remcos | hxxps://gofile[.]io/d/KRUCik

Analysis

max time kernel
77s
max time network
79s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
18-12-2024 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/KRUCik

Score

10^/10

remcos wavesourceleaked defense_evasion discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

WaveSourceLeaked

204.10.194.175:4444

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-46FS9Q
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
3952	WaveSourceInstaller.exe
3992	remcos.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	WaveSourceInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	WaveSourceInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3992 set thread context of 4388	3992	remcos.exe	106

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WaveSourceInstaller.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveSourceInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	WaveSourceInstaller.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 748523.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WaveSourceInstaller.exe:Zone.Identifier	msedge.exe
File created	C:\ProgramData\Remcos\remcos.exe\:SmartScreen:$DATA	WaveSourceInstaller.exe
File created	C:\ProgramData\Remcos\remcos.exe\:Zone.Identifier:$DATA	WaveSourceInstaller.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
868	msedge.exe
868	msedge.exe
688	msedge.exe
688	msedge.exe
2976	identity_helper.exe
2976	identity_helper.exe
2004	msedge.exe
2004	msedge.exe
2060	msedge.exe
2060	msedge.exe
3992	remcos.exe
3992	remcos.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3992	remcos.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 688 wrote to memory of 2304	688	msedge.exe	77
PID 688 wrote to memory of 2304	688	msedge.exe	77
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 4600	688	msedge.exe	78
PID 688 wrote to memory of 868	688	msedge.exe	79
PID 688 wrote to memory of 868	688	msedge.exe	79
PID 688 wrote to memory of 3244	688	msedge.exe	80
PID 688 wrote to memory of 3244	688	msedge.exe	80
PID 688 wrote to memory of 3244	688	msedge.exe	80
PID 688 wrote to memory of 3244	688	msedge.exe	80
PID 688 wrote to memory of 3244	688	msedge.exe	80
PID 688 wrote to memory of 3244	688	msedge.exe	80
PID 688 wrote to memory of 3244	688	msedge.exe	80
PID 688 wrote to memory of 3244	688	msedge.exe	80
PID 688 wrote to memory of 3244	688	msedge.exe	80
PID 688 wrote to memory of 3244	688	msedge.exe	80
PID 688 wrote to memory of 3244	688	msedge.exe	80
PID 688 wrote to memory of 3244	688	msedge.exe	80
PID 688 wrote to memory of 3244	688	msedge.exe	80
PID 688 wrote to memory of 3244	688	msedge.exe	80
PID 688 wrote to memory of 3244	688	msedge.exe	80
PID 688 wrote to memory of 3244	688	msedge.exe	80
PID 688 wrote to memory of 3244	688	msedge.exe	80
PID 688 wrote to memory of 3244	688	msedge.exe	80
PID 688 wrote to memory of 3244	688	msedge.exe	80
PID 688 wrote to memory of 3244	688	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/KRUCik
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xa8,0x10c,0x7ffefe1d3cb8,0x7ffefe1d3cc8,0x7ffefe1d3cd8
  2⤵
  PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,14021915347696548195,18264431890881805393,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1824 /prefetch:2
  2⤵
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,14021915347696548195,18264431890881805393,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,14021915347696548195,18264431890881805393,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
  2⤵
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14021915347696548195,18264431890881805393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14021915347696548195,18264431890881805393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14021915347696548195,18264431890881805393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:1
  2⤵
  PID:1112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14021915347696548195,18264431890881805393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
  2⤵
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14021915347696548195,18264431890881805393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14021915347696548195,18264431890881805393,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,14021915347696548195,18264431890881805393,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4056 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14021915347696548195,18264431890881805393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14021915347696548195,18264431890881805393,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,14021915347696548195,18264431890881805393,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5888 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14021915347696548195,18264431890881805393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14021915347696548195,18264431890881805393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
  2⤵
  PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1880,14021915347696548195,18264431890881805393,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6508 /prefetch:8
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,14021915347696548195,18264431890881805393,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6540 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:748

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3576

C:\Users\Admin\Downloads\WaveSourceInstaller.exe
"C:\Users\Admin\Downloads\WaveSourceInstaller.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- NTFS ADS
PID:3952
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3900
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4036
  - - C:\ProgramData\Remcos\remcos.exe
      C:\ProgramData\Remcos\remcos.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:3992
    - - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        5⤵
        
        PID:4388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
003b92b33b2eb97e6c1a0929121829b8

SHA1
6f18e96c7a2e07fb5a80acb3c9916748fd48827a

SHA256
8001f251d5932a62bfe17b0ba3686ce255ecf9adb95a06ecb954faa096be3e54

SHA512
18005c6c07475e6dd1ec310fe511353381cf0f15d086cf20dc6ed8825c872944185c767f80306e56fec9380804933aa37a8f12c720398b4b3b42cb216b41cf77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
051a939f60dced99602add88b5b71f58

SHA1
a71acd61be911ff6ff7e5a9e5965597c8c7c0765

SHA256
2cff121889a0a77f49cdc4564bdd1320cf588c9dcd36012dbc3669cf73015d10

SHA512
a9c72ed43b895089a9e036aba6da96213fedd2f05f0a69ae8d1fa07851ac8263e58af86c7103ce4b4f9cfe92f9c9d0a46085c066a54ce825ef53505fdb988d1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
69fbe8ffdb18ef45a6f8ec2d42661f9a

SHA1
30a84209df3ebed0ac49603dd816f87c1380ec5a

SHA256
e75b34c289eaf6848933c203135d78f122fcb86216084fc33ef3e2f80de7b344

SHA512
4d03576db71eba38d11843244396fff23caaeb39e72275281b5e2e3fafa3d24e93290e31b06b975b10adfedfdd581b6930e900a0ed66981207c8073e17baef79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
930B

MD5
d6712d27913bee4f34788253c641e6c1

SHA1
792aa473ca6df73d328bd65a68dd4e25fb20e0bf

SHA256
7496693478f46ee0bc1752842e6c09a85770699a5975d680e7f0bc1c3106603d

SHA512
66ec9228f91eef062e6987363d0513a1bf301011a35f65e3cd10bf123f69e9e06b9c329b3502fb5902ca4c5c389572c5c9773aad0b55a6a2c96d59bc0a680dcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
33f9191d9c406d4f48cc44f511b4b3e9

SHA1
2f370a2b1a697a9ed4452e6dbbf9ead49a3fcfec

SHA256
1785bc1c86b744b5d69262efeb0114d9e01767211822031894080e1a1f7c49e1

SHA512
7a44c4db214a16e088eea80ac68da6cfac8027148f6be2d734745200728e4f2ca1d7b1e91a62e7156f89fd2a71ed090ca26cf09f5462903a418a77860f64c2f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f5f7ec7fe0b175ef2df873820ffa36d4

SHA1
bef532a5a1ef572b10565ef40a5e4642ca19616e

SHA256
7e1e05cdca376e998871d4b2f883f8c806e33a21498ab1bc034d86bf00572539

SHA512
211dd6e82be6535d13c21df2845af8f76ccdec81da0ff7a7b71ee2dc91ad5a2f6c645e720ff4af8f7c7b7246796b55ef2cbe5a3a678fba0c9f1131991826a54d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f5b854fd2c55ddd1059ff0f5db509989

SHA1
337b712d5548cf22ad8149c9e7eb7577b4be079f

SHA256
9d7bf2f9508245b35a0487f789159fe5561f5d41ec5ccfd5cf4e4973272ca512

SHA512
20562bef88d2ac96eea6a72fc67e64adab55a2c2009165a0e06380d4740bd4c05fd6f583293dff480a05732816f6c9b02ece075c5b9a678c88c79a7868ba4f5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b3cd2721d64f4b2002a96ecba33a0641

SHA1
0b7ceb4a0b7f5dccd009aad8249a6a0057f8bbdd

SHA256
9d42ab26d8c77b4a849634541b157eaa4f8c8285b1714f482803434266c2763f

SHA512
4b4eec27fbe20ba20d3ca314732d14e6b2e28e035972e0e8fd6e93c5f14d33f44ad3ef0f353fd9fdd0a082dd35c56aea7c2c5c2baaa9ada0195b87dbd1a8a443

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
386B

MD5
1ec6289c6fd4c2ded6b2836ed28cbeb5

SHA1
c4e08195e6c640eb8860acc03fda1d649b4fe070

SHA256
6efdc40f9eb217f879607614e928b65bff759e424f3efb31faceb2a043c32dc2

SHA512
20bc46f4dee22f75f15c402c7c2eaee60fff7dd92548050585571dcbefd59485cc249c06bc3f1aac7a138e5ae67c0c3918b46ffa24c8b0f1b092e2f6b6e21288

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 748523.crdownload

Filesize
469KB

MD5
e468b718e67495ea73c85d8258059adf

SHA1
dcad70f5c39ab85f900ef1288067dbf51eaeb503

SHA256
fa9f629254a8bbe915bbd587c0c060de580a18992103858a1d16686de8bd717e

SHA512
b4eb6cc848b5ebfc6bab7e1cc033ec468bc8cf2fed72ea912f9fc60d6eaab75664f4627646960dccab2aceefeab9c5acbd2fe1b57d992c62358929b4d840dedb

Download Submit
C:\Users\Admin\Downloads\WaveSourceInstaller.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/4388-178-0x0000000000B40000-0x0000000000BBF000-memory.dmp

Filesize
508KB

Download
memory/4388-179-0x0000000000B40000-0x0000000000BBF000-memory.dmp

Filesize
508KB

Download