remcos | 3123af93014a5a5c49aa6fd2118f6805041af178c222be27e30b2fd477085c19

Resubmissions

11-12-2024 15:32

241211-sy44nssrdm 10

09-08-2024 21:57

06-08-2024 13:01

06-08-2024 12:52

06-08-2024 12:29

06-08-2024 12:26

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1/0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe
Size

1.3MB
MD5

73d006e33d8eda033e684c07b15c53ad
SHA1

e3e0a09b37beee1e19d5a6b9fd5322f906f4493d
SHA256

0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160
SHA512

1b2822a9f568783a6064194c21e4147ffb10c1a0c3ca00f586f3306cf7b5d0bee39af5dad5a78f720d75c09b0b71d44c75d05d9b432b1159915977006e9252db
SSDEEP

24576:KAHnh+eWsN3skA4RV1Hom2KXMmHaKi4Tivd32MUMh9ZzU2Fk1gn5:dh+ZkldoPK8YaKi4mrUUZbk1I

Score

10^/10

remcos remotehost discovery rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

192.3.64.149:2888

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-7Q1GRN
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1976 set thread context of 2276	1976	0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe	31

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	rundll32.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
1764	NOTEPAD.EXE
1668	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2388	vlc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2728	chrome.exe
2728	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2388	vlc.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1976	0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2792	mshta.exe
2388	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2276	1976	0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe	31
PID 1976 wrote to memory of 2276	1976	0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe	31
PID 1976 wrote to memory of 2276	1976	0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe	31
PID 1976 wrote to memory of 2276	1976	0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe	31
PID 1976 wrote to memory of 2276	1976	0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe	31
PID 2728 wrote to memory of 2568	2728	chrome.exe	34
PID 2728 wrote to memory of 2568	2728	chrome.exe	34
PID 2728 wrote to memory of 2568	2728	chrome.exe	34
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2772	2728	chrome.exe	36
PID 2728 wrote to memory of 2880	2728	chrome.exe	37
PID 2728 wrote to memory of 2880	2728	chrome.exe	37
PID 2728 wrote to memory of 2880	2728	chrome.exe	37
PID 2728 wrote to memory of 1620	2728	chrome.exe	38
PID 2728 wrote to memory of 1620	2728	chrome.exe	38
PID 2728 wrote to memory of 1620	2728	chrome.exe	38
PID 2728 wrote to memory of 1620	2728	chrome.exe	38
PID 2728 wrote to memory of 1620	2728	chrome.exe	38
PID 2728 wrote to memory of 1620	2728	chrome.exe	38
PID 2728 wrote to memory of 1620	2728	chrome.exe	38
PID 2728 wrote to memory of 1620	2728	chrome.exe	38
PID 2728 wrote to memory of 1620	2728	chrome.exe	38
PID 2728 wrote to memory of 1620	2728	chrome.exe	38
PID 2728 wrote to memory of 1620	2728	chrome.exe	38
PID 2728 wrote to memory of 1620	2728	chrome.exe	38
PID 2728 wrote to memory of 1620	2728	chrome.exe	38
PID 2728 wrote to memory of 1620	2728	chrome.exe	38

C:\Users\Admin\AppData\Local\Temp\1\0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe
"C:\Users\Admin\AppData\Local\Temp\1\0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\1\0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe"
  2⤵
  PID:2276

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\SendAdd.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6069758,0x7fef6069768,0x7fef6069778
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1368,i,8777965379259830316,14510511903253204263,131072 /prefetch:2
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1368,i,8777965379259830316,14510511903253204263,131072 /prefetch:8
  2⤵
  PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1580 --field-trial-handle=1368,i,8777965379259830316,14510511903253204263,131072 /prefetch:8
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1960 --field-trial-handle=1368,i,8777965379259830316,14510511903253204263,131072 /prefetch:1
  2⤵
  PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2028 --field-trial-handle=1368,i,8777965379259830316,14510511903253204263,131072 /prefetch:1
  2⤵
  PID:2932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1640 --field-trial-handle=1368,i,8777965379259830316,14510511903253204263,131072 /prefetch:2
  2⤵
  PID:2040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3168 --field-trial-handle=1368,i,8777965379259830316,14510511903253204263,131072 /prefetch:1
  2⤵
  PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3656 --field-trial-handle=1368,i,8777965379259830316,14510511903253204263,131072 /prefetch:8
  2⤵
  PID:3044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3664 --field-trial-handle=1368,i,8777965379259830316,14510511903253204263,131072 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2380 --field-trial-handle=1368,i,8777965379259830316,14510511903253204263,131072 /prefetch:1
  2⤵
  PID:2648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2604 --field-trial-handle=1368,i,8777965379259830316,14510511903253204263,131072 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3356 --field-trial-handle=1368,i,8777965379259830316,14510511903253204263,131072 /prefetch:1
  2⤵
  PID:396

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2080

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\WaitAssert.3gpp"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2388

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2520

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x568
1⤵
PID:1760

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\AddCheckpoint.ini
1⤵
- Opens file in notepad (likely ransom note)
PID:1764

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Downloads\AddPublish.ocx
1⤵
- Modifies registry class
PID:2948
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\AddPublish.ocx
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
41KB

MD5
e319c7af7370ac080fbc66374603ed3a

SHA1
4f0cd3c48c2e82a167384d967c210bdacc6904f9

SHA256
5ad4c276af3ac5349ee9280f8a8144a30d33217542e065864c8b424a08365132

SHA512
4681a68a428e15d09010e2b2edba61e22808da1b77856f3ff842ebd022a1b801dfbb7cbb2eb8c1b6c39ae397d20892a3b7af054650f2899d0d16fc12d3d1a011

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
540b8fcfb92294bf5f08159503186cef

SHA1
437cb35076f72f83691849d229d357e2e8ed2b10

SHA256
497e27bd45e1712b0f3b4b1c68dd33e78733f1ba9e75aecaf8d60ffba29db563

SHA512
067ca96e127b25966e1a4d216a2cbba14905c01c781269b8dd147f49f7bd109064c7f3881bfc8dc85cf8de9861decf0beae16d4048c9a9948651f14304e04faa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
5754533136d4e6c2d67fc7276858ddc9

SHA1
2b887525ef6d47c36a92b07b7d253514f89777fc

SHA256
d1854fcc36092208f3f634f74627ed6bc80a01b543a62a83f03aac23e56d39ac

SHA512
c43d6171c0e3c0d040bff5e85b10400bc4008c52eb0852edc3da40285cffbcdda75468d80ccf126e2f8169706f4aaed29aeaf116585422c9b6cbb9f5623ab0ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ee75cea59fa40cc5173783388a9c71d7

SHA1
35c41fd3db919fe9049cc0ef7a0241e9f795e9d4

SHA256
2994378dc7a09e9f182b0c9cb6ef0235f44f421af27516f3708d8fcb1c982eb9

SHA512
30de3cbaa0f4a1e2b0f55652c5009174cbc708400d88f234fed05fa8c58a5d626684b63434632f31436a5e3d2fa90389a78056ce8c5990ec4b4aecb16986e7d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
0458e229de5acc356631168bffa75e28

SHA1
49021c06080d029ccf0c9ad3ad03adf1c19c6297

SHA256
95875d8da330c031c36188fcc2f58303e7add7f33e3f91e49d01c4b97a56d0a9

SHA512
2cdff846ac98911233cd8adb3a1b654fe09ef16c8aca157e4aba8e13b479b229b70458e05f2beff9fa8f7797bfb75ac96532949e7834428919fde645cc209687

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
330KB

MD5
372b2ef88877e245f30d762e4f9f5934

SHA1
fafa358a2cdf2180653d9897e9346ed473777970

SHA256
51765928a2e2d6cc3a107d74d30158a28ee0a8f17d8af1c8226b077889f77167

SHA512
e3fb3204bbe630d6e34e3fbd00ffac3732c666363000659c95ac03ef4a326f814304d44cc367cd6c05debc875a5644d57450ad328ec2a4d59034006af4f66c45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\c5de1651-89a4-4ab9-a90b-fd250493b484.tmp

Filesize
330KB

MD5
e673895acde2e26076b691cea75904e9

SHA1
f32347f2c1ab6a29b6b52d2ee9589bfa4661d9e5

SHA256
58aa991c80c6836ea0189cb8b1b1015f607a6b18f92ace0046b62d886998fa02

SHA512
734dc48a95257e3ea45600209ecb03d681ce694270ea4bd9c86efb716e0f815f2480d1a218578338456eca3b7ce8f1e1049167f1bb0c37eed43b6488530155f7

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
76B

MD5
0c3d8396853f5b6fa9e859ca6748aedb

SHA1
b2b9e3eaa7b2da34edd5ce773e4af6554342f16b

SHA256
29eeea9beb54255ea178f134358f21d684799dc0cbd6a785c7e760f74dd90341

SHA512
560fd545509911d9b92686117a1c3614c574570a8a1d9ed190de056b58ca8a47fe7e282d6bc58319023a5f2535c80f4bbe6fa8eb77046571efd09f8323099533

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock

Filesize
18B

MD5
9bcba6f30a416045bd03604e562c2f94

SHA1
cd8e69efac9d00ef2fd8974e37723882531dcfb8

SHA256
dd1da1076a1fe9f1c2c714df597432bc66003b06b68916003ec77143af8601fc

SHA512
215c4a7b79c24ca6d127df2542b37600d6f4f0445f30109232d527627932b80bc3817bafac3b89685f352546c57f414a1479eacecb2a8031bb50c13a9f53505a

Download Submit
memory/1976-10-0x0000000000210000-0x0000000000214000-memory.dmp

Filesize
16KB

Download
memory/2276-11-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2388-321-0x000007FEFA710000-0x000007FEFA727000-memory.dmp

Filesize
92KB

Download
memory/2388-325-0x000007FEF6A80000-0x000007FEF6A9D000-memory.dmp

Filesize
116KB

Download
memory/2388-320-0x000007FEFA750000-0x000007FEFA768000-memory.dmp

Filesize
96KB

Download
memory/2388-313-0x000007FEF6AE0000-0x000007FEF6B14000-memory.dmp

Filesize
208KB

Download
memory/2388-323-0x000007FEF6AC0000-0x000007FEF6AD7000-memory.dmp

Filesize
92KB

Download
memory/2388-324-0x000007FEF6AA0000-0x000007FEF6AB1000-memory.dmp

Filesize
68KB

Download
memory/2388-326-0x000007FEF6A60000-0x000007FEF6A71000-memory.dmp

Filesize
68KB

Download
memory/2388-312-0x000000013F8A0000-0x000000013F998000-memory.dmp

Filesize
992KB

Download
memory/2388-314-0x000007FEF5C80000-0x000007FEF5F36000-memory.dmp

Filesize
2.7MB

Download
memory/2388-322-0x000007FEF7840000-0x000007FEF7851000-memory.dmp

Filesize
68KB

Download
memory/2388-335-0x000007FEF5C80000-0x000007FEF5F36000-memory.dmp

Filesize
2.7MB

Download
memory/2388-333-0x000000013F8A0000-0x000000013F998000-memory.dmp

Filesize
992KB

Download
memory/2388-334-0x000007FEF6AE0000-0x000007FEF6B14000-memory.dmp

Filesize
208KB

Download
memory/2388-336-0x000007FEF45C0000-0x000007FEF5670000-memory.dmp

Filesize
16.7MB

Download