remcos | 04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
Size

988KB
MD5

b2618fbb2e344dbdc7d4b33947d71531
SHA1

a56c4724edef9a8fef490520ecaeb30c8356e314
SHA256

04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452
SHA512

1ca8727770d6458785c1206e81fa6f69675afb521944a9206197bcc9737a81afea2a462bf93bbfbe836b841038e01c354fd9d2abdd902f13187a970a4ede6b57
SSDEEP

24576:X2leFeHHdWGhuvZJY9JuynjHOMt33ylD9ESMAwL1zGUxj:GsFsHthuvZJunjHOY32nMAwxL

Score

10^/10

remcos remotehost discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

192.3.64.152:2559

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-ZFXG9Y
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2156	powershell.exe
2884	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 236 set thread context of 1568	236	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	37
PID 1568 set thread context of 2956	1568	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1404	236	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439579758"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cd0147eb085e5945b111b3f1afa984ba00000000020000000000106600000001000020000000d5d903b62f119bcae542a910ad05b4d390e107204e7596182c16d267cbb14801000000000e80000000020000200000004234ff515f7363a5931c6581b1fe9033b8a6fe23309a1ad4d8d8d32e677fbdf390000000cc92964ef63cb000567a055a4422a6121ac114b236936611237be23582ed066d7576f94cee2f42c702218152a8e78fa1aeda9a31ad503ef412aa37445bc8e036deff829b1b8d9550635731da6fef567cc42fe9bf61bb04e6d5e82f0711ac7b968eed191b94be49763171e6f57ce21d01d181ebee24a660e9b28e3ebaa03efd658d030295d8cc1cbb41800c6f95aa721d400000002996138da2e55a5c255ceefdafafd28c86fae1ee9fe644ef588ae2da12493324cb8720f25f02148ae0baf1bc51f610787af536249fdbebd29b5e573c79f77f57	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0b2d6f03647db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{193F5CE1-B32A-11EF-81C1-5EE01BAFE073} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cd0147eb085e5945b111b3f1afa984ba00000000020000000000106600000001000020000000814b7bd286d44e09ecb53bf85b0fbbb29552cde990aa5f40d35fcb7d247994fb000000000e800000000200002000000048249c0e530f7e3f579a650433c89d48b01702a4555823d36ac2d26000dde9c020000000e7939a50e8871365533f591e87fc43c7ae9b1f3124af0958b0769260342e03894000000095062154b356e678a2d3310b329495a7300e4c783edceaef52d021c8c7873bf73efd9a3a2d0c65053bc10dad7ebdd2c6251d6ded9c75c8497cc39f0a4ba2f3ab	iexplore.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2640	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
236	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
236	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
236	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
236	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
236	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
236	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
1568	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
236	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
2884	powershell.exe
2156	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1568	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	236	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2952	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2952	iexplore.exe
2952	iexplore.exe
336	IEXPLORE.EXE
336	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 236 wrote to memory of 2156	236	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	31
PID 236 wrote to memory of 2156	236	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	31
PID 236 wrote to memory of 2156	236	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	31
PID 236 wrote to memory of 2156	236	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	31
PID 236 wrote to memory of 2884	236	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	33
PID 236 wrote to memory of 2884	236	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	33
PID 236 wrote to memory of 2884	236	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	33
PID 236 wrote to memory of 2884	236	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	33
PID 236 wrote to memory of 2640	236	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	34
PID 236 wrote to memory of 2640	236	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	34
PID 236 wrote to memory of 2640	236	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	34
PID 236 wrote to memory of 2640	236	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	34
PID 236 wrote to memory of 1568	236	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	37
PID 236 wrote to memory of 1568	236	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	37
PID 236 wrote to memory of 1568	236	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	37
PID 236 wrote to memory of 1568	236	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	37
PID 236 wrote to memory of 1568	236	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	37
PID 236 wrote to memory of 1568	236	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	37
PID 236 wrote to memory of 1568	236	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	37
PID 236 wrote to memory of 1568	236	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	37
PID 236 wrote to memory of 1568	236	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	37
PID 236 wrote to memory of 1568	236	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	37
PID 236 wrote to memory of 1568	236	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	37
PID 236 wrote to memory of 1568	236	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	37
PID 236 wrote to memory of 1568	236	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	37
PID 1568 wrote to memory of 2956	1568	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	38
PID 1568 wrote to memory of 2956	1568	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	38
PID 1568 wrote to memory of 2956	1568	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	38
PID 1568 wrote to memory of 2956	1568	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	38
PID 1568 wrote to memory of 2956	1568	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	38
PID 236 wrote to memory of 1404	236	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	39
PID 236 wrote to memory of 1404	236	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	39
PID 236 wrote to memory of 1404	236	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	39
PID 236 wrote to memory of 1404	236	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	39
PID 2956 wrote to memory of 2952	2956	iexplore.exe	40
PID 2956 wrote to memory of 2952	2956	iexplore.exe	40
PID 2956 wrote to memory of 2952	2956	iexplore.exe	40
PID 2956 wrote to memory of 2952	2956	iexplore.exe	40
PID 2952 wrote to memory of 336	2952	iexplore.exe	41
PID 2952 wrote to memory of 336	2952	iexplore.exe	41
PID 2952 wrote to memory of 336	2952	iexplore.exe	41
PID 2952 wrote to memory of 336	2952	iexplore.exe	41

C:\Users\Admin\AppData\Local\Temp\04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
"C:\Users\Admin\AppData\Local\Temp\04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:236
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2156
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DGlxtFUfY.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2884
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DGlxtFUfY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1AC1.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2640
- C:\Users\Admin\AppData\Local\Temp\04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
  "C:\Users\Admin\AppData\Local\Temp\04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1568
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2952
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2952 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:336
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 236 -s 1044
  2⤵
  - Program crash
  PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

Filesize
579B

MD5
f55da450a5fb287e1e0f0dcc965756ca

SHA1
7e04de896a3e666d00e687d33ffad93be83d349e

SHA256
31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0

SHA512
19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

Filesize
252B

MD5
ffde14c0a06ebe64914d6a6d97105e78

SHA1
b5c419c129d22fb2da3f3844814be4c4c2a4d908

SHA256
5cde4890a703b645739f5c12f326b74143a928eb2a3a14948e3bda8618afce26

SHA512
3e3d918c5d30341824a2dc8b3893a69d5b97b483656a92fa75099f810af0fa7d3f357f9d0f55dd9a879518d7c11244b6599c16110de74d9df00db21e8f149b21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
beda44e2e358622372a2511c4b495079

SHA1
cbff7c99e3ace95cbdb22878905912a8bb01e3c8

SHA256
61af5a5326597e04041aad39ab76ebda4d2e7a3dd2e998ab241fe50b1614215d

SHA512
2fbd5d4d4adf7645e399103a1d76f2a456d251f93dc46e6d3475dad2a8fc4153d1241505c0b5ab735d95669753cf36af97035e243a70e997cc536dc0256de546

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0bfa7983583bae9feb75f7dd0dbd198f

SHA1
d0982004d5cd2ecabd7adf833904a9e3f7013ad4

SHA256
d9c4ef25166b96ace73294d205cea36c1f2ba9b9e8c314d4ef3de299b00988fa

SHA512
9f2534792fb3a7b7d7b16df9d46b06591ce393c25a0368689a712e466cefde35795975fc8eb96539b34384c3a41e9309a682a9591109ed5da8f142d612f265c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
872c4db588e96add00a634a0b8ad211c

SHA1
b3a2d17c427b23872cf9be7243167af181a8f3ba

SHA256
4a668fe9cf01ff399e6fc10e2384c3dc3a0778ab6ef4ee36b9a0d5ea6a7eed3c

SHA512
8640abb75bdd203ca32ffa3b7bb34c29d191fdb0f30e8658affff8fef457de5653218f013f57dce6d1d751f9cc5eafd5b26bc7d853a541c73bff9b5b6d7beba2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8830252c41c0495a2cb2020e4b319c01

SHA1
0ff4c91a304cae5eddaa78dad9eae58a867c0bea

SHA256
7ccc2a33c8086f974ab87043693a315ad305626323ece1ee8c8c1d6ebf1159fb

SHA512
d96b66ce5ac2120dafb342c905da393187ea78503eb288cfc4df13603edc264e36342c085b438b4dae4df1fdc79ddde9cb23f312edc6f3f97d63e3ac79cbea3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c913669a1503874d060f185415e2296

SHA1
1d92eab7ae8a9301a88eaa28f2aa818718386c76

SHA256
d30045d22a1ed84e1702c40e0dca61b37154a91bb7ccb8ba7fa8b057511f154a

SHA512
e7acdf8e8b9b059bfd0c5bb2c33a156ef8d65c700facd895afc3e362e5dd06d3fbf1963f46d721dbe1538ad390fd7f57f79e00e90a86a15f6baa440182206523

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
788d76e38e57d18c3b40db5dd5e19f23

SHA1
9f8ba72fa6cfc94ba5c85a9981a46c57814deb0d

SHA256
e22198ec8a5a584a15bfe241a85fc91fb4104cdbbbc574410cb7f20cf3d28ba4

SHA512
a998da5fdecbfdb69ec4f4ceaa8831264f87a4302043f6bf30654992031764ae8d6bd8dc39f25e3b602cf4b521f2afd0238a0373e7b2f4eaf5d3cd0533d3386b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a8d1bc1c45a4486aba3fb9196337ba2

SHA1
32f4a7c8661ec3641a5e7ce67cb45c48bb1a2ab1

SHA256
65a135eeeb509d2f4ab50492d96e48be6d87b58a6eb9f7a5ea05c229c3006d34

SHA512
0b9a45224317b68b75cff550822d46929c3545dce5dec773407aef1dc872c65335405b014cc8df4c52fb20d60212c9b422b584d2bc738aabb4a9e108b6f9a4a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d525a1ee6a9139d61411257323ab276

SHA1
8f85aeb21abd715b5489507e69f30114989a5c79

SHA256
eaf986efaca2e732aa73763bec9d1ed9e4e181a921bb8b60db13ae47aef05df4

SHA512
3909247e4dc2f422d72ae87b875a8428654f91c4c680e622249e8e4760b082bc3e3fc373a38ee25ade969f58832fbf792b9d6e3831fadb72bab797bf979db16c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56c61a6806acb702e65c23e41fdaf9cf

SHA1
b00c1d43f5a2af75c565b3040cd26a0e7b6a894f

SHA256
e33427dd47247768b45f4653aac678dc865e19fb83260d922d82637227bf1c73

SHA512
e58c34ed486143f7f270c805a3bd5a62d22702a3304a9aeda5d1094dcd5b98de91780ae8ca735ed31ca0e1af639eef78b941e6ee2dc804277070373b4815c18f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35abdce0706906a6654ecf9671ed4b34

SHA1
f453eec610244873a0f92d2b313ab83b8f5c437d

SHA256
968f95d2084f77137e94d7d3ae4fe3a4d481a039735b51571873d599d0151979

SHA512
b194851143146bf5447b959f51ee6df59eacc6f66ddadd9c50dc2e2f2c7a556f742e40df2ac6471222257fcb1bf9cb458b4ea00259737579a1384fb12ed3e6a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d303ea8d4a0f7f74ad38b8a40a59c1f4

SHA1
191654b278439f61da9e8992ce48127e205c43a5

SHA256
2edffa51ff052c1291a82377ba6b4f1e6c3b1d0b55d94c49eca30f7d33cd2aaa

SHA512
3aff4bd104df967ff62ed7d5e99c4d8ba59c80095f241238d24030031b032031b73136e1126ca55e86f896c765b3cddd33a785658d773d6c09f082641fead94b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e50d973a314c9154f15b80dd8a1a0c5d

SHA1
230d968c1b192c4613f77d599378a37a7ce85c86

SHA256
09cb74b3be327a0689f0512c0d4ea76b27b98491dce518602ebf729150e5074c

SHA512
0c8e222d0694b4a1a9fa6976c246f0b51f02d75a81d0f0d9a1e4ff9bc42a2202657ae643ae9415e4ecb2d8da35f73712915ca858375ef180075a6e1931f803f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb202d9623d9887466150939cdcea4f8

SHA1
aaa60cc701dfa036917f6e7b8561abff68e5a7b3

SHA256
12493b5d4750c51b3c47a79b1b78388c5d73d329498bbe5592be5927b53361e7

SHA512
81568c2f15421dcf8f6a95c5854d8cf9f6199b14232c9a716381d71881290b1994d8f892ee2b3f23e372cba7f043fe5f18ab08e86053f9b770f3a19247314423

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bae545f8897cc6a881227fedbddcafa5

SHA1
fcab7f5e28b8d0ebf4223f3a3849b7c9eb89e90d

SHA256
3a0bd0ad27b2c9eecfe592150e36e899a8461fc962065dda2e0f745eaa8e3b82

SHA512
5f5ba52a4dffc0b4f52f5f52e126a2546dd5346b190b755d1a59cdb027a2038aadfb68048ecb72c00516cea03c4ef34290029096ee2a9ea2ff424a7124d0fc03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc74985300302627fbbfbe414cd3e246

SHA1
038a9c9e5edaa7242770b94739e9262a328a9ccb

SHA256
57c1a53ead3249a7bf5e6222d05278048dca735b741406156b45cccf25e3c858

SHA512
7f58cee871a1cabcb79b7562a6ca7e83b722b117b52c2cc85b36366f3d2b7ddfdf576bf060bee33cdbaf5d98dba619e6af5806dd4dde10b2a8b843cb8321fce8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e9962342ee9c49b0fd6660ffbb6ce756

SHA1
42fa43237c288a85c58cfb8d29f469eb712f2dab

SHA256
c227e05b3db65a342e102145a0ce006069cf7011ddf147c54e680c36ef6a36be

SHA512
522ad6a1ec24d58a5fcfae6d5a45ddf0b87983d941294f1e6c3ada853db9c80e80c145ed0bf01a192e241f2b0bdcf22bbbebf666f66b6705d3747e9fc6555a2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d03609a7b1acb2e6e460262c454bf63

SHA1
cf4519edf0d7ca93a7d1706c5c84fa26465bdec8

SHA256
c894423fc083ee007abe286f470fdfdb9f7745e26a9f06ad10faa49495ed781d

SHA512
e8879c4814dec947e4a83d0dd38bb7d85792727c311924941f7c64f33563b2318d131debe1f49ffaae59995210cfa864c40032cdf983c37a02d516abbf672f5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
64790687260fe87f1bde48b02c201865

SHA1
df2616f4a89366552a8577446d98ac434e82a7f0

SHA256
be024305809898061ac38c36c4187118ff24667bc1bfee3c3e50d76a2f37cb31

SHA512
c38f53789dbfaadf5777d59a99a998c54312cc1c34c62ed6b661590bd1f66b02f7689013e62168c502a2738885ea9861ff94b52e75127d8db43014d503cd769a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c49c1c9fd6cedecf2c3618bb5c78405

SHA1
3f2f3739eddbf26ba08721d61e13e0b118ff3f98

SHA256
9e744f1377778a57a17248dc763e60e157289682a1ef6c0419d64ddf0447499f

SHA512
592c16ed4d718064af99078ef4b292fb8096a04dcf38195c2dcbbdfe3d6c480818e29a84c95d68456be11c7a0e53d0b5b5206f676f447fd5e9020643f6c186ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c99957b6b61becf3e1c7d7942e6235c4

SHA1
84b12d8278931abf5413967c802bb83c69794893

SHA256
6ba67f41dd1563a0177995e58c02780d029542ae3dc2db25d9a0ea551772dd28

SHA512
486e559f9bdd77f7e34ede95554c23a98c05415665be159739ef552e8e4cc7993be8ddf9ed893f97b8a2ad2431bc0462bfef021a2cc3ea817d1dd3d369a4a8d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b18760b7c9c53c705f36273bef8b6818

SHA1
978b595303c2a46340a16957dd447aab9f5bdad3

SHA256
47cf149e4bef51680002aa823f5ef352b7716f088022a7c7b00fcd0154de9012

SHA512
68cd4748b1ea032a582ecd502c3ed681562f367b32b3ed21e8a6567cae6f1ce47675ffdc1ce10a1eb61a0131f849bdb49b69780d7aedad286d8786be1682ce9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6314933ffb6c7ed398b724dad081dd4

SHA1
415c7a91558fd868513ebc742c804a5c03421b36

SHA256
12ed37e06fa93518013ab5dab3ff18e266256f08495f5b0afedd6a07f846c556

SHA512
84c7538df7187aa6e34657aea6d2295400e6d1a7ad25ba378417b4424debf2beea7e1c944c576f1904281e9336d3c9e1d14c669ad6b83195f24cc6b03fb17954

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c63dcabefc01016ae3e72bee90f47c0

SHA1
22c43b33e0c743641fd2e24be0c34955b3334a1f

SHA256
24cfda621452776e614c2447442fdd2d292b36a5737e780cb1bfbe8d0ec07fe1

SHA512
109ee113f294e2137aa98945d277bf670e811cc68cb514d757c8c66d1201ffa45f4781d864eb6abf522ee049c038b9a92f7b7341d72acfb53f4e96acce7faf21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e54f782455963a7bb8065c54d703591

SHA1
a948991d1a62630c15c9c713edef4e8de6f7eb52

SHA256
1e19812fe1e8911bf2d4d1c957b4174e765de08fe0d279598389d08bb1e9ef1c

SHA512
bb6e87f51390d606c3df72d683c4e98d96edfc80b2df70a38b20bcbd6508bc2e2301dadec316118f53938a3a46b6e879a0018688096940f97ea7c49a6156cc6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3A64.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3AE3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1AC1.tmp

Filesize
1KB

MD5
8919f3696e2371cf18a9a9830294424f

SHA1
74e150d8c41d50440b43be41bcc568642774d633

SHA256
a3a575864d1964841ec9c439cf432c79abac979371879b8d4a3b95473b154b39

SHA512
7111bbc9a2b3f3be3d503854daa43071bc1482229ba456985eda2737d811728b13124299953435ced40e35cdf19dc60b18651c42762a1025f4d48ab96cc9504c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
2446188535431114205a94ffad776c76

SHA1
2f81707fd06e3a004340f2afa045bb20dfd7b8f8

SHA256
7a21600b69fdb9fca72945de18e7d2a6f208282bec3e8bf8f7117d3e3c9e7c75

SHA512
61266ad1f98c80e3de83a34bc4cc5fe7a7717e213763524f493b7db259be0bbab4e9146c772987f70b5328a2d4d6e98f1eb1ef9fd6789d10b30ad5a59f033ab3

Download Submit
memory/236-0-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

Filesize
4KB

Download
memory/236-42-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/236-1-0x00000000009E0000-0x0000000000ADE000-memory.dmp

Filesize
1016KB

Download
memory/236-2-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/236-3-0x0000000000940000-0x0000000000958000-memory.dmp

Filesize
96KB

Download
memory/236-4-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

Filesize
4KB

Download
memory/236-5-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/236-6-0x0000000005050000-0x0000000005114000-memory.dmp

Filesize
784KB

Download
memory/1568-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1568-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1568-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1568-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1568-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1568-19-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1568-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1568-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1568-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1568-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1568-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2956-39-0x0000000000080000-0x000000000017E000-memory.dmp

Filesize
1016KB

Download
memory/2956-38-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2956-41-0x0000000000080000-0x000000000017E000-memory.dmp

Filesize
1016KB

Download
memory/2956-40-0x0000000000080000-0x000000000017E000-memory.dmp

Filesize
1016KB

Download