remcos | hxxps://docs[.]google[.]com/uc?export=download&id=1FWxHhPUUcEJ-St9h2BfZ6DFsQ2S_mFZu

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-es
resource tags

arch:x64arch:x86image:win10v2004-20241007-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
23-01-2025 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://docs.google.com/uc?export=download&id=1FWxHhPUUcEJ-St9h2BfZ6DFsQ2S_mFZu

Score

10^/10

remcos linin discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

LININ

axaxdad.ydns.eu:4070

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-B1NSAB
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LLFTOOL = "C:\\Users\\Admin\\Documents\\KCSoftwares\\sdk\\mdb2db.exe"	21012155658988785118165116519817611651651351651651.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	21012155658988785118165116519817611651651351651651.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	21012155658988785118165116519817611651651351651651.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133821241151119927"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3148	chrome.exe
3148	chrome.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe
320	21012155658988785118165116519817611651651351651651.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2356	21012155658988785118165116519817611651651351651651.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3148	chrome.exe
3148	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2356	21012155658988785118165116519817611651651351651651.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3148 wrote to memory of 3868	3148	chrome.exe	82
PID 3148 wrote to memory of 3868	3148	chrome.exe	82
PID 3148 wrote to memory of 1004	3148	chrome.exe	83
PID 3148 wrote to memory of 1004	3148	chrome.exe	83
PID 3148 wrote to memory of 1004	3148	chrome.exe	83
PID 3148 wrote to memory of 1004	3148	chrome.exe	83
PID 3148 wrote to memory of 1004	3148	chrome.exe	83
PID 3148 wrote to memory of 1004	3148	chrome.exe	83
PID 3148 wrote to memory of 1004	3148	chrome.exe	83
PID 3148 wrote to memory of 1004	3148	chrome.exe	83
PID 3148 wrote to memory of 1004	3148	chrome.exe	83
PID 3148 wrote to memory of 1004	3148	chrome.exe	83
PID 3148 wrote to memory of 1004	3148	chrome.exe	83
PID 3148 wrote to memory of 1004	3148	chrome.exe	83
PID 3148 wrote to memory of 1004	3148	chrome.exe	83
PID 3148 wrote to memory of 1004	3148	chrome.exe	83
PID 3148 wrote to memory of 1004	3148	chrome.exe	83
PID 3148 wrote to memory of 1004	3148	chrome.exe	83
PID 3148 wrote to memory of 1004	3148	chrome.exe	83
PID 3148 wrote to memory of 1004	3148	chrome.exe	83
PID 3148 wrote to memory of 1004	3148	chrome.exe	83
PID 3148 wrote to memory of 1004	3148	chrome.exe	83
PID 3148 wrote to memory of 1004	3148	chrome.exe	83
PID 3148 wrote to memory of 1004	3148	chrome.exe	83
PID 3148 wrote to memory of 1004	3148	chrome.exe	83
PID 3148 wrote to memory of 1004	3148	chrome.exe	83
PID 3148 wrote to memory of 1004	3148	chrome.exe	83
PID 3148 wrote to memory of 1004	3148	chrome.exe	83
PID 3148 wrote to memory of 1004	3148	chrome.exe	83
PID 3148 wrote to memory of 1004	3148	chrome.exe	83
PID 3148 wrote to memory of 1004	3148	chrome.exe	83
PID 3148 wrote to memory of 1004	3148	chrome.exe	83
PID 3148 wrote to memory of 228	3148	chrome.exe	84
PID 3148 wrote to memory of 228	3148	chrome.exe	84
PID 3148 wrote to memory of 944	3148	chrome.exe	85
PID 3148 wrote to memory of 944	3148	chrome.exe	85
PID 3148 wrote to memory of 944	3148	chrome.exe	85
PID 3148 wrote to memory of 944	3148	chrome.exe	85
PID 3148 wrote to memory of 944	3148	chrome.exe	85
PID 3148 wrote to memory of 944	3148	chrome.exe	85
PID 3148 wrote to memory of 944	3148	chrome.exe	85
PID 3148 wrote to memory of 944	3148	chrome.exe	85
PID 3148 wrote to memory of 944	3148	chrome.exe	85
PID 3148 wrote to memory of 944	3148	chrome.exe	85
PID 3148 wrote to memory of 944	3148	chrome.exe	85
PID 3148 wrote to memory of 944	3148	chrome.exe	85
PID 3148 wrote to memory of 944	3148	chrome.exe	85
PID 3148 wrote to memory of 944	3148	chrome.exe	85
PID 3148 wrote to memory of 944	3148	chrome.exe	85
PID 3148 wrote to memory of 944	3148	chrome.exe	85
PID 3148 wrote to memory of 944	3148	chrome.exe	85
PID 3148 wrote to memory of 944	3148	chrome.exe	85
PID 3148 wrote to memory of 944	3148	chrome.exe	85
PID 3148 wrote to memory of 944	3148	chrome.exe	85
PID 3148 wrote to memory of 944	3148	chrome.exe	85
PID 3148 wrote to memory of 944	3148	chrome.exe	85
PID 3148 wrote to memory of 944	3148	chrome.exe	85
PID 3148 wrote to memory of 944	3148	chrome.exe	85
PID 3148 wrote to memory of 944	3148	chrome.exe	85
PID 3148 wrote to memory of 944	3148	chrome.exe	85
PID 3148 wrote to memory of 944	3148	chrome.exe	85
PID 3148 wrote to memory of 944	3148	chrome.exe	85
PID 3148 wrote to memory of 944	3148	chrome.exe	85
PID 3148 wrote to memory of 944	3148	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://docs.google.com/uc?export=download&id=1FWxHhPUUcEJ-St9h2BfZ6DFsQ2S_mFZu
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd5c83cc40,0x7ffd5c83cc4c,0x7ffd5c83cc58
  2⤵
  PID:3868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,3486578121404341467,5976294843012842229,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:1004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2152,i,3486578121404341467,5976294843012842229,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,3486578121404341467,5976294843012842229,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2348 /prefetch:8
  2⤵
  PID:944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,3486578121404341467,5976294843012842229,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,3486578121404341467,5976294843012842229,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4464,i,3486578121404341467,5976294843012842229,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4628 /prefetch:8
  2⤵
  PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4452,i,3486578121404341467,5976294843012842229,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4968 /prefetch:8
  2⤵
  PID:1836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2276,i,3486578121404341467,5976294843012842229,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4812 /prefetch:8
  2⤵
  - Drops file in Windows directory
  PID:4172

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1584

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3548

C:\Users\Admin\AppData\Local\Temp\Temp1_21012155658988785118165116519817611651651351651651.zip\21012155658988785118165116519817611651651351651651.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_21012155658988785118165116519817611651651351651651.zip\21012155658988785118165116519817611651651351651651.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:320
- C:\Users\Admin\AppData\Local\Temp\Temp1_21012155658988785118165116519817611651651351651651.zip\21012155658988785118165116519817611651651351651651.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_21012155658988785118165116519817611651651351651651.zip\21012155658988785118165116519817611651651351651651.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
222B

MD5
496e0dcfee429ebfde818f0825c4495c

SHA1
d134a824e79f3fa544c528c76d3aba601cca4be4

SHA256
5b0ac0585b0eb857e9c85e6c74ce0b7eff7471701174b8dfdc2e7ed54abfb769

SHA512
774904f5cd2189badf36318339193c7d3d43f33d8ba906d2a2f02fe55a0941c6c213522bdb6310158d0bcc8b20ffe9d87ed00a5355e94ca3b0dd86b99599df64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
464dcd94d5602e855d92e622be641f82

SHA1
9dbe0c186ddf949c1b192c424426bd79b61f9ef2

SHA256
d39a89162d68dbadd4d746983f6424f2576aba1a924aeba77bbee434e49a265b

SHA512
885171de1b16bccd1ad3d4007e64fc6286006813c134880f09ab85ce5e04e0ddc31b427d3a39b599c605bbb8908e966c5f5f2f3541f413072aebbe3f5b0b9199

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
17210363ea7864d4c43a51050abe1f04

SHA1
0b480a4234501971e020749d68a112b3b5c31978

SHA256
70082ef89c338479ff259bf9830b1c99032b8a94265408278226b6613dee3598

SHA512
2b7d15d9b0bf26e6e514debc571b29fddd6aed1f262885db4e2e2f579f2a0e28ee63e44cb368be2fc75d411c6381a2a967800253ccd1e0648180eb1cbf3564ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
e81350dfb47bbb1f4415d20bebe5cf8a

SHA1
bfe9ebff113f35e4ec059b725ed57ad410d21a76

SHA256
8982fe309dcee52d5e00ca0f4fdf2ee8a5a483e258d3ca57eb54de34b54ea241

SHA512
a84aa06c2fdcecb7add8b4a560a4f8dd87b0733c424919654e28a265ae17460e60ce3bc7b15bc3de6670dff1d6c49a527f94e9bea2d5e340b9bfaffb42fc8725

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ffe083354c0a765a401b4c826aa14213

SHA1
c2e5aae0713e90f687a0d07ae043dec695b3f512

SHA256
ddc7ca32f329e26f58c53347beaa5340b86a9ab68cc14097327180b08de9347e

SHA512
8c629dc6454e524526799c27faf42a933db0189eb8473e74e23f98b8d2ba9932c923db4b4eb3ce4f51360e6a571c46056ca212230848c61e86df8a4f0c8bee5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6556c6a4a4b8f5c1941b9001bb0a6847

SHA1
a78c1b3c18b6172706b078c5f5e9b8b8866860e1

SHA256
a53a1ad11de8d153ea47ccc89822a8af203fcbfbd05572f1c903ae0229c51446

SHA512
316384f7bffdc5e379c1b334a0f5898ecb324dcfe9ddb5a67b9b85091ba541bdbb99970b2ba7955279444c198f6ad3a0d23aedc372a5fdd02fb31d50eb689409

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0649ffa0ff6b2244baf491aeb5127439

SHA1
635cbe41c2c2cd6e2a9e10a4cea08e57180a6f74

SHA256
59b786e4b61eb696490e518adf8beb05bed5ad7b067aae52a07ac3efdc324070

SHA512
71bee38d5f3fb1dc9e5dcb3438ccd24a9801b1417fc032d241fc343c18607798ebeea61f96dbca149fccaba1d8a255b1314e5d55c0fd256302dc5cc27e577d4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
466983f8602d245a81c89230ecee5395

SHA1
3225e274466ec0f906c5fe73a5b103266583b0e9

SHA256
d8dd22671586f89d720e173ae5f6137979cabd84f91c5c820c7fe402cc9345b9

SHA512
e8e339d48b0af34b9152ca1b355ab8ad856abc1ed575571b9d4bd1d1ebba82093978f98bfccbaba690c929f5ae51428fd29c5260c672a7ca801e6a8b00b1971e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
db7bf931fa039f08c27d14875d05f8d0

SHA1
a7c3acb7ad237754e2568941bea2849917659831

SHA256
32f14d94cecaf4aeb9fdac12106c0fbe3f64f123439b6a0f41dc40737b39c2c4

SHA512
aa261cb3b5b19408dfc5a118677222ec3da1fe4678996d55facea165b299438ff2c6015d4d358d6007bce638928424c889587c4633f2a0d538556f3bfbd6a4d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8a68ef781eeaa86d20c414cfc0a0b514

SHA1
42e66c1d81932c32498bde45ad752240e0f311d5

SHA256
c22d2f947bf038a48c868827fba3b3d0c573fa44dfba743d0d3a1dca6c25a06a

SHA512
9a1621d902eb8b859677c874e80f436f9870bd21c748ccb83703181f31e015193745893195903b804bc012e90dd61628bb65bc157d1d5e0b1e2332ddfca8a075

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
85f8130d9a8a49848a225572a96f6336

SHA1
e7cc77d3a27bd44cc4621389e61d7ddabd9b4ef2

SHA256
0106837bb204c9efbacd4521b6bbcf12244198edaed37ca8db396556cec02e87

SHA512
fbff73454c94e9d17812df659aa0bd659057cfdba3b388441019b8c3fd05d2f1be01e3bc7af0d419571c06dfb1dd828d3bdcebe0bb580a56a24782b2a551130c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
5d0ccc312ba75a7a768d93a7deddfb5a

SHA1
02871ebc1a932b913d5c8db0ee3b6717416122ac

SHA256
03928b52c43b85996fb55998efb58b0f704b2a55f40e51b7306f88991ae85536

SHA512
f674ea4407fd86c479ff3ff7c3a0c4994db59c6e911360109d589158074010edce5536291a32c390439add871a2f1d46d5a6b66e7fd6131efe0ad5613916d07f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
40f5f4c3502ed323508a028b889a2fe2

SHA1
fe73d6b12f7a35e5c23b1c84d4e955da1aa89b8f

SHA256
061e147c1a50e98eeb5c5013cb1d5b083778d9f152f89affb7a07375f991a029

SHA512
8f7cd07dfadddfc75d8bbc875512e2a80936e85710c3a440178646b755db9b912fdfeaff2bc969d67479a92727446622b19d0f8fecb4d077693e1b8069141d0b

Download Submit
C:\Users\Admin\Downloads\21012155658988785118165116519817611651651351651651.zip.crdownload

Filesize
2.5MB

MD5
559a3972d188519b791dd804e144f8ea

SHA1
2e6fe234eb8fa3f5b2a83eea9a2d2a6c1f5a39d6

SHA256
134b29b5801de30fe03b486c89435c90fa53e7156600757fd13b878a91f11c08

SHA512
413f168920fb2434865ae9e9c89cfff92f801ed36113223a587adacf322d9d3649cd307a63b62e4ff8a92cb4b83ef57709862338bee6f847f1da814b253a8ae1

Download Submit
memory/320-81-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/320-62-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/320-106-0x0000000002740000-0x000000000276D000-memory.dmp

Filesize
180KB

Download
memory/320-136-0x0000000002770000-0x00000000027CC000-memory.dmp

Filesize
368KB

Download
memory/2356-129-0x000000000090E000-0x000000000090F000-memory.dmp

Filesize
4KB

Download
memory/2356-115-0x0000000000919000-0x000000000091A000-memory.dmp

Filesize
4KB

Download
memory/2356-130-0x0000000000906000-0x0000000000907000-memory.dmp

Filesize
4KB

Download
memory/2356-132-0x000000000090D000-0x000000000090E000-memory.dmp

Filesize
4KB

Download
memory/2356-128-0x0000000000909000-0x000000000090A000-memory.dmp

Filesize
4KB

Download
memory/2356-127-0x0000000000908000-0x0000000000909000-memory.dmp

Filesize
4KB

Download
memory/2356-122-0x0000000000903000-0x0000000000904000-memory.dmp

Filesize
4KB

Download
memory/2356-121-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/2356-120-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/2356-119-0x0000000000915000-0x0000000000916000-memory.dmp

Filesize
4KB

Download
memory/2356-118-0x0000000000916000-0x0000000000917000-memory.dmp

Filesize
4KB

Download
memory/2356-117-0x000000000091A000-0x000000000091B000-memory.dmp

Filesize
4KB

Download
memory/2356-116-0x0000000000918000-0x0000000000919000-memory.dmp

Filesize
4KB

Download
memory/2356-131-0x000000000090C000-0x000000000090D000-memory.dmp

Filesize
4KB

Download
memory/2356-114-0x0000000000917000-0x0000000000918000-memory.dmp

Filesize
4KB

Download
memory/2356-113-0x0000000000914000-0x0000000000915000-memory.dmp

Filesize
4KB

Download
memory/2356-112-0x00000000008E0000-0x0000000000960000-memory.dmp

Filesize
512KB

Download
memory/2356-111-0x0000000000913000-0x0000000000914000-memory.dmp

Filesize
4KB

Download
memory/2356-108-0x00000000008E0000-0x0000000000960000-memory.dmp

Filesize
512KB

Download
memory/2356-125-0x0000000000907000-0x0000000000908000-memory.dmp

Filesize
4KB

Download
memory/2356-124-0x0000000000901000-0x0000000000902000-memory.dmp

Filesize
4KB

Download
memory/2356-123-0x0000000000912000-0x0000000000913000-memory.dmp

Filesize
4KB

Download
memory/2356-133-0x000000000090B000-0x000000000090C000-memory.dmp

Filesize
4KB

Download
memory/2356-134-0x000000000090F000-0x0000000000910000-memory.dmp

Filesize
4KB

Download
memory/2356-135-0x00000000008F1000-0x00000000008F2000-memory.dmp

Filesize
4KB

Download
memory/2356-126-0x000000000090A000-0x000000000090B000-memory.dmp

Filesize
4KB

Download
memory/2356-107-0x00000000008E0000-0x0000000000960000-memory.dmp

Filesize
512KB

Download