remcos | hxxps://gofile[.]io/d/KRUCik

Resubmissions

18-12-2024 21:12

241218-z16hva1ray 8

18-12-2024 21:04

241218-zwqa3asmeq 10

Analysis

max time kernel
136s
max time network
137s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
18-12-2024 21:04

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://gofile.io/d/KRUCik

Score

10^/10

remcos wavesourceleaked discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

WaveSourceLeaked

204.10.194.175:4444

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-46FS9Q
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000\Control Panel\International\Geo\Nation	WaveSourceInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 7 IoCs

pid	Process
4596	WaveSourceInstaller.exe
3652	remcos.exe
2500	WaveSourceInstaller.exe
700	WaveSourceInstaller.exe
4544	WaveSourceInstaller.exe
2080	remcos.exe
908	remcos.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	WaveSourceInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	WaveSourceInstaller.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3652 set thread context of 4260	3652	remcos.exe	105

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveSourceInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133790294721304258"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "71"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings	WaveSourceInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4604	chrome.exe
4604	chrome.exe
3652	remcos.exe
3652	remcos.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3044	chrome.exe
3044	chrome.exe
3448	taskmgr.exe
3044	chrome.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3652	remcos.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe
3448	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4124	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 2232	4604	chrome.exe	82
PID 4604 wrote to memory of 2232	4604	chrome.exe	82
PID 4604 wrote to memory of 3368	4604	chrome.exe	83
PID 4604 wrote to memory of 3368	4604	chrome.exe	83
PID 4604 wrote to memory of 3368	4604	chrome.exe	83
PID 4604 wrote to memory of 3368	4604	chrome.exe	83
PID 4604 wrote to memory of 3368	4604	chrome.exe	83
PID 4604 wrote to memory of 3368	4604	chrome.exe	83
PID 4604 wrote to memory of 3368	4604	chrome.exe	83
PID 4604 wrote to memory of 3368	4604	chrome.exe	83
PID 4604 wrote to memory of 3368	4604	chrome.exe	83
PID 4604 wrote to memory of 3368	4604	chrome.exe	83
PID 4604 wrote to memory of 3368	4604	chrome.exe	83
PID 4604 wrote to memory of 3368	4604	chrome.exe	83
PID 4604 wrote to memory of 3368	4604	chrome.exe	83
PID 4604 wrote to memory of 3368	4604	chrome.exe	83
PID 4604 wrote to memory of 3368	4604	chrome.exe	83
PID 4604 wrote to memory of 3368	4604	chrome.exe	83
PID 4604 wrote to memory of 3368	4604	chrome.exe	83
PID 4604 wrote to memory of 3368	4604	chrome.exe	83
PID 4604 wrote to memory of 3368	4604	chrome.exe	83
PID 4604 wrote to memory of 3368	4604	chrome.exe	83
PID 4604 wrote to memory of 3368	4604	chrome.exe	83
PID 4604 wrote to memory of 3368	4604	chrome.exe	83
PID 4604 wrote to memory of 3368	4604	chrome.exe	83
PID 4604 wrote to memory of 3368	4604	chrome.exe	83
PID 4604 wrote to memory of 3368	4604	chrome.exe	83
PID 4604 wrote to memory of 3368	4604	chrome.exe	83
PID 4604 wrote to memory of 3368	4604	chrome.exe	83
PID 4604 wrote to memory of 3368	4604	chrome.exe	83
PID 4604 wrote to memory of 3368	4604	chrome.exe	83
PID 4604 wrote to memory of 3368	4604	chrome.exe	83
PID 4604 wrote to memory of 4660	4604	chrome.exe	84
PID 4604 wrote to memory of 4660	4604	chrome.exe	84
PID 4604 wrote to memory of 3576	4604	chrome.exe	85
PID 4604 wrote to memory of 3576	4604	chrome.exe	85
PID 4604 wrote to memory of 3576	4604	chrome.exe	85
PID 4604 wrote to memory of 3576	4604	chrome.exe	85
PID 4604 wrote to memory of 3576	4604	chrome.exe	85
PID 4604 wrote to memory of 3576	4604	chrome.exe	85
PID 4604 wrote to memory of 3576	4604	chrome.exe	85
PID 4604 wrote to memory of 3576	4604	chrome.exe	85
PID 4604 wrote to memory of 3576	4604	chrome.exe	85
PID 4604 wrote to memory of 3576	4604	chrome.exe	85
PID 4604 wrote to memory of 3576	4604	chrome.exe	85
PID 4604 wrote to memory of 3576	4604	chrome.exe	85
PID 4604 wrote to memory of 3576	4604	chrome.exe	85
PID 4604 wrote to memory of 3576	4604	chrome.exe	85
PID 4604 wrote to memory of 3576	4604	chrome.exe	85
PID 4604 wrote to memory of 3576	4604	chrome.exe	85
PID 4604 wrote to memory of 3576	4604	chrome.exe	85
PID 4604 wrote to memory of 3576	4604	chrome.exe	85
PID 4604 wrote to memory of 3576	4604	chrome.exe	85
PID 4604 wrote to memory of 3576	4604	chrome.exe	85
PID 4604 wrote to memory of 3576	4604	chrome.exe	85
PID 4604 wrote to memory of 3576	4604	chrome.exe	85
PID 4604 wrote to memory of 3576	4604	chrome.exe	85
PID 4604 wrote to memory of 3576	4604	chrome.exe	85
PID 4604 wrote to memory of 3576	4604	chrome.exe	85
PID 4604 wrote to memory of 3576	4604	chrome.exe	85
PID 4604 wrote to memory of 3576	4604	chrome.exe	85
PID 4604 wrote to memory of 3576	4604	chrome.exe	85
PID 4604 wrote to memory of 3576	4604	chrome.exe	85
PID 4604 wrote to memory of 3576	4604	chrome.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/KRUCik
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffb76bfcc40,0x7ffb76bfcc4c,0x7ffb76bfcc58
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1860,i,11128612884602873877,893156406329036665,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=1856 /prefetch:2
  2⤵
  PID:3368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2128,i,11128612884602873877,893156406329036665,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  PID:4660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,11128612884602873877,893156406329036665,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2428 /prefetch:8
  2⤵
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,11128612884602873877,893156406329036665,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,11128612884602873877,893156406329036665,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4548,i,11128612884602873877,893156406329036665,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4372 /prefetch:1
  2⤵
  PID:1136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4800,i,11128612884602873877,893156406329036665,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4812 /prefetch:8
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4916,i,11128612884602873877,893156406329036665,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4844,i,11128612884602873877,893156406329036665,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:3848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5408,i,11128612884602873877,893156406329036665,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  PID:2520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5420,i,11128612884602873877,893156406329036665,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5392 /prefetch:8
  2⤵
  PID:3124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5448,i,11128612884602873877,893156406329036665,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5104 /prefetch:8
  2⤵
  PID:3488
- C:\Users\Admin\Downloads\WaveSourceInstaller.exe
  "C:\Users\Admin\Downloads\WaveSourceInstaller.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:4596
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    PID:4592
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1184
    - - C:\ProgramData\Remcos\remcos.exe
        
        C:\ProgramData\Remcos\remcos.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:3652
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5656,i,11128612884602873877,893156406329036665,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4836 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3044

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2608

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3776

C:\Users\Admin\Downloads\WaveSourceInstaller.exe
"C:\Users\Admin\Downloads\WaveSourceInstaller.exe"
1⤵
- Executes dropped EXE
PID:2500

C:\Users\Admin\Downloads\WaveSourceInstaller.exe
"C:\Users\Admin\Downloads\WaveSourceInstaller.exe"
1⤵
- Executes dropped EXE
PID:700

C:\Users\Admin\Downloads\WaveSourceInstaller.exe
"C:\Users\Admin\Downloads\WaveSourceInstaller.exe"
1⤵
- Executes dropped EXE
PID:4544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
PID:2876

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3448

C:\ProgramData\Remcos\remcos.exe
"C:\ProgramData\Remcos\remcos.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2080

C:\ProgramData\Remcos\remcos.exe
"C:\ProgramData\Remcos\remcos.exe"
1⤵
- Executes dropped EXE
PID:908

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39e5855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4124

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:3788

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:4440

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:2524

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:4172

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:3928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
5c435d1b8846868a13482a833c5718b5

SHA1
ad99f0acbfefac978a7becffe17b1c3de00fb181

SHA256
8d7d786f096a12e2a59dbd7f0f2e8b665996c01be0d857b5453bf05b7676e5f9

SHA512
5819058182abf5aff31dcd6f93fe9b17fe5716851725aa973ea273880656e34b88601f99240354ad78a28ba486aa3c23ba621107b8ed4cf6c08d960968ed9dce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
a727f26a004a7c1be938bbc84dd77524

SHA1
b3da04c522070cc74c0c7de63a6f22b01b922fa2

SHA256
a1616af5cf6affe0351dbbb6b194e81cec3984fafd1551b385be9e0358ab8778

SHA512
7313776cf23d6fe7de0ceb82a8146a8f97e878c1fc66fb55551392ba28d37eb97dc812d2056cf4d5e6b82ed75de39e25a3b9dc82a2d736015126af003bfd4546

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
7660f3c58ecfbbcd44a3438550e51f62

SHA1
73419ef164f25e2ee4c151ddffdf9264ed584b77

SHA256
0055712d07f282c2d2ab71b0332bbaf38b996f4ef728b8f8815dc00d627dacf2

SHA512
d714a87f2f841302c81c0b14014a252d7f8a885a6bcf61688eefa018a2f8195191c627dc8b25ee95073d9ac507b17783238ce4e9d142e160f20ee544ebc84560

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e6b9c457ec85fed5f89066a0f36fa861

SHA1
c929e1d72613ef3725313d92ef7269055b14250d

SHA256
dd34fc3b12b901ebf67dd25913e0dd16a52b592f448859a3d715f84b90726545

SHA512
980c3cf650aa078923d6439e54acfd3a791a2c632ce837f29e7c752bbb889945b19083ef3bdcbcaf1b893c849c46d601ff1a0259ea2c10a646cd8715cf48001d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
1f01ae189443b717477ce94ae29f0076

SHA1
cf07d6bc46d07c676c4edff2084baa14db0dbe36

SHA256
ec9e1eb3ade5ca50e184c4382b0ab0178bb083b939b991d4f4d10cf06273537e

SHA512
314a1a2423432c6d8710385a3bccf0e4ab9deae3190b3943a23135c2428943cd59af1f89cf7e805584c435d9f65cabc913a550b14fff64277aa9c833cc1957d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c0a9f4b4970c12c93621295f95851683

SHA1
526ba794cd0986fc9cb76fce4f052b168b83c641

SHA256
da0f11ea6774343fd779d0e7c6680d304e091587e8be4fd67dce2157c6acb1f8

SHA512
afb6b5c8d95b9c41f943cbd459965f0777d3e6f175d49cf0c2dcda628339141f985d6cab8d2333c9064d7287989eac13e20d8f9871b0252800c6121a6903ff86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5dbe7ae420eede4e9383b8e96c94cd1e

SHA1
32b11aadc3d79c0db1ab0a966eed1ac385390c26

SHA256
8fe2d2f46de5bbdfb95e935ddf5cd6581fe5acaaf17faf83f948679f87940abc

SHA512
a07eab14433b96ce830c48bdad6b7bd2a6288b90897a70074de9e8dc0a62c16edbe2db09ca3fea3af0a520d4017757a1724c11ce409006d275f0f63ee6d5f0be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
10bc5416847825994b6cd4dfabc32e0f

SHA1
ea6285741816456b92e162c05900c49f6978e46c

SHA256
a26d352d17082b76e38c2c3e0b719209da89aea62719bb662396eef3423b64c8

SHA512
6e3afd0987365bfad713be6f3998970d320288325789e955b0a144ffa8f8bd894686d63cca4f3f68c95f143ab17a073698a878e2c96a1207bc5e546c07a54b11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a9b5e90d038f45ef50441f6291a864c9

SHA1
cd0cc155984c78200b3e5082493c12a2b5a5cc77

SHA256
3a39f287dfd13e0aafb6863403882ebdf569463ba425c07c7b65b1544237c1b2

SHA512
896f6cb26828b9cceb8e2d60f20f9f443da8c47cdf0b49abb983f1ebf436179478f02af56c6e24da81abfa1e699e5619b72d122231f824ddf60e9c9c7e860389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8a7959bbfd3b1128aa9c06e56f473356

SHA1
de0b8add2dfc95c3d30b82118b27038c7816396d

SHA256
804fa28ef12f56bed6023888f905da29707611b64b9dc6ab622343b6ecec5a71

SHA512
2a8e70bb8da44a090057e908fb32c443a0fcb20c17c0eabc24c121161756f8507dbe335c48a715df791d7d94682e0be44d9d4da521fb762f0227579bd5c90641

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f99303aeb8f044bbcc8d6af64c25acac

SHA1
bca739ddf81cb44eaeb9a12379b4c821c5ef39da

SHA256
fdf456e8ae16b86b4b316587b130ada9aba8f503b74dcbb55f93b2cfdced9c2d

SHA512
f8a50bf79f5f5b3f07dfdac5d3501fba7cb38146c34c3346453e7416afd73ebf56016656a58e11e1dbabbd9169e14a835d8c0a94df6705a9946a342dc930ea5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
36b6648b63923ef920cfa89bc45ab983

SHA1
e6e6e4a1e3e4491165da3a4beda23d67f070af04

SHA256
081bbbd717d9159b57b9b201de49fe3afede69f3540206cd4227758cfa02d049

SHA512
0c10470878499e7a968411ddfc563cec6b3619e1470c9463edf92399015af5cb16c087fb96f701f96f375b32fc28931982d4fd5b71b0acb7c61dbcc553214092

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
41759a2591a107cb0fc1318418fda351

SHA1
05091085cf3f8ad5d26c9f51c3e5f259a6abd032

SHA256
1da7976bb952fe4a6c405ba139713baba7c6f1776179d4bd241a790b00f2f965

SHA512
154398b89275e2ab739e517c29b7c7913d6b65ae8da674af109a14505decfc21cb709f74a685d858075556e79970b30fc536238777c3682802d121eefb4d6186

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3469954acf3de87669bd0c530647d7ee

SHA1
b4399b021200225e51a6c43a91f45af2497c616c

SHA256
ada92c14745e4b844b6f326da9bee99229216d56183d06bface1504c2b556b8e

SHA512
878e508b7709ba3deea97f18efff7dcf8072c43b4bec7fbe5930e3c2536a66bdfcf5ad8e0f60cbf8e53a7b53684d28b950b316a24d701319ee394e94f034b1a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
5a21f5dc2d71fb06f97efc0f64759f76

SHA1
be941a1cf81f4c32bc19ebd87a3284507c3fd6e6

SHA256
576f25eee76eba9824c43263f23b5b2251b6e96aad79309fc94f1d09792aa8c0

SHA512
4f126142ad096e0c06f7a1d3904a5bc75a81b2707fcc6a4e513d5de4880556e1a41ac6c3a5de7b2c8730ffb5161266252555463b2f3f54ba17b858a6377aa900

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
3a83178d90af5e3d6ef35e0bad689407

SHA1
01971c115d68b9003c6db6a82f3b68affc11773d

SHA256
8fd750224df1dbd3d7fb48cf21dbb27542c4449ba5a34b37a29ecbe6e2507994

SHA512
0b1e2d4ec2ba40fd8a789af79937d1379a88ffbfeb9db1269e8be655016a585d0640d68ed06aa03e03691bc881fa457ba45d575c074816eb1d81f57ae2f57fdb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
cccd299af9b3476f023e525bc1375f41

SHA1
e0bf2c82019bd072a1d68020ac6626594025d6ec

SHA256
9b1082da77e63758d0a0f99d827912fa8bc04eed8c5331a6be3c329e2e6b04b8

SHA512
e4e74f238eb68600d629ace744d2098f3f087ec4bcf83c52b7e3b387e7bbad2edcc991e8636af07dcc8a723814165beaee74dd8b53fac05c13ef1f03c8f075b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
386B

MD5
1ec6289c6fd4c2ded6b2836ed28cbeb5

SHA1
c4e08195e6c640eb8860acc03fda1d649b4fe070

SHA256
6efdc40f9eb217f879607614e928b65bff759e424f3efb31faceb2a043c32dc2

SHA512
20bc46f4dee22f75f15c402c7c2eaee60fff7dd92548050585571dcbefd59485cc249c06bc3f1aac7a138e5ae67c0c3918b46ffa24c8b0f1b092e2f6b6e21288

Download Submit
C:\Users\Admin\Downloads\WaveSourceInstaller.exe

Filesize
469KB

MD5
e468b718e67495ea73c85d8258059adf

SHA1
dcad70f5c39ab85f900ef1288067dbf51eaeb503

SHA256
fa9f629254a8bbe915bbd587c0c060de580a18992103858a1d16686de8bd717e

SHA512
b4eb6cc848b5ebfc6bab7e1cc033ec468bc8cf2fed72ea912f9fc60d6eaab75664f4627646960dccab2aceefeab9c5acbd2fe1b57d992c62358929b4d840dedb

Download Submit
memory/3448-168-0x000001FA75590000-0x000001FA75591000-memory.dmp

Filesize
4KB

Download
memory/3448-167-0x000001FA75590000-0x000001FA75591000-memory.dmp

Filesize
4KB

Download
memory/3448-169-0x000001FA75590000-0x000001FA75591000-memory.dmp

Filesize
4KB

Download
memory/3448-170-0x000001FA75590000-0x000001FA75591000-memory.dmp

Filesize
4KB

Download
memory/3448-160-0x000001FA75590000-0x000001FA75591000-memory.dmp

Filesize
4KB

Download
memory/3448-159-0x000001FA75590000-0x000001FA75591000-memory.dmp

Filesize
4KB

Download
memory/3448-158-0x000001FA75590000-0x000001FA75591000-memory.dmp

Filesize
4KB

Download
memory/3448-164-0x000001FA75590000-0x000001FA75591000-memory.dmp

Filesize
4KB

Download
memory/3448-165-0x000001FA75590000-0x000001FA75591000-memory.dmp

Filesize
4KB

Download
memory/3448-166-0x000001FA75590000-0x000001FA75591000-memory.dmp

Filesize
4KB

Download
memory/4260-114-0x0000000001200000-0x000000000127F000-memory.dmp

Filesize
508KB

Download
memory/4260-190-0x0000000001200000-0x000000000127F000-memory.dmp

Filesize
508KB

Download
memory/4260-117-0x0000000001200000-0x000000000127F000-memory.dmp

Filesize
508KB

Download
memory/4260-119-0x0000000001200000-0x000000000127F000-memory.dmp

Filesize
508KB

Download
memory/4260-156-0x0000000001200000-0x000000000127F000-memory.dmp

Filesize
508KB

Download
memory/4260-115-0x0000000001200000-0x000000000127F000-memory.dmp

Filesize
508KB

Download
memory/4260-155-0x0000000001200000-0x000000000127F000-memory.dmp

Filesize
508KB

Download
memory/4260-189-0x0000000001200000-0x000000000127F000-memory.dmp

Filesize
508KB

Download
memory/4260-116-0x0000000001200000-0x000000000127F000-memory.dmp

Filesize
508KB

Download
memory/4260-113-0x0000000001200000-0x000000000127F000-memory.dmp

Filesize
508KB

Download
memory/4260-209-0x0000000001200000-0x000000000127F000-memory.dmp

Filesize
508KB

Download
memory/4260-210-0x0000000001200000-0x000000000127F000-memory.dmp

Filesize
508KB

Download
memory/4260-112-0x0000000001200000-0x000000000127F000-memory.dmp

Filesize
508KB

Download
memory/4260-111-0x0000000001200000-0x000000000127F000-memory.dmp

Filesize
508KB

Download
memory/4260-243-0x0000000001200000-0x000000000127F000-memory.dmp

Filesize
508KB

Download
memory/4260-110-0x0000000001200000-0x000000000127F000-memory.dmp

Filesize
508KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads