remcos | 65054687e67c867b4f3a1fe66888dbc1e43f1152d44ba8a82e98f4374d54ec1d

Analysis

max time kernel
150s
max time network
159s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/11/2022, 08:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e70d59aaab1fda4f504e32e547329a5b.exe
Size

596KB
MD5

e70d59aaab1fda4f504e32e547329a5b
SHA1

ccac646868b072edac45d52afad293b21d6f6f6c
SHA256

65054687e67c867b4f3a1fe66888dbc1e43f1152d44ba8a82e98f4374d54ec1d
SHA512

10263b2d2a9a518dc99fadc7e7746d349706a188ee95f8f0be0d2713060a8683e2d6abe0d25060bec8078315176570ca84996ef99b589dfb76d92e3a483bb9a9
SSDEEP

12288:R/Jd9DZtfiv/gaORm9ZpSjV6BK6KFuApvsch/U2Ci/4m:lHnZUpSjoBK6KQLcZU2NQm

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

45.137.22.236:5890

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
windows-P9KT1G
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sycxbhdfhdhstem.exe	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sycxbhdfhdhstem.exe	Powershell.exe

Suspicious use of SetThreadContext 16 IoCs

description	pid	Process	procid_target
PID 1624 set thread context of 1512	1624	e70d59aaab1fda4f504e32e547329a5b.exe	30
PID 1512 set thread context of 1404	1512	RegSvcs.exe	31
PID 1512 set thread context of 960	1512	RegSvcs.exe	36
PID 1512 set thread context of 1588	1512	RegSvcs.exe	38
PID 1512 set thread context of 948	1512	RegSvcs.exe	43
PID 1512 set thread context of 1368	1512	RegSvcs.exe	47
PID 1512 set thread context of 2132	1512	RegSvcs.exe	50
PID 1512 set thread context of 2212	1512	RegSvcs.exe	53
PID 1512 set thread context of 2424	1512	RegSvcs.exe	56
PID 1512 set thread context of 2504	1512	RegSvcs.exe	59
PID 1512 set thread context of 2776	1512	RegSvcs.exe	63
PID 1512 set thread context of 2880	1512	RegSvcs.exe	66
PID 1512 set thread context of 1684	1512	RegSvcs.exe	70
PID 1512 set thread context of 2156	1512	RegSvcs.exe	72
PID 1512 set thread context of 596	1512	RegSvcs.exe	77
PID 1512 set thread context of 2744	1512	RegSvcs.exe	79

Modifies Internet Explorer settings 1 TTPs 42 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a300000000020000000000106600000001000020000000527aa2c38c529ecfdc9ca906e367633c1e58bffa11e11f725fc43fb761f64eff000000000e80000000020000200000004c93c5bd332b338bcf68245f256ca80c595f4650fcc9b2d6a244b2e859bbcdef90000000fbe5f6f1253be6cc49203c96425c93cf99ade06a6563457427fc651ef51a11298be06efc998a23de0f1c0f3f73b535888a41b3543569234f617e4a2fb3fecc1d146ae28e869c6c6a7a695c3d1f88ba07a46898a6a68573292889b58a5c967d8c2797d4cee047801401dc600599ace8652afb67e6dd3d31191ae25ad1c23b39b4c389529bee175a73e5b17e8484c2304440000000e10405f159ae44907373bb3250e8d5ed83746a9613459d6e4c63289776f1985ba0b89a6100f86f20029e6d78449b09e6fba57e6bad976c350c7943e123d3c8b8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70755fee99eed801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1D5B1B41-5A8D-11ED-8413-C22E595EE768} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "374144741"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a3000000000200000000001066000000010000200000006cf6a2501f795782076d94b1896a37527a429b2dbce5189aa69db73971652698000000000e80000000020000200000007ef874a4b3e0ed8fc42132c87c326c0403e1d51b2eb831e08376e70f32c9e5cc20000000951e087516a91b0edde888af3e92f0abcfc65ebf16c6decebb74eae4ec005e5c40000000f6712f074f84efc7fe092c6d9af8f69953dfb94d165ef8b5b7138482f52131483f4b18aaff2cffd874674cbc49d0b6b9888a157ed5c15b4425734d996b313a7b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1580	Powershell.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe

Suspicious behavior: MapViewOfSection 15 IoCs

pid	Process
1512	RegSvcs.exe
1512	RegSvcs.exe
1512	RegSvcs.exe
1512	RegSvcs.exe
1512	RegSvcs.exe
1512	RegSvcs.exe
1512	RegSvcs.exe
1512	RegSvcs.exe
1512	RegSvcs.exe
1512	RegSvcs.exe
1512	RegSvcs.exe
1512	RegSvcs.exe
1512	RegSvcs.exe
1512	RegSvcs.exe
1512	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1624	e70d59aaab1fda4f504e32e547329a5b.exe
Token: SeDebugPrivilege	1580	Powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1212	iexplore.exe

Suspicious use of SetWindowsHookEx 55 IoCs

pid	Process
1512	RegSvcs.exe
1212	iexplore.exe
1212	iexplore.exe
956	IEXPLORE.EXE
956	IEXPLORE.EXE
1680	IEXPLORE.EXE
1680	IEXPLORE.EXE
1624	IEXPLORE.EXE
1624	IEXPLORE.EXE
1624	IEXPLORE.EXE
1624	IEXPLORE.EXE
1708	IEXPLORE.EXE
1708	IEXPLORE.EXE
1708	IEXPLORE.EXE
1708	IEXPLORE.EXE
956	IEXPLORE.EXE
956	IEXPLORE.EXE
956	IEXPLORE.EXE
956	IEXPLORE.EXE
2220	IEXPLORE.EXE
2220	IEXPLORE.EXE
2220	IEXPLORE.EXE
2220	IEXPLORE.EXE
1680	IEXPLORE.EXE
1680	IEXPLORE.EXE
1680	IEXPLORE.EXE
1680	IEXPLORE.EXE
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE
1624	IEXPLORE.EXE
1624	IEXPLORE.EXE
1624	IEXPLORE.EXE
1624	IEXPLORE.EXE
2892	IEXPLORE.EXE
2892	IEXPLORE.EXE
2892	IEXPLORE.EXE
2892	IEXPLORE.EXE
1708	IEXPLORE.EXE
1708	IEXPLORE.EXE
1708	IEXPLORE.EXE
1708	IEXPLORE.EXE
2148	IEXPLORE.EXE
2148	IEXPLORE.EXE
2148	IEXPLORE.EXE
2148	IEXPLORE.EXE
2220	IEXPLORE.EXE
2220	IEXPLORE.EXE
2220	IEXPLORE.EXE
2220	IEXPLORE.EXE
2712	IEXPLORE.EXE
2712	IEXPLORE.EXE
2712	IEXPLORE.EXE
2712	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 1580	1624	e70d59aaab1fda4f504e32e547329a5b.exe	28
PID 1624 wrote to memory of 1580	1624	e70d59aaab1fda4f504e32e547329a5b.exe	28
PID 1624 wrote to memory of 1580	1624	e70d59aaab1fda4f504e32e547329a5b.exe	28
PID 1624 wrote to memory of 1580	1624	e70d59aaab1fda4f504e32e547329a5b.exe	28
PID 1624 wrote to memory of 1512	1624	e70d59aaab1fda4f504e32e547329a5b.exe	30
PID 1624 wrote to memory of 1512	1624	e70d59aaab1fda4f504e32e547329a5b.exe	30
PID 1624 wrote to memory of 1512	1624	e70d59aaab1fda4f504e32e547329a5b.exe	30
PID 1624 wrote to memory of 1512	1624	e70d59aaab1fda4f504e32e547329a5b.exe	30
PID 1624 wrote to memory of 1512	1624	e70d59aaab1fda4f504e32e547329a5b.exe	30
PID 1624 wrote to memory of 1512	1624	e70d59aaab1fda4f504e32e547329a5b.exe	30
PID 1624 wrote to memory of 1512	1624	e70d59aaab1fda4f504e32e547329a5b.exe	30
PID 1624 wrote to memory of 1512	1624	e70d59aaab1fda4f504e32e547329a5b.exe	30
PID 1624 wrote to memory of 1512	1624	e70d59aaab1fda4f504e32e547329a5b.exe	30
PID 1624 wrote to memory of 1512	1624	e70d59aaab1fda4f504e32e547329a5b.exe	30
PID 1624 wrote to memory of 1512	1624	e70d59aaab1fda4f504e32e547329a5b.exe	30
PID 1624 wrote to memory of 1512	1624	e70d59aaab1fda4f504e32e547329a5b.exe	30
PID 1624 wrote to memory of 1512	1624	e70d59aaab1fda4f504e32e547329a5b.exe	30
PID 1624 wrote to memory of 1512	1624	e70d59aaab1fda4f504e32e547329a5b.exe	30
PID 1624 wrote to memory of 1512	1624	e70d59aaab1fda4f504e32e547329a5b.exe	30
PID 1624 wrote to memory of 1512	1624	e70d59aaab1fda4f504e32e547329a5b.exe	30
PID 1512 wrote to memory of 1404	1512	RegSvcs.exe	31
PID 1512 wrote to memory of 1404	1512	RegSvcs.exe	31
PID 1512 wrote to memory of 1404	1512	RegSvcs.exe	31
PID 1512 wrote to memory of 1404	1512	RegSvcs.exe	31
PID 1512 wrote to memory of 1404	1512	RegSvcs.exe	31
PID 1404 wrote to memory of 1212	1404	svchost.exe	33
PID 1404 wrote to memory of 1212	1404	svchost.exe	33
PID 1404 wrote to memory of 1212	1404	svchost.exe	33
PID 1404 wrote to memory of 1212	1404	svchost.exe	33
PID 1212 wrote to memory of 956	1212	iexplore.exe	35
PID 1212 wrote to memory of 956	1212	iexplore.exe	35
PID 1212 wrote to memory of 956	1212	iexplore.exe	35
PID 1212 wrote to memory of 956	1212	iexplore.exe	35
PID 1512 wrote to memory of 960	1512	RegSvcs.exe	36
PID 1512 wrote to memory of 960	1512	RegSvcs.exe	36
PID 1512 wrote to memory of 960	1512	RegSvcs.exe	36
PID 1512 wrote to memory of 960	1512	RegSvcs.exe	36
PID 1512 wrote to memory of 960	1512	RegSvcs.exe	36
PID 1512 wrote to memory of 1588	1512	RegSvcs.exe	38
PID 1512 wrote to memory of 1588	1512	RegSvcs.exe	38
PID 1512 wrote to memory of 1588	1512	RegSvcs.exe	38
PID 1512 wrote to memory of 1588	1512	RegSvcs.exe	38
PID 1512 wrote to memory of 1588	1512	RegSvcs.exe	38
PID 1212 wrote to memory of 1680	1212	iexplore.exe	41
PID 1212 wrote to memory of 1680	1212	iexplore.exe	41
PID 1212 wrote to memory of 1680	1212	iexplore.exe	41
PID 1212 wrote to memory of 1680	1212	iexplore.exe	41
PID 1212 wrote to memory of 1624	1212	iexplore.exe	42
PID 1212 wrote to memory of 1624	1212	iexplore.exe	42
PID 1212 wrote to memory of 1624	1212	iexplore.exe	42
PID 1212 wrote to memory of 1624	1212	iexplore.exe	42
PID 1512 wrote to memory of 948	1512	RegSvcs.exe	43
PID 1512 wrote to memory of 948	1512	RegSvcs.exe	43
PID 1512 wrote to memory of 948	1512	RegSvcs.exe	43
PID 1512 wrote to memory of 948	1512	RegSvcs.exe	43
PID 1512 wrote to memory of 948	1512	RegSvcs.exe	43
PID 1212 wrote to memory of 1708	1212	iexplore.exe	46
PID 1212 wrote to memory of 1708	1212	iexplore.exe	46
PID 1212 wrote to memory of 1708	1212	iexplore.exe	46
PID 1212 wrote to memory of 1708	1212	iexplore.exe	46
PID 1512 wrote to memory of 1368	1512	RegSvcs.exe	47
PID 1512 wrote to memory of 1368	1512	RegSvcs.exe	47
PID 1512 wrote to memory of 1368	1512	RegSvcs.exe	47
PID 1512 wrote to memory of 1368	1512	RegSvcs.exe	47

C:\Users\Admin\AppData\Local\Temp\e70d59aaab1fda4f504e32e547329a5b.exe
"C:\Users\Admin\AppData\Local\Temp\e70d59aaab1fda4f504e32e547329a5b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
  "Powershell" Copy-Item 'C:\Users\Admin\AppData\Local\Temp\e70d59aaab1fda4f504e32e547329a5b.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sycxbhdfhdhstem.exe'
  2⤵
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1404
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
      4⤵
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1212
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1212 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:956
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1212 CREDAT:4207618 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1680
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1212 CREDAT:275470 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1624
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1212 CREDAT:472090 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1708
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1212 CREDAT:603180 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2220
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1212 CREDAT:275529 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2512
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1212 CREDAT:865361 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2892
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1212 CREDAT:1324089 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2148
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1212 CREDAT:1258570 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2712
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:960
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:948
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1368
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2212
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2504
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2156
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:596
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FI3SE4KL.txt

Filesize
603B

MD5
6f10d03cf1fecbf4aae7c2a955a01b5d

SHA1
684f34ca35ba62ab8a2ad3036222403f5af57c48

SHA256
18c60c9da7bc314ce930fcb97202ac64dcb233b63879a363b177a81852a223ac

SHA512
0ce1e4734357f2b6e18c7c346cd901eaedbb5fff304304fa37e7c602e80a64abfd08b89aba462b25e3df26e15a448a6bf919e67fe2dedbfc44bfcd3e17e3c514

Download Submit
memory/1512-78-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1512-59-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1512-66-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1512-67-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1512-65-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1512-69-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1512-71-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1512-75-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1512-62-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1512-86-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1512-64-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1512-60-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1580-79-0x000000006FA40000-0x000000006FFEB000-memory.dmp

Filesize
5.7MB

Download
memory/1580-80-0x000000006FA40000-0x000000006FFEB000-memory.dmp

Filesize
5.7MB

Download
memory/1624-54-0x0000000001200000-0x0000000001298000-memory.dmp

Filesize
608KB

Download
memory/1624-58-0x00000000004C0000-0x00000000004DC000-memory.dmp

Filesize
112KB

Download
memory/1624-55-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download