remcos | hxxp://gofile[.]io/d/KRUCik

Analysis

max time kernel
71s
max time network
72s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/12/2024, 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://gofile.io/d/KRUCik

Score

10^/10

remcos wavesourceleaked discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

WaveSourceLeaked

204.10.194.175:4444

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-46FS9Q
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	WaveSourceInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
4696	WaveSourceInstaller.exe
4456	remcos.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	WaveSourceInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	WaveSourceInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4456 set thread context of 3300	4456	remcos.exe	125

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveSourceInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	WaveSourceInstaller.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 859062.crdownload:SmartScreen	msedge.exe
File created	C:\ProgramData\Remcos\remcos.exe\:SmartScreen:$DATA	WaveSourceInstaller.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3056	msedge.exe
3056	msedge.exe
4576	msedge.exe
4576	msedge.exe
4876	identity_helper.exe
4876	identity_helper.exe
3644	msedge.exe
3644	msedge.exe
4456	remcos.exe
4456	remcos.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4456	remcos.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4576 wrote to memory of 2300	4576	msedge.exe	82
PID 4576 wrote to memory of 2300	4576	msedge.exe	82
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 2064	4576	msedge.exe	83
PID 4576 wrote to memory of 3056	4576	msedge.exe	84
PID 4576 wrote to memory of 3056	4576	msedge.exe	84
PID 4576 wrote to memory of 3936	4576	msedge.exe	85
PID 4576 wrote to memory of 3936	4576	msedge.exe	85
PID 4576 wrote to memory of 3936	4576	msedge.exe	85
PID 4576 wrote to memory of 3936	4576	msedge.exe	85
PID 4576 wrote to memory of 3936	4576	msedge.exe	85
PID 4576 wrote to memory of 3936	4576	msedge.exe	85
PID 4576 wrote to memory of 3936	4576	msedge.exe	85
PID 4576 wrote to memory of 3936	4576	msedge.exe	85
PID 4576 wrote to memory of 3936	4576	msedge.exe	85
PID 4576 wrote to memory of 3936	4576	msedge.exe	85
PID 4576 wrote to memory of 3936	4576	msedge.exe	85
PID 4576 wrote to memory of 3936	4576	msedge.exe	85
PID 4576 wrote to memory of 3936	4576	msedge.exe	85
PID 4576 wrote to memory of 3936	4576	msedge.exe	85
PID 4576 wrote to memory of 3936	4576	msedge.exe	85
PID 4576 wrote to memory of 3936	4576	msedge.exe	85
PID 4576 wrote to memory of 3936	4576	msedge.exe	85
PID 4576 wrote to memory of 3936	4576	msedge.exe	85
PID 4576 wrote to memory of 3936	4576	msedge.exe	85
PID 4576 wrote to memory of 3936	4576	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://gofile.io/d/KRUCik
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdfe8646f8,0x7ffdfe864708,0x7ffdfe864718
  2⤵
  PID:2300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,9442426795693697771,7045064581796667379,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,9442426795693697771,7045064581796667379,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,9442426795693697771,7045064581796667379,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
  2⤵
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9442426795693697771,7045064581796667379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9442426795693697771,7045064581796667379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9442426795693697771,7045064581796667379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
  2⤵
  PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9442426795693697771,7045064581796667379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
  2⤵
  PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,9442426795693697771,7045064581796667379,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,9442426795693697771,7045064581796667379,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9442426795693697771,7045064581796667379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9442426795693697771,7045064581796667379,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9442426795693697771,7045064581796667379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9442426795693697771,7045064581796667379,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:3516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9442426795693697771,7045064581796667379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1800 /prefetch:1
  2⤵
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2032,9442426795693697771,7045064581796667379,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6272 /prefetch:8
  2⤵
  PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9442426795693697771,7045064581796667379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3000 /prefetch:1
  2⤵
  PID:544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2032,9442426795693697771,7045064581796667379,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6428 /prefetch:8
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9442426795693697771,7045064581796667379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:3296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2032,9442426795693697771,7045064581796667379,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2540 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5012

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1588

C:\Users\Admin\Downloads\WaveSourceInstaller.exe
"C:\Users\Admin\Downloads\WaveSourceInstaller.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- NTFS ADS
PID:4696
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3668
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1448
  - - C:\ProgramData\Remcos\remcos.exe
      C:\ProgramData\Remcos\remcos.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:4456
    - - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        5⤵
        
        PID:3300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
349d4bf513a31222922407002eb5d981

SHA1
f05d71ae32ecd483a709e001206f773adb1e9372

SHA256
808dd97b7aa04b08ce55fb230854603c3a06787b2fbecaace99e8b5f445ce80c

SHA512
8f1f94685c5148e54bc80ccb92f8e009541cc96ab8d28db28b28feb8a36804235c620844e4733ae9ed5d2cf6aa2834339c86c0750eb0c123b80ed4a367a3d112

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
930B

MD5
1608e1961c361c974ecf929468380bb2

SHA1
3c735241307f4f0653d2c48cad4455ccf4bd6cd9

SHA256
ba9120e46088d166e4a5f15ade2492e5763faa784c5dc39bbe6189bcf146ecdf

SHA512
ad3f6e379b33507d2153e67d3ecde74b9e49542ebc8186af7fd5814a89cf44f451e890e9b226ae3f60c529a187f30bcf3b9046ffe75848ce296adfc618280b34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
70758afd7fba464bcef77877bce14f03

SHA1
45311c6e3c3ce4b6801fabd6a76938e9c4a2d0a0

SHA256
47bb1df51afb934b9a853bbde01dfca797bf1478cfad71da6b46b78290776110

SHA512
dd66d50900580f668b1921e6e81994416023cd4ae281885532960c66059d2b79048edf7fa8f103163a73a70fda5bef09be0c60d444b188cb04f6a95a2a6459cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
aace60653d603769bc337b86bc550629

SHA1
dd7188e18e4e15fcec40b5a1402f9460de61c11b

SHA256
9971aa621aee81290d98bb3402db4e781f5b9cf911a7d02a8c43fbb9784d3a11

SHA512
bd7458ae5593c8dd22026f3b8a0f052a80d831dcd0ef406bd941501c4eeee1880e8e3bc957d58cd5f383b199e7db148b6cfdaaf6bbd8584f0cf27ed1163541f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ac1d5945d0d2bdc13474b2c07fb3e7ac

SHA1
ea8e368ec23085b4daa82340606f950ceb7a413c

SHA256
dc8184a9044b558bcaeab907148584faac5e29994448a47bda8fff71220c6765

SHA512
e8c35352e0e62f12e45149e60d10137a51d620a2e8f62cd9627bb4f0d0cc420d112f1efb2d9c662521d9a900279b7a5c807cbc7b6fcc98d50737020dc8eb1d33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c5ab4694fa0e3d9ab0281283bc4c1ddd

SHA1
85675ce5da2e85ad49693659542001fc816395fa

SHA256
a3e38f639fcb7a646f5aebb89cf374bece7efb5c17c7a98350811199398410ee

SHA512
c8e02c79b6375d51d8dac5954a2c4f34bff70cbf1d5b8697d40621a29586a85fb732697aa92d1fa8eca737c92baed3b2b71b09b850c199af82a2bff8bfca87b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
78b24fc2586b11c7bfbcdd33915dfbba

SHA1
b1d4d702fa5a105f15e532e26fe7d61c040debfd

SHA256
d57a14c42443dbf8f3662958bd3eb675bcbaad1b5c0da8a6bb7f983c96b38a66

SHA512
80b09de6cbc512e11c70d3eb4a434812b926bbe3655d9de4900c86dc4b6db54215c4fc4a04f995f2ce1d1efc468d755aaa9415ba6b459219b6ded864604471e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
386B

MD5
1ec6289c6fd4c2ded6b2836ed28cbeb5

SHA1
c4e08195e6c640eb8860acc03fda1d649b4fe070

SHA256
6efdc40f9eb217f879607614e928b65bff759e424f3efb31faceb2a043c32dc2

SHA512
20bc46f4dee22f75f15c402c7c2eaee60fff7dd92548050585571dcbefd59485cc249c06bc3f1aac7a138e5ae67c0c3918b46ffa24c8b0f1b092e2f6b6e21288

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 859062.crdownload

Filesize
469KB

MD5
e468b718e67495ea73c85d8258059adf

SHA1
dcad70f5c39ab85f900ef1288067dbf51eaeb503

SHA256
fa9f629254a8bbe915bbd587c0c060de580a18992103858a1d16686de8bd717e

SHA512
b4eb6cc848b5ebfc6bab7e1cc033ec468bc8cf2fed72ea912f9fc60d6eaab75664f4627646960dccab2aceefeab9c5acbd2fe1b57d992c62358929b4d840dedb

Download Submit
memory/3300-169-0x0000000000B30000-0x0000000000BAF000-memory.dmp

Filesize
508KB

Download
memory/3300-170-0x0000000000B30000-0x0000000000BAF000-memory.dmp

Filesize
508KB

Download