remcos | 9273e6c9157cc1846b6b236bc59914161ec91fdfdfe1979090bfabdf0ad06543

Analysis

max time kernel
150s
max time network
151s
platform
windows10_x64
resource
win10v20210408
submitted
14-04-2021 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe
Size

2.9MB
MD5

21948d42c2c1e49cadea88e80dfe6880
SHA1

d7f6837f76f3785eef87048c4a28c4b664f99dbd
SHA256

2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7
SHA512

14054453d259e53d88881a6b50061960befc06309fc14d1f557d5cb3cbc2ac7e855a805cc483915e8b5ce737c328dd03a8cfbc9a68a670e0238896009befa863

Score

10^/10

remcos webmonitor backdoor infostealer link pdf persistence rat upx

Malware Config

Extracted

Family

remcos

daya4659.ddns.net:8282

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

Executes dropped EXE 10 IoCs

pid	Process
3300	remcos_agent_Protected.exe
1360	remcos_agent_Protected.exe
2820	remcos.exe
2376	remcos.exe
4132	driverquery.exe
4156	sfc.exe
4188	driverquery.exe
4312	sfc.exe
4496	sfc.exe
4520	sfc.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4188-183-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral2/memory/4188-187-0x0000000000400000-0x00000000004C0000-memory.dmp	upx

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\WebMonitor-9923 = "C:\\Users\\Admin\\AppData\\Roaming\\WebMonitor-9923.exe관"	driverquery.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos_agent_Protected.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	remcos_agent_Protected.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos_agent_Protected.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos_agent_Protected.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	remcos.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 3300 set thread context of 1360	3300	remcos_agent_Protected.exe	86
PID 2820 set thread context of 2376	2820	remcos.exe	93
PID 4132 set thread context of 4188	4132	driverquery.exe	109
PID 4156 set thread context of 4312	4156	sfc.exe	112
PID 4496 set thread context of 4520	4496	sfc.exe	116

HTTP links in PDF interactive object 4 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

resource	yara_rule
behavioral2/files/0x000100000001ab54-133.dat	pdf_with_link_action
behavioral2/files/0x000100000001ab56-179.dat	pdf_with_link_action
behavioral2/files/0x000100000001ab56-180.dat	pdf_with_link_action
behavioral2/files/0x000100000001ab56-186.dat	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1828	schtasks.exe
4248	schtasks.exe
4384	schtasks.exe
4596	schtasks.exe
2936	schtasks.exe
1492	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	remcos_agent_Protected.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2588	AcroRd32.exe
2588	AcroRd32.exe
2588	AcroRd32.exe
2588	AcroRd32.exe
2588	AcroRd32.exe
2588	AcroRd32.exe
2588	AcroRd32.exe
2588	AcroRd32.exe
2588	AcroRd32.exe
2588	AcroRd32.exe
2588	AcroRd32.exe
2588	AcroRd32.exe
2588	AcroRd32.exe
2588	AcroRd32.exe
2588	AcroRd32.exe
2588	AcroRd32.exe
2588	AcroRd32.exe
2588	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2376	remcos.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2588	AcroRd32.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2588	AcroRd32.exe
2588	AcroRd32.exe
2588	AcroRd32.exe
2588	AcroRd32.exe
2376	remcos.exe
2588	AcroRd32.exe
2588	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 3300	848	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	75
PID 848 wrote to memory of 3300	848	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	75
PID 848 wrote to memory of 3300	848	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	75
PID 848 wrote to memory of 2588	848	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	77
PID 848 wrote to memory of 2588	848	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	77
PID 848 wrote to memory of 2588	848	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	77
PID 848 wrote to memory of 204	848	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	78
PID 848 wrote to memory of 204	848	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	78
PID 848 wrote to memory of 204	848	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	78
PID 848 wrote to memory of 192	848	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	79
PID 848 wrote to memory of 192	848	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	79
PID 848 wrote to memory of 192	848	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	79
PID 848 wrote to memory of 3048	848	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	80
PID 848 wrote to memory of 3048	848	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	80
PID 848 wrote to memory of 3048	848	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	80
PID 848 wrote to memory of 1928	848	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	81
PID 848 wrote to memory of 1928	848	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	81
PID 848 wrote to memory of 1928	848	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	81
PID 848 wrote to memory of 2312	848	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	82
PID 848 wrote to memory of 2312	848	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	82
PID 848 wrote to memory of 2312	848	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	82
PID 848 wrote to memory of 2176	848	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	83
PID 848 wrote to memory of 2176	848	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	83
PID 848 wrote to memory of 2176	848	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	83
PID 848 wrote to memory of 2936	848	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	84
PID 848 wrote to memory of 2936	848	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	84
PID 848 wrote to memory of 2936	848	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	84
PID 3300 wrote to memory of 1360	3300	remcos_agent_Protected.exe	86
PID 3300 wrote to memory of 1360	3300	remcos_agent_Protected.exe	86
PID 3300 wrote to memory of 1360	3300	remcos_agent_Protected.exe	86
PID 3300 wrote to memory of 1360	3300	remcos_agent_Protected.exe	86
PID 3300 wrote to memory of 1360	3300	remcos_agent_Protected.exe	86
PID 1360 wrote to memory of 2252	1360	remcos_agent_Protected.exe	87
PID 1360 wrote to memory of 2252	1360	remcos_agent_Protected.exe	87
PID 1360 wrote to memory of 2252	1360	remcos_agent_Protected.exe	87
PID 3300 wrote to memory of 1492	3300	remcos_agent_Protected.exe	88
PID 3300 wrote to memory of 1492	3300	remcos_agent_Protected.exe	88
PID 3300 wrote to memory of 1492	3300	remcos_agent_Protected.exe	88
PID 2252 wrote to memory of 3920	2252	WScript.exe	90
PID 2252 wrote to memory of 3920	2252	WScript.exe	90
PID 2252 wrote to memory of 3920	2252	WScript.exe	90
PID 3920 wrote to memory of 2820	3920	cmd.exe	92
PID 3920 wrote to memory of 2820	3920	cmd.exe	92
PID 3920 wrote to memory of 2820	3920	cmd.exe	92
PID 2820 wrote to memory of 2376	2820	remcos.exe	93
PID 2820 wrote to memory of 2376	2820	remcos.exe	93
PID 2820 wrote to memory of 2376	2820	remcos.exe	93
PID 2820 wrote to memory of 2376	2820	remcos.exe	93
PID 2820 wrote to memory of 2376	2820	remcos.exe	93
PID 2376 wrote to memory of 772	2376	remcos.exe	94
PID 2376 wrote to memory of 772	2376	remcos.exe	94
PID 2376 wrote to memory of 772	2376	remcos.exe	94
PID 2820 wrote to memory of 1828	2820	remcos.exe	95
PID 2820 wrote to memory of 1828	2820	remcos.exe	95
PID 2820 wrote to memory of 1828	2820	remcos.exe	95
PID 2588 wrote to memory of 1492	2588	AcroRd32.exe	97
PID 2588 wrote to memory of 1492	2588	AcroRd32.exe	97
PID 2588 wrote to memory of 1492	2588	AcroRd32.exe	97
PID 1492 wrote to memory of 1012	1492	RdrCEF.exe	98
PID 1492 wrote to memory of 1012	1492	RdrCEF.exe	98
PID 1492 wrote to memory of 1012	1492	RdrCEF.exe	98
PID 1492 wrote to memory of 1012	1492	RdrCEF.exe	98
PID 1492 wrote to memory of 1012	1492	RdrCEF.exe	98
PID 1492 wrote to memory of 1012	1492	RdrCEF.exe	98

C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe
"C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:848
- C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe
  "C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe
    "C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1360
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2252
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3920
      - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:772
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
        7⤵
        Creates scheduled task(s)
        
        PID:1828
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
    3⤵
    - Creates scheduled task(s)
    PID:1492
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\medical-application-form.pdf"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=13B573C94CF666E732A57874DDF3C230 --mojo-platform-channel-handle=1624 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:1012
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=CD1AA85F87190D47A4902E3FC5EC8544 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=CD1AA85F87190D47A4902E3FC5EC8544 --renderer-client-id=2 --mojo-platform-channel-handle=1652 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:3048
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=56457EC840C7E8394BF2CFEFE111D98E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=56457EC840C7E8394BF2CFEFE111D98E --renderer-client-id=4 --mojo-platform-channel-handle=2072 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:3396
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7CBB0771DA1A70D4A0C84C2A461511AD --mojo-platform-channel-handle=1656 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:2584
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=32C774F9A67013012F7EC6609A2483E8 --mojo-platform-channel-handle=2480 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:3948
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4990A6FDDC14A28D503C3C375A308C52 --mojo-platform-channel-handle=2516 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:3920
- C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe
  "C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe"
  2⤵
  PID:204
- C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe
  "C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe"
  2⤵
  PID:192
- C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe
  "C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe"
  2⤵
  PID:3048
- C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe
  "C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe"
  2⤵
  PID:1928
- C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe
  "C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe"
  2⤵
  PID:2312
- C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe
  "C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe"
  2⤵
  PID:2176
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:2936

C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4132
- C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
  "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4188
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:4248

C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4156
- C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
  "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe"
  2⤵
  - Executes dropped EXE
  PID:4312
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:4384

C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4496
- C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
  "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe"
  2⤵
  - Executes dropped EXE
  PID:4520
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:4596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/848-127-0x00000000036E0000-0x00000000036E1000-memory.dmp

Filesize
4KB

Download
memory/1012-151-0x0000000077722000-0x000000007772200C-memory.dmp

Filesize
12B

Download
memory/1360-129-0x0000000000140000-0x0000000000160000-memory.dmp

Filesize
128KB

Download
memory/1360-119-0x0000000000140000-0x0000000000160000-memory.dmp

Filesize
128KB

Download
memory/2376-146-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2376-138-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2584-167-0x0000000077722000-0x000000007772200C-memory.dmp

Filesize
12B

Download
memory/3048-155-0x0000000077722000-0x000000007772200C-memory.dmp

Filesize
12B

Download
memory/3300-128-0x0000000000C80000-0x0000000000DCA000-memory.dmp

Filesize
1.3MB

Download
memory/3396-161-0x0000000077722000-0x000000007772200C-memory.dmp

Filesize
12B

Download
memory/3920-175-0x0000000077722000-0x000000007772200C-memory.dmp

Filesize
12B

Download
memory/3948-171-0x0000000077722000-0x000000007772200C-memory.dmp

Filesize
12B

Download
memory/4188-191-0x0000000000401000-0x0000000000476000-memory.dmp

Filesize
468KB

Download
memory/4188-190-0x0000000000476000-0x00000000004BF000-memory.dmp

Filesize
292KB

Download
memory/4188-183-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4188-187-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download