remcos | 99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7

Analysis

max time kernel
151s
max time network
151s
platform
windows10_x64
resource
win10v20210408
submitted
08-05-2021 22:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe
Size

2.9MB
MD5

14e8869c598322275ae390eb2e6f36af
SHA1

e904d47a554aea9ea53d85eeaf1d9bac939e9e09
SHA256

99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7
SHA512

a7017b5be156634afdf218e2b2b50633ba2b27492ddce9fa07bca1ed8237fa981667596a4777864cf475858ab0885f257819bacfe94d321293f6cce6c790d3ff

Score

10^/10

remcos webmonitor backdoor infostealer link pdf persistence rat upx

Malware Config

Extracted

Family

remcos

daya4659.ddns.net:8282

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

Executes dropped EXE 19 IoCs

Processes:

remcos_agent_Protected.exeremcos_agent_Protected.exeremcos.exeremcos.exedriverquery.exesfc.exedriverquery.exedriverquery.exesfc.exesfc.exedriverquery.exedriverquery.exedriverquery.exesfc.exesfc.exedriverquery.exedriverquery.exedriverquery.exesfc.exe

pid	process
2880	remcos_agent_Protected.exe
2132	remcos_agent_Protected.exe
3416	remcos.exe
3848	remcos.exe
2876	driverquery.exe
1196	sfc.exe
4524	driverquery.exe
4536	driverquery.exe
4664	sfc.exe
4976	sfc.exe
4996	driverquery.exe
5024	driverquery.exe
5036	driverquery.exe
4224	sfc.exe
4336	sfc.exe
4400	driverquery.exe
4392	driverquery.exe
4364	driverquery.exe
4480	sfc.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3196-118-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral2/memory/3196-121-0x0000000000400000-0x00000000004C0000-memory.dmp	upx

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

remcos_agent_Protected.exeremcos.exe99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos_agent_Protected.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos_agent_Protected.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos_agent_Protected.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	remcos_agent_Protected.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\WebMonitor-9923 = "C:\\Users\\Admin\\AppData\\Roaming\\WebMonitor-9923.exe"	99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exeremcos_agent_Protected.exeremcos.exedriverquery.exesfc.exedriverquery.exesfc.exedriverquery.exesfc.exe

description	pid	process	target process
PID 4024 set thread context of 3196	4024	99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe	99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe
PID 2880 set thread context of 2132	2880	remcos_agent_Protected.exe	remcos_agent_Protected.exe
PID 3416 set thread context of 3848	3416	remcos.exe	remcos.exe
PID 2876 set thread context of 4536	2876	driverquery.exe	driverquery.exe
PID 1196 set thread context of 4664	1196	sfc.exe	sfc.exe
PID 4996 set thread context of 5036	4996	driverquery.exe	driverquery.exe
PID 4976 set thread context of 4224	4976	sfc.exe	sfc.exe
PID 4400 set thread context of 4364	4400	driverquery.exe	driverquery.exe
PID 4336 set thread context of 4480	4336	sfc.exe	sfc.exe

HTTP links in PDF interactive object 11 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\medical-application-form.pdf	pdf_with_link_action
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe	pdf_with_link_action
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe	pdf_with_link_action
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe	pdf_with_link_action
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe	pdf_with_link_action
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe	pdf_with_link_action
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe	pdf_with_link_action
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe	pdf_with_link_action
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe	pdf_with_link_action
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe	pdf_with_link_action
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2336	schtasks.exe
4596	schtasks.exe
5096	schtasks.exe
4248	schtasks.exe
4508	schtasks.exe
4532	schtasks.exe
3680	schtasks.exe
4736	schtasks.exe
2144	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 2 IoCs

Processes:

99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exeremcos_agent_Protected.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	remcos_agent_Protected.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

AcroRd32.exe

pid	process
3036	AcroRd32.exe
3036	AcroRd32.exe
3036	AcroRd32.exe
3036	AcroRd32.exe
3036	AcroRd32.exe
3036	AcroRd32.exe
3036	AcroRd32.exe
3036	AcroRd32.exe
3036	AcroRd32.exe
3036	AcroRd32.exe
3036	AcroRd32.exe
3036	AcroRd32.exe
3036	AcroRd32.exe
3036	AcroRd32.exe
3036	AcroRd32.exe
3036	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

remcos.exe

pid process

3848 remcos.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe

pid process

3196 99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

3036 AcroRd32.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

AcroRd32.exeremcos.exe

pid process

3036 AcroRd32.exe
3036 AcroRd32.exe
3036 AcroRd32.exe
3036 AcroRd32.exe
3848 remcos.exe
3036 AcroRd32.exe
3036 AcroRd32.exe

pid	process
3848	remcos.exe

pid	process
3196	99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exeremcos_agent_Protected.exeremcos_agent_Protected.exeWScript.execmd.exeremcos.exeremcos.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4024 wrote to memory of 2880	4024	99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe	remcos_agent_Protected.exe
PID 4024 wrote to memory of 2880	4024	99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe	remcos_agent_Protected.exe
PID 4024 wrote to memory of 2880	4024	99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe	remcos_agent_Protected.exe
PID 4024 wrote to memory of 3036	4024	99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe	AcroRd32.exe
PID 4024 wrote to memory of 3036	4024	99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe	AcroRd32.exe
PID 4024 wrote to memory of 3036	4024	99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe	AcroRd32.exe
PID 4024 wrote to memory of 3196	4024	99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe	99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe
PID 4024 wrote to memory of 3196	4024	99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe	99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe
PID 4024 wrote to memory of 3196	4024	99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe	99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe
PID 4024 wrote to memory of 3196	4024	99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe	99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe
PID 4024 wrote to memory of 3196	4024	99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe	99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe
PID 4024 wrote to memory of 3680	4024	99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe	schtasks.exe
PID 4024 wrote to memory of 3680	4024	99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe	schtasks.exe
PID 4024 wrote to memory of 3680	4024	99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe	schtasks.exe
PID 2880 wrote to memory of 2132	2880	remcos_agent_Protected.exe	remcos_agent_Protected.exe
PID 2880 wrote to memory of 2132	2880	remcos_agent_Protected.exe	remcos_agent_Protected.exe
PID 2880 wrote to memory of 2132	2880	remcos_agent_Protected.exe	remcos_agent_Protected.exe
PID 2880 wrote to memory of 2132	2880	remcos_agent_Protected.exe	remcos_agent_Protected.exe
PID 2880 wrote to memory of 2132	2880	remcos_agent_Protected.exe	remcos_agent_Protected.exe
PID 2880 wrote to memory of 2336	2880	remcos_agent_Protected.exe	schtasks.exe
PID 2880 wrote to memory of 2336	2880	remcos_agent_Protected.exe	schtasks.exe
PID 2880 wrote to memory of 2336	2880	remcos_agent_Protected.exe	schtasks.exe
PID 2132 wrote to memory of 2504	2132	remcos_agent_Protected.exe	WScript.exe
PID 2132 wrote to memory of 2504	2132	remcos_agent_Protected.exe	WScript.exe
PID 2132 wrote to memory of 2504	2132	remcos_agent_Protected.exe	WScript.exe
PID 2504 wrote to memory of 3464	2504	WScript.exe	cmd.exe
PID 2504 wrote to memory of 3464	2504	WScript.exe	cmd.exe
PID 2504 wrote to memory of 3464	2504	WScript.exe	cmd.exe
PID 3464 wrote to memory of 3416	3464	cmd.exe	remcos.exe
PID 3464 wrote to memory of 3416	3464	cmd.exe	remcos.exe
PID 3464 wrote to memory of 3416	3464	cmd.exe	remcos.exe
PID 3416 wrote to memory of 3848	3416	remcos.exe	remcos.exe
PID 3416 wrote to memory of 3848	3416	remcos.exe	remcos.exe
PID 3416 wrote to memory of 3848	3416	remcos.exe	remcos.exe
PID 3416 wrote to memory of 3848	3416	remcos.exe	remcos.exe
PID 3416 wrote to memory of 3848	3416	remcos.exe	remcos.exe
PID 3848 wrote to memory of 200	3848	remcos.exe	svchost.exe
PID 3848 wrote to memory of 200	3848	remcos.exe	svchost.exe
PID 3848 wrote to memory of 200	3848	remcos.exe	svchost.exe
PID 3416 wrote to memory of 2144	3416	remcos.exe	schtasks.exe
PID 3416 wrote to memory of 2144	3416	remcos.exe	schtasks.exe
PID 3416 wrote to memory of 2144	3416	remcos.exe	schtasks.exe
PID 3036 wrote to memory of 3916	3036	AcroRd32.exe	RdrCEF.exe
PID 3036 wrote to memory of 3916	3036	AcroRd32.exe	RdrCEF.exe
PID 3036 wrote to memory of 3916	3036	AcroRd32.exe	RdrCEF.exe
PID 3036 wrote to memory of 3144	3036	AcroRd32.exe	RdrCEF.exe
PID 3036 wrote to memory of 3144	3036	AcroRd32.exe	RdrCEF.exe
PID 3036 wrote to memory of 3144	3036	AcroRd32.exe	RdrCEF.exe
PID 3916 wrote to memory of 1188	3916	RdrCEF.exe	RdrCEF.exe
PID 3916 wrote to memory of 1188	3916	RdrCEF.exe	RdrCEF.exe
PID 3916 wrote to memory of 1188	3916	RdrCEF.exe	RdrCEF.exe
PID 3916 wrote to memory of 1188	3916	RdrCEF.exe	RdrCEF.exe
PID 3916 wrote to memory of 1188	3916	RdrCEF.exe	RdrCEF.exe
PID 3916 wrote to memory of 1188	3916	RdrCEF.exe	RdrCEF.exe
PID 3916 wrote to memory of 1188	3916	RdrCEF.exe	RdrCEF.exe
PID 3916 wrote to memory of 1188	3916	RdrCEF.exe	RdrCEF.exe
PID 3916 wrote to memory of 1188	3916	RdrCEF.exe	RdrCEF.exe
PID 3916 wrote to memory of 1188	3916	RdrCEF.exe	RdrCEF.exe
PID 3916 wrote to memory of 1188	3916	RdrCEF.exe	RdrCEF.exe
PID 3916 wrote to memory of 1188	3916	RdrCEF.exe	RdrCEF.exe
PID 3916 wrote to memory of 1188	3916	RdrCEF.exe	RdrCEF.exe
PID 3916 wrote to memory of 1188	3916	RdrCEF.exe	RdrCEF.exe
PID 3916 wrote to memory of 1188	3916	RdrCEF.exe	RdrCEF.exe
PID 3916 wrote to memory of 1188	3916	RdrCEF.exe	RdrCEF.exe

C:\Users\Admin\AppData\Local\Temp\99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe
"C:\Users\Admin\AppData\Local\Temp\99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4024

C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe
"C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2880

C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe
"C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:3464

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3416

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
"C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
7⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3848

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
8⤵
PID:200

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
7⤵
- Creates scheduled task(s)
PID:2144

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
3⤵
- Creates scheduled task(s)
PID:2336

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\medical-application-form.pdf"
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3036

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
- Suspicious use of WriteProcessMemory
PID:3916

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2D224846A73737267DF950F66D441002 --mojo-platform-channel-handle=1628 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:1188

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2BF509ED7533F92B625271A09AD3584A --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2BF509ED7533F92B625271A09AD3584A --renderer-client-id=2 --mojo-platform-channel-handle=1640 --allow-no-sandbox-job /prefetch:1
4⤵
PID:2432

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=AD83F96B7459ACFE1A7C8D3CC7FC4F6E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=AD83F96B7459ACFE1A7C8D3CC7FC4F6E --renderer-client-id=4 --mojo-platform-channel-handle=2076 --allow-no-sandbox-job /prefetch:1
4⤵
PID:2108

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B8BF8D5F5FFDB1FF39E8F3A715982606 --mojo-platform-channel-handle=2472 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:4228

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DB24B0EE240D1C86EE3BD2ED27352E05 --mojo-platform-channel-handle=1604 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:4324

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BE22E822CEC475824A0417B81B5E3351 --mojo-platform-channel-handle=2492 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:4420

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
PID:3144

C:\Users\Admin\AppData\Local\Temp\99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe
"C:\Users\Admin\AppData\Local\Temp\99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: RenamesItself
PID:3196

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F
2⤵
- Creates scheduled task(s)
PID:3680

C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2876

C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
"C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
2⤵
- Executes dropped EXE
PID:4524

C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
"C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
2⤵
- Executes dropped EXE
PID:4536

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F
2⤵
- Creates scheduled task(s)
PID:4596

C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1196

C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
"C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe"
2⤵
- Executes dropped EXE
PID:4664

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
2⤵
- Creates scheduled task(s)
PID:4736

C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4976

C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
"C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe"
2⤵
- Executes dropped EXE
PID:4224

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
2⤵
- Creates scheduled task(s)
PID:4248

C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4996

C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
"C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
2⤵
- Executes dropped EXE
PID:5024

C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
"C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
2⤵
- Executes dropped EXE
PID:5036

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F
2⤵
- Creates scheduled task(s)
PID:5096

C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4336

C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
"C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe"
2⤵
- Executes dropped EXE
PID:4480

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
2⤵
- Creates scheduled task(s)
PID:4532

C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4400

C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
"C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
2⤵
- Executes dropped EXE
PID:4392

C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
"C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
2⤵
- Executes dropped EXE
PID:4364

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F
2⤵
- Creates scheduled task(s)
PID:4508

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
ff449f6f7bc5e2d800eb30e2d2c56611

SHA1
93419ea805b9ce35a766e5c56db50d54c2d3f94b

SHA256
655787cf79040ee701963986320556a834d6345e850e03653e4852d94eb09416

SHA512
02a17064c837d36ba241fb8edf9266e33479a10eb8652b974158a3227878a801da29db1108413bb2c298a105b3c19bd20c3a3100f19444189f434706825766a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\medical-application-form.pdf
MD5
bb0aa1bade4df17033a05d8d682b44d2

SHA1
bec4b0a8a7413d158cf6705a3c888bdf36a4371b

SHA256
96d6c8c54390b476e8f8f42b99b52efb19eca152bf046c254992bc2f2faba764

SHA512
6bfe1b289f9c84d4db5a564ed129f7920775946981d5da5cb7753d63a141d84486ba9e958044e8162fba2eba875e56c358f92091b760e07b8cbe459e4202e4d9

Download Submit
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
MD5
b668da261d3b0e02a68c78037ec1cc4b

SHA1
efe4951c045a28a9775c07c43cf871f2e8fbe161

SHA256
947b5822e8761d09955b195f0401bef2b3fff56d9775a55c7df32128779c8071

SHA512
08fdebca87586c1cbaa56b4f9e1d4c01f1d1011f4c65790263b9e3793919e106f0c0c8ce236b0f4de52105a958ffe46164fbb06059445b03551b3da6c2dcbf4a

Download Submit
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
MD5
b668da261d3b0e02a68c78037ec1cc4b

SHA1
efe4951c045a28a9775c07c43cf871f2e8fbe161

SHA256
947b5822e8761d09955b195f0401bef2b3fff56d9775a55c7df32128779c8071

SHA512
08fdebca87586c1cbaa56b4f9e1d4c01f1d1011f4c65790263b9e3793919e106f0c0c8ce236b0f4de52105a958ffe46164fbb06059445b03551b3da6c2dcbf4a

Download Submit
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
MD5
b668da261d3b0e02a68c78037ec1cc4b

SHA1
efe4951c045a28a9775c07c43cf871f2e8fbe161

SHA256
947b5822e8761d09955b195f0401bef2b3fff56d9775a55c7df32128779c8071

SHA512
08fdebca87586c1cbaa56b4f9e1d4c01f1d1011f4c65790263b9e3793919e106f0c0c8ce236b0f4de52105a958ffe46164fbb06059445b03551b3da6c2dcbf4a

Download Submit
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
MD5
b668da261d3b0e02a68c78037ec1cc4b

SHA1
efe4951c045a28a9775c07c43cf871f2e8fbe161

SHA256
947b5822e8761d09955b195f0401bef2b3fff56d9775a55c7df32128779c8071

SHA512
08fdebca87586c1cbaa56b4f9e1d4c01f1d1011f4c65790263b9e3793919e106f0c0c8ce236b0f4de52105a958ffe46164fbb06059445b03551b3da6c2dcbf4a

Download Submit
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
MD5
b668da261d3b0e02a68c78037ec1cc4b

SHA1
efe4951c045a28a9775c07c43cf871f2e8fbe161

SHA256
947b5822e8761d09955b195f0401bef2b3fff56d9775a55c7df32128779c8071

SHA512
08fdebca87586c1cbaa56b4f9e1d4c01f1d1011f4c65790263b9e3793919e106f0c0c8ce236b0f4de52105a958ffe46164fbb06059445b03551b3da6c2dcbf4a

Download Submit
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
MD5
b668da261d3b0e02a68c78037ec1cc4b

SHA1
efe4951c045a28a9775c07c43cf871f2e8fbe161

SHA256
947b5822e8761d09955b195f0401bef2b3fff56d9775a55c7df32128779c8071

SHA512
08fdebca87586c1cbaa56b4f9e1d4c01f1d1011f4c65790263b9e3793919e106f0c0c8ce236b0f4de52105a958ffe46164fbb06059445b03551b3da6c2dcbf4a

Download Submit
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
MD5
b668da261d3b0e02a68c78037ec1cc4b

SHA1
efe4951c045a28a9775c07c43cf871f2e8fbe161

SHA256
947b5822e8761d09955b195f0401bef2b3fff56d9775a55c7df32128779c8071

SHA512
08fdebca87586c1cbaa56b4f9e1d4c01f1d1011f4c65790263b9e3793919e106f0c0c8ce236b0f4de52105a958ffe46164fbb06059445b03551b3da6c2dcbf4a

Download Submit
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
MD5
ebe5cd55ea5bb3d90f2c26a6c67a7ace

SHA1
0138c7a89c46367b8431aca971a85b664d58cbb9

SHA256
bb3c022b9c25b69d778703766ac5316b896e73ce71e31e974a2413e46dd41acd

SHA512
2d8f65b7c18af8a52ea7ddc8b1f286852617e6ca8f2902d8a94f67bbbccb56ba1ca23133daa8ce3999acf1a1cc57afc7f38c41c451676dc11f2940117e4142d0

Download Submit
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
MD5
ebe5cd55ea5bb3d90f2c26a6c67a7ace

SHA1
0138c7a89c46367b8431aca971a85b664d58cbb9

SHA256
bb3c022b9c25b69d778703766ac5316b896e73ce71e31e974a2413e46dd41acd

SHA512
2d8f65b7c18af8a52ea7ddc8b1f286852617e6ca8f2902d8a94f67bbbccb56ba1ca23133daa8ce3999acf1a1cc57afc7f38c41c451676dc11f2940117e4142d0

Download Submit
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
MD5
ebe5cd55ea5bb3d90f2c26a6c67a7ace

SHA1
0138c7a89c46367b8431aca971a85b664d58cbb9

SHA256
bb3c022b9c25b69d778703766ac5316b896e73ce71e31e974a2413e46dd41acd

SHA512
2d8f65b7c18af8a52ea7ddc8b1f286852617e6ca8f2902d8a94f67bbbccb56ba1ca23133daa8ce3999acf1a1cc57afc7f38c41c451676dc11f2940117e4142d0

Download Submit
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
MD5
ebe5cd55ea5bb3d90f2c26a6c67a7ace

SHA1
0138c7a89c46367b8431aca971a85b664d58cbb9

SHA256
bb3c022b9c25b69d778703766ac5316b896e73ce71e31e974a2413e46dd41acd

SHA512
2d8f65b7c18af8a52ea7ddc8b1f286852617e6ca8f2902d8a94f67bbbccb56ba1ca23133daa8ce3999acf1a1cc57afc7f38c41c451676dc11f2940117e4142d0

Download Submit
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
MD5
ebe5cd55ea5bb3d90f2c26a6c67a7ace

SHA1
0138c7a89c46367b8431aca971a85b664d58cbb9

SHA256
bb3c022b9c25b69d778703766ac5316b896e73ce71e31e974a2413e46dd41acd

SHA512
2d8f65b7c18af8a52ea7ddc8b1f286852617e6ca8f2902d8a94f67bbbccb56ba1ca23133daa8ce3999acf1a1cc57afc7f38c41c451676dc11f2940117e4142d0

Download Submit
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
MD5
ebe5cd55ea5bb3d90f2c26a6c67a7ace

SHA1
0138c7a89c46367b8431aca971a85b664d58cbb9

SHA256
bb3c022b9c25b69d778703766ac5316b896e73ce71e31e974a2413e46dd41acd

SHA512
2d8f65b7c18af8a52ea7ddc8b1f286852617e6ca8f2902d8a94f67bbbccb56ba1ca23133daa8ce3999acf1a1cc57afc7f38c41c451676dc11f2940117e4142d0

Download Submit
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
MD5
ebe5cd55ea5bb3d90f2c26a6c67a7ace

SHA1
0138c7a89c46367b8431aca971a85b664d58cbb9

SHA256
bb3c022b9c25b69d778703766ac5316b896e73ce71e31e974a2413e46dd41acd

SHA512
2d8f65b7c18af8a52ea7ddc8b1f286852617e6ca8f2902d8a94f67bbbccb56ba1ca23133daa8ce3999acf1a1cc57afc7f38c41c451676dc11f2940117e4142d0

Download Submit
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
MD5
ebe5cd55ea5bb3d90f2c26a6c67a7ace

SHA1
0138c7a89c46367b8431aca971a85b664d58cbb9

SHA256
bb3c022b9c25b69d778703766ac5316b896e73ce71e31e974a2413e46dd41acd

SHA512
2d8f65b7c18af8a52ea7ddc8b1f286852617e6ca8f2902d8a94f67bbbccb56ba1ca23133daa8ce3999acf1a1cc57afc7f38c41c451676dc11f2940117e4142d0

Download Submit
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
MD5
ebe5cd55ea5bb3d90f2c26a6c67a7ace

SHA1
0138c7a89c46367b8431aca971a85b664d58cbb9

SHA256
bb3c022b9c25b69d778703766ac5316b896e73ce71e31e974a2413e46dd41acd

SHA512
2d8f65b7c18af8a52ea7ddc8b1f286852617e6ca8f2902d8a94f67bbbccb56ba1ca23133daa8ce3999acf1a1cc57afc7f38c41c451676dc11f2940117e4142d0

Download Submit
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
MD5
ebe5cd55ea5bb3d90f2c26a6c67a7ace

SHA1
0138c7a89c46367b8431aca971a85b664d58cbb9

SHA256
bb3c022b9c25b69d778703766ac5316b896e73ce71e31e974a2413e46dd41acd

SHA512
2d8f65b7c18af8a52ea7ddc8b1f286852617e6ca8f2902d8a94f67bbbccb56ba1ca23133daa8ce3999acf1a1cc57afc7f38c41c451676dc11f2940117e4142d0

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
MD5
d5581c9db64b399c7d0cdb3f7b78673b

SHA1
87396211e6468d73c97301fe0b673f64bcd6d17c

SHA256
7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826

SHA512
5a8034902bfd110826aebc8196469f0dea26d94fcb093406342657b9660f400cc495a6a7ce843d32a7541083cfbc3f0fbdf9aab1ad08294729307bffe7c512c6

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
MD5
d5581c9db64b399c7d0cdb3f7b78673b

SHA1
87396211e6468d73c97301fe0b673f64bcd6d17c

SHA256
7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826

SHA512
5a8034902bfd110826aebc8196469f0dea26d94fcb093406342657b9660f400cc495a6a7ce843d32a7541083cfbc3f0fbdf9aab1ad08294729307bffe7c512c6

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
MD5
d5581c9db64b399c7d0cdb3f7b78673b

SHA1
87396211e6468d73c97301fe0b673f64bcd6d17c

SHA256
7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826

SHA512
5a8034902bfd110826aebc8196469f0dea26d94fcb093406342657b9660f400cc495a6a7ce843d32a7541083cfbc3f0fbdf9aab1ad08294729307bffe7c512c6

Download Submit
C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe
MD5
d5581c9db64b399c7d0cdb3f7b78673b

SHA1
87396211e6468d73c97301fe0b673f64bcd6d17c

SHA256
7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826

SHA512
5a8034902bfd110826aebc8196469f0dea26d94fcb093406342657b9660f400cc495a6a7ce843d32a7541083cfbc3f0fbdf9aab1ad08294729307bffe7c512c6

Download Submit
C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe
MD5
d5581c9db64b399c7d0cdb3f7b78673b

SHA1
87396211e6468d73c97301fe0b673f64bcd6d17c

SHA256
7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826

SHA512
5a8034902bfd110826aebc8196469f0dea26d94fcb093406342657b9660f400cc495a6a7ce843d32a7541083cfbc3f0fbdf9aab1ad08294729307bffe7c512c6

Download Submit
C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe
MD5
d5581c9db64b399c7d0cdb3f7b78673b

SHA1
87396211e6468d73c97301fe0b673f64bcd6d17c

SHA256
7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826

SHA512
5a8034902bfd110826aebc8196469f0dea26d94fcb093406342657b9660f400cc495a6a7ce843d32a7541083cfbc3f0fbdf9aab1ad08294729307bffe7c512c6

Download Submit
C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1188-158-0x0000000076EF2000-0x0000000076EF200C-memory.dmp

Filesize
12B

Download
memory/1188-160-0x0000000000000000-mapping.dmp

Download
memory/2108-170-0x0000000076EF2000-0x0000000076EF200C-memory.dmp

Filesize
12B

Download
memory/2108-172-0x0000000000000000-mapping.dmp

Download
memory/2132-132-0x0000000000413614-mapping.dmp

Download
memory/2132-135-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2132-126-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2144-154-0x0000000000000000-mapping.dmp

Download
memory/2336-136-0x0000000000000000-mapping.dmp

Download
memory/2432-163-0x0000000076EF2000-0x0000000076EF200C-memory.dmp

Filesize
12B

Download
memory/2432-165-0x0000000000000000-mapping.dmp

Download
memory/2504-137-0x0000000000000000-mapping.dmp

Download
memory/2880-134-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/2880-114-0x0000000000000000-mapping.dmp

Download
memory/3036-117-0x0000000000000000-mapping.dmp

Download
memory/3144-157-0x0000000000000000-mapping.dmp

Download
memory/3196-118-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3196-124-0x0000000000476000-0x00000000004BF000-memory.dmp

Filesize
292KB

Download
memory/3196-125-0x0000000000401000-0x0000000000476000-memory.dmp

Filesize
468KB

Download
memory/3196-120-0x00000000004BE2D0-mapping.dmp

Download
memory/3196-121-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3416-141-0x0000000000000000-mapping.dmp

Download
memory/3464-140-0x0000000000000000-mapping.dmp

Download
memory/3680-122-0x0000000000000000-mapping.dmp

Download
memory/3848-144-0x0000000000160000-0x0000000000180000-memory.dmp

Filesize
128KB

Download
memory/3848-150-0x0000000000173614-mapping.dmp

Download
memory/3848-152-0x0000000000160000-0x0000000000180000-memory.dmp

Filesize
128KB

Download
memory/3916-156-0x0000000000000000-mapping.dmp

Download
memory/4024-123-0x0000000001E80000-0x0000000001F3D000-memory.dmp

Filesize
756KB

Download
memory/4224-230-0x0000000000413614-mapping.dmp

Download
memory/4228-180-0x0000000000000000-mapping.dmp

Download
memory/4228-178-0x0000000076EF2000-0x0000000076EF200C-memory.dmp

Filesize
12B

Download
memory/4248-234-0x0000000000000000-mapping.dmp

Download
memory/4324-182-0x0000000076EF2000-0x0000000076EF200C-memory.dmp

Filesize
12B

Download
memory/4324-184-0x0000000000000000-mapping.dmp

Download
memory/4336-253-0x0000000000CB0000-0x0000000000DFA000-memory.dmp

Filesize
1.3MB

Download
memory/4364-241-0x00000000004BE2D0-mapping.dmp

Download
memory/4420-188-0x0000000000000000-mapping.dmp

Download
memory/4420-186-0x0000000076EF2000-0x0000000076EF200C-memory.dmp

Filesize
12B

Download
memory/4480-250-0x0000000000413614-mapping.dmp

Download
memory/4508-247-0x0000000000000000-mapping.dmp

Download
memory/4532-252-0x0000000000000000-mapping.dmp

Download
memory/4536-193-0x00000000004BE2D0-mapping.dmp

Download
memory/4596-196-0x0000000000000000-mapping.dmp

Download
memory/4664-206-0x0000000000413614-mapping.dmp

Download
memory/4664-208-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4736-209-0x0000000000000000-mapping.dmp

Download
memory/4976-233-0x0000000000D50000-0x0000000000E9A000-memory.dmp

Filesize
1.3MB

Download
memory/5036-217-0x00000000004BE2D0-mapping.dmp

Download
memory/5096-220-0x0000000000000000-mapping.dmp

Download