remcos | hxxps://drive[.]google[.]com/file/d/1Azba2b4roguHreqHkI0rq7BYzOSVa0_A/view

Analysis

max time kernel
148s
max time network
210s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2023 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1Azba2b4roguHreqHkI0rq7BYzOSVa0_A/view

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

gato87630.mypsx.net:2019

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-KPIKXR
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

DEMANDA POR DAÑOS.exeDEMANDA POR DAÑOS.exe

pid process

1396 DEMANDA POR DAÑOS.exe
3936 DEMANDA POR DAÑOS.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
1396	DEMANDA POR DAÑOS.exe
3936	DEMANDA POR DAÑOS.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

DEMANDA POR DAÑOS.exeDEMANDA POR DAÑOS.exe

description	pid	process	target process
PID 1396 set thread context of 4012	1396	DEMANDA POR DAÑOS.exe	csc.exe
PID 3936 set thread context of 544	3936	DEMANDA POR DAÑOS.exe	csc.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

3732 schtasks.exe
1908 schtasks.exe
912 schtasks.exe

pid	process
3732	schtasks.exe
1908	schtasks.exe
912	schtasks.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = d42e80ebae45d901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31023708"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000016b1b6fc7cfc59429b2ebf78760d5fe300000000020000000000106600000001000020000000e7e574e51438520d48b17c7eb4bd40a48c648d893e3dcb4770c3fb6c9608fda0000000000e800000000200002000000033871b0cd1eb83e40ee791b1dac4b05d0519c0d12bb17b6857aed113b6bebbf820000000c91f6dd765dcaa72938503581308fc8dc6a2f1ddd9867afa569faf9ca1dd65de40000000983f997a9a02d3f06cc9baef3527faba196e542b3ed83de5c87f7fa73e3aa0ce9cc1c23d633f5af7c75145edd03f872158bee531688599526026402cd9053267	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2639494735"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000016b1b6fc7cfc59429b2ebf78760d5fe3000000000200000000001066000000010000200000005479900441f6c025fe54c34c61e810d7498467e9c4f60d6e3632506bb4ee12b0000000000e8000000002000020000000a3c57a3ba999c92b93c11dd5407bb353d89ea813cc995d3857f3bb126c12b42520000000137dacb5a787c8bef0f57da56def9bc6850516e13c8dcb6e14ecf19075a8b8ed400000000a2baf121a40fc223a89b28e83a1d7e2868a90c08287a2e1a356ebafa2f0ad6026bb8a6012817280cbae15b338e24f4edb2a77875ad202c57be60cacac4b149f	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C7B4D2A3-CE4F-11ED-9EF6-6A765FEA1DF2} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "386872732"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31023708"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31023708"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8090cda05c62d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2629964736"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60e8dba05c62d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{74209F34-CC6E-489F-9EBE-FCF0E72C01B4}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2629964736"	iexplore.exe

Modifies registry class 2 IoCs

Processes:

iexplore.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

2812 OpenWith.exe

pid	process
2812	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7zG.exe

description	pid	process
Token: SeRestorePrivilege	3404	7zG.exe
Token: 35	3404	7zG.exe
Token: SeSecurityPrivilege	3404	7zG.exe
Token: SeSecurityPrivilege	3404	7zG.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exe7zG.exe

pid process

3808 iexplore.exe
3808 iexplore.exe
3808 iexplore.exe
3404 7zG.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

iexplore.exeIEXPLORE.EXEOpenWith.execsc.exe

pid	process
3808	iexplore.exe
3808	iexplore.exe
1144	IEXPLORE.EXE
1144	IEXPLORE.EXE
1144	IEXPLORE.EXE
1144	IEXPLORE.EXE
1144	IEXPLORE.EXE
1144	IEXPLORE.EXE
2812	OpenWith.exe
1144	IEXPLORE.EXE
1144	IEXPLORE.EXE
4012	csc.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

iexplore.exeDEMANDA POR DAÑOS.exeDEMANDA POR DAÑOS.execmd.exe

description	pid	process	target process
PID 3808 wrote to memory of 1144	3808	iexplore.exe	IEXPLORE.EXE
PID 3808 wrote to memory of 1144	3808	iexplore.exe	IEXPLORE.EXE
PID 3808 wrote to memory of 1144	3808	iexplore.exe	IEXPLORE.EXE
PID 1396 wrote to memory of 4012	1396	DEMANDA POR DAÑOS.exe	csc.exe
PID 1396 wrote to memory of 4012	1396	DEMANDA POR DAÑOS.exe	csc.exe
PID 1396 wrote to memory of 4012	1396	DEMANDA POR DAÑOS.exe	csc.exe
PID 1396 wrote to memory of 4012	1396	DEMANDA POR DAÑOS.exe	csc.exe
PID 1396 wrote to memory of 4012	1396	DEMANDA POR DAÑOS.exe	csc.exe
PID 1396 wrote to memory of 4012	1396	DEMANDA POR DAÑOS.exe	csc.exe
PID 1396 wrote to memory of 4012	1396	DEMANDA POR DAÑOS.exe	csc.exe
PID 1396 wrote to memory of 4012	1396	DEMANDA POR DAÑOS.exe	csc.exe
PID 1396 wrote to memory of 4012	1396	DEMANDA POR DAÑOS.exe	csc.exe
PID 1396 wrote to memory of 4012	1396	DEMANDA POR DAÑOS.exe	csc.exe
PID 1396 wrote to memory of 4012	1396	DEMANDA POR DAÑOS.exe	csc.exe
PID 1396 wrote to memory of 4012	1396	DEMANDA POR DAÑOS.exe	csc.exe
PID 1396 wrote to memory of 4596	1396	DEMANDA POR DAÑOS.exe	cmd.exe
PID 1396 wrote to memory of 4596	1396	DEMANDA POR DAÑOS.exe	cmd.exe
PID 1396 wrote to memory of 4596	1396	DEMANDA POR DAÑOS.exe	cmd.exe
PID 1396 wrote to memory of 2352	1396	DEMANDA POR DAÑOS.exe	cmd.exe
PID 1396 wrote to memory of 2352	1396	DEMANDA POR DAÑOS.exe	cmd.exe
PID 1396 wrote to memory of 2352	1396	DEMANDA POR DAÑOS.exe	cmd.exe
PID 1396 wrote to memory of 2496	1396	DEMANDA POR DAÑOS.exe	cmd.exe
PID 1396 wrote to memory of 2496	1396	DEMANDA POR DAÑOS.exe	cmd.exe
PID 1396 wrote to memory of 2496	1396	DEMANDA POR DAÑOS.exe	cmd.exe
PID 3936 wrote to memory of 544	3936	DEMANDA POR DAÑOS.exe	csc.exe
PID 3936 wrote to memory of 544	3936	DEMANDA POR DAÑOS.exe	csc.exe
PID 3936 wrote to memory of 544	3936	DEMANDA POR DAÑOS.exe	csc.exe
PID 3936 wrote to memory of 544	3936	DEMANDA POR DAÑOS.exe	csc.exe
PID 3936 wrote to memory of 544	3936	DEMANDA POR DAÑOS.exe	csc.exe
PID 3936 wrote to memory of 544	3936	DEMANDA POR DAÑOS.exe	csc.exe
PID 3936 wrote to memory of 544	3936	DEMANDA POR DAÑOS.exe	csc.exe
PID 3936 wrote to memory of 544	3936	DEMANDA POR DAÑOS.exe	csc.exe
PID 3936 wrote to memory of 544	3936	DEMANDA POR DAÑOS.exe	csc.exe
PID 3936 wrote to memory of 544	3936	DEMANDA POR DAÑOS.exe	csc.exe
PID 3936 wrote to memory of 544	3936	DEMANDA POR DAÑOS.exe	csc.exe
PID 3936 wrote to memory of 544	3936	DEMANDA POR DAÑOS.exe	csc.exe
PID 3936 wrote to memory of 4076	3936	DEMANDA POR DAÑOS.exe	cmd.exe
PID 3936 wrote to memory of 4076	3936	DEMANDA POR DAÑOS.exe	cmd.exe
PID 3936 wrote to memory of 4076	3936	DEMANDA POR DAÑOS.exe	cmd.exe
PID 3936 wrote to memory of 1784	3936	DEMANDA POR DAÑOS.exe	cmd.exe
PID 3936 wrote to memory of 1784	3936	DEMANDA POR DAÑOS.exe	cmd.exe
PID 3936 wrote to memory of 1784	3936	DEMANDA POR DAÑOS.exe	cmd.exe
PID 3936 wrote to memory of 1512	3936	DEMANDA POR DAÑOS.exe	cmd.exe
PID 3936 wrote to memory of 1512	3936	DEMANDA POR DAÑOS.exe	cmd.exe
PID 3936 wrote to memory of 1512	3936	DEMANDA POR DAÑOS.exe	cmd.exe
PID 2352 wrote to memory of 3732	2352	cmd.exe	schtasks.exe
PID 2352 wrote to memory of 3732	2352	cmd.exe	schtasks.exe
PID 2352 wrote to memory of 3732	2352	cmd.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://drive.google.com/file/d/1Azba2b4roguHreqHkI0rq7BYzOSVa0_A/view
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3808

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3808 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1144

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2812

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1852

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap7062:96:7zEvent24628
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3404

C:\Users\Admin\Downloads\DEMANDA POR DAÑOS\DEMANDA POR DAÑOS.exe
"C:\Users\Admin\Downloads\DEMANDA POR DAÑOS\DEMANDA POR DAÑOS.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:4012

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\fndv"
2⤵
PID:4596

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\Downloads\DEMANDA POR DAÑOS\DEMANDA POR DAÑOS.exe" "C:\Users\Admin\AppData\Roaming\fndv\fndv.exe"
2⤵
PID:2496

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fndv\fndv.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2352

C:\Users\Admin\Downloads\DEMANDA POR DAÑOS\DEMANDA POR DAÑOS.exe
"C:\Users\Admin\Downloads\DEMANDA POR DAÑOS\DEMANDA POR DAÑOS.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
PID:544

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\Downloads\DEMANDA POR DAÑOS\DEMANDA POR DAÑOS.exe" "C:\Users\Admin\AppData\Roaming\fndv\fndv.exe"
2⤵
PID:1512

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fndv\fndv.exe'" /f
2⤵
PID:1784

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\fndv"
2⤵
PID:4076

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fndv\fndv.exe'" /f
1⤵
- Creates scheduled task(s)
PID:3732

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fndv\fndv.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1908

C:\Users\Admin\Downloads\DEMANDA POR DAÑOS\DEMANDA POR DAÑOS.exe
"C:\Users\Admin\Downloads\DEMANDA POR DAÑOS\DEMANDA POR DAÑOS.exe"
1⤵
PID:1852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
PID:4316

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\Downloads\DEMANDA POR DAÑOS\DEMANDA POR DAÑOS.exe" "C:\Users\Admin\AppData\Roaming\fndv\fndv.exe"
2⤵
PID:2192

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fndv\fndv.exe'" /f
2⤵
PID:4128

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fndv\fndv.exe'" /f
3⤵
- Creates scheduled task(s)
PID:912

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\fndv"
2⤵
PID:3364

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:5056

C:\Users\Admin\AppData\Roaming\fndv\fndv.exe
C:\Users\Admin\AppData\Roaming\fndv\fndv.exe
1⤵
PID:4456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
27eeb470ea47791b773b0c543d47d7c0

SHA1
cf692b6241651b506a7639c0c02f4ab582b728bb

SHA256
887291e1eaf9e037071221908bc110ee40235c5d9c6dd4001699cdbfd55c9cd4

SHA512
23f1b1f25ca82aa1b9a235921ba87b86f61e58a1d19b031547144a6035144b14c0ca1f7a9391c00eca50c0be4f35a161d0b4402cdff37f1c9350a368ce3f1321

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
434B

MD5
3633bec6bd54807a23b18075d7fafd33

SHA1
bbd0d9673ff65f01c182999160b69d8490ca0a91

SHA256
2d0ba0f5526b1efad83e252947dbce7cfe15ebcaa644f116387dfdcebbda2e50

SHA512
5a6d1f67682edadc28973c82037e78c5ef967b758eb2840106090f15e3701025f7d156c01f466a49e0f92f9e69ce6aaf738c3e7aab7b3aaf76500c87c42ac070

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DEMANDA POR DAÑOS.exe.log
Filesize
517B

MD5
13f84b613e6a4dd2d82f7c44b2295a04

SHA1
f9e07213c2825ecb28e732f3e66e07625747c4b3

SHA256
d9c52c1eb0b6a04d3495ab971da2c6d01b0964a8b04fd173bfb351820b255c33

SHA512
3a2aca3d21bff43e36de5d9c97b0d1a9c972ee5ab0d9322a3615c0820042a7c9c4c0f2d41522fb4f2347b9a1679b63c91dcf5dc75444ba64c736e2cdcf10ee7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.1
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\feo4h2u\imagestore.dat
Filesize
1021B

MD5
37193abd66aa60c2d0c0cf49b856ae94

SHA1
6ccdf62e35bf4ad3cf042b861228edd58e5d4a03

SHA256
8074032c2c5d0b3d2d2290da90699684f175d87b680de069fe1c18805046aaf8

SHA512
81ea6ab086c6fbc250f1c0396e6a29053b2e950972459af51bba1d25c3a725b86077dae20004ba8c987819b9daecc2a8004add23e2e186f0283199cc738668f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6K3GJRJ1\DEMANDA%20POR%20DAÑOS[1].Uue
Filesize
618KB

MD5
56cd3d9300f17337a73691e6f96209dd

SHA1
b684acf41d1892a6edf057ace8ddf0bb2e8d0d94

SHA256
499dc10f8076cf940ca9014ec3d43cd86a37b1c79738dcc6f37720a1ffbcd7f0

SHA512
88a381d5a6bc6e1ef6e76feadabc0ba315274a175545dd195b3eb081031786455e0ffc35cf5b5f657772328051a6489fe9340b50f0e5eaaf919dbf7fc5022578

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8OI4IV75\DEMANDA POR DAÑOS.Uue.bwjw7y2.partial
Filesize
618KB

MD5
56cd3d9300f17337a73691e6f96209dd

SHA1
b684acf41d1892a6edf057ace8ddf0bb2e8d0d94

SHA256
499dc10f8076cf940ca9014ec3d43cd86a37b1c79738dcc6f37720a1ffbcd7f0

SHA512
88a381d5a6bc6e1ef6e76feadabc0ba315274a175545dd195b3eb081031786455e0ffc35cf5b5f657772328051a6489fe9340b50f0e5eaaf919dbf7fc5022578

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8OI4IV75\cb=gapi[2].js
Filesize
70KB

MD5
357e6c63623f248d99478c9cc7770a73

SHA1
07baeceba09ff600b7c8d3b5b238ac433f5d7e0a

SHA256
f9947608a0a19db721e12ac4d74f17fb5774d1b191c5d0191a7cdbc8df5cf0cd

SHA512
e639cf0c8d6c18eae7ab26ad6c406e1babb382c8355951d39f605d82bf8587c4bfa85d7a1fbc6864337f095d4030b09320ddb2b4120b875097ae92d9dddfa3ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UUIKWEAJ\drive_2020q4_32dp[1].png
Filesize
831B

MD5
916c9bcccf19525ad9d3cd1514008746

SHA1
9ccce6978d2417927b5150ffaac22f907ff27b6e

SHA256
358e814139d3ed8469b36935a071be6696ccad7dd9bdbfdb80c052b068ae2a50

SHA512
b73c1a81997abe12dba4ae1fa38f070079448c3798e7161c9262ccba6ee6a91e8a243f0e4888c8aef33ce1cf83818fc44c85ae454a522a079d08121cd8628d00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WPCK8CWE\cleardot[1].gif
Filesize
43B

MD5
fc94fb0c3ed8a8f909dbc7630a0987ff

SHA1
56d45f8a17f5078a20af9962c992ca4678450765

SHA256
2dfe28cbdb83f01c940de6a88ab86200154fd772d568035ac568664e52068363

SHA512
c87bf81fd70cf6434ca3a6c05ad6e9bd3f1d96f77dddad8d45ee043b126b2cb07a5cf23b4137b9d8462cd8a9adf2b463ab6de2b38c93db72d2d511ca60e3b57e

Download Submit
C:\Users\Admin\Downloads\DEMANDA POR DAÑOS.Uue.c1asa8s.partial
Filesize
618KB

MD5
56cd3d9300f17337a73691e6f96209dd

SHA1
b684acf41d1892a6edf057ace8ddf0bb2e8d0d94

SHA256
499dc10f8076cf940ca9014ec3d43cd86a37b1c79738dcc6f37720a1ffbcd7f0

SHA512
88a381d5a6bc6e1ef6e76feadabc0ba315274a175545dd195b3eb081031786455e0ffc35cf5b5f657772328051a6489fe9340b50f0e5eaaf919dbf7fc5022578

Download Submit
C:\Users\Admin\Downloads\DEMANDA POR DAÑOS\DEMANDA POR DAÑOS.exe
Filesize
310.7MB

MD5
948e73ee34b42f6db9c8e2f4a7fe70b1

SHA1
7f8829bbc35a8ee6ba2722b80e08d0f908251eda

SHA256
d898d517d290a76b6b925db772a6da1643dabc85de97c64c23aae9b30a60d60d

SHA512
da90dfc679002be190b64dcc10da71031862029ac96a500b86ba60b5a29104167f048f7f781114b2030d5d76efa7284d0b02e4c8718ce1a6a4cd5a4ad3d3796b

Download Submit
C:\Users\Admin\Downloads\DEMANDA POR DAÑOS\DEMANDA POR DAÑOS.exe
Filesize
302.3MB

MD5
0fbb7df237a17075e3fd5401b0bfe92c

SHA1
20d2497c3391d33321cf5d49004e3ad1e15d470b

SHA256
ce1466f193088918c7394585e854a862873329b7ed860533290fa07c550eac84

SHA512
501c924b3aab5958ed9ec392b83aed3264801421be3133bca98b2ab260b3a0cb8184694d702be7b67edef3fd42b2879eeb3250d387d5ec6abd66b0db901fd047

Download Submit
C:\Users\Admin\Downloads\DEMANDA POR DAÑOS\DEMANDA POR DAÑOS.exe
Filesize
189.3MB

MD5
40a3cee393873131cf81b3f2f954a48b

SHA1
16e977c9bf48c750068dfd9be3a343ae8cd4edcd

SHA256
35e6efaa7ad52739f0cd138e836297c4e3a3fcb457542fd8e8466e9fb827bc55

SHA512
42417998e5fdbc5e4ad7b3b23cf52d62b086ea903264abe1bbc1708b99674e70682a86563925c00f8ba23b0e0935b78e17e3fba930f08d113e6c739eee19b974

Download Submit
C:\Users\Admin\Downloads\DEMANDA POR DAÑOS\DEMANDA POR DAÑOS.exe
Filesize
156.6MB

MD5
0e92de5b7431a0db8055063b342da15e

SHA1
1aa019b13f97f9ef649316f3bcea1d68b2a58628

SHA256
7a3f65ddf0869f56f963cb40f0c1ecc84b4f5345f073cbf588b50a77e98db8f0

SHA512
34bd9d30f0ab3e299ee730f597693cb8b4010d67f3e1b87eff739af46cb4f0fbd6e829602690a8adc81f5023a6eacb933699366e4cf4f414fba0c5b914ef086b

Download Submit
memory/544-287-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/544-285-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/544-283-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1396-273-0x0000000005880000-0x00000000058E6000-memory.dmp

Filesize
408KB

Download
memory/1396-271-0x0000000000EC0000-0x0000000000F76000-memory.dmp

Filesize
728KB

Download
memory/4012-307-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-321-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-280-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-286-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-277-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-289-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-290-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-291-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-292-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-293-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-295-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-275-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-362-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-361-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-301-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-360-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-302-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-303-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-304-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-306-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-274-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-308-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-309-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-311-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-312-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-313-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-316-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-317-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-318-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-288-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-322-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-323-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-324-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-325-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-330-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-331-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-332-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-333-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-334-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-338-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-359-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-357-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-356-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-344-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-354-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-353-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4012-352-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4316-299-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4316-298-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4316-300-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5056-345-0x000002062D070000-0x000002062D071000-memory.dmp

Filesize
4KB

Download
memory/5056-348-0x000002062D070000-0x000002062D071000-memory.dmp

Filesize
4KB

Download
memory/5056-347-0x000002062D070000-0x000002062D071000-memory.dmp

Filesize
4KB

Download
memory/5056-349-0x000002062D070000-0x000002062D071000-memory.dmp

Filesize
4KB

Download
memory/5056-340-0x000002062D070000-0x000002062D071000-memory.dmp

Filesize
4KB

Download
memory/5056-339-0x000002062D070000-0x000002062D071000-memory.dmp

Filesize
4KB

Download
memory/5056-337-0x000002062D070000-0x000002062D071000-memory.dmp

Filesize
4KB

Download
memory/5056-346-0x000002062D070000-0x000002062D071000-memory.dmp

Filesize
4KB

Download
memory/5056-351-0x000002062D070000-0x000002062D071000-memory.dmp

Filesize
4KB

Download
memory/5056-350-0x000002062D070000-0x000002062D071000-memory.dmp

Filesize
4KB

Download