Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-11-2024 04:26
Behavioral task: behavioral1
- Sample: 4d4b203f72413a42a31be62977b8a6508e7f04f9192913c432ab456b15fc3004.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 4d4b203f72413a42a31be62977b8a6508e7f04f9192913c432ab456b15fc3004.exe
- Resource: win10v2004-20241007-en
General
- Target: 4d4b203f72413a42a31be62977b8a6508e7f04f9192913c432ab456b15fc3004.exe
- Size: 481KB
- MD5: 416df385ee8cc5b57c5869cff2142747
- SHA1: a79848e3b77e0e995dbc1b87c1a82b00bf4827eb
- SHA256: 4d4b203f72413a42a31be62977b8a6508e7f04f9192913c432ab456b15fc3004
- SHA512: f76e9cb4adbfda277d87ea85473fe4554b77f8da4c0e86b073d31046a3f4cf37a75336eb44fa3d009d20cf28685a41f191148db8b3167524aa46e598eba9bca0
- SSDEEP: 12288:LuD09AUkNIGBYYv4eK13x13nZHSRVMf139F5wIB7+IwtHwBtVxbesvZDSx+DY:O09AfNIEYsunZvZ19Z6s
Malware Config
Extracted: remcos
- RemoteHost: nextnewupdationsforu.duckdns.org:14645
- audio_folder: MicRecords
- audio_path: ApplicationPath
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-EC111K
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
- Remcos family
Detected Nirsoft tools (9 IoCs)
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource / yara_rule:
- behavioral2/memory/672-12-0x0000000000400000-0x0000000000462000-memory.dmp / Nirsoft
- behavioral2/memory/112-23-0x0000000000400000-0x0000000000424000-memory.dmp / Nirsoft
- behavioral2/memory/112-25-0x0000000000400000-0x0000000000424000-memory.dmp / Nirsoft
- behavioral2/memory/672-22-0x0000000000400000-0x0000000000462000-memory.dmp / Nirsoft
- behavioral2/memory/2676-11-0x0000000000400000-0x0000000000478000-memory.dmp / Nirsoft
- behavioral2/memory/672-10-0x0000000000400000-0x0000000000462000-memory.dmp / Nirsoft
- behavioral2/memory/2676-9-0x0000000000400000-0x0000000000478000-memory.dmp / Nirsoft
- behavioral2/memory/672-8-0x0000000000400000-0x0000000000462000-memory.dmp / Nirsoft
- behavioral2/memory/2676-41-0x0000000000400000-0x0000000000478000-memory.dmp / Nirsoft
NirSoft MailPassView (4 IoCs)
Password recovery tool for various email clients
resource / yara_rule:
- behavioral2/memory/672-12-0x0000000000400000-0x0000000000462000-memory.dmp / MailPassView
- behavioral2/memory/672-22-0x0000000000400000-0x0000000000462000-memory.dmp / MailPassView
- behavioral2/memory/672-10-0x0000000000400000-0x0000000000462000-memory.dmp / MailPassView
- behavioral2/memory/672-8-0x0000000000400000-0x0000000000462000-memory.dmp / MailPassView
NirSoft WebBrowserPassView (3 IoCs)
Password recovery tool for various web browsers
resource / yara_rule:
- behavioral2/memory/2676-11-0x0000000000400000-0x0000000000478000-memory.dmp / WebBrowserPassView
- behavioral2/memory/2676-9-0x0000000000400000-0x0000000000478000-memory.dmp / WebBrowserPassView
- behavioral2/memory/2676-41-0x0000000000400000-0x0000000000478000-memory.dmp / WebBrowserPassView
Uses browser remote debugging (2 TTPs, 9 IoCs)
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
pid / Process:
- 2432 / msedge.exe
- 3472 / Chrome.exe
- 4344 / Chrome.exe
- 3156 / Chrome.exe
- 4756 / msedge.exe
- 5072 / msedge.exe
- 4372 / Chrome.exe
- 3376 / msedge.exe
- 4396 / msedge.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
description / ioc / Process:
- Key opened / \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts / 4d4b203f72413a42a31be62977b8a6508e7f04f9192913c432ab456b15fc3004.exe
Suspicious use of SetThreadContext (3 IoCs)
description / pid / Process / procid_target:
- PID 1680 set thread context of 2676 / 1680 / 4d4b203f72413a42a31be62977b8a6508e7f04f9192913c432ab456b15fc3004.exe / 87
- PID 1680 set thread context of 672 / 1680 / 4d4b203f72413a42a31be62977b8a6508e7f04f9192913c432ab456b15fc3004.exe / 88
- PID 1680 set thread context of 112 / 1680 / 4d4b203f72413a42a31be62977b8a6508e7f04f9192913c432ab456b15fc3004.exe / 89
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
- Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / 4d4b203f72413a42a31be62977b8a6508e7f04f9192913c432ab456b15fc3004.exe
- Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / 4d4b203f72413a42a31be62977b8a6508e7f04f9192913c432ab456b15fc3004.exe
- Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / 4d4b203f72413a42a31be62977b8a6508e7f04f9192913c432ab456b15fc3004.exe
- Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / 4d4b203f72413a42a31be62977b8a6508e7f04f9192913c432ab456b15fc3004.exe
Enumerates system info in registry (2 TTPs, 6 IoCs)
description / ioc / Process:
- Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer / msedge.exe
- Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName / msedge.exe
- Key opened / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS / Chrome.exe
- Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName / Chrome.exe
- Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer / Chrome.exe
- Key opened / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS / msedge.exe
Modifies registry class (1 IoCs)
description / ioc / Process:
- Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ / msedge.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid / Process (identical entries grouped, with the number of occurrences):
- 1680 / 4d4b203f72413a42a31be62977b8a6508e7f04f9192913c432ab456b15fc3004.exe (56 entries)
- 2676 / 4d4b203f72413a42a31be62977b8a6508e7f04f9192913c432ab456b15fc3004.exe (4 entries)
- 112 / 4d4b203f72413a42a31be62977b8a6508e7f04f9192913c432ab456b15fc3004.exe (2 entries)
- 3472 / Chrome.exe (2 entries)
Suspicious behavior: MapViewOfSection (3 IoCs)
pid / Process:
- 1680 / 4d4b203f72413a42a31be62977b8a6508e7f04f9192913c432ab456b15fc3004.exe
- 1680 / 4d4b203f72413a42a31be62977b8a6508e7f04f9192913c432ab456b15fc3004.exe
- 1680 / 4d4b203f72413a42a31be62977b8a6508e7f04f9192913c432ab456b15fc3004.exe
Suspicious use of AdjustPrivilegeToken (17 IoCs)
description / pid / Process (identical entries grouped, with the number of occurrences):
- Token: SeDebugPrivilege / 112 / 4d4b203f72413a42a31be62977b8a6508e7f04f9192913c432ab456b15fc3004.exe (1 entry)
- Token: SeShutdownPrivilege / 3472 / Chrome.exe (8 entries)
- Token: SeCreatePagefilePrivilege / 3472 / Chrome.exe (8 entries)
Suspicious use of FindShellTrayWindow (1 IoCs)
pid / Process:
- 3472 / Chrome.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description / pid / Process / procid_target (identical entries grouped, with the number of occurrences):
- PID 1680 wrote to memory of 2676 / 1680 / 4d4b203f72413a42a31be62977b8a6508e7f04f9192913c432ab456b15fc3004.exe / 87 (3 entries)
- PID 1680 wrote to memory of 672 / 1680 / 4d4b203f72413a42a31be62977b8a6508e7f04f9192913c432ab456b15fc3004.exe / 88 (3 entries)
- PID 1680 wrote to memory of 112 / 1680 / 4d4b203f72413a42a31be62977b8a6508e7f04f9192913c432ab456b15fc3004.exe / 89 (3 entries)
- PID 1680 wrote to memory of 3472 / 1680 / 4d4b203f72413a42a31be62977b8a6508e7f04f9192913c432ab456b15fc3004.exe / 90 (2 entries)
- PID 3472 wrote to memory of 4484 / 3472 / Chrome.exe / 91 (2 entries)
- PID 3472 wrote to memory of 4092 / 3472 / Chrome.exe / 92 (30 entries)
- PID 3472 wrote to memory of 2388 / 3472 / Chrome.exe / 93 (2 entries)
- PID 3472 wrote to memory of 5116 / 3472 / Chrome.exe / 94 (19 entries)
Processes (indentation shows the parent/child tree; the bracketed number is the depth shown in the report)
- [1] C:\Users\Admin\AppData\Local\Temp\4d4b203f72413a42a31be62977b8a6508e7f04f9192913c432ab456b15fc3004.exe (PID 1680)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4d4b203f72413a42a31be62977b8a6508e7f04f9192913c432ab456b15fc3004.exe"
  Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\4d4b203f72413a42a31be62977b8a6508e7f04f9192913c432ab456b15fc3004.exe (PID 2676)
    Command line: C:\Users\Admin\AppData\Local\Temp\4d4b203f72413a42a31be62977b8a6508e7f04f9192913c432ab456b15fc3004.exe /stext "C:\Users\Admin\AppData\Local\Temp\sqrtoixvfogqxpgdynmblywzpuyecv"
    Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
  - [2] C:\Users\Admin\AppData\Local\Temp\4d4b203f72413a42a31be62977b8a6508e7f04f9192913c432ab456b15fc3004.exe (PID 672)
    Command line: C:\Users\Admin\AppData\Local\Temp\4d4b203f72413a42a31be62977b8a6508e7f04f9192913c432ab456b15fc3004.exe /stext "C:\Users\Admin\AppData\Local\Temp\ckedpbhxtwyvhvuhpyzdocrqyiinvgheg"
    Signatures: Accesses Microsoft Outlook accounts; System Location Discovery: System Language Discovery
  - [2] C:\Users\Admin\AppData\Local\Temp\4d4b203f72413a42a31be62977b8a6508e7f04f9192913c432ab456b15fc3004.exe (PID 112)
    Command line: C:\Users\Admin\AppData\Local\Temp\4d4b203f72413a42a31be62977b8a6508e7f04f9192913c432ab456b15fc3004.exe /stext "C:\Users\Admin\AppData\Local\Temp\nekwp"
    Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Program Files\Google\Chrome\Application\Chrome.exe (PID 3472)
    Command line: --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    Signatures: Uses browser remote debugging; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - [3] C:\Program Files\Google\Chrome\Application\Chrome.exe (PID 4484)
      Command line: "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff86884cc40,0x7ff86884cc4c,0x7ff86884cc58
    - [3] C:\Program Files\Google\Chrome\Application\Chrome.exe (PID 4092)
      Command line: "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,10499634246018582157,7017145500622689821,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1900 /prefetch:2
    - [3] C:\Program Files\Google\Chrome\Application\Chrome.exe (PID 2388)
      Command line: "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2100,i,10499634246018582157,7017145500622689821,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2156 /prefetch:3
    - [3] C:\Program Files\Google\Chrome\Application\Chrome.exe (PID 5116)
      Command line: "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2280,i,10499634246018582157,7017145500622689821,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2492 /prefetch:8
    - [3] C:\Program Files\Google\Chrome\Application\Chrome.exe (PID 4344)
      Command line: "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,10499634246018582157,7017145500622689821,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3172 /prefetch:1
      Signatures: Uses browser remote debugging
    - [3] C:\Program Files\Google\Chrome\Application\Chrome.exe (PID 3156)
      Command line: "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3144,i,10499634246018582157,7017145500622689821,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3228 /prefetch:1
      Signatures: Uses browser remote debugging
    - [3] C:\Program Files\Google\Chrome\Application\Chrome.exe (PID 4372)
      Command line: "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4564,i,10499634246018582157,7017145500622689821,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4524 /prefetch:1
      Signatures: Uses browser remote debugging
  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4756)
    Command line: --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    Signatures: Uses browser remote debugging; Enumerates system info in registry; Modifies registry class
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4316)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff8684046f8,0x7ff868404708,0x7ff868404718
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1196)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,9156676739158354081,1365574215330432167,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3264)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,9156676739158354081,1365574215330432167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1824)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,9156676739158354081,1365574215330432167,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5072)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2084,9156676739158354081,1365574215330432167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
      Signatures: Uses browser remote debugging
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3376)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2084,9156676739158354081,1365574215330432167,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
      Signatures: Uses browser remote debugging
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4396)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2084,9156676739158354081,1365574215330432167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
      Signatures: Uses browser remote debugging
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2432)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2084,9156676739158354081,1365574215330432167,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
      Signatures: Uses browser remote debugging
- [1] C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe (PID 1300)
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- [1] C:\Windows\System32\CompPkgSrv.exe (PID 2396)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- [1] C:\Windows\System32\CompPkgSrv.exe (PID 720)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Modify Authentication Process (1)
- Steal Web Session Cookie (1)
- Unsecured Credentials (1)
- Credentials In Files (1)
Downloads
- Filesize: 40B
  MD5: 298b0d4f4e493b17b2625f93f6618885
  SHA1: 3f536e8557c7ffb773bb1b541dc273272f97a26f
  SHA256: 4e3083e743eb897c0303cd9c858b444c205d348f58778ef82142d362b79a629a
  SHA512: 27dc28f959b17cccd32cee0b00a9fb385364f01acd6f3d238553d227d96490106dc0e918cc240192722a23902fc505939392d09690a516ac5bbd6fa7f62feabc
- Filesize: 152B
  MD5: f4fd6e7a6d6abc0002147246b74bbecf
  SHA1: a148015d0eea2541a92ff4bd1264eb1100a9b023
  SHA256: 82cc680b0d0113a71a3f52d789c234857d836be5b7a2252d8201c83a65a9695c
  SHA512: 4916ace378f695eb0fff1a37c3fe019119f240bcf922cc6f9f4cd87112fcae2ea7d3c27f70cdbaf7f0013733a345acd8f5f91236c90be52bdff891cc539b5e44
- Filesize: 20B
  MD5: 9e4e94633b73f4a7680240a0ffd6cd2c
  SHA1: e68e02453ce22736169a56fdb59043d33668368f
  SHA256: 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
  SHA512: 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337
- Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- Filesize: 41B
  MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
  SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
  SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
  SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
- Filesize: 20KB
  MD5: 61ff89b0420e8e58aad1c4657d48a7b2
  SHA1: ec8314990ce01aa4c19e3add4bb8287f7a0c9092
  SHA256: f40da0c5f9c5631cb4c3b734c31b1226ae5a6cf51aa42e1b582aa42352ebff8b
  SHA512: ec1843751f6896548cf191e78ca48ea8f75951eadf9c84aae0595321f68aa86561f2f39a257c242390295c967c71d1197534455c00851acf233fbe0fd2a270a1
- Filesize: 2B
  MD5: d751713988987e9331980363e24189ce
  SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
- Filesize: 15KB
  MD5: 8e666197f26d403b7473ec273b4ae165
  SHA1: e824ab02c45390db969bc93bd1a45963396e1c36
  SHA256: 94d77e580b2c08409a527e2305bccae0402731d130618038bd0c149b195a3d09
  SHA512: 4a3da340044a0705939f656fb64b668a8d1a0b26792b54a9e7c5ca335a364e5539197ddc1868981112620cf89d1bbcf0b42d908cb88736a2214fe178e2ee2fc0
- Filesize: 8KB
  MD5: cf89d16bb9107c631daabf0c0ee58efb
  SHA1: 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
  SHA256: d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
  SHA512: 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
- Filesize: 264KB
  MD5: d0d388f3865d0523e451d6ba0be34cc4
  SHA1: 8571c6a52aacc2747c048e3419e5657b74612995
  SHA256: 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
  SHA512: 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17
- Filesize: 8KB
  MD5: 0962291d6d367570bee5454721c17e11
  SHA1: 59d10a893ef321a706a9255176761366115bedcb
  SHA256: ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
  SHA512: f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
- Filesize: 8KB
  MD5: 41876349cb12d6db992f1309f22df3f0
  SHA1: 5cf26b3420fc0302cd0a71e8d029739b8765be27
  SHA256: e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
  SHA512: e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
- Filesize: 116KB
  MD5: 091dc496eeabfabf5a186a102964ae7b
  SHA1: d9788ea3793eab40f3e0c9ff2ba8e199d75838ca
  SHA256: dedd0db869af78cf5d6c33aeaa893909afb58c6b6c8b58752cc4f09518677403
  SHA512: 29f3dbf2336480a37d5c4411276bbbfb22c4e954dc652af50ce5f5c3b18dd6fbba3f5ef37d73fe4ffe38b4de736a8031c2d2015284f09e74566f00396da7b6fa
- Filesize: 4KB
  MD5: 17eece3240d08aa4811cf1007cfe2585
  SHA1: 6c10329f61455d1c96e041b6f89ee6260af3bd0f
  SHA256: 7cc0db44c7b23e4894fe11f0d8d84b2a82ad667eb1e3504192f3ba729f9a7903
  SHA512: a7de8d6322410ec89f76c70a7159645e8913774f38b84aafeeeb9f90dc3b9aa74a0a280d0bb6674790c04a8ff2d059327f02ebfda6c4486778d53b7fc6da6370