remcos | d9c227ed57ca134b518a38f74580faf7f3c5e05c5caae3ed3166641341950ee7

Analysis

max time kernel
152s
max time network
152s
platform
windows7_x64
resource
win7v20210408
submitted
26-04-2021 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr
Size

260KB
MD5

84bc6ece04588d297e5f957f8c0eed1a
SHA1

47b0cfaaef2a8dceeb377e822094fd8a97b6fc0b
SHA256

d9c227ed57ca134b518a38f74580faf7f3c5e05c5caae3ed3166641341950ee7
SHA512

83c546bebebe502a4239c18e29230dec4a3df29568ff97cec6b64fa00801b2572ee738b0f74d9a11f693fff34f6b23db8edbfc16a4b5baa1482ff604314600f1

Score

10^/10

remcos rat

Malware Config

Extracted

Family

remcos

188.72.124.143:2858

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

Processes:

TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr

pid	process
1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr
1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr
1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr
1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr
1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr
1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr
1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr
1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr
1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr
1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr
1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr
1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr

Suspicious use of SetThreadContext 64 IoCs

Processes:

TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scrapplaunch.exe

description	pid	process	target process
PID 1824 set thread context of 336	1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr	applaunch.exe
PID 336 set thread context of 1192	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1756	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1068	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1180	336	applaunch.exe	svchost.exe
PID 336 set thread context of 928	336	applaunch.exe	svchost.exe
PID 336 set thread context of 300	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1416	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1648	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1608	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1212	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1588	336	applaunch.exe	svchost.exe
PID 336 set thread context of 324	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1092	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1480	336	applaunch.exe	svchost.exe
PID 336 set thread context of 2044	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1956	336	applaunch.exe	svchost.exe
PID 336 set thread context of 936	336	applaunch.exe	svchost.exe
PID 336 set thread context of 348	336	applaunch.exe	svchost.exe
PID 336 set thread context of 440	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1800	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1340	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1940	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1696	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1136	336	applaunch.exe	svchost.exe
PID 336 set thread context of 896	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1388	336	applaunch.exe	svchost.exe
PID 336 set thread context of 968	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1112	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1896	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1672	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1748	336	applaunch.exe	svchost.exe
PID 336 set thread context of 868	336	applaunch.exe	svchost.exe
PID 336 set thread context of 912	336	applaunch.exe	svchost.exe
PID 336 set thread context of 2000	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1544	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1548	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1604	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1324	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1952	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1912	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1044	336	applaunch.exe	svchost.exe
PID 336 set thread context of 2032	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1164	336	applaunch.exe	svchost.exe
PID 336 set thread context of 952	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1528	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1556	336	applaunch.exe	svchost.exe
PID 336 set thread context of 864	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1936	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1532	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1832	336	applaunch.exe	svchost.exe
PID 336 set thread context of 108	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1376	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1600	336	applaunch.exe	svchost.exe
PID 336 set thread context of 844	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1076	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1580	336	applaunch.exe	svchost.exe
PID 336 set thread context of 2028	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1976	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1968	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1680	336	applaunch.exe	svchost.exe
PID 336 set thread context of 1772	336	applaunch.exe	svchost.exe
PID 336 set thread context of 2060	336	applaunch.exe	svchost.exe
PID 336 set thread context of 2068	336	applaunch.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1652 1824 WerFault.exe TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

112 timeout.exe

pid	pid_target	process	target process
1652	1824	WerFault.exe	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr

pid	process
112	timeout.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scrWerFault.exe

pid	process
1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr
1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr
1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr
1652	WerFault.exe
1652	WerFault.exe
1652	WerFault.exe
1652	WerFault.exe
1652	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1652 WerFault.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scrWerFault.exe

description pid process

Token: SeDebugPrivilege 1824 TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr
Token: SeDebugPrivilege 1652 WerFault.exe

pid	process
1652	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr
Token: SeDebugPrivilege	1652	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scrcmd.exeapplaunch.exe

description	pid	process	target process
PID 1824 wrote to memory of 1664	1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr	cmd.exe
PID 1824 wrote to memory of 1664	1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr	cmd.exe
PID 1824 wrote to memory of 1664	1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr	cmd.exe
PID 1824 wrote to memory of 1664	1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr	cmd.exe
PID 1664 wrote to memory of 112	1664	cmd.exe	timeout.exe
PID 1664 wrote to memory of 112	1664	cmd.exe	timeout.exe
PID 1664 wrote to memory of 112	1664	cmd.exe	timeout.exe
PID 1664 wrote to memory of 112	1664	cmd.exe	timeout.exe
PID 1824 wrote to memory of 336	1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr	applaunch.exe
PID 1824 wrote to memory of 336	1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr	applaunch.exe
PID 1824 wrote to memory of 336	1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr	applaunch.exe
PID 1824 wrote to memory of 336	1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr	applaunch.exe
PID 1824 wrote to memory of 336	1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr	applaunch.exe
PID 1824 wrote to memory of 336	1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr	applaunch.exe
PID 1824 wrote to memory of 336	1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr	applaunch.exe
PID 1824 wrote to memory of 336	1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr	applaunch.exe
PID 1824 wrote to memory of 336	1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr	applaunch.exe
PID 1824 wrote to memory of 336	1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr	applaunch.exe
PID 1824 wrote to memory of 336	1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr	applaunch.exe
PID 1824 wrote to memory of 336	1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr	applaunch.exe
PID 1824 wrote to memory of 336	1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr	applaunch.exe
PID 1824 wrote to memory of 336	1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr	applaunch.exe
PID 1824 wrote to memory of 336	1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr	applaunch.exe
PID 1824 wrote to memory of 336	1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr	applaunch.exe
PID 336 wrote to memory of 1192	336	applaunch.exe	svchost.exe
PID 336 wrote to memory of 1192	336	applaunch.exe	svchost.exe
PID 336 wrote to memory of 1192	336	applaunch.exe	svchost.exe
PID 336 wrote to memory of 1192	336	applaunch.exe	svchost.exe
PID 336 wrote to memory of 1192	336	applaunch.exe	svchost.exe
PID 336 wrote to memory of 1192	336	applaunch.exe	svchost.exe
PID 336 wrote to memory of 1192	336	applaunch.exe	svchost.exe
PID 336 wrote to memory of 1192	336	applaunch.exe	svchost.exe
PID 336 wrote to memory of 1192	336	applaunch.exe	svchost.exe
PID 336 wrote to memory of 1192	336	applaunch.exe	svchost.exe
PID 336 wrote to memory of 1192	336	applaunch.exe	svchost.exe
PID 336 wrote to memory of 1192	336	applaunch.exe	svchost.exe
PID 336 wrote to memory of 1192	336	applaunch.exe	svchost.exe
PID 336 wrote to memory of 1192	336	applaunch.exe	svchost.exe
PID 1824 wrote to memory of 1652	1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr	WerFault.exe
PID 1824 wrote to memory of 1652	1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr	WerFault.exe
PID 1824 wrote to memory of 1652	1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr	WerFault.exe
PID 1824 wrote to memory of 1652	1824	TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr	WerFault.exe
PID 336 wrote to memory of 1756	336	applaunch.exe	svchost.exe
PID 336 wrote to memory of 1756	336	applaunch.exe	svchost.exe
PID 336 wrote to memory of 1756	336	applaunch.exe	svchost.exe
PID 336 wrote to memory of 1756	336	applaunch.exe	svchost.exe
PID 336 wrote to memory of 1756	336	applaunch.exe	svchost.exe
PID 336 wrote to memory of 1756	336	applaunch.exe	svchost.exe
PID 336 wrote to memory of 1756	336	applaunch.exe	svchost.exe
PID 336 wrote to memory of 1756	336	applaunch.exe	svchost.exe
PID 336 wrote to memory of 1756	336	applaunch.exe	svchost.exe
PID 336 wrote to memory of 1756	336	applaunch.exe	svchost.exe
PID 336 wrote to memory of 1756	336	applaunch.exe	svchost.exe
PID 336 wrote to memory of 1756	336	applaunch.exe	svchost.exe
PID 336 wrote to memory of 1756	336	applaunch.exe	svchost.exe
PID 336 wrote to memory of 1756	336	applaunch.exe	svchost.exe
PID 336 wrote to memory of 1068	336	applaunch.exe	svchost.exe
PID 336 wrote to memory of 1068	336	applaunch.exe	svchost.exe
PID 336 wrote to memory of 1068	336	applaunch.exe	svchost.exe
PID 336 wrote to memory of 1068	336	applaunch.exe	svchost.exe
PID 336 wrote to memory of 1068	336	applaunch.exe	svchost.exe
PID 336 wrote to memory of 1068	336	applaunch.exe	svchost.exe
PID 336 wrote to memory of 1068	336	applaunch.exe	svchost.exe
PID 336 wrote to memory of 1068	336	applaunch.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr
"C:\Users\Admin\AppData\Local\Temp\TPE-CHESTERFIELD, MI 48051 (DDP)駿得5008.scr" /S
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\applaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\applaunch.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1192

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1756

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1068

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1180

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:928

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:300

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1416

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1648

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1608

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1212

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1588

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:324

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1092

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1480

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:2044

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1956

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:936

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:348

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:440

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1800

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1340

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1940

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1696

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1136

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:896

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1388

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:968

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1112

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1896

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1672

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1748

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:868

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:912

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:2000

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1544

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1548

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1604

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1324

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1952

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1912

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1044

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:2032

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1164

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:952

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1528

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1556

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:864

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1936

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1532

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1832

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:108

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1376

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1600

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:844

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1076

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1580

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:2028

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1976

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1968

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1680

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1772

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:2060

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:2068

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:2076

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:2088

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 1276
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/108-231-0x000000000040F2B0-mapping.dmp

Download
memory/112-65-0x0000000000000000-mapping.dmp

Download
memory/300-93-0x000000000040F2B0-mapping.dmp

Download
memory/324-117-0x000000000040F2B0-mapping.dmp

Download
memory/336-67-0x000000000042EEEF-mapping.dmp

Download
memory/336-68-0x0000000075D51000-0x0000000075D53000-memory.dmp

Filesize
8KB

Download
memory/336-66-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/336-73-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/348-141-0x000000000040F2B0-mapping.dmp

Download
memory/440-145-0x000000000040F2B0-mapping.dmp

Download
memory/844-237-0x000000000040F2B0-mapping.dmp

Download
memory/864-223-0x000000000040F2B0-mapping.dmp

Download
memory/868-193-0x000000000040F2B0-mapping.dmp

Download
memory/896-169-0x000000000040F2B0-mapping.dmp

Download
memory/912-195-0x000000000040F2B0-mapping.dmp

Download
memory/928-89-0x000000000040F2B0-mapping.dmp

Download
memory/936-137-0x000000000040F2B0-mapping.dmp

Download
memory/952-217-0x000000000040F2B0-mapping.dmp

Download
memory/968-177-0x000000000040F2B0-mapping.dmp

Download
memory/1044-211-0x000000000040F2B0-mapping.dmp

Download
memory/1068-81-0x000000000040F2B0-mapping.dmp

Download
memory/1076-239-0x000000000040F2B0-mapping.dmp

Download
memory/1076-240-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1092-121-0x000000000040F2B0-mapping.dmp

Download
memory/1112-181-0x000000000040F2B0-mapping.dmp

Download
memory/1136-165-0x000000000040F2B0-mapping.dmp

Download
memory/1164-215-0x000000000040F2B0-mapping.dmp

Download
memory/1180-85-0x000000000040F2B0-mapping.dmp

Download
memory/1192-69-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1192-70-0x000000000040F2B0-mapping.dmp

Download
memory/1192-74-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1212-109-0x000000000040F2B0-mapping.dmp

Download
memory/1324-205-0x000000000040F2B0-mapping.dmp

Download
memory/1340-153-0x000000000040F2B0-mapping.dmp

Download
memory/1376-233-0x000000000040F2B0-mapping.dmp

Download
memory/1388-173-0x000000000040F2B0-mapping.dmp

Download
memory/1416-97-0x000000000040F2B0-mapping.dmp

Download
memory/1480-125-0x000000000040F2B0-mapping.dmp

Download
memory/1528-219-0x000000000040F2B0-mapping.dmp

Download
memory/1532-227-0x000000000040F2B0-mapping.dmp

Download
memory/1544-199-0x000000000040F2B0-mapping.dmp

Download
memory/1548-201-0x000000000040F2B0-mapping.dmp

Download
memory/1556-221-0x000000000040F2B0-mapping.dmp

Download
memory/1580-241-0x000000000040F2B0-mapping.dmp

Download
memory/1588-113-0x000000000040F2B0-mapping.dmp

Download
memory/1600-235-0x000000000040F2B0-mapping.dmp

Download
memory/1604-203-0x000000000040F2B0-mapping.dmp

Download
memory/1608-105-0x000000000040F2B0-mapping.dmp

Download
memory/1648-101-0x000000000040F2B0-mapping.dmp

Download
memory/1652-75-0x0000000001D30000-0x0000000001D31000-memory.dmp

Filesize
4KB

Download
memory/1652-72-0x0000000000000000-mapping.dmp

Download
memory/1664-64-0x0000000000000000-mapping.dmp

Download
memory/1672-189-0x000000000040F2B0-mapping.dmp

Download
memory/1680-249-0x000000000040F2B0-mapping.dmp

Download
memory/1696-161-0x000000000040F2B0-mapping.dmp

Download
memory/1748-191-0x000000000040F2B0-mapping.dmp

Download
memory/1756-77-0x000000000040F2B0-mapping.dmp

Download
memory/1800-149-0x000000000040F2B0-mapping.dmp

Download
memory/1824-60-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/1824-62-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/1824-63-0x0000000000B90000-0x0000000000C10000-memory.dmp

Filesize
512KB

Download
memory/1832-229-0x000000000040F2B0-mapping.dmp

Download
memory/1896-185-0x000000000040F2B0-mapping.dmp

Download
memory/1912-209-0x000000000040F2B0-mapping.dmp

Download
memory/1936-225-0x000000000040F2B0-mapping.dmp

Download
memory/1940-157-0x000000000040F2B0-mapping.dmp

Download
memory/1952-207-0x000000000040F2B0-mapping.dmp

Download
memory/1956-133-0x000000000040F2B0-mapping.dmp

Download
memory/1968-247-0x000000000040F2B0-mapping.dmp

Download
memory/1976-245-0x000000000040F2B0-mapping.dmp

Download
memory/2000-197-0x000000000040F2B0-mapping.dmp

Download
memory/2028-243-0x000000000040F2B0-mapping.dmp

Download
memory/2032-213-0x000000000040F2B0-mapping.dmp

Download
memory/2044-129-0x000000000040F2B0-mapping.dmp

Download