remcos | 04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
Size

988KB
MD5

b2618fbb2e344dbdc7d4b33947d71531
SHA1

a56c4724edef9a8fef490520ecaeb30c8356e314
SHA256

04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452
SHA512

1ca8727770d6458785c1206e81fa6f69675afb521944a9206197bcc9737a81afea2a462bf93bbfbe836b841038e01c354fd9d2abdd902f13187a970a4ede6b57
SSDEEP

24576:X2leFeHHdWGhuvZJY9JuynjHOMt33ylD9ESMAwL1zGUxj:GsFsHthuvZJunjHOY32nMAwxL

Score

10^/10

remcos remotehost discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

192.3.64.152:2559

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-ZFXG9Y
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2868	powershell.exe
3020	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2128 set thread context of 2672	2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	38
PID 2672 set thread context of 672	2672	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	39

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a907cc1344750743988d8bab481dbfbf000000000200000000001066000000010000200000000393034e816e1ef18abfc5505ebddb2ed3355fa95de507815e9fed4ebc3642ff000000000e8000000002000020000000181b2fd1b8161f612b82ce762168f7b2615bb0f809e0e7a2835cd2bbf39388a62000000015283c4bffa7bc303cb8a6fbecd3267e7c4d6353ccf832bacaa8445be3180b514000000010041a06c959ffc44639eaf91aa99120843cdcd40e43e955ca8da19cb17d3e773e09afe3a8c92fb6c37322d7d75b139df63d919a78fc53208665d4588b83a034	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4CC69411-B376-11EF-BCD1-4A40AE81C88C} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a907cc1344750743988d8bab481dbfbf000000000200000000001066000000010000200000003031d480c363bb227a542c766214fe2dbd2e6850e017b473f11bf3a736755010000000000e8000000002000020000000f19e0b93d5776ce91ca5e8ba4371f5010eb3bdd923b1c638cda74ec56718526f9000000078fb7617c5203b09497c2d605ee71eecb84517da847b7e95cc7d820ebf4c8a141e90bcb52a854e3d660139b788d3ac0505fcb442659b4094283afd5a609ff26564f3c2cb515af7c30d943dd5c97aa5832fd4056092cb392b62094a5e1a5ae41db03eb64c350d960d6a290b18e577bf4a8265c78f11b2d5dc5fc66087bc2fa2d2fef59ceebd6fdb2692c0ab33755c438d40000000b4e2c24d26962045f3ae3876d852c116384796c5955a83c4ae7c06fc3f4a7ad5b3239ecc6f21a4432ebde708cf40e6d9d68468683371c2642fbca1ba68d02791	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439612482"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f074b72c8347db01	iexplore.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2668	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
2672	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
3020	powershell.exe
2868	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2672	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
484	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
484	iexplore.exe
484	iexplore.exe
2416	IEXPLORE.EXE
2416	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2868	2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	31
PID 2128 wrote to memory of 2868	2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	31
PID 2128 wrote to memory of 2868	2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	31
PID 2128 wrote to memory of 2868	2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	31
PID 2128 wrote to memory of 3020	2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	33
PID 2128 wrote to memory of 3020	2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	33
PID 2128 wrote to memory of 3020	2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	33
PID 2128 wrote to memory of 3020	2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	33
PID 2128 wrote to memory of 2668	2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	34
PID 2128 wrote to memory of 2668	2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	34
PID 2128 wrote to memory of 2668	2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	34
PID 2128 wrote to memory of 2668	2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	34
PID 2128 wrote to memory of 2664	2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	37
PID 2128 wrote to memory of 2664	2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	37
PID 2128 wrote to memory of 2664	2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	37
PID 2128 wrote to memory of 2664	2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	37
PID 2128 wrote to memory of 2672	2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	38
PID 2128 wrote to memory of 2672	2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	38
PID 2128 wrote to memory of 2672	2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	38
PID 2128 wrote to memory of 2672	2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	38
PID 2128 wrote to memory of 2672	2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	38
PID 2128 wrote to memory of 2672	2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	38
PID 2128 wrote to memory of 2672	2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	38
PID 2128 wrote to memory of 2672	2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	38
PID 2128 wrote to memory of 2672	2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	38
PID 2128 wrote to memory of 2672	2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	38
PID 2128 wrote to memory of 2672	2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	38
PID 2128 wrote to memory of 2672	2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	38
PID 2128 wrote to memory of 2672	2128	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	38
PID 2672 wrote to memory of 672	2672	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	39
PID 2672 wrote to memory of 672	2672	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	39
PID 2672 wrote to memory of 672	2672	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	39
PID 2672 wrote to memory of 672	2672	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	39
PID 2672 wrote to memory of 672	2672	04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe	39
PID 672 wrote to memory of 484	672	iexplore.exe	40
PID 672 wrote to memory of 484	672	iexplore.exe	40
PID 672 wrote to memory of 484	672	iexplore.exe	40
PID 672 wrote to memory of 484	672	iexplore.exe	40
PID 484 wrote to memory of 2416	484	iexplore.exe	41
PID 484 wrote to memory of 2416	484	iexplore.exe	41
PID 484 wrote to memory of 2416	484	iexplore.exe	41
PID 484 wrote to memory of 2416	484	iexplore.exe	41

C:\Users\Admin\AppData\Local\Temp\04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
"C:\Users\Admin\AppData\Local\Temp\04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2868
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DGlxtFUfY.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DGlxtFUfY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1A25.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2668
- C:\Users\Admin\AppData\Local\Temp\04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
  "C:\Users\Admin\AppData\Local\Temp\04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe"
  2⤵
  PID:2664
- C:\Users\Admin\AppData\Local\Temp\04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
  "C:\Users\Admin\AppData\Local\Temp\04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2672
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:672
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:484
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:484 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

Filesize
579B

MD5
f55da450a5fb287e1e0f0dcc965756ca

SHA1
7e04de896a3e666d00e687d33ffad93be83d349e

SHA256
31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0

SHA512
19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

Filesize
252B

MD5
063271ad2443f7ca309327738601ed0d

SHA1
01712908f676d6eb443f71678208f7700bddc3cc

SHA256
9f529877be1d2a70877d6ee4533b43aa3d420c361c8368d56a8275338bb71819

SHA512
2c63e5b2d759cc57f6121c221ab0995e60225b42641a3e32b8a13adb03d8313af716b33985bbe5741be0f6bce7fc8b1d059d2bcdee2d2562760c96760a0878b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e24ad230fb0f40595c2391c59d19b30

SHA1
d3ab8fbb5218c922d8054f9d4616cb3d1f121849

SHA256
22cd6d8d39d6377ff0b481bebfb33acd6f854b63f34b46782c8aa3ff46fa8624

SHA512
ce88307c4b81013ec7e7c0dfc4ed810caa219c0a83d9ed34eb0f51726efbbb183f2a08e81dd66e659b5362629d69d9d1854bf42ca646fe472f8fda99b3917c77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d22c2878b879bf1fff32aad84b2110b8

SHA1
257015c3ba35533dcfcd1b030b8c8c1eee488020

SHA256
fd663297b7bc6dbca730b0fc283119743a54443505fd7673a57acae9dd4db2a3

SHA512
9529f4c7ed2272d1170902012aea339880f0a8c9c71cb991d4ddcdd00b6529687311e1842a0403d1d12d63fdc4e9992a6b18edeec832a1df67b28a5f04824645

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb72894826551ee89f565d613175b0be

SHA1
bc4a9f9e338b6168c83aeb8cfc9ade6103ac2b0c

SHA256
b98f5b70044feaeafff152233b4b2cfa79bffc1e29934f45e0b397e2d9921157

SHA512
51b2a6d4ba4c962ce6779928920774c303e8ad4354afd2c990c99319fdf0cff701ec72d9baaeacd06054a7decdd47c5349ce450a3b235afc8f5774752fee2957

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f6b8355b2ca77aefc128577ca36df65

SHA1
41fd21e8fb7c7960c5611ffa9da2032a39744320

SHA256
9fd2fa65a10e45ecf81da5540bd225236c7b768347377c12c8d9754e8ecb849e

SHA512
7f6742338fb313cca8916b8bc59bcf799f36e01c82fe04228634b882575df233ea00492c1d483cacfbe2288e9bd8d04ea88c43bdff1375f7807bea53c4eabd9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0940a30f39b3b296c14cfaeada3c3147

SHA1
56c91392e592cdd18e480016584387d1224c1ce6

SHA256
0d76f90f9d54319329f31960142754b0a1df55fe4546a97028f0ed2e6beac7ca

SHA512
bc85ad8daec82d4aabaa0a536ba8acca78e262f6c40bfae28a3aec8ae7f93d1d3d14414f06a18ab12e278235a39629aafa72c9228d0d92b7c787dd572b5585ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49f00a7d3761d88b8456df3941010868

SHA1
ee5c2cef31c26d6bff3e6acae70ec2a8c0c454c9

SHA256
41b4fbc98d0594f245889e97d858573b5b0cb26c6a17e0178d0e5c0be354efd4

SHA512
4ab9361cf0a1fce54580ac08602c4e234338c29057cfe1fe95e656282e7e9b711b9dc48fd39bdb599984c5b25e046717c11fa7958671ad9a8605144a8efc3c2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ff1e1085dfcae23cdf3543a2b46b12a

SHA1
2fa738b2569e6085c18f82c6c766d723bd6b361e

SHA256
e71b7ae9b82845f118a716fd8a3b762fc779b9cb8f0f9b2c9f9b4a631cad9471

SHA512
2fb6a2f0af78efd4d7f5e37d47ff9c9a84d6158bbb593d6821493cb6f020085a4ba21697322dcd330af0af9209fd79db428d7dcab3b44b6408a03b83dbeb26e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04dcf9932f5efdff9b45e96aac000887

SHA1
a53c7c1385ee0ffd78377bad25f3e2cc5d82d8c5

SHA256
8f3025a264286b4badce49f117a57ceb083c2fa59fdad4548e15f6f3c43a8bfa

SHA512
57ce8b2b98d22d02346d54ec37e92a4bcfc40a967831e53f3cd36a0a5135dd868fe8ba6d10e47a4e0815d8c84688b74f49e367dddba67a8ee2b7de5009f072f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74f744fa195b778f3504d43b65965b18

SHA1
2e63137ad979f55f023ac1875775b438fc555467

SHA256
469e67e40cfd5e447029d942eb5b61a65feff9495151a4f2d89f8ff12367051d

SHA512
cddb11ffce1ed35be80b6a70244c49b6dd1e9e9d096d50a50640f77eb760cce7fc619f41c117fe4531520362e0431d80889c41b9f186db9b0f322bff4424b9ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
366cfc6faed2e314e2c1078c36b8a67f

SHA1
dcaa4cd98186070c5cedb2760075b131efeca049

SHA256
9c4ba205282e234c9b0e6c181be50ad3f5649dc62398f7d4a5bbd2ecd3a523fc

SHA512
72ea15f1fcb395f18cedd79c1b05a981cc9c39e5ffefeb870e7c2bb34f48a78c90350aa47ecb802d4aae995f91b6a46e7624a1203c503a5db4ea463b6e9a79e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6bfcdb20bd3fd9dcaec76e8f47a92666

SHA1
45da9be55dcb48f56a01bb434fd63f9e9816f9f6

SHA256
dbd6164cd93d4f1f424a6a230cd111f39469ab451257dc309a89772e766d685d

SHA512
c77a8feed8fed6294ad856067fc28a688e30e769d5f2de3b52e997bd1a8a0a92c7a7161a2135531587ad6c8dd7c3cf461a019fd9673c60d93af419945caded8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
31e69851d6b6cb2de9047ce795e0e422

SHA1
6cda96b7f744f7c874609758aec394e3d33b70df

SHA256
ccd2e1b6434f65129a90a3faf96cd207d3cec334570d34f63c4f930a28fbc4c4

SHA512
8d261108dc1ffc63bbbc4ce36ef7a1250d14a9268b9717024206effde4436519a0ed134ce9dc10fb3d33f50f2b371762bcdb070aa6ed18dcb64d928d5886bec4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d71b06bb01f0e67e8a139cb40e6e471c

SHA1
9b4325f192ebd38bcfa191c2f3ac8e3f5bea14d0

SHA256
5b81ee279fb8c4301d1fb45d0ed799d6e7fc654c4be4c1b85755f463616cedac

SHA512
78d5431d03c88067de944b2e706b3f8c7ff700d0cf2245169b0e338e0f2de58edec938d1bf1170bbfd69b84698ffa3dddd5b2d1dba92041330ab33648086b2eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4504e45617bd8f5b6092e6bc9e5d0f40

SHA1
1db99d1198574924323291d57fd79947a3318473

SHA256
4ba2d0c2a1bc9d460937b7e4c96751dead6ea1dbc536b80066d5bcce175bff74

SHA512
92d0f056c08b4996c4d5bbde4cecb49d76a9e02f7515ef75979f387d40c01bb825a3298320dd1536bc291764fd3841712476d4b1bd446a104ab720e15aeb683f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6048bfa9732b86f614a1173c46346fae

SHA1
eeefdda3aca198fc84c702f967bff521a3fa43ee

SHA256
eb617f663f7279ce35fdfa23743f6d78052155709c6f5b6973bc11e8f2da31df

SHA512
6e3c0fbcc4db35e63fd3b7d2f58f08237e9541dbdf9498d3985a94068063f98a4418e84a2db6f8a460e391c5b310607428036a727e634548cd001ed989bbe98a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
198a2600a28920b2c6217101fee91fa3

SHA1
b9fb26e567677c53e7da2993041bc54255cac475

SHA256
b2f4cc3b2268a58bceb94a881620cb5f207bad89cae96f62b7e7e472915114a7

SHA512
cdff44aa56d967f63dd79f702129ec2f0f9f8cd423fd99b8c0f719bdd3e42bbfa6da35440acf9ca32a885f3646a318f1a55c3fe871eee97e373a139a96b2ec1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd9af32630f00e2cd6d699385491d9cb

SHA1
d5750e8b7b2a90515db3cb682eaf81a7fe941a00

SHA256
24fe6267ee525d681f4b86155026b24032d097d0936a44538b80c10dd0e55616

SHA512
d3661db3684927ed348c371d5f7f8e118c7381e718f5937f5d7031dd36848f2b1607b9446eab1d2d7459dc2fa51c198e2e84ae76dc61f3e21e663b4f7e8a3180

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
641f32be5993116deb5c5a26f294a768

SHA1
dfd494eae3b2df248049b1d4954eef7dde482a75

SHA256
d33451fdee6fd405d6f0f38992b6a46c9297ebf0db0a77fcfa0947185057d978

SHA512
99bf050a4816991a6c0d0579edc87925789fde559913eabf52e11b46ca203d590750f555e0f18385cb3edd9985c9dd71281cc7f53ced5bcfa68a200669adae77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96d8fb7d571e220c5c8c8584fd370285

SHA1
c304b6b3c00f38312db9d31ec91ec30638c7f4aa

SHA256
99379593464dcb1ed27e35a1f1894c4aab2e732321c5754eed69db5086a498dc

SHA512
a5163d4fe232d4de2d29c0f0ed61d4eea31c8cd99c8cc42fbdcb9b1acdd41d0f514cd1b5af6873cfbdd7615fdd1c9ec0de574f30c0abf79d070e2d1e2ab1d4ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da39722e304d01a4aef363396a4f96e4

SHA1
87189910e695b2a1a873dfe8fa58d4f2fae98397

SHA256
ca9c75db744c5526912388c56a8714405de7fb187a766b4ba776ef47dbddda85

SHA512
87e500b036fc7a151c430747dacb8c6c21e1bd05da6b81162a1d853b8b3f92df239afbca451cd2f1fd94ecc682b63a0790744096d3f94f29541b610169337ca6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e50dfde79c80496b8c5c1020e1df7664

SHA1
7973d7548c4e2fa41355c9dfb22a1cf27c330a4a

SHA256
2a6205ce62b260acac8eca80e975fdb6a9ae21f47ce330bc51e1571ebbb8d0f9

SHA512
36e690afe656b62dc2cde817aa08f0aa722a8ee861d67dfbe90d9664e6dc2363f39e9a1cefda51d5c64c7743367d41e2c893907f2048652a744be0d33d0209c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f5cf59d34e5825b6b694a4d2eec2c08

SHA1
c4aac7423ad3fb938977fe52132346fd368f9c29

SHA256
d14ad50fef33d52246279b1c80eb4dae3037e4ba871151d664b4318d6d1476dd

SHA512
d0e6863fd1ed4ba0783e1587b9707e0ee6c22214742d464f6bd1b043f8763aadef5908b58a6beb13e9a98f4f8bc13998115763e4c42115922952a7b1589eefbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3B9C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3C5A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1A25.tmp

Filesize
1KB

MD5
67daa1e2c4f21adfb22abcb3d8db9bdb

SHA1
a7297a709bdda7fb037c94e75d052e4cfe342d73

SHA256
ad761d0f94dc227b0ae9c76ddb46b47d094ae4763dbed6328e6c7a40154ffc45

SHA512
94fe5dcdb227524ab584a109e59cde160a0b65b7193cf2a215060a644e18d713f8e99413436974dc88faaf326e502bd43f6be3657c5b6d44ccb5301055db2271

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H13M0XX9P3U0GG2H6BUY.temp

Filesize
7KB

MD5
f4dae436ed8638bd550cb4f28dc9930a

SHA1
f4a6257724dbef1979b664bd4f7530ce7b844a0c

SHA256
223aede70109cc36ab6e41438ce025cb2e571b4dedf75bec86fc50d44fe1ba20

SHA512
87504d4bf3353c8eab9ce474e4a76cca38389e083c30e1b4671b5b3c906a12363de5392b7ad5370d25f685057a3aef5a5bc09ebdaec73cce765f92dab346bb00

Download Submit
memory/672-38-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/672-41-0x0000000000270000-0x000000000036E000-memory.dmp

Filesize
1016KB

Download
memory/672-39-0x0000000000270000-0x000000000036E000-memory.dmp

Filesize
1016KB

Download
memory/672-40-0x0000000000270000-0x000000000036E000-memory.dmp

Filesize
1016KB

Download
memory/2128-1-0x0000000000CE0000-0x0000000000DDE000-memory.dmp

Filesize
1016KB

Download
memory/2128-2-0x0000000074EC0000-0x00000000755AE000-memory.dmp

Filesize
6.9MB

Download
memory/2128-4-0x0000000074ECE000-0x0000000074ECF000-memory.dmp

Filesize
4KB

Download
memory/2128-42-0x0000000074EC0000-0x00000000755AE000-memory.dmp

Filesize
6.9MB

Download
memory/2128-5-0x0000000074EC0000-0x00000000755AE000-memory.dmp

Filesize
6.9MB

Download
memory/2128-0-0x0000000074ECE000-0x0000000074ECF000-memory.dmp

Filesize
4KB

Download
memory/2128-6-0x0000000005DA0000-0x0000000005E64000-memory.dmp

Filesize
784KB

Download
memory/2128-3-0x0000000000A30000-0x0000000000A48000-memory.dmp

Filesize
96KB

Download
memory/2672-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2672-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2672-30-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2672-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2672-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2672-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2672-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2672-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2672-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2672-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2672-19-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download