Analysis
max time kernel: 152s
max time network: 158s
platform: windows10_x64
resource: win10v20210408
submitted: 09-05-2021 20:05

Behavioral task: behavioral1
Sample: 082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe
Resource: win7v20210410

Behavioral task: behavioral2
Sample: 082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe
Resource: win10v20210408
General
Target: 082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe
Size: 2.9MB
MD5: c7022a3694ea7867e1b3d92f3e9a9b28
SHA1: ecf16ede30e2923a6d68579a5c603c4b43de0b13
SHA256: 082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a
SHA512: 0d9f178cc9e85bf66906ca1a1f458c2388897c549fc0ccf436025164964f087eff69c7767783b8c9c32b540a75c67f144c74cc5a481eada204d740815b073c61
Malware Config
Extracted
Family: remcos
C2: daya4659.ddns.net:8282
Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that can be used from any browser to control and monitor phones or PCs.

Executes dropped EXE 12 IoCs
Processes (pid, process):
- 1072 remcos_agent_Protected.exe
- 3724 remcos_agent_Protected.exe
- 1688 remcos.exe
- 212 remcos.exe
- 1116 driverquery.exe
- 3604 sfc.exe
- 3764 driverquery.exe
- 4148 sfc.exe
- 4440 sfc.exe
- 4464 driverquery.exe
- 4488 driverquery.exe
- 4608 sfc.exe

YARA rule match: upx 2 IoCs
Processes (resource, yara_rule):
- behavioral2/memory/3044-118-0x0000000000400000-0x00000000004C0000-memory.dmp upx
- behavioral2/memory/3044-121-0x0000000000400000-0x00000000004C0000-memory.dmp upx
Adds Run key to start application 2 TTPs 9 IoCs
Processes (description, ioc, process):
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" (remcos_agent_Protected.exe)
- Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ (remcos.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" (remcos.exe)
- Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ (remcos_agent_Protected.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" (remcos_agent_Protected.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ (remcos_agent_Protected.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ (remcos.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" (remcos.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\WebMonitor-9923 = "C:\\Users\\Admin\\AppData\\Roaming\\WebMonitor-9923.exe" (082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe)

Suspicious use of SetThreadContext 7 IoCs
Processes (description, pid, process, target process):
- PID 1108 (082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe) set thread context of 3044 (082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe)
- PID 1072 (remcos_agent_Protected.exe) set thread context of 3724 (remcos_agent_Protected.exe)
- PID 1688 (remcos.exe) set thread context of 212 (remcos.exe)
- PID 1116 (driverquery.exe) set thread context of 3764 (driverquery.exe)
- PID 3604 (sfc.exe) set thread context of 4148 (sfc.exe)
- PID 4464 (driverquery.exe) set thread context of 4488 (driverquery.exe)
- PID 4440 (sfc.exe) set thread context of 4608 (sfc.exe)

HTTP links in PDF interactive object 6 IoCs
Detects HTTP links in interactive objects within PDF files.
Processes (resource, yara_rule):
- C:\Users\Admin\AppData\Local\Temp\medical-application-form.pdf pdf_with_link_action
- C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe pdf_with_link_action (5 times)

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (AcroRd32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (AcroRd32.exe)

Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, process):
- 2844 schtasks.exe
- 3960 schtasks.exe
- 904 schtasks.exe
- 4100 schtasks.exe
- 4224 schtasks.exe
- 4560 schtasks.exe
- 4680 schtasks.exe

Modifies Internet Explorer settings
Processes (description, ioc, process):
- Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION (AcroRd32.exe)

Modifies registry class 2 IoCs
Processes (description, ioc, process):
- Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings (082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe)
- Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings (remcos_agent_Protected.exe)

Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes (pid, process):
- 344 AcroRd32.exe (18 times)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid, process):
- 212 remcos.exe

Suspicious behavior: RenamesItself 1 IoCs
Processes (pid, process):
- 3044 082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe

Suspicious use of FindShellTrayWindow 1 IoCs
Processes (pid, process):
- 344 AcroRd32.exe

Suspicious use of SetWindowsHookEx 7 IoCs
Processes (pid, process):
- 344 AcroRd32.exe (6 times)
- 212 remcos.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes (description, pid, process, target process; identical rows collapsed with their count):
- PID 1108 (082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe) wrote to memory of 1072 (remcos_agent_Protected.exe) (3 times)
- PID 1108 (082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe) wrote to memory of 344 (AcroRd32.exe) (3 times)
- PID 1108 (082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe) wrote to memory of 3880 (082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe) (3 times)
- PID 1108 (082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe) wrote to memory of 3044 (082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe) (5 times)
- PID 1108 (082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe) wrote to memory of 2844 (schtasks.exe) (3 times)
- PID 1072 (remcos_agent_Protected.exe) wrote to memory of 3724 (remcos_agent_Protected.exe) (5 times)
- PID 1072 (remcos_agent_Protected.exe) wrote to memory of 3960 (schtasks.exe) (3 times)
- PID 3724 (remcos_agent_Protected.exe) wrote to memory of 1732 (WScript.exe) (3 times)
- PID 1732 (WScript.exe) wrote to memory of 692 (cmd.exe) (3 times)
- PID 692 (cmd.exe) wrote to memory of 1688 (remcos.exe) (3 times)
- PID 1688 (remcos.exe) wrote to memory of 212 (remcos.exe) (5 times)
- PID 212 (remcos.exe) wrote to memory of 1456 (svchost.exe) (3 times)
- PID 1688 (remcos.exe) wrote to memory of 904 (schtasks.exe) (3 times)
- PID 344 (AcroRd32.exe) wrote to memory of 3860 (RdrCEF.exe) (3 times)
- PID 344 (AcroRd32.exe) wrote to memory of 2320 (RdrCEF.exe) (3 times)
- PID 3860 (RdrCEF.exe) wrote to memory of 1276 (RdrCEF.exe) (13 times)
Processes
(Tree depth is shown in brackets and by indentation; each entry gives the image path, the command line, the triggered signatures and the PID.)

[1] C:\Users\Admin\AppData\Local\Temp\082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe"
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1108

  [2] C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe
    Command line: "C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 1072

    [3] C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe
      Command line: "C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      PID: 3724

      [4] C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        - Suspicious use of WriteProcessMemory
        PID: 1732

        [5] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
          - Suspicious use of WriteProcessMemory
          PID: 692
          [6] C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
            Command line: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            PID: 1688

            [7] C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
              Command line: "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
              - Executes dropped EXE
              - Adds Run key to start application
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              PID: 212

              [8] C:\Windows\SysWOW64\svchost.exe
                Command line: C:\Windows\SysWOW64\svchost.exe
                PID: 1456

            [7] C:\Windows\SysWOW64\schtasks.exe
              Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
              - Creates scheduled task(s)
              PID: 904

    [3] C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)
      PID: 3960
  [2] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\medical-application-form.pdf"
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 344

    [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      - Suspicious use of WriteProcessMemory
      PID: 3860
      [4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1157296227436D723313DB47A6E7A1EE --mojo-platform-channel-handle=1636 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        PID: 1276

      [4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C93CEB6F7C8628C85079B0B6ECB72567 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C93CEB6F7C8628C85079B0B6ECB72567 --renderer-client-id=2 --mojo-platform-channel-handle=1652 --allow-no-sandbox-job /prefetch:1
        PID: 996

      [4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8348B6778DA452EF33B3E828FD0DA3DE --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8348B6778DA452EF33B3E828FD0DA3DE --renderer-client-id=4 --mojo-platform-channel-handle=2064 --allow-no-sandbox-job /prefetch:1
        PID: 1800

      [4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=82E609F6B03C0AD34966E8A1090A566E --mojo-platform-channel-handle=1712 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        PID: 2116

      [4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1220421CE3EFA90F8CAF556E6F2FBE11 --mojo-platform-channel-handle=2476 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        PID: 1468

      [4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C39E1CC84E476F6788425136AE569B22 --mojo-platform-channel-handle=1772 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        PID: 3844

    [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      PID: 2320

  [2] C:\Users\Admin\AppData\Local\Temp\082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe"
    PID: 3880

  [2] C:\Users\Admin\AppData\Local\Temp\082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe"
    - Adds Run key to start application
    - Suspicious behavior: RenamesItself
    PID: 3044

  [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)
    PID: 2844

[1] C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
  Command line: C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 1116

  [2] C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
    Command line: "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
    - Executes dropped EXE
    PID: 3764

  [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)
    PID: 4100

[1] C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
  Command line: C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 3604

  [2] C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
    Command line: "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe"
    - Executes dropped EXE
    PID: 4148

  [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)
    PID: 4224

[1] C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
  Command line: C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 4440

  [2] C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
    Command line: "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe"
    - Executes dropped EXE
    PID: 4608

  [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)
    PID: 4680

[1] C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
  Command line: C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 4464

  [2] C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
    Command line: "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
    - Executes dropped EXE
    PID: 4488

  [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)
    PID: 4560

Network
MITRE ATT&CK Enterprise v6
Downloads