remcos | 4c6183029dcf2e4d604c473c2dfb4f72037b6a8f13d9183b0842fd201e422d7a

Analysis

max time kernel
62s
max time network
67s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
18-12-2024 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KRUCik.html
Size

7KB
MD5

aa5d13590623abb5d3963a8af5dfb85d
SHA1

8dcb62e75f970ac4f9f78e2558f335951b599774
SHA256

4c6183029dcf2e4d604c473c2dfb4f72037b6a8f13d9183b0842fd201e422d7a
SHA512

94899bfebc29d4d76c1a8d0e9b787ae50386a5e8718194791d27d86eb7e67e1b0e1a9b0a4e68031905c767419bd767b9d2666ac5ffd0a8dd87c0bf842ac7282b
SSDEEP

96:CMq9SlLh2B3Zq36uWl/PtxyjttJQ8Maoah3vL5LaNclmnU1Eh2sS:T1lLhwJrPahtJxMaoah3vG12sS

Score

10^/10

remcos wavesourceleaked defense_evasion discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

WaveSourceLeaked

204.10.194.175:4444

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-46FS9Q
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
3668	WaveSourceInstaller.exe
4228	remcos.exe
2676	dwn.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	WaveSourceInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	WaveSourceInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4228 set thread context of 2552	4228	remcos.exe	108

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WaveSourceInstaller.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveSourceInstaller.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	WaveSourceInstaller.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 226199.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WaveSourceInstaller.exe:Zone.Identifier	msedge.exe
File created	C:\ProgramData\Remcos\remcos.exe\:SmartScreen:$DATA	WaveSourceInstaller.exe
File created	C:\ProgramData\Remcos\remcos.exe\:Zone.Identifier:$DATA	WaveSourceInstaller.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3484	msedge.exe
3484	msedge.exe
4284	msedge.exe
4284	msedge.exe
4708	msedge.exe
4708	msedge.exe
1028	identity_helper.exe
1028	identity_helper.exe
3356	msedge.exe
3356	msedge.exe
4228	remcos.exe
4228	remcos.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4228	remcos.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	dwn.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4904	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 3988	4284	msedge.exe	77
PID 4284 wrote to memory of 3988	4284	msedge.exe	77
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 1720	4284	msedge.exe	78
PID 4284 wrote to memory of 3484	4284	msedge.exe	79
PID 4284 wrote to memory of 3484	4284	msedge.exe	79
PID 4284 wrote to memory of 2104	4284	msedge.exe	80
PID 4284 wrote to memory of 2104	4284	msedge.exe	80
PID 4284 wrote to memory of 2104	4284	msedge.exe	80
PID 4284 wrote to memory of 2104	4284	msedge.exe	80
PID 4284 wrote to memory of 2104	4284	msedge.exe	80
PID 4284 wrote to memory of 2104	4284	msedge.exe	80
PID 4284 wrote to memory of 2104	4284	msedge.exe	80
PID 4284 wrote to memory of 2104	4284	msedge.exe	80
PID 4284 wrote to memory of 2104	4284	msedge.exe	80
PID 4284 wrote to memory of 2104	4284	msedge.exe	80
PID 4284 wrote to memory of 2104	4284	msedge.exe	80
PID 4284 wrote to memory of 2104	4284	msedge.exe	80
PID 4284 wrote to memory of 2104	4284	msedge.exe	80
PID 4284 wrote to memory of 2104	4284	msedge.exe	80
PID 4284 wrote to memory of 2104	4284	msedge.exe	80
PID 4284 wrote to memory of 2104	4284	msedge.exe	80
PID 4284 wrote to memory of 2104	4284	msedge.exe	80
PID 4284 wrote to memory of 2104	4284	msedge.exe	80
PID 4284 wrote to memory of 2104	4284	msedge.exe	80
PID 4284 wrote to memory of 2104	4284	msedge.exe	80

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3356	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\KRUCik.html
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9fc6a3cb8,0x7ff9fc6a3cc8,0x7ff9fc6a3cd8
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,341344547364267705,883467595797545193,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:1720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,341344547364267705,883467595797545193,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,341344547364267705,883467595797545193,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
  2⤵
  PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,341344547364267705,883467595797545193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,341344547364267705,883467595797545193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:1112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1932,341344547364267705,883467595797545193,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,341344547364267705,883467595797545193,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,341344547364267705,883467595797545193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,341344547364267705,883467595797545193,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,341344547364267705,883467595797545193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,341344547364267705,883467595797545193,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:4168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,341344547364267705,883467595797545193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,341344547364267705,883467595797545193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,341344547364267705,883467595797545193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:2520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,341344547364267705,883467595797545193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,341344547364267705,883467595797545193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1932,341344547364267705,883467595797545193,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6352 /prefetch:8
  2⤵
  PID:456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,341344547364267705,883467595797545193,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6440 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3356
- C:\Users\Admin\Downloads\WaveSourceInstaller.exe
  "C:\Users\Admin\Downloads\WaveSourceInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - NTFS ADS
  PID:3668
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1592
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5004
    - - C:\ProgramData\Remcos\remcos.exe
        
        C:\ProgramData\Remcos\remcos.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:4228
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\dwn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dwn.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\dwn.exe
        8⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2148

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3580

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fdee96b970080ef7f5bfa5964075575e

SHA1
2c821998dc2674d291bfa83a4df46814f0c29ab4

SHA256
a241023f360b300e56b2b0e1205b651e1244b222e1f55245ca2d06d3162a62f0

SHA512
20875c3002323f5a9b1b71917d6bd4e4c718c9ca325c90335bd475ddcb25eac94cb3f29795fa6476d6d6e757622b8b0577f008eec2c739c2eec71d2e8b372cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
46e6ad711a84b5dc7b30b75297d64875

SHA1
8ca343bfab1e2c04e67b9b16b8e06ba463b4f485

SHA256
77b51492a40a511e57e7a7ecf76715a2fd46533c0f0d0d5a758f0224e201c77f

SHA512
8472710b638b0aeee4678f41ed2dff72b39b929b2802716c0c9f96db24c63096b94c9969575e4698f16e412f82668b5c9b5cb747e8a2219429dbb476a31d297e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
61bd747a7cb7345acfc8888a8de77d67

SHA1
e7dcba35a875bc9bbb985aa0da3a362bc4330fb5

SHA256
6900cea65e5e61a4539c595d6304f60b1eaaf19d9e6b42ec39f11afc89838245

SHA512
e03d1f3f0f7d7fd1596356690cf29df58ebcac8738bdb48500fbe7342953e390f161aa239814c83e940f8dcbbd6c6fe6975eb18663f495ffae5c5cc7ce0048b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9d8bb38c6d0e9f92da0f40dc6fc5f7aa

SHA1
a44084bbded57df81a2faf05280e78957726aeb5

SHA256
1ef35731345d46e0e4b56a317b121a421ef0b8d31ed0e86d84355a4d472fb56e

SHA512
2cee49024ceb7ed5a9b6ca36cd7b2240eda89672732bffa6dfb2dc9d5750341a43a3c575b9f08d572e1b135378f7c5de31e89a24fdfb778aafcfb9989886ce4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a9d2196b0c829af763867af02f30cebb

SHA1
61d86c612b199725226d6d77de0398f88486a4ad

SHA256
6c7e6c182eac8cb39b100751d49b9b1017982141b5a02b2936b21eb2123deb25

SHA512
2bf3c7d96d185504aba70c52492141e45cf31d54e03202d3e6fe5c8a6eb7e61d16736bfe3673e53ed30597d0b4bfc23043045dcea0c362d8949922d9a310c7ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
06b9eb38452056a399c5a65f26a1f156

SHA1
eebcd7cf05af0f8d5329d80e072beb6f5b67c74f

SHA256
305f1753bf3799438908fbad0f714631e92535b84e59c6fef047161b3efe4e33

SHA512
3bd9c304b7a42edb12b03dbaaad326cd0c77c417862b369557312760b88c3aa5c8105cfb80b696507622f6678cf4b8603ab8266fb33836ea6838b57cd735d148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fc5b3b28e872cdabd1af68ca19677d41

SHA1
e04b594051261566d45d2af0715f2d10e35fdec8

SHA256
03448f18cba9af72ef1e05f17ff6fcecb5ca09237e99efa9e738eb6664517bad

SHA512
335c7e418b36d06e6d81eccbd31d6d97ed588db21e701633d80cb48e1b9e74f695914d7280b7b7a838199fbd4399022c9f847470b588dde550bb97ec5c29d377

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1768f23ab16ca235c6f29763788d21a5

SHA1
3712ad1fe65d4b9a85bfc44e0c35c3c53a09cb12

SHA256
41d6155aaca127deb26f1374f3622b08f7c677546acbe365e955453af51c6479

SHA512
bfbe5c556bf548bccbe7787b33137d9a01cc162181ceeb05fd323c07d926a8e465c8eeecf7e9eb20efb3cd09113f58ad3a5c2a40bd5b3fd60dea4b0eee69e243

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
eed640164203d0d0a2a1e7919a6fdbdf

SHA1
9af74121e090cf2970beee82d22ef4ebb886c0ae

SHA256
4ca7fe712b4322fdb497733e015f4ae4496d3998772a6c37305da3cbba3eb7ae

SHA512
1bf6de193ae00189525ea9a685bbe3dc7722eceb6ccfb83c70adc766b6301b4978abf73b2f8f41b865f1521925308e4f96285dca569e9c2b2c61e79db1100e3d

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
069c37bf9e39b121efb7a28ece933aee

SHA1
eaef2e55b66e543a14a6780c23bb83fe60f2f04d

SHA256
485db8db6b497d31d428aceea416da20d88f7bde88dbfd6d59e3e7eee0a75ae8

SHA512
f4562071143c2ebc259a20cbb45b133c863f127a5750672b7a2af47783c7cdc56dcf1064ae83f54e5fc0bb4e93826bf2ab4ef6e604f955bf594f2cbd641db796

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwn.exe

Filesize
9.5MB

MD5
072973328deaba02a112a2fc8f60411f

SHA1
15ac4f0fd65e19fd358893e47dabb601db9de87b

SHA256
e817aa0ee9f05391d147550cea684eb4b929060643e181ac75d96f3f8a29af25

SHA512
c19ea06e9929dba58e48ab03cbc76de45f22a1bb2ca136117e21cec71cc828c099aa53ede2713fe4e81f30a91a407e15e7ec347389b5cc5df6dacc9fcb05f94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
386B

MD5
1ec6289c6fd4c2ded6b2836ed28cbeb5

SHA1
c4e08195e6c640eb8860acc03fda1d649b4fe070

SHA256
6efdc40f9eb217f879607614e928b65bff759e424f3efb31faceb2a043c32dc2

SHA512
20bc46f4dee22f75f15c402c7c2eaee60fff7dd92548050585571dcbefd59485cc249c06bc3f1aac7a138e5ae67c0c3918b46ffa24c8b0f1b092e2f6b6e21288

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 226199.crdownload

Filesize
469KB

MD5
e468b718e67495ea73c85d8258059adf

SHA1
dcad70f5c39ab85f900ef1288067dbf51eaeb503

SHA256
fa9f629254a8bbe915bbd587c0c060de580a18992103858a1d16686de8bd717e

SHA512
b4eb6cc848b5ebfc6bab7e1cc033ec468bc8cf2fed72ea912f9fc60d6eaab75664f4627646960dccab2aceefeab9c5acbd2fe1b57d992c62358929b4d840dedb

Download Submit
C:\Users\Admin\Downloads\WaveSourceInstaller.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/2552-180-0x0000000000140000-0x00000000001BF000-memory.dmp

Filesize
508KB

Download
memory/2552-175-0x0000000000140000-0x00000000001BF000-memory.dmp

Filesize
508KB

Download
memory/2552-178-0x0000000000140000-0x00000000001BF000-memory.dmp

Filesize
508KB

Download
memory/2552-179-0x0000000000140000-0x00000000001BF000-memory.dmp

Filesize
508KB

Download
memory/2552-181-0x0000000000140000-0x00000000001BF000-memory.dmp

Filesize
508KB

Download
memory/2552-176-0x0000000000140000-0x00000000001BF000-memory.dmp

Filesize
508KB

Download
memory/2552-183-0x0000000000140000-0x00000000001BF000-memory.dmp

Filesize
508KB

Download
memory/2552-177-0x0000000000140000-0x00000000001BF000-memory.dmp

Filesize
508KB

Download
memory/2552-198-0x0000000000140000-0x00000000001BF000-memory.dmp

Filesize
508KB

Download
memory/2552-199-0x0000000000140000-0x00000000001BF000-memory.dmp

Filesize
508KB

Download
memory/2552-200-0x0000000000140000-0x00000000001BF000-memory.dmp

Filesize
508KB

Download
memory/2552-201-0x0000000000140000-0x00000000001BF000-memory.dmp

Filesize
508KB

Download
memory/2552-202-0x0000000000140000-0x00000000001BF000-memory.dmp

Filesize
508KB

Download
memory/2552-174-0x0000000000140000-0x00000000001BF000-memory.dmp

Filesize
508KB

Download
memory/2552-220-0x0000000000140000-0x00000000001BF000-memory.dmp

Filesize
508KB

Download