812	2156	chrome.exe	82
PID 2156 wrote to memory of 4812	2156	chrome.exe	82
PID 2156 wrote to memory of 4812	2156	chrome.exe	82
PID 2156 wrote to memory of 4812	2156	chrome.exe	82
PID 2156 wrote to memory of 4812	2156	chrome.exe	82
PID 2156 wrote to memory of 4812	2156	chrome.exe	82
PID 2156 wrote to memory of 4812	2156	chrome.exe	82
PID 2156 wrote to memory of 4812	2156	chrome.exe	82
PID 2156 wrote to memory of 4812	2156	chrome.exe	82
PID 2156 wrote to memory of 4812	2156	chrome.exe	82
PID 2156 wrote to memory of 4812	2156	chrome.exe	82
PID 2156 wrote to memory of 4812	2156	chrome.exe	82
PID 2156 wrote to memory of 4812	2156	chrome.exe	82
PID 2156 wrote to memory of 4812	2156	chrome.exe	82
PID 2156 wrote to memory of 4812	2156	chrome.exe	82
PID 2156 wrote to memory of 4812	2156	chrome.exe	82
PID 2156 wrote to memory of 4812	2156	chrome.exe	82
PID 2156 wrote to memory of 4812	2156	chrome.exe	82
PID 2156 wrote to memory of 4812	2156	chrome.exe	82

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://bazaar.abuse.ch/sample/ae72b0b7e4c361d0016ed97ac0664e0c8f3d31dd9627c993b635b5fac24d7255/
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeb132cc40,0x7ffeb132cc4c,0x7ffeb132cc58
  2⤵
  PID:4784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1748,i,3695873325774966884,6268447711249401556,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1816 /prefetch:2
  2⤵
  PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2052,i,3695873325774966884,6268447711249401556,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2096 /prefetch:3
  2⤵
  PID:2052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2160,i,3695873325774966884,6268447711249401556,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2332 /prefetch:8
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,3695873325774966884,6268447711249401556,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3104,i,3695873325774966884,6268447711249401556,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4428,i,3695873325774966884,6268447711249401556,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4400 /prefetch:1
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4724,i,3695873325774966884,6268447711249401556,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3224,i,3695873325774966884,6268447711249401556,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  - NTFS ADS
  PID:876

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3108

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3132

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap25461:190:7zEvent23909
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4760

C:\Users\Admin\Downloads\ae72b0b7e4c361d0016ed97ac0664e0c8f3d31dd9627c993b635b5fac24d7255.exe
"C:\Users\Admin\Downloads\ae72b0b7e4c361d0016ed97ac0664e0c8f3d31dd9627c993b635b5fac24d7255.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3324
- C:\Users\Admin\Downloads\ae72b0b7e4c361d0016ed97ac0664e0c8f3d31dd9627c993b635b5fac24d7255.exe
  "C:\Users\Admin\Downloads\ae72b0b7e4c361d0016ed97ac0664e0c8f3d31dd9627c993b635b5fac24d7255.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4260
- - C:\ProgramData\Adobe\Adobe.exe
    "C:\ProgramData\Adobe\Adobe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:728
  - - C:\ProgramData\Adobe\Adobe.exe
      "C:\ProgramData\Adobe\Adobe.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      PID:4064
    - - C:\ProgramData\Adobe\Adobe.exe
        
        C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\Admin\AppData\Local\Temp\ssvlrusdjmrjnhvjjejogpq"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:492
    - - C:\ProgramData\Adobe\Adobe.exe
        
        C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\Admin\AppData\Local\Temp\umbesmdxxujoxnknapepjclfvgu"
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:4296
    - - C:\ProgramData\Adobe\Adobe.exe
        
        C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\Admin\AppData\Local\Temp\eggotfozlcbazcgzjzqjuhfweuefvc"
        5⤵
        Executes dropped EXE
        
        PID:3492
    - - C:\ProgramData\Adobe\Adobe.exe
        
        C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\Admin\AppData\Local\Temp\eggotfozlcbazcgzjzqjuhfweuefvc"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\449eba96-7391-4c09-83f9-0710e5445b4e.tmp

Filesize
9KB

MD5
76963f0b1bba64d33734794dd89e81e7

SHA1
bdc9b29ff08569dc4ac0b52f31cbd7e59d37b7bc

SHA256
8c2849b8a1907c8f2950afc65bfa3401fc905db7507a1c01dda23aa581722393

SHA512
7d5f66ecf6df17f8268933379269b0161294969d3353b942cdfd5c1e6f52fc9080418b421a9ae2ecea95aa6864286a1d9e1c1a34a50ffcd325e602253615196c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
3108e9fa482df219449f0d1e3ec77b35

SHA1
b1c70fe85021ae6e68a4a514f521f51fc6887778

SHA256
6ed87be2af13979ddc4ba334db4700a3b82c923842a7984c4f1a818c05bf5051

SHA512
f5a3e88e80a759d9c6c559f6670e1722800733edd81ab2c27c735d2d54009799dfc2787a204c3cd020e38b0bd058b445983d0650ba21f01dbb24a67d735708f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
213KB

MD5
f942900ff0a10f251d338c612c456948

SHA1
4a283d3c8f3dc491e43c430d97c3489ee7a3d320

SHA256
38b76a54655aff71271a9ad376ac17f20187abd581bf5aced69ccde0fe6e2fd6

SHA512
9b393ce73598ed1997d28ceeddb23491a4d986c337984878ebb0ae06019e30ea77448d375d3d6563c774856d6bc98ee3ca0e0ba88ea5769a451a5e814f6ddb41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
3d97b72aa811ea39148ee9c902ccf506

SHA1
dc587a69fa791ebd4b5081767dd29f5a9506d5e8

SHA256
62686bb3b450838c2e31d3c139afec83a0b9b08c15e7d1b2373805b814dd9dd4

SHA512
306bdd08c9dd4e5cba8454e979ebd508a67f443f4e16c78a1fcc6d095ba825a783b8f9a6a4ccafb62f96848785d6d7d372b987a6f76184317e83fac49a59da2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
c743d366e392a26ecff0f1fe0fcfd6ac

SHA1
441f0ebb842eea5f0d9629c752e2c0447a53519c

SHA256
3ab61867693542d2eed960029742a191958426e05578c2288179b36a9ebe3da1

SHA512
a43b060a7e422eda8324dd03297f2071b667e6f7a799d03d6c4e8bcab5a571b4cbea6ef7c72eff1632c52d83649ac0925e648de6483946b52ad22c80c2fce224

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
20028a87e289f5b4d8b945403fe5f890

SHA1
5ab7979d812cab02f943afb886d18fb2cfc7f8bd

SHA256
4e59711d5f45be2390989fb126bcc8673b27b2e03fc542adab95812d64a80f2e

SHA512
a6cdece06e5ec7e3e5ea9eaa3802938695cc4714b0c0ebea4349817ef44eea0d0d3b4b4a20eaf3601945dce4ac05c63a51cb4914ad2b787b842ac7b2358935eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
7909a471522d510df79e5e8573b0614f

SHA1
4c9df760062394a82abbfbb46a81830264be3794

SHA256
5e324fb64c8af3df781c163834af472fc06ce84e9240fc902a31e433bcf60c68

SHA512
e9b5b97fb824d3463f0d9d6e7e40a302b5923814af35c180b47af862b3732417ecd46b4c9d2bd6c5faab27033af8ce2b2cf6bd674a553a99e52be29b0581e919

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
48ae98c2f7980842a95bbf20614932a5

SHA1
bd66c25c9a686c47c0de7f318e45923b3d64832d

SHA256
2a70e9630272c19dd381924c164f0ff4304102487fa2ec0382a3c9588d2dc059

SHA512
bbc431673c6adac71403ed07eda2bfdde2b741fd3bc624ef0e10a82649c6e8f9091725e0e0b6bde7e971adcc93ef43c860955f427ffe884cd9e80e150959062f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dcdab6b8ee22e7106bd3b7039b60cd6b

SHA1
9f6e54d95c121f93cfacd41835bceab049aae168

SHA256
5139a097f7a099b2fc0c26ba39754d82e4b7e5c702af50bd956a5136305db162

SHA512
dd218942af6c251ffa85a5e539ff86a94747a600a312f7f365b81e80f4d105f51cc541f3f7557893adde212684bbd74aec0fdc1c4cac725fce27bc6ea0154ef9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0f0f7dff7480a58777e7bf7ee87f7787

SHA1
bec97ea03cb15f0185d287b59ec9762b5f9bc69d

SHA256
9e3311db101944169b284997005169d316b9a1a6a84fc6cd79b97e6327a51881

SHA512
f4f72797b83ae52817d5c95c07f85f9bf7cd4fd23457bee7a5f481923fbd838832f99143444d208e637939a257da2bfbf9caf7f4710b40083454ed2d4efdac9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
0256b1c12b4026fbe175ac07d794c9d8

SHA1
e94ecd0ed928472612b9905984fe40b3576cee66

SHA256
06ad8cc3fc1b32df7d9e4b26501b93d44aee49e0d2db3412438095d7ce5e9cf1

SHA512
dd5bc974d192695a74ee10777d6662ebcb04e6a9983f2d6f90df2b84b49cb354811435614d10037b5c7c355f8ed1ee218ffc8bc828d9172d656fc8f83ba4dc4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
1fe242c95e9f3a2cc3a4ec438e0d5115

SHA1
092a89a95852078d1f3e38dde273923e7cd586cd

SHA256
475b499996878ebc3766d29c11043514243261a5ab195105ed3f1851c00c4271

SHA512
23b3ae3f7640ea0a7db48e5b7cf7c39bebe6f94e5d38b82e8be26de7d72613ed7e7c0a3774c44e54b0c2093664b80f0451488c4337502e1221e15ea54267703c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
e2c87cdfd7a57d902f8a5b3b24dfdbe3

SHA1
c2a7ac76730077673fdb78b335b624b028dd5a2f

SHA256
cda5f71e0b8b67e10c8ed99b5d08c4b6646e64f301fd19dc88caf9a471c0b323

SHA512
7fc1636f34ee1af3cdd5da798c834880c8efa75f3e6247f7c5b4fb9e94d3a1ce06aed2592d4fada2d8bb20e7d717d892bfa05d1bc124cba9b07235f151e5f3d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssvlrusdjmrjnhvjjejogpq

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\ae72b0b7e4c361d0016ed97ac0664e0c8f3d31dd9627c993b635b5fac24d7255.exe

Filesize
885KB

MD5
44fa8131343f26aaf5303090d7bba260

SHA1
6ae8634d960f8e659ad166d4e1d95297ac114de3

SHA256
ae72b0b7e4c361d0016ed97ac0664e0c8f3d31dd9627c993b635b5fac24d7255

SHA512
90ba08e0cc3b8cc1f9dbe401e07110c667354a39dd52ffbaa7f2cbbea93bb99d783fb48bec60f759cafcc1e9d3b74d7d5db359c15dd48b4198608f6ee0e77a1d

Download Submit
C:\Users\Admin\Downloads\ae72b0b7e4c361d0016ed97ac0664e0c8f3d31dd9627c993b635b5fac24d7255.zip

Filesize
845KB

MD5
a8dc4b086b2427efe9a7bfe452a9dccd

SHA1
2b19efc72784bc527ce9b500968e54b9ae767766

SHA256
e20c5ccf9e8d3c80c79585a9685ce61f72431ba72d72ea0a7090448ef45b1fcd

SHA512
4beaeb67de2ff62f757cf8218995484219e42bfc10df2fd22c35f6097e343bc30384149d9fc088d02a642d87d4f7b0c32871d7cd9463e25b45f963ee2e404b95

Download Submit
C:\Users\Admin\Downloads\ae72b0b7e4c361d0016ed97ac0664e0c8f3d31dd9627c993b635b5fac24d7255.zip:Zone.Identifier

Filesize
202B

MD5
0dba1186008fc6ca78b8188385375156

SHA1
76bc2473b655f5a9eafee3da8e9fcebab25360f1

SHA256
9d78eff517e9dffe5307c05526cdaf840a3d1a020190ff273bf577abfae24abe

SHA512
f3b4006d5c6deb33f1c26f51ced8f9ac2da7b6ed3d2ad2c4c545562ac105a771990ab8d44e976277194b99daaac52c90bd38ff54dfb00a18f79109782eb3f001

Download Submit
memory/492-297-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/492-306-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/492-301-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3120-304-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3120-309-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3120-308-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3324-260-0x0000000005840000-0x00000000058D2000-memory.dmp

Filesize
584KB

Download
memory/3324-265-0x0000000009540000-0x00000000095DC000-memory.dmp

Filesize
624KB

Download
memory/3324-264-0x0000000006E80000-0x0000000006F40000-memory.dmp

Filesize
768KB

Download
memory/3324-263-0x0000000074F1E000-0x0000000074F1F000-memory.dmp

Filesize
4KB

Download
memory/3324-262-0x0000000005A60000-0x0000000005A70000-memory.dmp

Filesize
64KB

Download
memory/3324-261-0x0000000005920000-0x000000000592A000-memory.dmp

Filesize
40KB

Download
memory/3324-259-0x0000000005DF0000-0x0000000006396000-memory.dmp

Filesize
5.6MB

Download
memory/3324-258-0x0000000000BE0000-0x0000000000CC4000-memory.dmp

Filesize
912KB

Download
memory/3324-257-0x0000000074F1E000-0x0000000074F1F000-memory.dmp

Filesize
4KB

Download
memory/4064-294-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4064-336-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4064-293-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4064-291-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4064-296-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4064-286-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4064-345-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4064-288-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4064-344-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4064-290-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4064-289-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4064-343-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4064-342-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4064-341-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4064-340-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4064-316-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4064-320-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4064-319-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4064-321-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4064-322-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4064-323-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4064-324-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4064-325-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4064-326-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4064-327-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4064-328-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4064-329-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4064-330-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4064-331-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4064-332-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4064-333-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4064-292-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4064-337-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4064-338-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4064-339-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4260-266-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4260-269-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4260-271-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4296-307-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4296-302-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4296-299-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download