remcos | hxxps://file-eu-par-2[.]gofile[.]io/download/web/e711f4dd-0b98-41dd-96cd-9140df9c1bdc/WaveSourceInstaller[.]exe

Analysis

max time kernel
52s
max time network
54s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
18-12-2024 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://file-eu-par-2.gofile.io/download/web/e711f4dd-0b98-41dd-96cd-9140df9c1bdc/WaveSourceInstaller.exe

Score

10^/10

remcos wavesourceleaked defense_evasion discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

WaveSourceLeaked

204.10.194.175:4444

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-46FS9Q
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1472	WaveSourceInstaller.exe
2524	remcos.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	WaveSourceInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	WaveSourceInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2524 set thread context of 1540	2524	remcos.exe	102

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WaveSourceInstaller.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveSourceInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133790307164243019"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	WaveSourceInstaller.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WaveSourceInstaller.exe:Zone.Identifier	chrome.exe
File created	C:\ProgramData\Remcos\remcos.exe\:Zone.Identifier:$DATA	WaveSourceInstaller.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1616	chrome.exe
1616	chrome.exe
2524	remcos.exe
2524	remcos.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2524	remcos.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeBackupPrivilege	4944	svchost.exe
Token: SeRestorePrivilege	4944	svchost.exe
Token: SeSecurityPrivilege	4944	svchost.exe
Token: SeTakeOwnershipPrivilege	4944	svchost.exe
Token: 35	4944	svchost.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 2376	1616	chrome.exe	77
PID 1616 wrote to memory of 2376	1616	chrome.exe	77
PID 1616 wrote to memory of 1356	1616	chrome.exe	78
PID 1616 wrote to memory of 1356	1616	chrome.exe	78
PID 1616 wrote to memory of 1356	1616	chrome.exe	78
PID 1616 wrote to memory of 1356	1616	chrome.exe	78
PID 1616 wrote to memory of 1356	1616	chrome.exe	78
PID 1616 wrote to memory of 1356	1616	chrome.exe	78
PID 1616 wrote to memory of 1356	1616	chrome.exe	78
PID 1616 wrote to memory of 1356	1616	chrome.exe	78
PID 1616 wrote to memory of 1356	1616	chrome.exe	78
PID 1616 wrote to memory of 1356	1616	chrome.exe	78
PID 1616 wrote to memory of 1356	1616	chrome.exe	78
PID 1616 wrote to memory of 1356	1616	chrome.exe	78
PID 1616 wrote to memory of 1356	1616	chrome.exe	78
PID 1616 wrote to memory of 1356	1616	chrome.exe	78
PID 1616 wrote to memory of 1356	1616	chrome.exe	78
PID 1616 wrote to memory of 1356	1616	chrome.exe	78
PID 1616 wrote to memory of 1356	1616	chrome.exe	78
PID 1616 wrote to memory of 1356	1616	chrome.exe	78
PID 1616 wrote to memory of 1356	1616	chrome.exe	78
PID 1616 wrote to memory of 1356	1616	chrome.exe	78
PID 1616 wrote to memory of 1356	1616	chrome.exe	78
PID 1616 wrote to memory of 1356	1616	chrome.exe	78
PID 1616 wrote to memory of 1356	1616	chrome.exe	78
PID 1616 wrote to memory of 1356	1616	chrome.exe	78
PID 1616 wrote to memory of 1356	1616	chrome.exe	78
PID 1616 wrote to memory of 1356	1616	chrome.exe	78
PID 1616 wrote to memory of 1356	1616	chrome.exe	78
PID 1616 wrote to memory of 1356	1616	chrome.exe	78
PID 1616 wrote to memory of 1356	1616	chrome.exe	78
PID 1616 wrote to memory of 1356	1616	chrome.exe	78
PID 1616 wrote to memory of 1352	1616	chrome.exe	79
PID 1616 wrote to memory of 1352	1616	chrome.exe	79
PID 1616 wrote to memory of 3184	1616	chrome.exe	80
PID 1616 wrote to memory of 3184	1616	chrome.exe	80
PID 1616 wrote to memory of 3184	1616	chrome.exe	80
PID 1616 wrote to memory of 3184	1616	chrome.exe	80
PID 1616 wrote to memory of 3184	1616	chrome.exe	80
PID 1616 wrote to memory of 3184	1616	chrome.exe	80
PID 1616 wrote to memory of 3184	1616	chrome.exe	80
PID 1616 wrote to memory of 3184	1616	chrome.exe	80
PID 1616 wrote to memory of 3184	1616	chrome.exe	80
PID 1616 wrote to memory of 3184	1616	chrome.exe	80
PID 1616 wrote to memory of 3184	1616	chrome.exe	80
PID 1616 wrote to memory of 3184	1616	chrome.exe	80
PID 1616 wrote to memory of 3184	1616	chrome.exe	80
PID 1616 wrote to memory of 3184	1616	chrome.exe	80
PID 1616 wrote to memory of 3184	1616	chrome.exe	80
PID 1616 wrote to memory of 3184	1616	chrome.exe	80
PID 1616 wrote to memory of 3184	1616	chrome.exe	80
PID 1616 wrote to memory of 3184	1616	chrome.exe	80
PID 1616 wrote to memory of 3184	1616	chrome.exe	80
PID 1616 wrote to memory of 3184	1616	chrome.exe	80
PID 1616 wrote to memory of 3184	1616	chrome.exe	80
PID 1616 wrote to memory of 3184	1616	chrome.exe	80
PID 1616 wrote to memory of 3184	1616	chrome.exe	80
PID 1616 wrote to memory of 3184	1616	chrome.exe	80
PID 1616 wrote to memory of 3184	1616	chrome.exe	80
PID 1616 wrote to memory of 3184	1616	chrome.exe	80
PID 1616 wrote to memory of 3184	1616	chrome.exe	80
PID 1616 wrote to memory of 3184	1616	chrome.exe	80
PID 1616 wrote to memory of 3184	1616	chrome.exe	80
PID 1616 wrote to memory of 3184	1616	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://file-eu-par-2.gofile.io/download/web/e711f4dd-0b98-41dd-96cd-9140df9c1bdc/WaveSourceInstaller.exe
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a8e3cc40,0x7ff9a8e3cc4c,0x7ff9a8e3cc58
  2⤵
  PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2012,i,16586987126396891662,17630255095964734835,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2008 /prefetch:2
  2⤵
  PID:1356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1820,i,16586987126396891662,17630255095964734835,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2056 /prefetch:3
  2⤵
  PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,16586987126396891662,17630255095964734835,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2212 /prefetch:8
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,16586987126396891662,17630255095964734835,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3104,i,16586987126396891662,17630255095964734835,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:1120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4400,i,16586987126396891662,17630255095964734835,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3556 /prefetch:1
  2⤵
  PID:2748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4628,i,16586987126396891662,17630255095964734835,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4604 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3156,i,16586987126396891662,17630255095964734835,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4816 /prefetch:8
  2⤵
  PID:868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4864,i,16586987126396891662,17630255095964734835,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:1560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5172,i,16586987126396891662,17630255095964734835,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  PID:488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5188,i,16586987126396891662,17630255095964734835,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  PID:1732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5328,i,16586987126396891662,17630255095964734835,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:576

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1492

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\Users\Admin\Downloads\WaveSourceInstaller.exe
"C:\Users\Admin\Downloads\WaveSourceInstaller.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- NTFS ADS
PID:1472
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3252
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4356
  - - C:\ProgramData\Remcos\remcos.exe
      C:\ProgramData\Remcos\remcos.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:2524
    - - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        5⤵
        
        PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4c1088e25d3ba8f0958314c94acc00ef

SHA1
27b47ba3d2a430a89741ea9bb62aa9c514eca6a7

SHA256
9c8a1c7f5accec9e1e3f9f7ee883cb1c042915ec05348c7d35907776cf0e1f96

SHA512
518b243012e462b2a41d6a7bb3acf6b33bedb9af4defd59a4c465d70f286f276a63f713a652f356aa95273a2fa81c6fd7af5673de1314e1dbcd2937de217a728

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
0e7955baf9ca28c1932059297544dbed

SHA1
ba2817674be0989336348acfc6287695eba9750c

SHA256
bcfe832611f73dd084de392a8fde2f07ee8ef470436a8b84758c5a1d0a92eeab

SHA512
d17290a6f843b3259bdd42e66c9dd7f08120a0ba862f6b1886d2956dc8fbcee06831f508580931ebfc1fbbd3cfc37bea1c3f48cc64020d5f87b783a76ccdba5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\017955c4-ceff-43b1-830e-28dba9d0c48e.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
6ad685f072c75662de08b49d58c7dd33

SHA1
8eb80c0d876e083af2c03f2b1ed80459b167a0f4

SHA256
5afa1c34e9981bcb999a5c32fe5c4ca0302e82b4c6909075cd798b69cd189ea1

SHA512
a2f40b3973f137d8658b55b72674475841e6083f24bdf6a3b25387aa7379e1045a005a2902baa29a13aba2b0fa922bee71c772191b0acb5c37246a5c8adcc308

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
c59c079daf424b497207b86163285aba

SHA1
8a72781cfd01e47f722d85443597ebba5c20abc1

SHA256
ebef4c666417792990c1bc112d8698906c40afbd6d75de6f6993475260b666a5

SHA512
904bc2aff58b4ce43163f39ee4700d82eea8301ca17d9de7d0646cfb7347bcc5b0d69ef0cfa00ef7f13417e34e29cc01812a673c55055adea876538042c50045

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8227e7e7214411994d3f96be72d3f285

SHA1
ed6de6f0902561582ae6bcac130bf003ba3a7fb2

SHA256
28a664f3be2cc81bb7481c6076ad5561ffbc9e99140d79a065cf437eb6a38dd3

SHA512
384b20d03c892016e4b8ad7f828e95216ddf54ce9729a6862d4f1e26ef44dac535627b18b953e1d51169c3d10667706640c418115a48835ccb82edba4b73f34d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ab4541ca9018d379bf4f82439f0c24d0

SHA1
b1cbc3bbb760e06eeb5edbef73f9b2b0d852edb1

SHA256
3f12506c3a03dc80a776a75a4aec3d59da07c86ea93a97fe5e2b3c29976272ac

SHA512
581bf588964a42c6aa17c7c561bff875d03a8f170253469816fbd1744acfa10f96cc854b4f3b8c64a9cd37c04208f92f354f7e87c119de13394a818f282b100e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4338d5d7ba29191941e37cb3ac5a8e4f

SHA1
b95d4bbd5f2cd6bef492f7f540bf3918d1e7311c

SHA256
3784dea1e92e221fc56ee7cc7a770afe0bacfcb86e403815a338120fb5960e5d

SHA512
527a0415aa56748106316a25cbcb566f4b3c1af1780889cf92621d599cfc0a77c5c90024aef996232dda35d98c3b3d664e133c149e7711f9c5dfe06db3004ab2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1f6a68ebfa9092fbdbb98a91ec8a7b5f

SHA1
1fb37c63c3faa913ecd94f1a0132ef37ccd08d7f

SHA256
e67f2bfb2bade31d34941fb41e2e2e55d06323b192d7174710e3426a89ccc8dd

SHA512
269aa60522132de7b922ecb769fe602aabb5a6411401530332a54578f77c877c3d3c4380f86c31990cbc560b982acd0858bf7c41b4a09e5c9a926c35a7365f75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
16dfd584fea40ad00e94c4a06c4d81f6

SHA1
a3a576b3ea2bb07089ef1d9bdf7b7d6198aa4a37

SHA256
e78166cb3ab6db8d1df475ba4ab1d52e611c8d70bf3e815479ba848bd1a6adf2

SHA512
fdd22722739e7cb0cd56eeede50641f918d8b7a6d1a77be8f8da18dd1cb871a6c3d11b79a7eff5f2a22fe28d223e89e9e806dab074f98cb04b74b09985e8007d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
20cda2f60ad93cd0932b689aaca5ddda

SHA1
1b4509155d90fab07b2c32cd006775222dd74313

SHA256
a3223b218b2a9f40d0d3248afbe3b8c9c366cf99807525f7fbfaf1ee6f780103

SHA512
c2dfe7ec2e8b3e0d54cc0a1fdcd24d53618d5716e9f81b62a0c9c2798b25dc0f227ec29163f01e7a00bdf7ce85c901e6427cdf7ac1d55fddc0aeb5c4b84db852

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
8b32cb1b6efe02613b8e6d1a947fb619

SHA1
c57a2d2c46c77f61f7d5eafddb3b3483b42a763e

SHA256
14bc3592ab8e6708a6c43cc50ac305d8345db9701088b3f1e0909a42f9cd714f

SHA512
9d0cba3fd8a4b13d8899eee3a90ccc3766246029af367649e08d7334273a0a0bcb7a49c2ff0ae12929cf27e5ee4e1fc9a8ddea9e6af9aabc4446b51d114b3596

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
4b3ea0eae4f0649245040423d4767568

SHA1
86e9ccf8a9b623218a749e965fdca9e803b26218

SHA256
9983a90f16ecd4a5abf2961838e03d3a0a47c5f446cbff5ff50a38b1ea5dbf36

SHA512
86faa679512286f4cd818ef770f2f68cdbf515f1cabbd979092ce49b74c4f7fc3ba8899199ca71f3a0c4c83cb4281102ed4fb39c1016134282f1ae9cc97bfa79

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
386B

MD5
1ec6289c6fd4c2ded6b2836ed28cbeb5

SHA1
c4e08195e6c640eb8860acc03fda1d649b4fe070

SHA256
6efdc40f9eb217f879607614e928b65bff759e424f3efb31faceb2a043c32dc2

SHA512
20bc46f4dee22f75f15c402c7c2eaee60fff7dd92548050585571dcbefd59485cc249c06bc3f1aac7a138e5ae67c0c3918b46ffa24c8b0f1b092e2f6b6e21288

Download Submit
C:\Users\Admin\Downloads\WaveSourceInstaller.exe

Filesize
469KB

MD5
e468b718e67495ea73c85d8258059adf

SHA1
dcad70f5c39ab85f900ef1288067dbf51eaeb503

SHA256
fa9f629254a8bbe915bbd587c0c060de580a18992103858a1d16686de8bd717e

SHA512
b4eb6cc848b5ebfc6bab7e1cc033ec468bc8cf2fed72ea912f9fc60d6eaab75664f4627646960dccab2aceefeab9c5acbd2fe1b57d992c62358929b4d840dedb

Download Submit
C:\Users\Admin\Downloads\WaveSourceInstaller.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/1540-107-0x0000000000350000-0x00000000003CF000-memory.dmp

Filesize
508KB

Download
memory/1540-106-0x0000000000350000-0x00000000003CF000-memory.dmp

Filesize
508KB

Download