remcos | 402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361

Analysis

max time kernel
120s
max time network
130s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 07:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDER AND SPECIFICATIONS.scr.exe
Size

1.2MB
MD5

08b5fa6876e0dc8d5c226597d89e646b
SHA1

4b5f7b0dd2303c81427f9ab47ff9046c43718552
SHA256

402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361
SHA512

4f20a03dbcb5e16c4e934e67455eb48bf7bd9681b5fdc731bf278409c78e698527ee125ac2ed0e3f09bc1551a2684e16ba3e34613da9a1eb32bca781b85ea48c
SSDEEP

24576:IPMpzxWvSQVw/BSCDyBSvbSFMySqL1fjv4G4uKZ0PU:JWvxiSCWBSzsVL1fktec

Score

10^/10

remcos remotehost discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

154.216.16.54:6092

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-YJ70D0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
true
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2576 powershell.exe
1032 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

remcos.exeremcos.exe

pid process

2044 remcos.exe
480 remcos.exe
Loads dropped DLL 1 IoCs

Processes:

ORDER AND SPECIFICATIONS.scr.exe

pid process

2608 ORDER AND SPECIFICATIONS.scr.exe

pid	process
2576	powershell.exe
1032	powershell.exe

pid	process
2044	remcos.exe
480	remcos.exe

pid	process
2608	ORDER AND SPECIFICATIONS.scr.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ORDER AND SPECIFICATIONS.scr.exeremcos.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-YJ70D0 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	ORDER AND SPECIFICATIONS.scr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-YJ70D0 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	ORDER AND SPECIFICATIONS.scr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-YJ70D0 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-YJ70D0 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ORDER AND SPECIFICATIONS.scr.exeremcos.exeremcos.exe

description	pid	process	target process
PID 2788 set thread context of 2608	2788	ORDER AND SPECIFICATIONS.scr.exe	ORDER AND SPECIFICATIONS.scr.exe
PID 2044 set thread context of 480	2044	remcos.exe	remcos.exe
PID 480 set thread context of 1240	480	remcos.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

IEXPLORE.EXEORDER AND SPECIFICATIONS.scr.exeORDER AND SPECIFICATIONS.scr.exepowershell.exeremcos.exepowershell.exeremcos.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ORDER AND SPECIFICATIONS.scr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ORDER AND SPECIFICATIONS.scr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{232154E1-A7DE-11EF-A8EF-7A9F8CACAEA3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d907000000000200000000001066000000010000200000009e794028fc819ad67a8a2327127d791a7221a6411b61e94ced7e60c88de34fbb000000000e8000000002000020000000fb777359a15c015ae549f41af511cca794e7b6e4bce5972bb866d675f814fd6120000000f7220e6955aee2a8c434e46bc425bd9a4963e480f181f2cdca0cf628c5f416fb4000000025a02ecc83abe76b793104287963e336a166d43f74b3389e64771a1c41629071704f432eaf70711eeb4f6adb8e146c832df19f336b01f143fad099de9b7f8938	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e04758f9ea3bdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d90700000000020000000000106600000001000020000000721ad372b171f136d31e7c2614550f3b9a83099cbfbaf306a53cbe6d2a9d13c5000000000e8000000002000020000000c5015623fcf7f08c4ad14db895d2ec7ebdb0c108f176b9c5be02b57e61be469a9000000048f5d186064d1c89f6aec1f15c145eb37c9234abb6e48cc3604f58ee26940497a62b44368b41a0bdec5329ff6154077328a5dcebaec4aae0f7e678470917272b8bc3086c2ca91ec27de50b9620645e4d2d9bb4976af2faae6fd451878313d0cad2150a4f6588f4da28a5c21f7eaa0549aa8df45fbc481ba2c05349d63f7287a6e6f0b4af2900d9f69cf01876e76965d640000000e29d24dd8a44ec94004696c8eee0015ee96d4e1ba8654350b77a48f68bccf6856adb993240b7bf3edf99f8689454755cb9d4a0fd27fbb7d358032544372b86b1	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exeremcos.exepowershell.exe

pid process

2576 powershell.exe
480 remcos.exe
1032 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

remcos.exe

pid process

480 remcos.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2576 powershell.exe
Token: SeDebugPrivilege 1032 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2076 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2076 iexplore.exe
2076 iexplore.exe
980 IEXPLORE.EXE
980 IEXPLORE.EXE
980 IEXPLORE.EXE
980 IEXPLORE.EXE

pid	process
2576	powershell.exe
480	remcos.exe
1032	powershell.exe

pid	process
480	remcos.exe

description	pid	process
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe

pid	process
2076	iexplore.exe

pid	process
2076	iexplore.exe
2076	iexplore.exe
980	IEXPLORE.EXE
980	IEXPLORE.EXE
980	IEXPLORE.EXE
980	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

ORDER AND SPECIFICATIONS.scr.exeORDER AND SPECIFICATIONS.scr.exeremcos.exeremcos.exesvchost.exeiexplore.exe

description	pid	process	target process
PID 2788 wrote to memory of 2576	2788	ORDER AND SPECIFICATIONS.scr.exe	powershell.exe
PID 2788 wrote to memory of 2576	2788	ORDER AND SPECIFICATIONS.scr.exe	powershell.exe
PID 2788 wrote to memory of 2576	2788	ORDER AND SPECIFICATIONS.scr.exe	powershell.exe
PID 2788 wrote to memory of 2576	2788	ORDER AND SPECIFICATIONS.scr.exe	powershell.exe
PID 2788 wrote to memory of 2608	2788	ORDER AND SPECIFICATIONS.scr.exe	ORDER AND SPECIFICATIONS.scr.exe
PID 2788 wrote to memory of 2608	2788	ORDER AND SPECIFICATIONS.scr.exe	ORDER AND SPECIFICATIONS.scr.exe
PID 2788 wrote to memory of 2608	2788	ORDER AND SPECIFICATIONS.scr.exe	ORDER AND SPECIFICATIONS.scr.exe
PID 2788 wrote to memory of 2608	2788	ORDER AND SPECIFICATIONS.scr.exe	ORDER AND SPECIFICATIONS.scr.exe
PID 2788 wrote to memory of 2608	2788	ORDER AND SPECIFICATIONS.scr.exe	ORDER AND SPECIFICATIONS.scr.exe
PID 2788 wrote to memory of 2608	2788	ORDER AND SPECIFICATIONS.scr.exe	ORDER AND SPECIFICATIONS.scr.exe
PID 2788 wrote to memory of 2608	2788	ORDER AND SPECIFICATIONS.scr.exe	ORDER AND SPECIFICATIONS.scr.exe
PID 2788 wrote to memory of 2608	2788	ORDER AND SPECIFICATIONS.scr.exe	ORDER AND SPECIFICATIONS.scr.exe
PID 2788 wrote to memory of 2608	2788	ORDER AND SPECIFICATIONS.scr.exe	ORDER AND SPECIFICATIONS.scr.exe
PID 2788 wrote to memory of 2608	2788	ORDER AND SPECIFICATIONS.scr.exe	ORDER AND SPECIFICATIONS.scr.exe
PID 2788 wrote to memory of 2608	2788	ORDER AND SPECIFICATIONS.scr.exe	ORDER AND SPECIFICATIONS.scr.exe
PID 2608 wrote to memory of 2044	2608	ORDER AND SPECIFICATIONS.scr.exe	remcos.exe
PID 2608 wrote to memory of 2044	2608	ORDER AND SPECIFICATIONS.scr.exe	remcos.exe
PID 2608 wrote to memory of 2044	2608	ORDER AND SPECIFICATIONS.scr.exe	remcos.exe
PID 2608 wrote to memory of 2044	2608	ORDER AND SPECIFICATIONS.scr.exe	remcos.exe
PID 2044 wrote to memory of 1032	2044	remcos.exe	powershell.exe
PID 2044 wrote to memory of 1032	2044	remcos.exe	powershell.exe
PID 2044 wrote to memory of 1032	2044	remcos.exe	powershell.exe
PID 2044 wrote to memory of 1032	2044	remcos.exe	powershell.exe
PID 2044 wrote to memory of 480	2044	remcos.exe	remcos.exe
PID 2044 wrote to memory of 480	2044	remcos.exe	remcos.exe
PID 2044 wrote to memory of 480	2044	remcos.exe	remcos.exe
PID 2044 wrote to memory of 480	2044	remcos.exe	remcos.exe
PID 2044 wrote to memory of 480	2044	remcos.exe	remcos.exe
PID 2044 wrote to memory of 480	2044	remcos.exe	remcos.exe
PID 2044 wrote to memory of 480	2044	remcos.exe	remcos.exe
PID 2044 wrote to memory of 480	2044	remcos.exe	remcos.exe
PID 2044 wrote to memory of 480	2044	remcos.exe	remcos.exe
PID 2044 wrote to memory of 480	2044	remcos.exe	remcos.exe
PID 2044 wrote to memory of 480	2044	remcos.exe	remcos.exe
PID 480 wrote to memory of 1240	480	remcos.exe	svchost.exe
PID 480 wrote to memory of 1240	480	remcos.exe	svchost.exe
PID 480 wrote to memory of 1240	480	remcos.exe	svchost.exe
PID 480 wrote to memory of 1240	480	remcos.exe	svchost.exe
PID 480 wrote to memory of 1240	480	remcos.exe	svchost.exe
PID 1240 wrote to memory of 2076	1240	svchost.exe	iexplore.exe
PID 1240 wrote to memory of 2076	1240	svchost.exe	iexplore.exe
PID 1240 wrote to memory of 2076	1240	svchost.exe	iexplore.exe
PID 1240 wrote to memory of 2076	1240	svchost.exe	iexplore.exe
PID 2076 wrote to memory of 980	2076	iexplore.exe	IEXPLORE.EXE
PID 2076 wrote to memory of 980	2076	iexplore.exe	IEXPLORE.EXE
PID 2076 wrote to memory of 980	2076	iexplore.exe	IEXPLORE.EXE
PID 2076 wrote to memory of 980	2076	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\ORDER AND SPECIFICATIONS.scr.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER AND SPECIFICATIONS.scr.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ORDER AND SPECIFICATIONS.scr.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2576
- C:\Users\Admin\AppData\Local\Temp\ORDER AND SPECIFICATIONS.scr.exe
  "C:\Users\Admin\AppData\Local\Temp\ORDER AND SPECIFICATIONS.scr.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\ProgramData\Remcos\remcos.exe
    "C:\ProgramData\Remcos\remcos.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1032
  - - C:\ProgramData\Remcos\remcos.exe
      "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:480
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\System32\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1240
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2076 CREDAT:275457 /prefetch:2
        7⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

Filesize
579B

MD5
f55da450a5fb287e1e0f0dcc965756ca

SHA1
7e04de896a3e666d00e687d33ffad93be83d349e

SHA256
31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0

SHA512
19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

Filesize
252B

MD5
f64363041f93b264f5a8f7d270a8b393

SHA1
ac9bee7508e8881439d69dc940a2b709e015b760

SHA256
08a9e3a734bc42a97174577d9f505f820249880981f566e47ac33974d5617d5d

SHA512
6bbb89a1cc85a0ecd10ebc80fd9c3db812b5d180dac7f5ec9eba6e745b27b76dc52d701ebdfc1c2c4596b24fc69e8d45b158ae5afd931a4109ebbf43c5bce3ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
147d4868a7687b4617409cafa18d6185

SHA1
ba5bb7c28f8f7a4a9d1a8eccaa934a1cf9cc2117

SHA256
9335ea27c2acdbbe0971adcbdd76374f59d4b35320f360f851736ea80f689f9e

SHA512
b9d0f19d01796aa38ed1b8c9ee6f9411bd55cbc9cf86d82fdc5f6335dca8f0d593847c4b37b4092b8118b3703c8b3a4294b8aa429662e2951c12b05d323b3043

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e23fb521e59e93fdc58640f8e9bcf79

SHA1
12068ddf54b8cfb8494d43e64ca31ca5d3bc8656

SHA256
33a5966ce980b470e72807b9fcb670085dc29a30d832d7f44f52117004a605e0

SHA512
9a2c9294861fa26cd48274a9d143a875f1e8fc7bd97e5d497678e7af9b4ac501b1dcd12678138807f9c009827e6386cb9c54c4906912a02ce466cae7e356990e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe0147e752bee56dfa51c993042b6e8b

SHA1
fb432446ffde028c896d52063c5516c833ec7688

SHA256
18edb57981c14d09522d861cf0f5561c6e35b2d82fc8c7eb828b21ab45ff2227

SHA512
590197fb8fbb5685075f341d7e265b03ce8341cf30c40b7cdf4c63759b19d55f988b1b180df434f502851105fa980deef4c9a462fcf86a14dfe0dc9674b40aa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa6a982d2fb0ce77761a13202248f99b

SHA1
5b7a9257a845750bf1a91fcb115878037715d2ca

SHA256
cb7acce523e5a6645057064d6370d1953716dc6037e4a66094c9df79dac159c6

SHA512
f6acd9cde65bb9422e4483242289b3923482435d95231771bcf9a4d240a1399094a17a0ac65066b71523f6f40942146e0e0f02222012eb5453eda17dc8165370

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8ef2b5bd4e756e8f9f093c414dd148e

SHA1
8e6c32261340c03505a242e59443a930c7dcb92d

SHA256
8174e5132e454ead196f2b590f5d018d442ad5fe9d7b368ea14bb99c492fc77a

SHA512
5c50d81fdb73b913fab8542a4eeba0a9a2fc7a81422fda60c9ada88bf4e58cfd468f77d5966f137352d2eb7042ae99bf31e001c76e521d0b769974c4b33c1891

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b07715d9d21aadbcb80a873f7fe6a0fa

SHA1
4e667b8a9849d5dc31b943cc0273a41447a74cff

SHA256
e995c13ce2172f4db2985c0e65a0086b96b013eed629bab35466fa043fa3589d

SHA512
e24064375a7f037a0a9850f2208b64c738f0298b8d749639edd781c7b65319cbf7a9133215406218d462a5aa043cf6b56488527eaa83d76048296cfcbd398a2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
115bbe7605ad188845aec2a9d21d25a8

SHA1
413c5f8261bf0bbb9b79d6a507a540e8dbc073ad

SHA256
4d50c4fb589adc3209c903e7ede78d4a5682a1c12ca4e40a86b9c107446acda2

SHA512
fb85b60747c6c7e8740219bd61e6e545afc9496259f7f143eac7155a6636d13475abf38f713685a26b60103172dadd32a551d232ea378a1ebee69c36b7f8c6aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c545263a4cb78657822e7fc8b517d987

SHA1
9b47ad5eaf4c049fc79bfa519b855e4b9e580b17

SHA256
5ea20c4c92a1ff6aba44061c661d7121a922f3d79af3c394173bb69af00ea829

SHA512
2271fb14f5189af20654eeecf554fb9d52d84d52480bebf3a586d16f7b6570ad2c7c922042e8f3bdf6c103087fc2329f7217a1f1ed5d00fd4d1f362b8bf3f32a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af31d9170df95dd08c0babe2058da759

SHA1
3e001f375201507bad8dbb0c2d41181b1f8870d1

SHA256
98de939029f24aa13a0f0d0ca7bc90fcdd548f2b467db66580bd4d8dc3b523c7

SHA512
db55d9c85cd0145f2d52cb456d25919a629994b28a447c70e81403dd465a2a1d9141a7f85d71b91d4ce17cd0386a2850498ef1b2f8cc69f3ba2f04ffc58f0e8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd7f5ff8e589abc9615898555763d488

SHA1
4bf1a73f56bcd6ce07e43382028947852634ed16

SHA256
8bff54e35506b9ac5d38b85f1268d3629f4aeeb16d3a0e4f9cbc09c50f4f3e48

SHA512
a105361a28b153f9592f15bcfd57c1fa434398e3768e627b14fc14b23e80261565abb4967018b90a300a19a98608b8ac270b5eb6072b2444f1454a6bdf422d08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
700d916d4c18948acf093d9114132502

SHA1
9131970df74872b91777d0bcf8699ab6bd8f164a

SHA256
cc9b7b8224669938a5f3b0f984f59e2dcd7867edd0fcae6e0182cafe48c0a067

SHA512
174bd388f6b4651286c406daef67344dac5f925f84d8e72d7234de99439fbb876a2da5ef45b75413ac5013691e7bb9a7fb04d43842f238ea220ee06d0917db04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27427dd8122230b91a4bf6fab7bca214

SHA1
1700a0ddee4cd8dab560e77eec7b55b6c815430e

SHA256
399c482788335d505192ac38b83c5af8d99f622fb0377d034667f96beab2cfb1

SHA512
cbeb38f3c3bf881119eda694821058295d3a063ac883322d9cce8b4f400b6a6396b3abd462db1cc9c09e4c4224f7ec0f30100bd36e20ebae1aa3cfbf955061ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
36099cd67ec656e0d6980bb165225fae

SHA1
2cbdd181f4b75d9ba843fcad370d76c4618ccc2f

SHA256
88160048624ba33cc5fdf5be6369decd0c50f0f38bc78249af8b0e96514cc711

SHA512
c9ba0252f9b928a0bdbcb75037c08505e57d32b34ba31ba90247c67d03a13ee9cd1897e72fda52bb0fcd6d45f14ad2870df902cbf03a9791bbb9adcbf8dfcb17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5bb5e2fdbd1225aee0718ddc2884ff9a

SHA1
936f99c487728a5d21c21b94f85231eb5f90d933

SHA256
3c3399793883642dc39014f8597d35ec8da1a5d577f467d38d0117b2975ec04f

SHA512
368a428d27807412d87f96d4e10e0d5d0caf5ffcea8c7f50d82633a9932fb673795b9692ba0a691d973c9069ad760df6b6dd4630c25127bbd9c2a153f768eecb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a7037915fc57cc512a3b7b09dd382fe

SHA1
a8abff3aa8629343d1df462fe291051f4d772e30

SHA256
e33aafabed9139a7c7641b8266088a78212311f430b4243bee7d5531d3674e86

SHA512
6a59698b6f75646f74b8502d3da514aac48c2ee487e8df855ed0aef8ace31a7ed0a6164ad41140a628f8c29e3330294b3b9df85927d6a5ceff1f0cb6a24e42c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02b20ebbe6f2814bddca14640ad3ae2c

SHA1
b3873a6319c193aa7535434be409b0fa71eb9bdb

SHA256
0126bdfcfab243ebff9f100acd3828457cb83e5a2b713c23f49d339ff6cc9255

SHA512
541fff00cc420e0f24d9c340865cf561f72b93f53a0bdcbc04ffa720febfed78b71b35aa289cca2b239933fa797e17a0dcb13f2e44216d75002ab90685919974

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d68cb724f5e60cd814d2cef52e30a4e7

SHA1
67f0ebe8c003b02d2c475800b1f9c6c49cffc0f6

SHA256
00b9970c8cb4bf3aca7f46db1ddf84ef39942e515b592d43e086c8d382cce6a7

SHA512
93ae0d43ca5ea954f1cbb5caec03e2a6ef16efabfb4fc784579ede01b198e280dbc0446961e8308c4a4d2dba040cbf2e76b5725383311d5c59619a2f2c47dc6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c59bf71dc09ae4d545f34af919ae2c05

SHA1
2279c98197676c645abbbfc92f6178e386d0ea32

SHA256
a0241ad41e0a1321418dd56a6eb95e993b3f3cd50d8a208e44131c9a1d502f0f

SHA512
1b19372facde5f56e5907334069a5da4345e9b095e558ec2d6db39d8a8198a77f09ea44e2f1dc3718354da0b328612dd8a8a10c6e3d4ca3de5f6822b79c84bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab429E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar432D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0ebd3fc98424143332179b24df6ab768

SHA1
577ebfaf857a8394ad6484585ea9f099102c29e5

SHA256
484d024b48b525e3af6bab33b3e656d402abf851689d0909711224834d4b10c5

SHA512
81cf47e057b3f31f08eb69ed215fba49360589b63f18919f84ccee187c036da3568452cba142ffcc49f0f7c90f18d89bc6582fdce851bad99cdc699c2b341ac4

Download Submit
\ProgramData\Remcos\remcos.exe

Filesize
1.2MB

MD5
08b5fa6876e0dc8d5c226597d89e646b

SHA1
4b5f7b0dd2303c81427f9ab47ff9046c43718552

SHA256
402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361

SHA512
4f20a03dbcb5e16c4e934e67455eb48bf7bd9681b5fdc731bf278409c78e698527ee125ac2ed0e3f09bc1551a2684e16ba3e34613da9a1eb32bca781b85ea48c

Download Submit
memory/480-51-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/480-54-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1240-57-0x0000000000240000-0x0000000000370000-memory.dmp

Filesize
1.2MB

Download
memory/1240-55-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1240-56-0x0000000000240000-0x0000000000370000-memory.dmp

Filesize
1.2MB

Download
memory/1240-58-0x0000000000240000-0x0000000000370000-memory.dmp

Filesize
1.2MB

Download
memory/2044-34-0x0000000000820000-0x0000000000950000-memory.dmp

Filesize
1.2MB

Download
memory/2044-38-0x0000000005190000-0x0000000005254000-memory.dmp

Filesize
784KB

Download
memory/2044-37-0x00000000002A0000-0x00000000002B2000-memory.dmp

Filesize
72KB

Download
memory/2608-15-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2608-25-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2608-32-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2608-8-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2608-11-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2608-13-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2608-9-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2608-17-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2608-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2608-21-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2608-23-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2788-27-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/2788-0-0x000000007446E000-0x000000007446F000-memory.dmp

Filesize
4KB

Download
memory/2788-6-0x00000000049E0000-0x0000000004AA4000-memory.dmp

Filesize
784KB

Download
memory/2788-5-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/2788-4-0x000000007446E000-0x000000007446F000-memory.dmp

Filesize
4KB

Download
memory/2788-3-0x0000000000290000-0x00000000002A2000-memory.dmp

Filesize
72KB

Download
memory/2788-2-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/2788-1-0x00000000013D0000-0x0000000001500000-memory.dmp

Filesize
1.2MB

Download