remcos | 402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/11/2024, 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe
Size

1.2MB
MD5

08b5fa6876e0dc8d5c226597d89e646b
SHA1

4b5f7b0dd2303c81427f9ab47ff9046c43718552
SHA256

402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361
SHA512

4f20a03dbcb5e16c4e934e67455eb48bf7bd9681b5fdc731bf278409c78e698527ee125ac2ed0e3f09bc1551a2684e16ba3e34613da9a1eb32bca781b85ea48c
SSDEEP

24576:IPMpzxWvSQVw/BSCDyBSvbSFMySqL1fjv4G4uKZ0PU:JWvxiSCWBSzsVL1fktec

Score

10^/10

remcos remotehost discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

154.216.16.54:6092

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-YJ70D0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
true
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1936	powershell.exe
2884	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	remcos.exe

Executes dropped EXE 2 IoCs

pid	Process
3300	remcos.exe
1040	remcos.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-YJ70D0 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-YJ70D0 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-YJ70D0 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-YJ70D0 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1980 set thread context of 4936	1980	402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe	93
PID 3300 set thread context of 1040	3300	remcos.exe	97
PID 1040 set thread context of 1400	1040	remcos.exe	98

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1936	powershell.exe
1936	powershell.exe
1040	remcos.exe
1040	remcos.exe
2884	powershell.exe
2884	powershell.exe
1016	msedge.exe
1016	msedge.exe
3232	msedge.exe
3232	msedge.exe
1012	identity_helper.exe
1012	identity_helper.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1040	remcos.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1936	1980	402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe	91
PID 1980 wrote to memory of 1936	1980	402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe	91
PID 1980 wrote to memory of 1936	1980	402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe	91
PID 1980 wrote to memory of 4936	1980	402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe	93
PID 1980 wrote to memory of 4936	1980	402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe	93
PID 1980 wrote to memory of 4936	1980	402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe	93
PID 1980 wrote to memory of 4936	1980	402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe	93
PID 1980 wrote to memory of 4936	1980	402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe	93
PID 1980 wrote to memory of 4936	1980	402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe	93
PID 1980 wrote to memory of 4936	1980	402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe	93
PID 1980 wrote to memory of 4936	1980	402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe	93
PID 1980 wrote to memory of 4936	1980	402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe	93
PID 1980 wrote to memory of 4936	1980	402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe	93
PID 4936 wrote to memory of 3300	4936	402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe	94
PID 4936 wrote to memory of 3300	4936	402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe	94
PID 4936 wrote to memory of 3300	4936	402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe	94
PID 3300 wrote to memory of 2884	3300	remcos.exe	95
PID 3300 wrote to memory of 2884	3300	remcos.exe	95
PID 3300 wrote to memory of 2884	3300	remcos.exe	95
PID 3300 wrote to memory of 1040	3300	remcos.exe	97
PID 3300 wrote to memory of 1040	3300	remcos.exe	97
PID 3300 wrote to memory of 1040	3300	remcos.exe	97
PID 3300 wrote to memory of 1040	3300	remcos.exe	97
PID 3300 wrote to memory of 1040	3300	remcos.exe	97
PID 3300 wrote to memory of 1040	3300	remcos.exe	97
PID 3300 wrote to memory of 1040	3300	remcos.exe	97
PID 3300 wrote to memory of 1040	3300	remcos.exe	97
PID 3300 wrote to memory of 1040	3300	remcos.exe	97
PID 3300 wrote to memory of 1040	3300	remcos.exe	97
PID 1040 wrote to memory of 1400	1040	remcos.exe	98
PID 1040 wrote to memory of 1400	1040	remcos.exe	98
PID 1040 wrote to memory of 1400	1040	remcos.exe	98
PID 1040 wrote to memory of 1400	1040	remcos.exe	98
PID 1400 wrote to memory of 3232	1400	iexplore.exe	99
PID 1400 wrote to memory of 3232	1400	iexplore.exe	99
PID 3232 wrote to memory of 884	3232	msedge.exe	100
PID 3232 wrote to memory of 884	3232	msedge.exe	100
PID 3232 wrote to memory of 1484	3232	msedge.exe	101
PID 3232 wrote to memory of 1484	3232	msedge.exe	101
PID 3232 wrote to memory of 1484	3232	msedge.exe	101
PID 3232 wrote to memory of 1484	3232	msedge.exe	101
PID 3232 wrote to memory of 1484	3232	msedge.exe	101
PID 3232 wrote to memory of 1484	3232	msedge.exe	101
PID 3232 wrote to memory of 1484	3232	msedge.exe	101
PID 3232 wrote to memory of 1484	3232	msedge.exe	101
PID 3232 wrote to memory of 1484	3232	msedge.exe	101
PID 3232 wrote to memory of 1484	3232	msedge.exe	101
PID 3232 wrote to memory of 1484	3232	msedge.exe	101
PID 3232 wrote to memory of 1484	3232	msedge.exe	101
PID 3232 wrote to memory of 1484	3232	msedge.exe	101
PID 3232 wrote to memory of 1484	3232	msedge.exe	101
PID 3232 wrote to memory of 1484	3232	msedge.exe	101
PID 3232 wrote to memory of 1484	3232	msedge.exe	101
PID 3232 wrote to memory of 1484	3232	msedge.exe	101
PID 3232 wrote to memory of 1484	3232	msedge.exe	101
PID 3232 wrote to memory of 1484	3232	msedge.exe	101
PID 3232 wrote to memory of 1484	3232	msedge.exe	101
PID 3232 wrote to memory of 1484	3232	msedge.exe	101
PID 3232 wrote to memory of 1484	3232	msedge.exe	101
PID 3232 wrote to memory of 1484	3232	msedge.exe	101
PID 3232 wrote to memory of 1484	3232	msedge.exe	101
PID 3232 wrote to memory of 1484	3232	msedge.exe	101
PID 3232 wrote to memory of 1484	3232	msedge.exe	101
PID 3232 wrote to memory of 1484	3232	msedge.exe	101

C:\Users\Admin\AppData\Local\Temp\402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe
"C:\Users\Admin\AppData\Local\Temp\402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Users\Admin\AppData\Local\Temp\402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe
  "C:\Users\Admin\AppData\Local\Temp\402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\ProgramData\Remcos\remcos.exe
    "C:\ProgramData\Remcos\remcos.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3300
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2884
  - - C:\ProgramData\Remcos\remcos.exe
      "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1040
    - - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1400
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa99af46f8,0x7ffa99af4708,0x7ffa99af4718
        7⤵
        
        PID:884
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,4973915508616576064,3222909688057880123,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
        7⤵
        
        PID:1484
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,4973915508616576064,3222909688057880123,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,4973915508616576064,3222909688057880123,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:8
        7⤵
        
        PID:456
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4973915508616576064,3222909688057880123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
        7⤵
        
        PID:3464
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4973915508616576064,3222909688057880123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
        7⤵
        
        PID:4900
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4973915508616576064,3222909688057880123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
        7⤵
        
        PID:2576
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,4973915508616576064,3222909688057880123,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
        7⤵
        
        PID:4340
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,4973915508616576064,3222909688057880123,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1012
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4973915508616576064,3222909688057880123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
        7⤵
        
        PID:808
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4973915508616576064,3222909688057880123,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
        7⤵
        
        PID:1212
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4973915508616576064,3222909688057880123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
        7⤵
        
        PID:3472
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4973915508616576064,3222909688057880123,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
        7⤵
        
        PID:2884
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4973915508616576064,3222909688057880123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
        7⤵
        
        PID:1956
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4973915508616576064,3222909688057880123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
        7⤵
        
        PID:112
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:4800
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa99af46f8,0x7ffa99af4708,0x7ffa99af4718
        7⤵
        
        PID:1136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\remcos.exe

Filesize
1.2MB

MD5
08b5fa6876e0dc8d5c226597d89e646b

SHA1
4b5f7b0dd2303c81427f9ab47ff9046c43718552

SHA256
402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361

SHA512
4f20a03dbcb5e16c4e934e67455eb48bf7bd9681b5fdc731bf278409c78e698527ee125ac2ed0e3f09bc1551a2684e16ba3e34613da9a1eb32bca781b85ea48c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
1fb15b3fb92694178577243b93595866

SHA1
e574ee4804271c6b6c4b173908831faa224af89a

SHA256
b88c05ce2d79fe62b0b2ddcac6f5ea8811c64ca7b81113d30698480cd81e0f07

SHA512
64231f339201e6338276a7e0d87ccf8630df6b10c1122cdf2b05561a9e43490049377f9a399e473b6d046b8c6668a448d1e22cd2df8697a6bb350af674ced0a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b1cb8d2b12ed592d792281a8b11dfc09

SHA1
01bc856e686a3f20a3220229a6753e745705d357

SHA256
7892b9a1ed259a5f9118deebee04a5701bce72347db465778a8236992ce2078a

SHA512
c3ced513e2225c2a77189ffaeee2b6f424462958f8d8b328d9aa5dbc998fc639b663d69016e215d49e411baec8e4c139cb25ba1bd0e65eb6cbcac9d637e484aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c490c1743b896ccded20122f4bd02226

SHA1
80d76a31c90a2a1af53c332895ec89aa4e7312c0

SHA256
842ade80dcdf2df84a2984060d6a1293cf9d47339f0e557e6957d3f8cf6c198a

SHA512
eb1db91e736ec1709d933157bfb17d055516b0656798049042642847b652ea5d23e4a5d4691f3bdbdc9d8e4c4521846fc73e6deddbf281c75b6a73b56302c287

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a414ec6b777b4cfddcfe6b3ee97eb8b8

SHA1
14a23a8b795c194f54d06a318ff08af8aa770e6e

SHA256
dfbfab6030208188e5ecd4e64529c79297d47cb3831ea65098d2803361417d18

SHA512
aa36823036cf2c4f795f33b9417105869e6879f354d0758f5836390babcb2ed46637bc076456c887a570eb04e3ab19f70ccd3354fbba13f0135ed18608d74956

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
02eda3fe67c53991fcb1c2360b6fc362

SHA1
164abbca3bcf5102cffe9c0372780f93c9ce46d3

SHA256
f92ee979b1caffd706441aef7a60646bd9cfbe69ccb1ff93e18573449e6af85b

SHA512
2ac71e6068a6bfcf5f746dbffd2f65bcd8509bdee0bc1927a7827190b121adb1fe5a0cdaf7343b0fc6881e7b53b139d5c1ef2343476f6d2ba649e8968691c79c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe594433.TMP

Filesize
371B

MD5
16cedd94c2cd801a353c3177c2110a5f

SHA1
dc96c1fcbfe19b800d83fe1c2d464809df37022b

SHA256
a47dbec9ff6bc59c620370628b86dfd4eec4e083fdcf3727615276f891692fc0

SHA512
4a8ebc230c964ec14ebf907ed91d95ec66205a4b25190664561108e18ad1151244fe7b294044a167362f46413011967a0e4e72dbcf4a084e9ba44b891803cd15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bac8361b924604b4ca45900fafa96586

SHA1
380f79e1ab8319a3588e9870f9e926abcdfe5f3b

SHA256
e524291de4b088296ca650fad56f80c9d5679bb708f66d2907a93b0a6c999920

SHA512
3ffcb8c5c1f66d73344dbaabf265bb9e67c928b2cf081da7ad725a5d29a36b6d40ea908a0e956d4c668e704bb77606183de31cdef8a6ded9d80efe861a921883

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
97508f9479c62add88b5cedf377cef4f

SHA1
72fb6cb59feb8b0d428d9083d8ffb8acdb9c4bea

SHA256
f3171189d643919134db90bafd23e187dff5439af435a4a4b0ac06223cfb1ccb

SHA512
723afd96829a3b4492caec533d14e1ca32476cfc5513610b56716dbd4a2beda286029041476f13dd22d5c3207ee8f3ee190c0c1f0a61243979edeaa6515676f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_142pdoxq.5w4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1040-76-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1400-78-0x0000000000A00000-0x0000000000B30000-memory.dmp

Filesize
1.2MB

Download
memory/1936-60-0x00000000070C0000-0x00000000070DE000-memory.dmp

Filesize
120KB

Download
memory/1936-68-0x00000000076C0000-0x00000000076D4000-memory.dmp

Filesize
80KB

Download
memory/1936-29-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/1936-73-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/1936-33-0x00000000051B0000-0x00000000057D8000-memory.dmp

Filesize
6.2MB

Download
memory/1936-27-0x00000000027E0000-0x0000000002816000-memory.dmp

Filesize
216KB

Download
memory/1936-34-0x0000000005180000-0x00000000051A2000-memory.dmp

Filesize
136KB

Download
memory/1936-18-0x000000007483E000-0x000000007483F000-memory.dmp

Filesize
4KB

Download
memory/1936-38-0x0000000005A40000-0x0000000005AA6000-memory.dmp

Filesize
408KB

Download
memory/1936-35-0x00000000059D0000-0x0000000005A36000-memory.dmp

Filesize
408KB

Download
memory/1936-46-0x0000000005BD0000-0x0000000005F24000-memory.dmp

Filesize
3.3MB

Download
memory/1936-47-0x0000000006080000-0x000000000609E000-memory.dmp

Filesize
120KB

Download
memory/1936-48-0x00000000065E0000-0x000000000662C000-memory.dmp

Filesize
304KB

Download
memory/1936-49-0x00000000070E0000-0x0000000007112000-memory.dmp

Filesize
200KB

Download
memory/1936-50-0x0000000070540000-0x000000007058C000-memory.dmp

Filesize
304KB

Download
memory/1936-70-0x00000000077A0000-0x00000000077A8000-memory.dmp

Filesize
32KB

Download
memory/1936-61-0x0000000007120000-0x00000000071C3000-memory.dmp

Filesize
652KB

Download
memory/1936-62-0x0000000007AC0000-0x000000000813A000-memory.dmp

Filesize
6.5MB

Download
memory/1936-63-0x0000000007480000-0x000000000749A000-memory.dmp

Filesize
104KB

Download
memory/1936-64-0x00000000074F0000-0x00000000074FA000-memory.dmp

Filesize
40KB

Download
memory/1936-65-0x0000000007700000-0x0000000007796000-memory.dmp

Filesize
600KB

Download
memory/1936-66-0x0000000007680000-0x0000000007691000-memory.dmp

Filesize
68KB

Download
memory/1936-67-0x00000000076B0000-0x00000000076BE000-memory.dmp

Filesize
56KB

Download
memory/1936-26-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/1936-69-0x00000000077C0000-0x00000000077DA000-memory.dmp

Filesize
104KB

Download
memory/1980-10-0x0000000006580000-0x0000000006644000-memory.dmp

Filesize
784KB

Download
memory/1980-1-0x0000000000F80000-0x00000000010B0000-memory.dmp

Filesize
1.2MB

Download
memory/1980-17-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/1980-2-0x0000000005FD0000-0x0000000006574000-memory.dmp

Filesize
5.6MB

Download
memory/1980-3-0x0000000005AC0000-0x0000000005B52000-memory.dmp

Filesize
584KB

Download
memory/1980-0-0x000000007483E000-0x000000007483F000-memory.dmp

Filesize
4KB

Download
memory/1980-4-0x0000000005C50000-0x0000000005C5A000-memory.dmp

Filesize
40KB

Download
memory/1980-5-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/1980-6-0x0000000005D50000-0x0000000005DEC000-memory.dmp

Filesize
624KB

Download
memory/1980-7-0x0000000005D00000-0x0000000005D12000-memory.dmp

Filesize
72KB

Download
memory/1980-8-0x000000007483E000-0x000000007483F000-memory.dmp

Filesize
4KB

Download
memory/1980-9-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/2884-80-0x0000000005C70000-0x0000000005FC4000-memory.dmp

Filesize
3.3MB

Download
memory/2884-104-0x0000000007890000-0x00000000078A4000-memory.dmp

Filesize
80KB

Download
memory/2884-103-0x0000000007840000-0x0000000007851000-memory.dmp

Filesize
68KB

Download
memory/2884-102-0x0000000007500000-0x00000000075A3000-memory.dmp

Filesize
652KB

Download
memory/2884-92-0x0000000070230000-0x000000007027C000-memory.dmp

Filesize
304KB

Download
memory/2884-91-0x00000000068E0000-0x000000000692C000-memory.dmp

Filesize
304KB

Download
memory/4936-11-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4936-14-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4936-12-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4936-16-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4936-31-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download