remcos | 4e8b3c07043d58d62d456ddb7201ad7b14578df119f005a8b441885b8208114b

Analysis

max time kernel
52s
max time network
56s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

main.pdf.pif.exe
Size

492KB
MD5

5ae083acb92a7e6dfe29b4edb7ec20fb
SHA1

c12a45b9cf33a1881c34e0e3d469e7d039130426
SHA256

7390d25410ff7cf2690c1d340f46578881687443fd3653283cf3818769bbb848
SHA512

75b23e5f3a1fb90424932a211cbdac7c8c3c078a57d8d6754e15d9bdaa4cd7b58ff91abb36a20639597a149b2aa8a1a4feec75a31233afb02a7e4d303f497f5b
SSDEEP

3072:kMSncRzAOP4g5IdrO79+lHNNqqRPsO98bx0NO4lzv:XSncRlPbI1O7kNPRPp98V0xl

Score

10^/10

remcos host discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

192.168.168.154:5555

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
remcos_lxuvlzlakuvlhki
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	main.pdf.pif.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	BACKDOOR.EXE

Executes dropped EXE 4 IoCs

pid	Process
1512	BACKDOOR.EXE
1948	remcos.exe
396	remcos.exe
1492	remcos.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	BACKDOOR.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\pt_PT\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\ja\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\bn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\mr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\tr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\hr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\sr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\fa\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\id\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\fr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\dasherSettingSchema.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\gl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\si\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\fil\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\ru\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\offscreendocument.html	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\km\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\pt_BR\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\ta\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\fi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\pl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\th\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\nl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\sv\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\cy\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\lv\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\zh_CN\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\ml\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\bg\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\eu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\en_CA\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\es_419\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\te\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\my\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\et\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\it\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\128.png	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\ka\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\zh_TW\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\kk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\am\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\en_US\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\vi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\en_GB\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\sw\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\el\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\lo\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\ms\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\sl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\zu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\hy\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\sk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\uk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\de\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\hu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\kn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\ca\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\ne\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\no\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\cs\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\hi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping436_1259683874\_locales\pa\messages.json	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	main.pdf.pif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BACKDOOR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4896	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133876670639247819"	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1062200478-553497403-3857448183-1000\{638FBADA-1CE1-420D-B52A-37D745EAEC2C}	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4896	PING.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
436	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1948	remcos.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 1512	3028	main.pdf.pif.exe	88
PID 3028 wrote to memory of 1512	3028	main.pdf.pif.exe	88
PID 3028 wrote to memory of 1512	3028	main.pdf.pif.exe	88
PID 3028 wrote to memory of 436	3028	main.pdf.pif.exe	91
PID 3028 wrote to memory of 436	3028	main.pdf.pif.exe	91
PID 436 wrote to memory of 1692	436	msedge.exe	92
PID 436 wrote to memory of 1692	436	msedge.exe	92
PID 1512 wrote to memory of 4104	1512	BACKDOOR.EXE	93
PID 1512 wrote to memory of 4104	1512	BACKDOOR.EXE	93
PID 1512 wrote to memory of 4104	1512	BACKDOOR.EXE	93
PID 5608 wrote to memory of 1948	5608	cmd.exe	95
PID 5608 wrote to memory of 1948	5608	cmd.exe	95
PID 5608 wrote to memory of 1948	5608	cmd.exe	95
PID 4104 wrote to memory of 4896	4104	cmd.exe	98
PID 4104 wrote to memory of 4896	4104	cmd.exe	98
PID 4104 wrote to memory of 4896	4104	cmd.exe	98
PID 436 wrote to memory of 4904	436	msedge.exe	99
PID 436 wrote to memory of 4904	436	msedge.exe	99
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100
PID 436 wrote to memory of 4912	436	msedge.exe	100

C:\Users\Admin\AppData\Local\Temp\main.pdf.pif.exe
"C:\Users\Admin\AppData\Local\Temp\main.pdf.pif.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\BACKDOOR.EXE
  "C:\Users\Admin\AppData\Local\Temp\BACKDOOR.EXE"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4104
  - - C:\Windows\SysWOW64\PING.EXE
      PING 127.0.0.1 -n 2
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4896
  - - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
      "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
      4⤵
      Executes dropped EXE
      PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\PDF.PDF
  2⤵
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x368,0x7ffc0d42f208,0x7ffc0d42f214,0x7ffc0d42f220
    3⤵
    PID:1692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1764,i,9723709053836079918,6144067376614852078,262144 --variations-seed-version --mojo-platform-channel-handle=2596 /prefetch:3
    3⤵
    PID:4904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2564,i,9723709053836079918,6144067376614852078,262144 --variations-seed-version --mojo-platform-channel-handle=2544 /prefetch:2
    3⤵
    PID:4912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2248,i,9723709053836079918,6144067376614852078,262144 --variations-seed-version --mojo-platform-channel-handle=2604 /prefetch:8
    3⤵
    PID:4920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3456,i,9723709053836079918,6144067376614852078,262144 --variations-seed-version --mojo-platform-channel-handle=3476 /prefetch:1
    3⤵
    PID:3288
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3468,i,9723709053836079918,6144067376614852078,262144 --variations-seed-version --mojo-platform-channel-handle=3500 /prefetch:1
    3⤵
    PID:4864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --init-isolate-as-foreground --pdf-shared-library --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4912,i,9723709053836079918,6144067376614852078,262144 --variations-seed-version --mojo-platform-channel-handle=4924 /prefetch:2
    3⤵
    PID:4152
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --renderer-sub-type=pdf-renderer --pdf-renderer --pdf-shared-library --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags="--ms-user-locale= --jitless" --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=5208,i,9723709053836079918,6144067376614852078,262144 --variations-seed-version --mojo-platform-channel-handle=5196 /prefetch:8
    3⤵
    PID:1004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3420,i,9723709053836079918,6144067376614852078,262144 --variations-seed-version --mojo-platform-channel-handle=4784 /prefetch:8
    3⤵
    PID:5344
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5092,i,9723709053836079918,6144067376614852078,262144 --variations-seed-version --mojo-platform-channel-handle=5396 /prefetch:8
    3⤵
    PID:3424
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5976,i,9723709053836079918,6144067376614852078,262144 --variations-seed-version --mojo-platform-channel-handle=6032 /prefetch:8
    3⤵
    PID:5208
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6216,i,9723709053836079918,6144067376614852078,262144 --variations-seed-version --mojo-platform-channel-handle=6184 /prefetch:8
    3⤵
    PID:3452
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6216,i,9723709053836079918,6144067376614852078,262144 --variations-seed-version --mojo-platform-channel-handle=6184 /prefetch:8
    3⤵
    PID:5160
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6256,i,9723709053836079918,6144067376614852078,262144 --variations-seed-version --mojo-platform-channel-handle=6392 /prefetch:8
    3⤵
    PID:2448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6392,i,9723709053836079918,6144067376614852078,262144 --variations-seed-version --mojo-platform-channel-handle=6404 /prefetch:8
    3⤵
    PID:4136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6240,i,9723709053836079918,6144067376614852078,262144 --variations-seed-version --mojo-platform-channel-handle=6268 /prefetch:8
    3⤵
    PID:1668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6244,i,9723709053836079918,6144067376614852078,262144 --variations-seed-version --mojo-platform-channel-handle=4296 /prefetch:8
    3⤵
    PID:5156
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6488,i,9723709053836079918,6144067376614852078,262144 --variations-seed-version --mojo-platform-channel-handle=6652 /prefetch:8
    3⤵
    PID:2240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5608
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
PID:5456
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  - Executes dropped EXE
  PID:396

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:5292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:5808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
690f9d619434781cadb75580a074a84d

SHA1
9c952a5597941ab800cae7262842ab6ac0b82ab1

SHA256
fc2e4954dbe6b72d5b09e1dc6360ea699437a2551355c2950da0b3d3a4779fc1

SHA512
d6b1da8e7febf926e8b6c316164efbbac22c7c3d9e4933a19fffba3d1667e1993cdeb5064aa53816c0c53f9d2c53e204772de987eb18adbb094a0fb84ae61fa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
939d4f029a1dc989cfb89070a069ac2a

SHA1
c71a98a5999dfaa12e97832e11dd662df114869a

SHA256
251059cca7afefb5e7d23cf1385b1e2e22ce47526b886205933a5ea90168809c

SHA512
db940a0495ba77604bb4e61cd530b94e2a33dd917b560532ce35cd14f9cece90bbdc2e884afbb31c2076c4e43ec24ce57f7c0dc21dea4ee8007e99cfc7e88c80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57c870.TMP

Filesize
3KB

MD5
11ee83dc074045225db41ec345fbbbf2

SHA1
8f6e44e43ed48011f6bbcd4f5998022bc5cfca10

SHA256
7eb1280190a89d791f2bb5826ddff7c433282d49e5a6fdb15292d3bda6f6e835

SHA512
eea41b0f73a783a354f720accd0e8b338eeb4e62987a464c186b318e06027b572db2f3aae209e46633e6e70b2561b5a31c2760827f5728ba66032fb186307d3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
3f90121a7a2f9efe5fd2551fe7c1d128

SHA1
aa86c64094f689f842541f58fc4b6dc7db304117

SHA256
81970b9ad9eb85c4010a00b2c68fd310ebbe3e59d153e55e888514b566d13f2d

SHA512
b247284c9e34fc70b60ca1ae5f5848412689d57d437453a42334574b99bd51885e121d57fd3d5ea501cdb28eeb848bd0bc7e01d980548660fc6d917bb90c6111

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
053ffd63cc59ca499074f8ec399f7444

SHA1
d4084c65c1e70e164ddd159278cbff3c389aa9cf

SHA256
0b02cfae142985c795bb5b083633cd4c15db01173507746f12521cf1325c01c4

SHA512
5e6a718d4cf15d66f80bebc0cba7ff3f29226b7a7cdf77fe4af069671318003947f8413283594ecea8e99c5aeed480f2a8dad090f76e40bd9bcdf835ebb92e95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
e6c4040359cf96d1f8613f89e8bc874f

SHA1
7c0c095e63cd98f60fc52546e4594ae3a33911c3

SHA256
fddd4a29632d85b0831e9779424e08978414e78c9c82b27bf1b43f276e72565e

SHA512
5f2804bc04850303cfc487881cec1a4397d998edd0c757f02c9ba71ebbf13a9eb25bec8f44d4bf56360e68211c49450c72c9913d839b11da63b151e4a88111ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
0cbb1cc52f28b0397071d37fdb8c5d24

SHA1
55a3727122dec1a3b232f16886e553c69566b216

SHA256
d6dc23951c9a8efed6bac062dadd2ba7f2e30bb5a1d380d5f297570f2dd70c5b

SHA512
beaced6fb84f2ab1d707f491ec8f22c582efbaf1979d1b501b2c40fc415f5191d943cd437a58bb96c4ae3d81f58ba06cfa20cbb337565b85a065acfefa3e7eef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
58a4610d0851bd718a5e9537894af423

SHA1
830a67b15f41726af0ee09240a352eb44b6f96d4

SHA256
adf264c0c7d7b2174f74b688407b14ec8a25bae9142f0ec381d68c34b5840697

SHA512
5c100991921b65a81c38f0623785a18d9563d33c442bd1a691cca4c418cd6cba8df7cc8b456b06c9fc9ae491d1ce68100a84b768e305681a67a4d33f61d989e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
850ce90ed5b41d6b0b0104e3953a8227

SHA1
fb4cd492f464d73ceacda88a35c89563aa5a7c5e

SHA256
325705fc480e7b0aae12cacd8611e0ebddce8e75d0d3263d927aadb1852133e9

SHA512
8db5abb9360a2423ddcc94bf0adab7fa261f38ce8e81160abab5cdbbc6f6ee25c583f6e704d02fd48ec1596a09f2659c22b34d58b198bd9bdc4b6321c71598b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\BACKDOOR.EXE

Filesize
36KB

MD5
cffddc7c3177706625765eb684410c7d

SHA1
04d82ea5e2b0e8e06a3284715146e11148209d2d

SHA256
39ecab5ce3b3d2049f707937f679015daf7b3bb56a313cf44683d75887511166

SHA512
2165e1553c40291f49823e7fac5454d137f1d2170e54c1e237afe62f2fc43361db8dadd4c1bed5c61aed8c4ee4c9a405685f7620f5f25efada7bc33957cb2765

Download Submit
C:\Users\Admin\AppData\Local\Temp\PDF.PDF

Filesize
40KB

MD5
7b3c39fbf5b0b43b3c01d00c1e065366

SHA1
a425c056d064305e394e92b055043272c4d89ee7

SHA256
a4f71b309275fa1c9aba3dbb96ccba45ec6f18e57a99e8bf31607931e3a0494e

SHA512
f2d763ad3804bb450b9c8646482cf1ac0da9e00b4769a711971083ad963c484f6f6b44a61414f299a7eedcca2b454e0715b6c09869f6f22f4bd04b15a92b3ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
99B

MD5
76c1687d97dfdbcea62ef1490bec5001

SHA1
5f4d1aeafa7d840cde67b76f97416dd68efd1bed

SHA256
79f04ea049979ffd2232c459fdd57fae97a5255aea9b4a2c7dce7ead856f37a4

SHA512
da250f0628632a644f159d818a82a8b9cca8224e46843bddbe0f6f9c32a2d04f7736a620af49ab6d77616317ca7d68285e60043965fe86c03d940835bd30a925

Download Submit
memory/396-56-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1492-91-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1512-17-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1512-8-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1948-482-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1948-499-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1948-529-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads