hawkeye | a83b02d1f55f1654d0b38aceb0efe068b62e2d19dcf625af3649bff0fda2b885

Analysis

max time kernel
148s
max time network
307s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2024 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Server_protected.exe
Size

2.8MB
MD5

6c322fce42cecda6465e34424a2071d8
SHA1

b60d414f2a0047fc64066cb321e60149c91abfb3
SHA256

a83b02d1f55f1654d0b38aceb0efe068b62e2d19dcf625af3649bff0fda2b885
SHA512

f1e39bc9253e7ceefb21759e75a0352f65b454b55e5dc6adc098f5ba050fd1da879d8501eb054f920f8a37a0bf5a68c34394089c570af3b3ce12ad14e8bafb71
SSDEEP

49152:ZkpBXL0eovOeG1ahNMWlAUlYoZpwO6v3xOO5UuyYqFSMsyuRjguT3c5gDejqEVLV:ZkpBXLwKwN5pn4xOsNKFNjYxLcmFq0Y

Score

10^/10

hawkeye remcos hosting evasion keylogger persistence rat spyware stealer themida trojan

Malware Config

Extracted

Family

remcos

Botnet

Hosting

outdoor-mailed.gl.at.ply.gg:13031

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
BrowsersDLLPackes.exe
copy_folder
Setup
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%WinDir%\System32
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-FWVKXO
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
VFilesUpdates
screenshot_path
%WinDir%\System32
screenshot_time
10
startup_value
Windows UAC
take_screenshot_option
false
take_screenshot_time
5

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Server_protected.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	BrowsersDLLPackes.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Server_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BrowsersDLLPackes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BrowsersDLLPackes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Server_protected.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	Server_protected.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	BrowsersDLLPackes.exe

Executes dropped EXE 31 IoCs

pid	Process
2572	BrowsersDLLPackes.exe
2292	BrowsersDLLPackes.exe
2344	BrowsersDLLPackes.exe
1924	BrowsersDLLPackes.exe
1836	BrowsersDLLPackes.exe
3580	BrowsersDLLPackes.exe
4816	BrowsersDLLPackes.exe
3740	BrowsersDLLPackes.exe
3832	BrowsersDLLPackes.exe
3972	BrowsersDLLPackes.exe
3692	BrowsersDLLPackes.exe
1072	BrowsersDLLPackes.exe
4752	BrowsersDLLPackes.exe
64	BrowsersDLLPackes.exe
4852	BrowsersDLLPackes.exe
3920	BrowsersDLLPackes.exe
536	BrowsersDLLPackes.exe
780	BrowsersDLLPackes.exe
2052	BrowsersDLLPackes.exe
2836	BrowsersDLLPackes.exe
2820	BrowsersDLLPackes.exe
432	BrowsersDLLPackes.exe
4848	BrowsersDLLPackes.exe
4960	BrowsersDLLPackes.exe
2148	BrowsersDLLPackes.exe
2552	BrowsersDLLPackes.exe
4536	BrowsersDLLPackes.exe
1164	BrowsersDLLPackes.exe
5052	BrowsersDLLPackes.exe
3060	BrowsersDLLPackes.exe
4024	BrowsersDLLPackes.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 28 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/5056-0-0x0000000000020000-0x0000000000744000-memory.dmp	themida
behavioral1/memory/5056-2-0x0000000000020000-0x0000000000744000-memory.dmp	themida
behavioral1/memory/5056-3-0x0000000000020000-0x0000000000744000-memory.dmp	themida
behavioral1/memory/5056-4-0x0000000000020000-0x0000000000744000-memory.dmp	themida
behavioral1/memory/5056-5-0x0000000000020000-0x0000000000744000-memory.dmp	themida
behavioral1/memory/5056-6-0x0000000000020000-0x0000000000744000-memory.dmp	themida
behavioral1/memory/5056-7-0x0000000000020000-0x0000000000744000-memory.dmp	themida
behavioral1/memory/5056-8-0x0000000000020000-0x0000000000744000-memory.dmp	themida
behavioral1/memory/5056-9-0x0000000000020000-0x0000000000744000-memory.dmp	themida
behavioral1/memory/5056-15-0x0000000000020000-0x0000000000744000-memory.dmp	themida
behavioral1/files/0x000700000002334d-18.dat	themida
behavioral1/memory/2572-20-0x0000000000340000-0x0000000000A64000-memory.dmp	themida
behavioral1/memory/2572-21-0x0000000000340000-0x0000000000A64000-memory.dmp	themida
behavioral1/memory/2572-22-0x0000000000340000-0x0000000000A64000-memory.dmp	themida
behavioral1/memory/2572-23-0x0000000000340000-0x0000000000A64000-memory.dmp	themida
behavioral1/memory/2572-24-0x0000000000340000-0x0000000000A64000-memory.dmp	themida
behavioral1/memory/2572-25-0x0000000000340000-0x0000000000A64000-memory.dmp	themida
behavioral1/memory/2572-26-0x0000000000340000-0x0000000000A64000-memory.dmp	themida
behavioral1/memory/2572-27-0x0000000000340000-0x0000000000A64000-memory.dmp	themida
behavioral1/memory/2572-28-0x0000000000340000-0x0000000000A64000-memory.dmp	themida
behavioral1/memory/2572-32-0x0000000000340000-0x0000000000A64000-memory.dmp	themida
behavioral1/memory/2572-35-0x0000000000340000-0x0000000000A64000-memory.dmp	themida
behavioral1/memory/2572-37-0x0000000000340000-0x0000000000A64000-memory.dmp	themida
behavioral1/memory/2572-39-0x0000000000340000-0x0000000000A64000-memory.dmp	themida
behavioral1/memory/2572-54-0x0000000000340000-0x0000000000A64000-memory.dmp	themida
behavioral1/memory/2572-74-0x0000000000340000-0x0000000000A64000-memory.dmp	themida
behavioral1/memory/2572-95-0x0000000000340000-0x0000000000A64000-memory.dmp	themida
behavioral1/memory/2572-231-0x0000000000340000-0x0000000000A64000-memory.dmp	themida

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows UAC = "\"C:\\Windows\\SysWOW64\\Setup\\BrowsersDLLPackes.exe\""	Server_protected.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows UAC = "\"C:\\Windows\\SysWOW64\\Setup\\BrowsersDLLPackes.exe\""	Server_protected.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows UAC = "\"C:\\Windows\\SysWOW64\\Setup\\BrowsersDLLPackes.exe\""	BrowsersDLLPackes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows UAC = "\"C:\\Windows\\SysWOW64\\Setup\\BrowsersDLLPackes.exe\""	BrowsersDLLPackes.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Server_protected.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BrowsersDLLPackes.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe	Server_protected.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF	dxdiag.exe
File opened for modification	C:\Windows\SysWOW64\Setup	BrowsersDLLPackes.exe
File opened for modification	C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe	BrowsersDLLPackes.exe
File created	C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe	Server_protected.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\machine.PNF	dxdiag.exe
File opened for modification	C:\Windows\SysWOW64\Setup	Server_protected.exe
File created	C:\Windows\SysWOW64\VFilesUpdates\time_20240329_165909.dat	BrowsersDLLPackes.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	dxdiag.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
5056	Server_protected.exe
2572	BrowsersDLLPackes.exe

Suspicious use of SetThreadContext 30 IoCs

description	pid	Process	procid_target
PID 2572 set thread context of 2292	2572	BrowsersDLLPackes.exe	110
PID 2572 set thread context of 2344	2572	BrowsersDLLPackes.exe	111
PID 2572 set thread context of 1924	2572	BrowsersDLLPackes.exe	113
PID 2572 set thread context of 1836	2572	BrowsersDLLPackes.exe	114
PID 2572 set thread context of 3580	2572	BrowsersDLLPackes.exe	115
PID 2572 set thread context of 4816	2572	BrowsersDLLPackes.exe	116
PID 2572 set thread context of 3740	2572	BrowsersDLLPackes.exe	117
PID 2572 set thread context of 3832	2572	BrowsersDLLPackes.exe	118
PID 2572 set thread context of 3972	2572	BrowsersDLLPackes.exe	119
PID 2572 set thread context of 3692	2572	BrowsersDLLPackes.exe	129
PID 2572 set thread context of 1072	2572	BrowsersDLLPackes.exe	130
PID 2572 set thread context of 4752	2572	BrowsersDLLPackes.exe	132
PID 2572 set thread context of 64	2572	BrowsersDLLPackes.exe	135
PID 2572 set thread context of 4852	2572	BrowsersDLLPackes.exe	136
PID 2572 set thread context of 3920	2572	BrowsersDLLPackes.exe	137
PID 2572 set thread context of 536	2572	BrowsersDLLPackes.exe	141
PID 2572 set thread context of 780	2572	BrowsersDLLPackes.exe	142
PID 2572 set thread context of 2052	2572	BrowsersDLLPackes.exe	144
PID 2572 set thread context of 2836	2572	BrowsersDLLPackes.exe	147
PID 2572 set thread context of 2820	2572	BrowsersDLLPackes.exe	148
PID 2572 set thread context of 432	2572	BrowsersDLLPackes.exe	150
PID 2572 set thread context of 4848	2572	BrowsersDLLPackes.exe	153
PID 2572 set thread context of 4960	2572	BrowsersDLLPackes.exe	154
PID 2572 set thread context of 2148	2572	BrowsersDLLPackes.exe	156
PID 2572 set thread context of 2552	2572	BrowsersDLLPackes.exe	162
PID 2572 set thread context of 4536	2572	BrowsersDLLPackes.exe	163
PID 2572 set thread context of 1164	2572	BrowsersDLLPackes.exe	165
PID 2572 set thread context of 5052	2572	BrowsersDLLPackes.exe	169
PID 2572 set thread context of 3060	2572	BrowsersDLLPackes.exe	170
PID 2572 set thread context of 4024	2572	BrowsersDLLPackes.exe	172

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4440	4848	WerFault.exe	153
1104	2148	WerFault.exe	156
1000	4960	WerFault.exe	154
3268	2552	WerFault.exe	162

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dxdiag.exe

Modifies registry class 37 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1904519900-954640453-4250331663-1000\{D40AB85A-B2D3-4821-B863-FD2113A5B6CD}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer	dxdiag.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings	BrowsersDLLPackes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	dxdiag.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings	Server_protected.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dxdiagn.dll"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID	dxdiag.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4152	dxdiag.exe
4152	dxdiag.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2572	BrowsersDLLPackes.exe

Suspicious behavior: MapViewOfSection 30 IoCs

pid	Process
2572	BrowsersDLLPackes.exe
2572	BrowsersDLLPackes.exe
2572	BrowsersDLLPackes.exe
2572	BrowsersDLLPackes.exe
2572	BrowsersDLLPackes.exe
2572	BrowsersDLLPackes.exe
2572	BrowsersDLLPackes.exe
2572	BrowsersDLLPackes.exe
2572	BrowsersDLLPackes.exe
2572	BrowsersDLLPackes.exe
2572	BrowsersDLLPackes.exe
2572	BrowsersDLLPackes.exe
2572	BrowsersDLLPackes.exe
2572	BrowsersDLLPackes.exe
2572	BrowsersDLLPackes.exe
2572	BrowsersDLLPackes.exe
2572	BrowsersDLLPackes.exe
2572	BrowsersDLLPackes.exe
2572	BrowsersDLLPackes.exe
2572	BrowsersDLLPackes.exe
2572	BrowsersDLLPackes.exe
2572	BrowsersDLLPackes.exe
2572	BrowsersDLLPackes.exe
2572	BrowsersDLLPackes.exe
2572	BrowsersDLLPackes.exe
2572	BrowsersDLLPackes.exe
2572	BrowsersDLLPackes.exe
2572	BrowsersDLLPackes.exe
2572	BrowsersDLLPackes.exe
2572	BrowsersDLLPackes.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2572	BrowsersDLLPackes.exe
4152	dxdiag.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 3740	5056	Server_protected.exe	96
PID 5056 wrote to memory of 3740	5056	Server_protected.exe	96
PID 5056 wrote to memory of 3740	5056	Server_protected.exe	96
PID 3740 wrote to memory of 4192	3740	WScript.exe	97
PID 3740 wrote to memory of 4192	3740	WScript.exe	97
PID 3740 wrote to memory of 4192	3740	WScript.exe	97
PID 4192 wrote to memory of 2572	4192	cmd.exe	99
PID 4192 wrote to memory of 2572	4192	cmd.exe	99
PID 4192 wrote to memory of 2572	4192	cmd.exe	99
PID 2572 wrote to memory of 4152	2572	BrowsersDLLPackes.exe	109
PID 2572 wrote to memory of 4152	2572	BrowsersDLLPackes.exe	109
PID 2572 wrote to memory of 4152	2572	BrowsersDLLPackes.exe	109
PID 2572 wrote to memory of 2292	2572	BrowsersDLLPackes.exe	110
PID 2572 wrote to memory of 2292	2572	BrowsersDLLPackes.exe	110
PID 2572 wrote to memory of 2292	2572	BrowsersDLLPackes.exe	110
PID 2572 wrote to memory of 2292	2572	BrowsersDLLPackes.exe	110
PID 2572 wrote to memory of 2344	2572	BrowsersDLLPackes.exe	111
PID 2572 wrote to memory of 2344	2572	BrowsersDLLPackes.exe	111
PID 2572 wrote to memory of 2344	2572	BrowsersDLLPackes.exe	111
PID 2572 wrote to memory of 2344	2572	BrowsersDLLPackes.exe	111
PID 2572 wrote to memory of 1924	2572	BrowsersDLLPackes.exe	113
PID 2572 wrote to memory of 1924	2572	BrowsersDLLPackes.exe	113
PID 2572 wrote to memory of 1924	2572	BrowsersDLLPackes.exe	113
PID 2572 wrote to memory of 1924	2572	BrowsersDLLPackes.exe	113
PID 2572 wrote to memory of 1836	2572	BrowsersDLLPackes.exe	114
PID 2572 wrote to memory of 1836	2572	BrowsersDLLPackes.exe	114
PID 2572 wrote to memory of 1836	2572	BrowsersDLLPackes.exe	114
PID 2572 wrote to memory of 1836	2572	BrowsersDLLPackes.exe	114
PID 2572 wrote to memory of 3580	2572	BrowsersDLLPackes.exe	115
PID 2572 wrote to memory of 3580	2572	BrowsersDLLPackes.exe	115
PID 2572 wrote to memory of 3580	2572	BrowsersDLLPackes.exe	115
PID 2572 wrote to memory of 3580	2572	BrowsersDLLPackes.exe	115
PID 2572 wrote to memory of 4816	2572	BrowsersDLLPackes.exe	116
PID 2572 wrote to memory of 4816	2572	BrowsersDLLPackes.exe	116
PID 2572 wrote to memory of 4816	2572	BrowsersDLLPackes.exe	116
PID 2572 wrote to memory of 4816	2572	BrowsersDLLPackes.exe	116
PID 2572 wrote to memory of 3740	2572	BrowsersDLLPackes.exe	117
PID 2572 wrote to memory of 3740	2572	BrowsersDLLPackes.exe	117
PID 2572 wrote to memory of 3740	2572	BrowsersDLLPackes.exe	117
PID 2572 wrote to memory of 3740	2572	BrowsersDLLPackes.exe	117
PID 2572 wrote to memory of 3832	2572	BrowsersDLLPackes.exe	118
PID 2572 wrote to memory of 3832	2572	BrowsersDLLPackes.exe	118
PID 2572 wrote to memory of 3832	2572	BrowsersDLLPackes.exe	118
PID 2572 wrote to memory of 3832	2572	BrowsersDLLPackes.exe	118
PID 2572 wrote to memory of 3972	2572	BrowsersDLLPackes.exe	119
PID 2572 wrote to memory of 3972	2572	BrowsersDLLPackes.exe	119
PID 2572 wrote to memory of 3972	2572	BrowsersDLLPackes.exe	119
PID 2572 wrote to memory of 3972	2572	BrowsersDLLPackes.exe	119
PID 2572 wrote to memory of 3692	2572	BrowsersDLLPackes.exe	129
PID 2572 wrote to memory of 3692	2572	BrowsersDLLPackes.exe	129
PID 2572 wrote to memory of 3692	2572	BrowsersDLLPackes.exe	129
PID 2572 wrote to memory of 3692	2572	BrowsersDLLPackes.exe	129
PID 2572 wrote to memory of 1072	2572	BrowsersDLLPackes.exe	130
PID 2572 wrote to memory of 1072	2572	BrowsersDLLPackes.exe	130
PID 2572 wrote to memory of 1072	2572	BrowsersDLLPackes.exe	130
PID 2572 wrote to memory of 1072	2572	BrowsersDLLPackes.exe	130
PID 2572 wrote to memory of 4752	2572	BrowsersDLLPackes.exe	132
PID 2572 wrote to memory of 4752	2572	BrowsersDLLPackes.exe	132
PID 2572 wrote to memory of 4752	2572	BrowsersDLLPackes.exe	132
PID 2572 wrote to memory of 4752	2572	BrowsersDLLPackes.exe	132
PID 2572 wrote to memory of 64	2572	BrowsersDLLPackes.exe	135
PID 2572 wrote to memory of 64	2572	BrowsersDLLPackes.exe	135
PID 2572 wrote to memory of 64	2572	BrowsersDLLPackes.exe	135
PID 2572 wrote to memory of 64	2572	BrowsersDLLPackes.exe	135

C:\Users\Admin\AppData\Local\Temp\Server_protected.exe
"C:\Users\Admin\AppData\Local\Temp\Server_protected.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4192
  - - C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe
      C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\SysWOW64\dxdiag.exe
        
        "C:\Windows\System32\dxdiag.exe" /t C:\Users\Admin\AppData\Local\Temp\sysinfo.txt
        5⤵
        Drops file in System32 directory
        Checks SCSI registry key(s)
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4152
    - - C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe
        
        C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe /stext "C:\Users\Admin\AppData\Local\Temp\gepdwuedebeltxqkvld"
        5⤵
        Executes dropped EXE
        
        PID:2292
    - - C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe
        
        C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe /stext "C:\Users\Admin\AppData\Local\Temp\igvoxmpxsjwyddewmwqjrwh"
        5⤵
        Executes dropped EXE
        
        PID:2344
    - - C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe
        
        C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe /stext "C:\Users\Admin\AppData\Local\Temp\taagyfhygrodfraavgkkcbbwmb"
        5⤵
        Executes dropped EXE
        
        PID:1924
    - - C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe
        
        C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe /stext "C:\Users\Admin\AppData\Local\Temp\npwyuduktnswrsf"
        5⤵
        Executes dropped EXE
        
        PID:1836
    - - C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe
        
        C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe /stext "C:\Users\Admin\AppData\Local\Temp\ykbqvwedhvkbcytkgd"
        5⤵
        Executes dropped EXE
        
        PID:3580
    - - C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe
        
        C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe /stext "C:\Users\Admin\AppData\Local\Temp\amhjwopfddcoefpoxoyyg"
        5⤵
        Executes dropped EXE
        
        PID:4816
    - - C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe
        
        C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe /stext "C:\Users\Admin\AppData\Local\Temp\fviltfukfizma"
        5⤵
        Executes dropped EXE
        
        PID:3740
    - - C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe
        
        C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe /stext "C:\Users\Admin\AppData\Local\Temp\ppvduyfmtqrrdawk"
        5⤵
        Executes dropped EXE
        
        PID:3832
    - - C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe
        
        C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe /stext "C:\Users\Admin\AppData\Local\Temp\srawuqqfhyjengsoiyyo"
        5⤵
        Executes dropped EXE
        
        PID:3972
    - - C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe
        
        C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe /stext "C:\Users\Admin\AppData\Local\Temp\mgonrxkr"
        5⤵
        Executes dropped EXE
        
        PID:3692
    - - C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe
        
        C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe /stext "C:\Users\Admin\AppData\Local\Temp\xacgrpvtqdf"
        5⤵
        Executes dropped EXE
        
        PID:1072
    - - C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe
        
        C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe /stext "C:\Users\Admin\AppData\Local\Temp\hvhrsafmelxhmbh"
        5⤵
        Executes dropped EXE
        
        PID:4752
    - - C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe
        
        C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe /stext "C:\Users\Admin\AppData\Local\Temp\mmibpzc"
        5⤵
        Executes dropped EXE
        
        PID:64
    - - C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe
        
        C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe /stext "C:\Users\Admin\AppData\Local\Temp\ogntqrntuy"
        5⤵
        Executes dropped EXE
        
        PID:4852
    - - C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe
        
        C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe /stext "C:\Users\Admin\AppData\Local\Temp\ziterkguigexn"
        5⤵
        Executes dropped EXE
        
        PID:3920
    - - C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe
        
        C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe /stext "C:\Users\Admin\AppData\Local\Temp\tppvnjsgdciqzwoiodhkcgzlzlpnjlfft"
        5⤵
        Executes dropped EXE
        
        PID:536
    - - C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe
        
        C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe /stext "C:\Users\Admin\AppData\Local\Temp\druoo"
        5⤵
        Executes dropped EXE
        
        PID:780
    - - C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe
        
        C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe /stext "C:\Users\Admin\AppData\Local\Temp\gmzgouob"
        5⤵
        Executes dropped EXE
        
        PID:2052
    - - C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe
        
        C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe /stext "C:\Users\Admin\AppData\Local\Temp\lvaqmltghxogzxrizohailmccqesxxy"
        5⤵
        Executes dropped EXE
        
        PID:2836
    - - C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe
        
        C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe /stext "C:\Users\Admin\AppData\Local\Temp\vxobmdeivfglklfmiycbtqhtlwvbyipthb"
        5⤵
        Executes dropped EXE
        
        PID:2820
    - - C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe
        
        C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe /stext "C:\Users\Admin\AppData\Local\Temp\yrttnwo"
        5⤵
        Executes dropped EXE
        
        PID:432
    - - C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe
        
        C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe /stext "C:\Users\Admin\AppData\Local\Temp\sghljujnekdrytfwtvdouefjwo"
        5⤵
        Executes dropped EXE
        
        PID:4848
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 12
        6⤵
        Program crash
        
        PID:4440
    - - C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe
        
        C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe /stext "C:\Users\Admin\AppData\Local\Temp\cauekntpssvwizuakgppxrasfvbxs"
        5⤵
        Executes dropped EXE
        
        PID:4960
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 12
        6⤵
        Program crash
        
        PID:1000
    - - C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe
        
        C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe /stext "C:\Users\Admin\AppData\Local\Temp\ncawlfeiganblnqetrcjiwujoblfmvpuw"
        5⤵
        Executes dropped EXE
        
        PID:2148
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 12
        6⤵
        Program crash
        
        PID:1104
    - - C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe
        
        C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe /stext "C:\Users\Admin\AppData\Local\Temp\hrvohmqutxruxomrvdqcx"
        5⤵
        Executes dropped EXE
        
        PID:2552
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 12
        6⤵
        Program crash
        
        PID:3268
    - - C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe
        
        C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe /stext "C:\Users\Admin\AppData\Local\Temp\kmbyiebvhfjzhuiveoddajtaz"
        5⤵
        Executes dropped EXE
        
        PID:4536
    - - C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe
        
        C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe /stext "C:\Users\Admin\AppData\Local\Temp\uogrjpupdnbmjawzvqpflonjiaqb"
        5⤵
        Executes dropped EXE
        
        PID:1164
    - - C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe
        
        C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe /stext "C:\Users\Admin\AppData\Local\Temp\zxhbgorufaxkghxjgnqs"
        5⤵
        Executes dropped EXE
        
        PID:5052
    - - C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe
        
        C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe /stext "C:\Users\Admin\AppData\Local\Temp\brnlhgcwtippivlnpyltppo"
        5⤵
        Executes dropped EXE
        
        PID:3060
    - - C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe
        
        C:\Windows\SysWOW64\Setup\BrowsersDLLPackes.exe /stext "C:\Users\Admin\AppData\Local\Temp\mtaehzmphqicschzgjxnzubalf"
        5⤵
        Executes dropped EXE
        
        PID:4024
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\gaoveyhbummvede.vbs"
        5⤵
        
        PID:3416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3752 --field-trial-handle=3084,i,14217130992253490921,11543335378077656547,262144 --variations-seed-version /prefetch:8
1⤵
PID:664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2344 -ip 2344
1⤵
PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2292 -ip 2292
1⤵
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3832 -ip 3832
1⤵
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3580 -ip 3580
1⤵
PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3740 -ip 3740
1⤵
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4816 -ip 4816
1⤵
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1924 -ip 1924
1⤵
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3972 -ip 3972
1⤵
PID:1148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1836 -ip 1836
1⤵
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3692 -ip 3692
1⤵
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1072 -ip 1072
1⤵
PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4752 -ip 4752
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4852 -ip 4852
1⤵
PID:2116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3920 -ip 3920
1⤵
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 64 -ip 64
1⤵
PID:2552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 536 -ip 536
1⤵
PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 780 -ip 780
1⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2052 -ip 2052
1⤵
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2836 -ip 2836
1⤵
PID:904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2820 -ip 2820
1⤵
PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 432 -ip 432
1⤵
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4848 -ip 4848
1⤵
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4960 -ip 4960
1⤵
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2148 -ip 2148
1⤵
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2552 -ip 2552
1⤵
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4536 -ip 4536
1⤵
PID:620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1164 -ip 1164
1⤵
PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 5052 -ip 5052
1⤵
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3060 -ip 3060
1⤵
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4024 -ip 4024
1⤵
PID:3596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
318B

MD5
90c7199ff1727bbd4598a4a12b1fed6f

SHA1
d7fa87182b74eb31626533775c4b7f6be35052d7

SHA256
a829bc8cc30a62848cb1816d51117055c2211fab7788a65a45e014a6bba2257c

SHA512
66095d1e74c93452bea77b9d8d69e64aaa5dea0f74a5d624aa76c2c80ede004530a7ddaa9b1a5a96b1074465f3247959c78610d2847cc8ac851fb91fa095b808

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
c714b748f261ffc0698472b4ef3c26e0

SHA1
70906426a3b2c73d38481ce71ba64faab986e50b

SHA256
0ce9bc1459968207f3110179a2bfadbc827a82bf1a65c515f7aaa3c0124da0ea

SHA512
101bfd085120f96b715483ee57a901286dc66530a309810218710b66ec772a968041ea914ee2294ffc29bfac14db06c39f435c82f920f80928767746fa36d4bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
416B

MD5
2770b9ac8ae3548fc320ea972daed85a

SHA1
82eab73cf16c9dcbfdfc668e83c8f008877c450f

SHA256
09da2742db7671ba6be09b5a4801f1f57ed15691a751ce928c53a5197c4f932d

SHA512
df4a88353c28663e2cfacb525c17f584c32e2d3bd5b3dd9c4ebf55628bd7080b1462c18e8c662ac8df252129cd56e4d7ba48b3723d9f1d328372a2814909a01b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rdtoeqrcqveahjajrg.vbs

Filesize
598B

MD5
1afdecb2abcd68b6fedd1a751a53251a

SHA1
0139fb1dfa1833c37383897ae2df12492f588125

SHA256
73a5be62bbe6a5b6d0dc09ad48c142f466559746e9210164e98fcb24625148f6

SHA512
a0aa43bf1569d77b7bbf0a43fdf3391c707d0ec715850d02a2917236c878768524a83886e9aa9526ff7b3889f62ab17d74b2a2e7c4e3445bda77833e15aa1afa

Download Submit
C:\Windows\SysWOW64\setup\BrowsersDLLPackes.exe

Filesize
2.8MB

MD5
6c322fce42cecda6465e34424a2071d8

SHA1
b60d414f2a0047fc64066cb321e60149c91abfb3

SHA256
a83b02d1f55f1654d0b38aceb0efe068b62e2d19dcf625af3649bff0fda2b885

SHA512
f1e39bc9253e7ceefb21759e75a0352f65b454b55e5dc6adc098f5ba050fd1da879d8501eb054f920f8a37a0bf5a68c34394089c570af3b3ce12ad14e8bafb71

Download Submit
memory/1924-44-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2292-40-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2344-42-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2572-25-0x0000000000340000-0x0000000000A64000-memory.dmp

Filesize
7.1MB

Download
memory/2572-32-0x0000000000340000-0x0000000000A64000-memory.dmp

Filesize
7.1MB

Download
memory/2572-231-0x0000000000340000-0x0000000000A64000-memory.dmp

Filesize
7.1MB

Download
memory/2572-95-0x0000000000340000-0x0000000000A64000-memory.dmp

Filesize
7.1MB

Download
memory/2572-20-0x0000000000340000-0x0000000000A64000-memory.dmp

Filesize
7.1MB

Download
memory/2572-21-0x0000000000340000-0x0000000000A64000-memory.dmp

Filesize
7.1MB

Download
memory/2572-22-0x0000000000340000-0x0000000000A64000-memory.dmp

Filesize
7.1MB

Download
memory/2572-23-0x0000000000340000-0x0000000000A64000-memory.dmp

Filesize
7.1MB

Download
memory/2572-24-0x0000000000340000-0x0000000000A64000-memory.dmp

Filesize
7.1MB

Download
memory/2572-74-0x0000000000340000-0x0000000000A64000-memory.dmp

Filesize
7.1MB

Download
memory/2572-26-0x0000000000340000-0x0000000000A64000-memory.dmp

Filesize
7.1MB

Download
memory/2572-27-0x0000000000340000-0x0000000000A64000-memory.dmp

Filesize
7.1MB

Download
memory/2572-28-0x0000000000340000-0x0000000000A64000-memory.dmp

Filesize
7.1MB

Download
memory/2572-54-0x0000000000340000-0x0000000000A64000-memory.dmp

Filesize
7.1MB

Download
memory/2572-35-0x0000000000340000-0x0000000000A64000-memory.dmp

Filesize
7.1MB

Download
memory/2572-37-0x0000000000340000-0x0000000000A64000-memory.dmp

Filesize
7.1MB

Download
memory/2572-39-0x0000000000340000-0x0000000000A64000-memory.dmp

Filesize
7.1MB

Download
memory/5056-7-0x0000000000020000-0x0000000000744000-memory.dmp

Filesize
7.1MB

Download
memory/5056-6-0x0000000000020000-0x0000000000744000-memory.dmp

Filesize
7.1MB

Download
memory/5056-5-0x0000000000020000-0x0000000000744000-memory.dmp

Filesize
7.1MB

Download
memory/5056-4-0x0000000000020000-0x0000000000744000-memory.dmp

Filesize
7.1MB

Download
memory/5056-15-0x0000000000020000-0x0000000000744000-memory.dmp

Filesize
7.1MB

Download
memory/5056-3-0x0000000000020000-0x0000000000744000-memory.dmp

Filesize
7.1MB

Download
memory/5056-0-0x0000000000020000-0x0000000000744000-memory.dmp

Filesize
7.1MB

Download
memory/5056-8-0x0000000000020000-0x0000000000744000-memory.dmp

Filesize
7.1MB

Download
memory/5056-2-0x0000000000020000-0x0000000000744000-memory.dmp

Filesize
7.1MB

Download
memory/5056-1-0x0000000077D24000-0x0000000077D26000-memory.dmp

Filesize
8KB

Download
memory/5056-9-0x0000000000020000-0x0000000000744000-memory.dmp

Filesize
7.1MB

Download