remcos | 082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a

Analysis

max time kernel
152s
max time network
158s
platform
windows10_x64
resource
win10v20210408
submitted
09-05-2021 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe
Size

2.9MB
MD5

c7022a3694ea7867e1b3d92f3e9a9b28
SHA1

ecf16ede30e2923a6d68579a5c603c4b43de0b13
SHA256

082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a
SHA512

0d9f178cc9e85bf66906ca1a1f458c2388897c549fc0ccf436025164964f087eff69c7767783b8c9c32b540a75c67f144c74cc5a481eada204d740815b073c61

Score

10^/10

remcos webmonitor backdoor infostealer link pdf persistence rat upx

Malware Config

Extracted

Family

remcos

daya4659.ddns.net:8282

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

Executes dropped EXE 12 IoCs

Processes:

remcos_agent_Protected.exeremcos_agent_Protected.exeremcos.exeremcos.exedriverquery.exesfc.exedriverquery.exesfc.exesfc.exedriverquery.exedriverquery.exesfc.exe

pid	process
1072	remcos_agent_Protected.exe
3724	remcos_agent_Protected.exe
1688	remcos.exe
212	remcos.exe
1116	driverquery.exe
3604	sfc.exe
3764	driverquery.exe
4148	sfc.exe
4440	sfc.exe
4464	driverquery.exe
4488	driverquery.exe
4608	sfc.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3044-118-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral2/memory/3044-121-0x0000000000400000-0x00000000004C0000-memory.dmp	upx

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

remcos_agent_Protected.exeremcos.exe082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos_agent_Protected.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos_agent_Protected.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos_agent_Protected.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	remcos_agent_Protected.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\WebMonitor-9923 = "C:\\Users\\Admin\\AppData\\Roaming\\WebMonitor-9923.exe"	082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exeremcos_agent_Protected.exeremcos.exedriverquery.exesfc.exedriverquery.exesfc.exe

description	pid	process	target process
PID 1108 set thread context of 3044	1108	082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe	082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe
PID 1072 set thread context of 3724	1072	remcos_agent_Protected.exe	remcos_agent_Protected.exe
PID 1688 set thread context of 212	1688	remcos.exe	remcos.exe
PID 1116 set thread context of 3764	1116	driverquery.exe	driverquery.exe
PID 3604 set thread context of 4148	3604	sfc.exe	sfc.exe
PID 4464 set thread context of 4488	4464	driverquery.exe	driverquery.exe
PID 4440 set thread context of 4608	4440	sfc.exe	sfc.exe

HTTP links in PDF interactive object 6 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\medical-application-form.pdf	pdf_with_link_action
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe	pdf_with_link_action
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe	pdf_with_link_action
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe	pdf_with_link_action
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe	pdf_with_link_action
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2844 schtasks.exe
3960 schtasks.exe
904 schtasks.exe
4100 schtasks.exe
4224 schtasks.exe
4560 schtasks.exe
4680 schtasks.exe

pid	process
2844	schtasks.exe
3960	schtasks.exe
904	schtasks.exe
4100	schtasks.exe
4224	schtasks.exe
4560	schtasks.exe
4680	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 2 IoCs

Processes:

082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exeremcos_agent_Protected.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	remcos_agent_Protected.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

AcroRd32.exe

pid	process
344	AcroRd32.exe
344	AcroRd32.exe
344	AcroRd32.exe
344	AcroRd32.exe
344	AcroRd32.exe
344	AcroRd32.exe
344	AcroRd32.exe
344	AcroRd32.exe
344	AcroRd32.exe
344	AcroRd32.exe
344	AcroRd32.exe
344	AcroRd32.exe
344	AcroRd32.exe
344	AcroRd32.exe
344	AcroRd32.exe
344	AcroRd32.exe
344	AcroRd32.exe
344	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

remcos.exe

pid process

212 remcos.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe

pid process

3044 082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

344 AcroRd32.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

AcroRd32.exeremcos.exe

pid process

344 AcroRd32.exe
344 AcroRd32.exe
212 remcos.exe
344 AcroRd32.exe
344 AcroRd32.exe
344 AcroRd32.exe
344 AcroRd32.exe

pid	process
212	remcos.exe

pid	process
3044	082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exeremcos_agent_Protected.exeremcos_agent_Protected.exeWScript.execmd.exeremcos.exeremcos.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 1108 wrote to memory of 1072	1108	082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe	remcos_agent_Protected.exe
PID 1108 wrote to memory of 1072	1108	082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe	remcos_agent_Protected.exe
PID 1108 wrote to memory of 1072	1108	082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe	remcos_agent_Protected.exe
PID 1108 wrote to memory of 344	1108	082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe	AcroRd32.exe
PID 1108 wrote to memory of 344	1108	082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe	AcroRd32.exe
PID 1108 wrote to memory of 344	1108	082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe	AcroRd32.exe
PID 1108 wrote to memory of 3880	1108	082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe	082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe
PID 1108 wrote to memory of 3880	1108	082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe	082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe
PID 1108 wrote to memory of 3880	1108	082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe	082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe
PID 1108 wrote to memory of 3044	1108	082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe	082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe
PID 1108 wrote to memory of 3044	1108	082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe	082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe
PID 1108 wrote to memory of 3044	1108	082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe	082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe
PID 1108 wrote to memory of 3044	1108	082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe	082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe
PID 1108 wrote to memory of 3044	1108	082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe	082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe
PID 1108 wrote to memory of 2844	1108	082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe	schtasks.exe
PID 1108 wrote to memory of 2844	1108	082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe	schtasks.exe
PID 1108 wrote to memory of 2844	1108	082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe	schtasks.exe
PID 1072 wrote to memory of 3724	1072	remcos_agent_Protected.exe	remcos_agent_Protected.exe
PID 1072 wrote to memory of 3724	1072	remcos_agent_Protected.exe	remcos_agent_Protected.exe
PID 1072 wrote to memory of 3724	1072	remcos_agent_Protected.exe	remcos_agent_Protected.exe
PID 1072 wrote to memory of 3724	1072	remcos_agent_Protected.exe	remcos_agent_Protected.exe
PID 1072 wrote to memory of 3724	1072	remcos_agent_Protected.exe	remcos_agent_Protected.exe
PID 1072 wrote to memory of 3960	1072	remcos_agent_Protected.exe	schtasks.exe
PID 1072 wrote to memory of 3960	1072	remcos_agent_Protected.exe	schtasks.exe
PID 1072 wrote to memory of 3960	1072	remcos_agent_Protected.exe	schtasks.exe
PID 3724 wrote to memory of 1732	3724	remcos_agent_Protected.exe	WScript.exe
PID 3724 wrote to memory of 1732	3724	remcos_agent_Protected.exe	WScript.exe
PID 3724 wrote to memory of 1732	3724	remcos_agent_Protected.exe	WScript.exe
PID 1732 wrote to memory of 692	1732	WScript.exe	cmd.exe
PID 1732 wrote to memory of 692	1732	WScript.exe	cmd.exe
PID 1732 wrote to memory of 692	1732	WScript.exe	cmd.exe
PID 692 wrote to memory of 1688	692	cmd.exe	remcos.exe
PID 692 wrote to memory of 1688	692	cmd.exe	remcos.exe
PID 692 wrote to memory of 1688	692	cmd.exe	remcos.exe
PID 1688 wrote to memory of 212	1688	remcos.exe	remcos.exe
PID 1688 wrote to memory of 212	1688	remcos.exe	remcos.exe
PID 1688 wrote to memory of 212	1688	remcos.exe	remcos.exe
PID 1688 wrote to memory of 212	1688	remcos.exe	remcos.exe
PID 1688 wrote to memory of 212	1688	remcos.exe	remcos.exe
PID 212 wrote to memory of 1456	212	remcos.exe	svchost.exe
PID 212 wrote to memory of 1456	212	remcos.exe	svchost.exe
PID 212 wrote to memory of 1456	212	remcos.exe	svchost.exe
PID 1688 wrote to memory of 904	1688	remcos.exe	schtasks.exe
PID 1688 wrote to memory of 904	1688	remcos.exe	schtasks.exe
PID 1688 wrote to memory of 904	1688	remcos.exe	schtasks.exe
PID 344 wrote to memory of 3860	344	AcroRd32.exe	RdrCEF.exe
PID 344 wrote to memory of 3860	344	AcroRd32.exe	RdrCEF.exe
PID 344 wrote to memory of 3860	344	AcroRd32.exe	RdrCEF.exe
PID 344 wrote to memory of 2320	344	AcroRd32.exe	RdrCEF.exe
PID 344 wrote to memory of 2320	344	AcroRd32.exe	RdrCEF.exe
PID 344 wrote to memory of 2320	344	AcroRd32.exe	RdrCEF.exe
PID 3860 wrote to memory of 1276	3860	RdrCEF.exe	RdrCEF.exe
PID 3860 wrote to memory of 1276	3860	RdrCEF.exe	RdrCEF.exe
PID 3860 wrote to memory of 1276	3860	RdrCEF.exe	RdrCEF.exe
PID 3860 wrote to memory of 1276	3860	RdrCEF.exe	RdrCEF.exe
PID 3860 wrote to memory of 1276	3860	RdrCEF.exe	RdrCEF.exe
PID 3860 wrote to memory of 1276	3860	RdrCEF.exe	RdrCEF.exe
PID 3860 wrote to memory of 1276	3860	RdrCEF.exe	RdrCEF.exe
PID 3860 wrote to memory of 1276	3860	RdrCEF.exe	RdrCEF.exe
PID 3860 wrote to memory of 1276	3860	RdrCEF.exe	RdrCEF.exe
PID 3860 wrote to memory of 1276	3860	RdrCEF.exe	RdrCEF.exe
PID 3860 wrote to memory of 1276	3860	RdrCEF.exe	RdrCEF.exe
PID 3860 wrote to memory of 1276	3860	RdrCEF.exe	RdrCEF.exe
PID 3860 wrote to memory of 1276	3860	RdrCEF.exe	RdrCEF.exe

C:\Users\Admin\AppData\Local\Temp\082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe
"C:\Users\Admin\AppData\Local\Temp\082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe
  "C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe
    "C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3724
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1732
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:692
      - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
        7⤵
        Creates scheduled task(s)
        
        PID:904
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
    3⤵
    - Creates scheduled task(s)
    PID:3960
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\medical-application-form.pdf"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:344
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3860
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1157296227436D723313DB47A6E7A1EE --mojo-platform-channel-handle=1636 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:1276
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C93CEB6F7C8628C85079B0B6ECB72567 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C93CEB6F7C8628C85079B0B6ECB72567 --renderer-client-id=2 --mojo-platform-channel-handle=1652 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:996
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8348B6778DA452EF33B3E828FD0DA3DE --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8348B6778DA452EF33B3E828FD0DA3DE --renderer-client-id=4 --mojo-platform-channel-handle=2064 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:1800
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=82E609F6B03C0AD34966E8A1090A566E --mojo-platform-channel-handle=1712 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:2116
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1220421CE3EFA90F8CAF556E6F2FBE11 --mojo-platform-channel-handle=2476 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:1468
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C39E1CC84E476F6788425136AE569B22 --mojo-platform-channel-handle=1772 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:3844
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    PID:2320
- C:\Users\Admin\AppData\Local\Temp\082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe
  "C:\Users\Admin\AppData\Local\Temp\082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe"
  2⤵
  PID:3880
- C:\Users\Admin\AppData\Local\Temp\082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe
  "C:\Users\Admin\AppData\Local\Temp\082e8b6b74753482bca3797cb17c79e93f7f4fac591bd9a20239235b3595473a.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: RenamesItself
  PID:3044
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:2844

C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1116
- C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
  "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
  2⤵
  - Executes dropped EXE
  PID:3764
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:4100

C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3604
- C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
  "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe"
  2⤵
  - Executes dropped EXE
  PID:4148
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:4224

C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4440
- C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
  "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe"
  2⤵
  - Executes dropped EXE
  PID:4608
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:4680

C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4464
- C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
  "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:4560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5
ff449f6f7bc5e2d800eb30e2d2c56611

SHA1
93419ea805b9ce35a766e5c56db50d54c2d3f94b

SHA256
655787cf79040ee701963986320556a834d6345e850e03653e4852d94eb09416

SHA512
02a17064c837d36ba241fb8edf9266e33479a10eb8652b974158a3227878a801da29db1108413bb2c298a105b3c19bd20c3a3100f19444189f434706825766a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\medical-application-form.pdf

MD5
bb0aa1bade4df17033a05d8d682b44d2

SHA1
bec4b0a8a7413d158cf6705a3c888bdf36a4371b

SHA256
96d6c8c54390b476e8f8f42b99b52efb19eca152bf046c254992bc2f2faba764

SHA512
6bfe1b289f9c84d4db5a564ed129f7920775946981d5da5cb7753d63a141d84486ba9e958044e8162fba2eba875e56c358f92091b760e07b8cbe459e4202e4d9

Download Submit
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe

MD5
6e79388e553e581180246186679696a5

SHA1
c4bfea3d095ea67478511654e5972b345beaaa97

SHA256
1d5d6368ed03ae98580e102c5e53310c21a21916e5f55815e89f27724d3ddbee

SHA512
728ca24c51e3d47af7af118725f91974184ba334bfe3d4624c5fa5c715f6e46b5336a29edf61da0068807b2228cf4aa5c7c80cbb6758f70c5fd439c645bd0fdf

Download Submit
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe

MD5
6e79388e553e581180246186679696a5

SHA1
c4bfea3d095ea67478511654e5972b345beaaa97

SHA256
1d5d6368ed03ae98580e102c5e53310c21a21916e5f55815e89f27724d3ddbee

SHA512
728ca24c51e3d47af7af118725f91974184ba334bfe3d4624c5fa5c715f6e46b5336a29edf61da0068807b2228cf4aa5c7c80cbb6758f70c5fd439c645bd0fdf

Download Submit
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe

MD5
6e79388e553e581180246186679696a5

SHA1
c4bfea3d095ea67478511654e5972b345beaaa97

SHA256
1d5d6368ed03ae98580e102c5e53310c21a21916e5f55815e89f27724d3ddbee

SHA512
728ca24c51e3d47af7af118725f91974184ba334bfe3d4624c5fa5c715f6e46b5336a29edf61da0068807b2228cf4aa5c7c80cbb6758f70c5fd439c645bd0fdf

Download Submit
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe

MD5
6e79388e553e581180246186679696a5

SHA1
c4bfea3d095ea67478511654e5972b345beaaa97

SHA256
1d5d6368ed03ae98580e102c5e53310c21a21916e5f55815e89f27724d3ddbee

SHA512
728ca24c51e3d47af7af118725f91974184ba334bfe3d4624c5fa5c715f6e46b5336a29edf61da0068807b2228cf4aa5c7c80cbb6758f70c5fd439c645bd0fdf

Download Submit
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe

MD5
6e79388e553e581180246186679696a5

SHA1
c4bfea3d095ea67478511654e5972b345beaaa97

SHA256
1d5d6368ed03ae98580e102c5e53310c21a21916e5f55815e89f27724d3ddbee

SHA512
728ca24c51e3d47af7af118725f91974184ba334bfe3d4624c5fa5c715f6e46b5336a29edf61da0068807b2228cf4aa5c7c80cbb6758f70c5fd439c645bd0fdf

Download Submit
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe

MD5
754ff16bed1f2d3c4867d0c0928c8ee5

SHA1
f7485d901ece8ef19c4f1e1fc39fc562dc3486b3

SHA256
3a8834514f022637acea1b3227b46d07ef77586da2fb8386538c1a97ce9892a9

SHA512
f0927c16c78057d1ca39a71d1abf156bfa7b0cac57470419f0d73af5cf3a2751a7c18b60ccbc8fdb9b9466f3091658cc41909b2fc36bc282b8cc3669c43a8412

Download Submit
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe

MD5
754ff16bed1f2d3c4867d0c0928c8ee5

SHA1
f7485d901ece8ef19c4f1e1fc39fc562dc3486b3

SHA256
3a8834514f022637acea1b3227b46d07ef77586da2fb8386538c1a97ce9892a9

SHA512
f0927c16c78057d1ca39a71d1abf156bfa7b0cac57470419f0d73af5cf3a2751a7c18b60ccbc8fdb9b9466f3091658cc41909b2fc36bc282b8cc3669c43a8412

Download Submit
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe

MD5
754ff16bed1f2d3c4867d0c0928c8ee5

SHA1
f7485d901ece8ef19c4f1e1fc39fc562dc3486b3

SHA256
3a8834514f022637acea1b3227b46d07ef77586da2fb8386538c1a97ce9892a9

SHA512
f0927c16c78057d1ca39a71d1abf156bfa7b0cac57470419f0d73af5cf3a2751a7c18b60ccbc8fdb9b9466f3091658cc41909b2fc36bc282b8cc3669c43a8412

Download Submit
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe

MD5
754ff16bed1f2d3c4867d0c0928c8ee5

SHA1
f7485d901ece8ef19c4f1e1fc39fc562dc3486b3

SHA256
3a8834514f022637acea1b3227b46d07ef77586da2fb8386538c1a97ce9892a9

SHA512
f0927c16c78057d1ca39a71d1abf156bfa7b0cac57470419f0d73af5cf3a2751a7c18b60ccbc8fdb9b9466f3091658cc41909b2fc36bc282b8cc3669c43a8412

Download Submit
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe

MD5
754ff16bed1f2d3c4867d0c0928c8ee5

SHA1
f7485d901ece8ef19c4f1e1fc39fc562dc3486b3

SHA256
3a8834514f022637acea1b3227b46d07ef77586da2fb8386538c1a97ce9892a9

SHA512
f0927c16c78057d1ca39a71d1abf156bfa7b0cac57470419f0d73af5cf3a2751a7c18b60ccbc8fdb9b9466f3091658cc41909b2fc36bc282b8cc3669c43a8412

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe

MD5
d5581c9db64b399c7d0cdb3f7b78673b

SHA1
87396211e6468d73c97301fe0b673f64bcd6d17c

SHA256
7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826

SHA512
5a8034902bfd110826aebc8196469f0dea26d94fcb093406342657b9660f400cc495a6a7ce843d32a7541083cfbc3f0fbdf9aab1ad08294729307bffe7c512c6

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe

MD5
d5581c9db64b399c7d0cdb3f7b78673b

SHA1
87396211e6468d73c97301fe0b673f64bcd6d17c

SHA256
7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826

SHA512
5a8034902bfd110826aebc8196469f0dea26d94fcb093406342657b9660f400cc495a6a7ce843d32a7541083cfbc3f0fbdf9aab1ad08294729307bffe7c512c6

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe

MD5
d5581c9db64b399c7d0cdb3f7b78673b

SHA1
87396211e6468d73c97301fe0b673f64bcd6d17c

SHA256
7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826

SHA512
5a8034902bfd110826aebc8196469f0dea26d94fcb093406342657b9660f400cc495a6a7ce843d32a7541083cfbc3f0fbdf9aab1ad08294729307bffe7c512c6

Download Submit
C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe

MD5
d5581c9db64b399c7d0cdb3f7b78673b

SHA1
87396211e6468d73c97301fe0b673f64bcd6d17c

SHA256
7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826

SHA512
5a8034902bfd110826aebc8196469f0dea26d94fcb093406342657b9660f400cc495a6a7ce843d32a7541083cfbc3f0fbdf9aab1ad08294729307bffe7c512c6

Download Submit
C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe

MD5
d5581c9db64b399c7d0cdb3f7b78673b

SHA1
87396211e6468d73c97301fe0b673f64bcd6d17c

SHA256
7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826

SHA512
5a8034902bfd110826aebc8196469f0dea26d94fcb093406342657b9660f400cc495a6a7ce843d32a7541083cfbc3f0fbdf9aab1ad08294729307bffe7c512c6

Download Submit
C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe

MD5
d5581c9db64b399c7d0cdb3f7b78673b

SHA1
87396211e6468d73c97301fe0b673f64bcd6d17c

SHA256
7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826

SHA512
5a8034902bfd110826aebc8196469f0dea26d94fcb093406342657b9660f400cc495a6a7ce843d32a7541083cfbc3f0fbdf9aab1ad08294729307bffe7c512c6

Download Submit
C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/212-152-0x0000000000380000-0x00000000003A0000-memory.dmp

Filesize
128KB

Download
memory/212-150-0x0000000000393614-mapping.dmp

Download
memory/212-144-0x0000000000380000-0x00000000003A0000-memory.dmp

Filesize
128KB

Download
memory/344-117-0x0000000000000000-mapping.dmp

Download
memory/692-139-0x0000000000000000-mapping.dmp

Download
memory/904-154-0x0000000000000000-mapping.dmp

Download
memory/996-162-0x0000000077912000-0x000000007791200C-memory.dmp

Filesize
12B

Download
memory/996-164-0x0000000000000000-mapping.dmp

Download
memory/1072-135-0x0000000000560000-0x0000000000583000-memory.dmp

Filesize
140KB

Download
memory/1072-114-0x0000000000000000-mapping.dmp

Download
memory/1108-122-0x0000000003E10000-0x0000000003E11000-memory.dmp

Filesize
4KB

Download
memory/1276-158-0x0000000077912000-0x000000007791200C-memory.dmp

Filesize
12B

Download
memory/1276-160-0x0000000000000000-mapping.dmp

Download
memory/1468-178-0x0000000077912000-0x000000007791200C-memory.dmp

Filesize
12B

Download
memory/1468-180-0x0000000000000000-mapping.dmp

Download
memory/1688-140-0x0000000000000000-mapping.dmp

Download
memory/1688-155-0x0000000000A90000-0x0000000000AB3000-memory.dmp

Filesize
140KB

Download
memory/1732-137-0x0000000000000000-mapping.dmp

Download
memory/1800-170-0x0000000000000000-mapping.dmp

Download
memory/1800-168-0x0000000077912000-0x000000007791200C-memory.dmp

Filesize
12B

Download
memory/2116-174-0x0000000077912000-0x000000007791200C-memory.dmp

Filesize
12B

Download
memory/2116-176-0x0000000000000000-mapping.dmp

Download
memory/2320-157-0x0000000000000000-mapping.dmp

Download
memory/2844-125-0x0000000000000000-mapping.dmp

Download
memory/3044-118-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3044-124-0x0000000000401000-0x0000000000476000-memory.dmp

Filesize
468KB

Download
memory/3044-120-0x00000000004BE2D0-mapping.dmp

Download
memory/3044-121-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3044-123-0x0000000000476000-0x00000000004BF000-memory.dmp

Filesize
292KB

Download
memory/3724-134-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3724-132-0x0000000000413614-mapping.dmp

Download
memory/3724-126-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3764-192-0x00000000004BE2D0-mapping.dmp

Download
memory/3844-184-0x0000000000000000-mapping.dmp

Download
memory/3844-182-0x0000000077912000-0x000000007791200C-memory.dmp

Filesize
12B

Download
memory/3860-156-0x0000000000000000-mapping.dmp

Download
memory/3960-136-0x0000000000000000-mapping.dmp

Download
memory/4100-198-0x0000000000000000-mapping.dmp

Download
memory/4148-199-0x0000000000110000-0x0000000000130000-memory.dmp

Filesize
128KB

Download
memory/4148-205-0x0000000000123614-mapping.dmp

Download
memory/4148-207-0x0000000000110000-0x0000000000130000-memory.dmp

Filesize
128KB

Download
memory/4224-209-0x0000000000000000-mapping.dmp

Download
memory/4440-232-0x0000000000800000-0x000000000094A000-memory.dmp

Filesize
1.3MB

Download
memory/4488-215-0x00000000004BE2D0-mapping.dmp

Download
memory/4560-221-0x0000000000000000-mapping.dmp

Download
memory/4608-222-0x00000000008B0000-0x00000000008D0000-memory.dmp

Filesize
128KB

Download
memory/4608-228-0x00000000008C3614-mapping.dmp

Download
memory/4608-230-0x00000000008B0000-0x00000000008D0000-memory.dmp

Filesize
128KB

Download
memory/4680-231-0x0000000000000000-mapping.dmp

Download