Analysis
-
max time kernel
55s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
03-09-2024 02:05
Behavioral task
behavioral1
Sample
CameraCaptureUI.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
CameraCaptureUI.exe
Resource
win10v2004-20240802-en
General
-
Target
CameraCaptureUI.exe
-
Size
2.9MB
-
MD5
067027b5b20d0d80be90f41dc126fda3
-
SHA1
b7644f39188e8e8bcb41723833321a43f9474629
-
SHA256
3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01
-
SHA512
a56fa19a0e6e4263a9d48e17e13ef76084808f98dfba1306feda58f64d92acb15c93794726697982f15cde699874407f7a991138de423eb5fa87b43d5084362a
-
SSDEEP
49152:hh+ZkldoPK8Yad7cwj644Mh+ZkldoPK8YaLDNc9:C2cPK8YwjE2cPK8U
Malware Config
Extracted
webmonitor
snpandey4659.wm01.to:443
-
config_key
sFitr5r1ExCJl86X6inyc4qxlzwyw8fK
-
private_key
t1wG88poq
-
url_path
/recv4.php
Extracted
remcos
2.3.0 Pro
RemoteHost
daya4659.ddns.net:8282
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
3
-
copy_file
remcos.exe
-
copy_folder
remcos
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
true
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Remcos-S1KNPZ
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
wikipedia;solitaire;
Signatures
-
RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
-
WebMonitor payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/2360-20-0x0000000000400000-0x00000000004C0000-memory.dmp family_webmonitor behavioral2/memory/2360-19-0x0000000000400000-0x00000000004C0000-memory.dmp family_webmonitor -
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
CameraCaptureUI.exeremcos_agent_Protected.exeremcos_agent_Protected.exeWScript.exeremcos.exedriverquery.exesfc.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation CameraCaptureUI.exe Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation remcos_agent_Protected.exe Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation remcos_agent_Protected.exe Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation driverquery.exe Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation sfc.exe -
Executes dropped EXE 8 IoCs
Processes:
remcos_agent_Protected.exeremcos_agent_Protected.exeremcos.exeremcos.exesfc.exedriverquery.exedriverquery.exesfc.exepid process 2944 remcos_agent_Protected.exe 1412 remcos_agent_Protected.exe 1476 remcos.exe 4428 remcos.exe 1408 sfc.exe 3888 driverquery.exe 3864 driverquery.exe 1524 sfc.exe -
Processes:
resource yara_rule behavioral2/memory/2360-18-0x0000000000400000-0x00000000004C0000-memory.dmp upx behavioral2/memory/2360-20-0x0000000000400000-0x00000000004C0000-memory.dmp upx behavioral2/memory/2360-19-0x0000000000400000-0x00000000004C0000-memory.dmp upx behavioral2/memory/2360-17-0x0000000000400000-0x00000000004C0000-memory.dmp upx behavioral2/memory/2360-13-0x0000000000400000-0x00000000004C0000-memory.dmp upx -
Unexpected DNS network traffic destination 16 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Processes:
description ioc Destination IP 185.141.152.26 Destination IP 114.114.114.114 Destination IP 1.2.4.8 Destination IP 114.114.114.114 Destination IP 114.114.114.114 Destination IP 114.114.114.114 Destination IP 185.141.152.26 Destination IP 185.141.152.26 Destination IP 185.141.152.26 Destination IP 1.2.4.8 Destination IP 185.141.152.26 Destination IP 1.2.4.8 Destination IP 1.2.4.8 Destination IP 1.2.4.8 Destination IP 185.141.152.26 Destination IP 185.141.152.26 -
Adds Run key to start application 2 TTPs 5 IoCs
Processes:
remcos.exeCameraCaptureUI.exeremcos_agent_Protected.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" remcos.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" remcos.exe Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WebMonitor-ea8d = "C:\\Users\\Admin\\AppData\\Roaming\\WebMonitor-ea8d.exe" CameraCaptureUI.exe Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" remcos_agent_Protected.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" remcos_agent_Protected.exe -
AutoIT Executable 21 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe autoit_exe behavioral2/memory/4996-70-0x0000000000400000-0x0000000000526000-memory.dmp autoit_exe behavioral2/memory/4996-71-0x0000000000400000-0x0000000000526000-memory.dmp autoit_exe behavioral2/memory/4700-86-0x0000000000400000-0x0000000000526000-memory.dmp autoit_exe behavioral2/memory/4076-88-0x0000000000400000-0x0000000000526000-memory.dmp autoit_exe behavioral2/memory/4320-90-0x0000000000400000-0x0000000000526000-memory.dmp autoit_exe behavioral2/memory/4404-99-0x0000000000400000-0x0000000000526000-memory.dmp autoit_exe behavioral2/memory/4072-114-0x0000000000400000-0x0000000000526000-memory.dmp autoit_exe behavioral2/memory/4536-194-0x0000000000400000-0x0000000000526000-memory.dmp autoit_exe behavioral2/memory/5040-196-0x0000000000400000-0x0000000000526000-memory.dmp autoit_exe behavioral2/memory/2360-197-0x0000000000C50000-0x0000000000F3B000-memory.dmp autoit_exe behavioral2/memory/2504-199-0x0000000000400000-0x0000000000526000-memory.dmp autoit_exe behavioral2/memory/4804-201-0x0000000000400000-0x0000000000526000-memory.dmp autoit_exe behavioral2/memory/2780-204-0x0000000000400000-0x0000000000526000-memory.dmp autoit_exe behavioral2/memory/1416-206-0x0000000000400000-0x0000000000526000-memory.dmp autoit_exe behavioral2/memory/1820-208-0x0000000000400000-0x0000000000526000-memory.dmp autoit_exe behavioral2/memory/964-213-0x0000000000400000-0x0000000000526000-memory.dmp autoit_exe behavioral2/memory/8-215-0x0000000000400000-0x0000000000526000-memory.dmp autoit_exe behavioral2/memory/4036-218-0x0000000000400000-0x0000000000526000-memory.dmp autoit_exe C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe autoit_exe C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe autoit_exe -
Suspicious use of SetThreadContext 28 IoCs
Processes:
CameraCaptureUI.exeremcos_agent_Protected.exeremcos.exeremcos.exedriverquery.exesfc.exedescription pid process target process PID 4216 set thread context of 2360 4216 CameraCaptureUI.exe CameraCaptureUI.exe PID 2944 set thread context of 1412 2944 remcos_agent_Protected.exe remcos_agent_Protected.exe PID 1476 set thread context of 4428 1476 remcos.exe remcos.exe PID 4428 set thread context of 4996 4428 remcos.exe svchost.exe PID 4428 set thread context of 4700 4428 remcos.exe svchost.exe PID 4428 set thread context of 4076 4428 remcos.exe svchost.exe PID 4428 set thread context of 4320 4428 remcos.exe svchost.exe PID 4428 set thread context of 4404 4428 remcos.exe svchost.exe PID 4428 set thread context of 4072 4428 remcos.exe svchost.exe PID 4428 set thread context of 4536 4428 remcos.exe svchost.exe PID 4428 set thread context of 5040 4428 remcos.exe svchost.exe PID 4428 set thread context of 2504 4428 remcos.exe svchost.exe PID 4428 set thread context of 4804 4428 remcos.exe svchost.exe PID 4428 set thread context of 2780 4428 remcos.exe svchost.exe PID 4428 set thread context of 1416 4428 remcos.exe svchost.exe PID 4428 set thread context of 1820 4428 remcos.exe svchost.exe PID 4428 set thread context of 964 4428 remcos.exe svchost.exe PID 4428 set thread context of 8 4428 remcos.exe svchost.exe PID 4428 set thread context of 4036 4428 remcos.exe svchost.exe PID 4428 set thread context of 2144 4428 remcos.exe svchost.exe PID 4428 set thread context of 1412 4428 remcos.exe svchost.exe PID 4428 set thread context of 3944 4428 remcos.exe svchost.exe PID 4428 set thread context of 4188 4428 remcos.exe svchost.exe PID 4428 set thread context of 3444 4428 remcos.exe svchost.exe PID 4428 set thread context of 2220 4428 remcos.exe svchost.exe PID 4428 set thread context of 4828 4428 remcos.exe svchost.exe PID 3888 set thread context of 3864 3888 driverquery.exe driverquery.exe PID 1408 set thread context of 1524 1408 sfc.exe sfc.exe -
HTTP links in PDF interactive object 2 IoCs
Detects HTTP links in interactive objects within PDF files.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\medical-application-form.pdf pdf_with_link_action C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe pdf_with_link_action -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 23 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 776 4996 WerFault.exe svchost.exe 1400 4700 WerFault.exe svchost.exe 2956 4076 WerFault.exe svchost.exe 3640 4320 WerFault.exe svchost.exe 3992 4404 WerFault.exe svchost.exe 2612 4072 WerFault.exe svchost.exe 1032 4536 WerFault.exe svchost.exe 4424 5040 WerFault.exe svchost.exe 540 2504 WerFault.exe svchost.exe 4808 4804 WerFault.exe svchost.exe 5056 2780 WerFault.exe svchost.exe 2948 1416 WerFault.exe svchost.exe 4932 1820 WerFault.exe svchost.exe 3860 964 WerFault.exe svchost.exe 4424 8 WerFault.exe svchost.exe 3880 4036 WerFault.exe svchost.exe 3152 2144 WerFault.exe svchost.exe 3376 1412 WerFault.exe svchost.exe 3824 3944 WerFault.exe svchost.exe 4764 4188 WerFault.exe svchost.exe 4216 3444 WerFault.exe svchost.exe 3228 2220 WerFault.exe svchost.exe 5112 4828 WerFault.exe svchost.exe -
System Location Discovery: System Language Discovery 1 TTPs 46 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
RdrCEF.exesvchost.exeRdrCEF.exesvchost.exesvchost.exesvchost.exesfc.exeschtasks.exeCameraCaptureUI.exeremcos.exesvchost.execmd.exeRdrCEF.exesvchost.exesvchost.exesvchost.exedriverquery.exeschtasks.exesvchost.exesvchost.exeAcroRd32.exeschtasks.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exeWScript.exeRdrCEF.exeRdrCEF.exeschtasks.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exeCameraCaptureUI.exeremcos_agent_Protected.exeremcos_agent_Protected.exeremcos.exeRdrCEF.exeRdrCEF.exesvchost.exeschtasks.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CameraCaptureUI.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language driverquery.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CameraCaptureUI.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos_agent_Protected.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos_agent_Protected.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
AcroRd32.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AcroRd32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz AcroRd32.exe -
Processes:
AcroRd32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION AcroRd32.exe -
Modifies registry class 2 IoCs
Processes:
remcos_agent_Protected.exeCameraCaptureUI.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings remcos_agent_Protected.exe Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings CameraCaptureUI.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 4976 schtasks.exe 1496 schtasks.exe 4512 schtasks.exe 4072 schtasks.exe 4524 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
AcroRd32.exepid process 3532 AcroRd32.exe 3532 AcroRd32.exe 3532 AcroRd32.exe 3532 AcroRd32.exe 3532 AcroRd32.exe 3532 AcroRd32.exe 3532 AcroRd32.exe 3532 AcroRd32.exe 3532 AcroRd32.exe 3532 AcroRd32.exe 3532 AcroRd32.exe 3532 AcroRd32.exe 3532 AcroRd32.exe 3532 AcroRd32.exe 3532 AcroRd32.exe 3532 AcroRd32.exe 3532 AcroRd32.exe 3532 AcroRd32.exe 3532 AcroRd32.exe 3532 AcroRd32.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
CameraCaptureUI.exepid process 2360 CameraCaptureUI.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
AcroRd32.exepid process 3532 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
AcroRd32.exeremcos.exepid process 3532 AcroRd32.exe 3532 AcroRd32.exe 3532 AcroRd32.exe 3532 AcroRd32.exe 4428 remcos.exe 3532 AcroRd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
CameraCaptureUI.exeremcos_agent_Protected.exeremcos_agent_Protected.exeWScript.execmd.exeAcroRd32.exeRdrCEF.exedescription pid process target process PID 4216 wrote to memory of 2944 4216 CameraCaptureUI.exe remcos_agent_Protected.exe PID 4216 wrote to memory of 2944 4216 CameraCaptureUI.exe remcos_agent_Protected.exe PID 4216 wrote to memory of 2944 4216 CameraCaptureUI.exe remcos_agent_Protected.exe PID 4216 wrote to memory of 3532 4216 CameraCaptureUI.exe AcroRd32.exe PID 4216 wrote to memory of 3532 4216 CameraCaptureUI.exe AcroRd32.exe PID 4216 wrote to memory of 3532 4216 CameraCaptureUI.exe AcroRd32.exe PID 4216 wrote to memory of 2360 4216 CameraCaptureUI.exe CameraCaptureUI.exe PID 4216 wrote to memory of 2360 4216 CameraCaptureUI.exe CameraCaptureUI.exe PID 4216 wrote to memory of 2360 4216 CameraCaptureUI.exe CameraCaptureUI.exe PID 4216 wrote to memory of 2360 4216 CameraCaptureUI.exe CameraCaptureUI.exe PID 4216 wrote to memory of 2360 4216 CameraCaptureUI.exe CameraCaptureUI.exe PID 4216 wrote to memory of 4072 4216 CameraCaptureUI.exe schtasks.exe PID 4216 wrote to memory of 4072 4216 CameraCaptureUI.exe schtasks.exe PID 4216 wrote to memory of 4072 4216 CameraCaptureUI.exe schtasks.exe PID 2944 wrote to memory of 1412 2944 remcos_agent_Protected.exe remcos_agent_Protected.exe PID 2944 wrote to memory of 1412 2944 remcos_agent_Protected.exe remcos_agent_Protected.exe PID 2944 wrote to memory of 1412 2944 remcos_agent_Protected.exe remcos_agent_Protected.exe PID 2944 wrote to memory of 1412 2944 remcos_agent_Protected.exe remcos_agent_Protected.exe PID 2944 wrote to memory of 1412 2944 remcos_agent_Protected.exe remcos_agent_Protected.exe PID 1412 wrote to memory of 2300 1412 remcos_agent_Protected.exe WScript.exe PID 1412 wrote to memory of 2300 1412 remcos_agent_Protected.exe WScript.exe PID 1412 wrote to memory of 2300 1412 remcos_agent_Protected.exe WScript.exe PID 2944 wrote to memory of 4524 2944 remcos_agent_Protected.exe schtasks.exe PID 2944 wrote to memory of 4524 2944 remcos_agent_Protected.exe schtasks.exe PID 2944 wrote to memory of 4524 2944 remcos_agent_Protected.exe schtasks.exe PID 2300 wrote to memory of 4592 2300 WScript.exe cmd.exe PID 2300 wrote to memory of 4592 2300 WScript.exe cmd.exe PID 2300 wrote to memory of 4592 2300 WScript.exe cmd.exe PID 4592 wrote to memory of 1476 4592 cmd.exe remcos.exe PID 4592 wrote to memory of 1476 4592 cmd.exe remcos.exe PID 4592 wrote to memory of 1476 4592 cmd.exe remcos.exe PID 3532 wrote to memory of 3612 3532 AcroRd32.exe RdrCEF.exe PID 3532 wrote to memory of 3612 3532 AcroRd32.exe RdrCEF.exe PID 3532 wrote to memory of 3612 3532 AcroRd32.exe RdrCEF.exe PID 3612 wrote to memory of 4536 3612 RdrCEF.exe RdrCEF.exe PID 3612 wrote to memory of 4536 3612 RdrCEF.exe RdrCEF.exe PID 3612 wrote to memory of 4536 3612 RdrCEF.exe RdrCEF.exe PID 3612 wrote to memory of 4536 3612 RdrCEF.exe RdrCEF.exe PID 3612 wrote to memory of 4536 3612 RdrCEF.exe RdrCEF.exe PID 3612 wrote to memory of 4536 3612 RdrCEF.exe RdrCEF.exe PID 3612 wrote to memory of 4536 3612 RdrCEF.exe RdrCEF.exe PID 3612 wrote to memory of 4536 3612 RdrCEF.exe RdrCEF.exe PID 3612 wrote to memory of 4536 3612 RdrCEF.exe RdrCEF.exe PID 3612 wrote to memory of 4536 3612 RdrCEF.exe RdrCEF.exe PID 3612 wrote to memory of 4536 3612 RdrCEF.exe RdrCEF.exe PID 3612 wrote to memory of 4536 3612 RdrCEF.exe RdrCEF.exe PID 3612 wrote to memory of 4536 3612 RdrCEF.exe RdrCEF.exe PID 3612 wrote to memory of 4536 3612 RdrCEF.exe RdrCEF.exe PID 3612 wrote to memory of 4536 3612 RdrCEF.exe RdrCEF.exe PID 3612 wrote to memory of 4536 3612 RdrCEF.exe RdrCEF.exe PID 3612 wrote to memory of 4536 3612 RdrCEF.exe RdrCEF.exe PID 3612 wrote to memory of 4536 3612 RdrCEF.exe RdrCEF.exe PID 3612 wrote to memory of 4536 3612 RdrCEF.exe RdrCEF.exe PID 3612 wrote to memory of 4536 3612 RdrCEF.exe RdrCEF.exe PID 3612 wrote to memory of 4536 3612 RdrCEF.exe RdrCEF.exe PID 3612 wrote to memory of 4536 3612 RdrCEF.exe RdrCEF.exe PID 3612 wrote to memory of 4536 3612 RdrCEF.exe RdrCEF.exe PID 3612 wrote to memory of 4536 3612 RdrCEF.exe RdrCEF.exe PID 3612 wrote to memory of 4536 3612 RdrCEF.exe RdrCEF.exe PID 3612 wrote to memory of 4536 3612 RdrCEF.exe RdrCEF.exe PID 3612 wrote to memory of 4536 3612 RdrCEF.exe RdrCEF.exe PID 3612 wrote to memory of 4536 3612 RdrCEF.exe RdrCEF.exe PID 3612 wrote to memory of 4536 3612 RdrCEF.exe RdrCEF.exe PID 3612 wrote to memory of 4536 3612 RdrCEF.exe RdrCEF.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\CameraCaptureUI.exe"C:\Users\Admin\AppData\Local\Temp\CameraCaptureUI.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4216 -
C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe"C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe"C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1476 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"7⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4428 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵
- System Location Discovery: System Language Discovery
PID:4996 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 5609⤵
- Program crash
PID:776 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵
- System Location Discovery: System Language Discovery
PID:4700 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 5609⤵
- Program crash
PID:1400 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵
- System Location Discovery: System Language Discovery
PID:4076 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 5609⤵
- Program crash
PID:2956 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵PID:3948
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵
- System Location Discovery: System Language Discovery
PID:4320 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 2049⤵
- Program crash
PID:3640 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵
- System Location Discovery: System Language Discovery
PID:4404 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 5649⤵
- Program crash
PID:3992 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵
- System Location Discovery: System Language Discovery
PID:4072 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 5649⤵
- Program crash
PID:2612 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵
- System Location Discovery: System Language Discovery
PID:4536 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 5609⤵
- Program crash
PID:1032 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵
- System Location Discovery: System Language Discovery
PID:5040 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 2089⤵
- Program crash
PID:4424 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵
- System Location Discovery: System Language Discovery
PID:2504 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 5609⤵
- Program crash
PID:540 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵
- System Location Discovery: System Language Discovery
PID:4804 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 2089⤵
- Program crash
PID:4808 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵PID:2916
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 5609⤵
- Program crash
PID:5056 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵
- System Location Discovery: System Language Discovery
PID:1416 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 5609⤵
- Program crash
PID:2948 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵PID:4508
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵
- System Location Discovery: System Language Discovery
PID:1820 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 5609⤵
- Program crash
PID:4932 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵
- System Location Discovery: System Language Discovery
PID:964 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 5609⤵
- Program crash
PID:3860 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵
- System Location Discovery: System Language Discovery
PID:8 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 5609⤵
- Program crash
PID:4424 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵
- System Location Discovery: System Language Discovery
PID:4036 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 5609⤵
- Program crash
PID:3880 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵
- System Location Discovery: System Language Discovery
PID:2144 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 5609⤵
- Program crash
PID:3152 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵
- System Location Discovery: System Language Discovery
PID:1412 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 5609⤵
- Program crash
PID:3376 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵PID:4440
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵
- System Location Discovery: System Language Discovery
PID:3944 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 2289⤵
- Program crash
PID:3824 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵
- System Location Discovery: System Language Discovery
PID:4188 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 5609⤵
- Program crash
PID:4764 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵PID:2912
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵
- System Location Discovery: System Language Discovery
PID:3444 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 5609⤵
- Program crash
PID:4216 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵
- System Location Discovery: System Language Discovery
PID:2220 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 5609⤵
- Program crash
PID:3228 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵PID:3500
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵
- System Location Discovery: System Language Discovery
PID:4828 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 5649⤵
- Program crash
PID:5112 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4976 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4524 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\medical-application-form.pdf"2⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3532 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140433⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3612 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=628E72AE766C7836E89EB028EAB22751 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
- System Location Discovery: System Language Discovery
PID:4536 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6CAA319E109B300427FC6DD3D2641CCF --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6CAA319E109B300427FC6DD3D2641CCF --renderer-client-id=2 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job /prefetch:14⤵
- System Location Discovery: System Language Discovery
PID:4600 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5C491B0F759CD2A697458E04EEA07284 --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
- System Location Discovery: System Language Discovery
PID:1752 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=FD9B1FDE838FD410762D6F48EB5638B4 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=FD9B1FDE838FD410762D6F48EB5638B4 --renderer-client-id=5 --mojo-platform-channel-handle=2520 --allow-no-sandbox-job /prefetch:14⤵
- System Location Discovery: System Language Discovery
PID:1324 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=01453613BE2DEF0AC2C394D948052C28 --mojo-platform-channel-handle=1808 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
- System Location Discovery: System Language Discovery
PID:4896 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D9728FBDB70C173215B7D7A5CFCE463C --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
- System Location Discovery: System Language Discovery
PID:1316 -
C:\Users\Admin\AppData\Local\Temp\CameraCaptureUI.exe"C:\Users\Admin\AppData\Local\Temp\CameraCaptureUI.exe"2⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
PID:2360 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4072
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4996 -ip 49961⤵PID:1472
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4700 -ip 47001⤵PID:2660
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4076 -ip 40761⤵PID:1940
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4320 -ip 43201⤵PID:2888
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4404 -ip 44041⤵PID:5112
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4072 -ip 40721⤵PID:1980
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4536 -ip 45361⤵PID:2912
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5040 -ip 50401⤵PID:4952
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2504 -ip 25041⤵PID:3992
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4804 -ip 48041⤵PID:1204
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2780 -ip 27801⤵PID:3580
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1416 -ip 14161⤵PID:1300
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1820 -ip 18201⤵PID:3452
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 964 -ip 9641⤵PID:4764
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 8 -ip 81⤵PID:4216
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4036 -ip 40361⤵PID:3080
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2144 -ip 21441⤵PID:1120
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1412 -ip 14121⤵PID:4768
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3944 -ip 39441⤵PID:796
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4188 -ip 41881⤵PID:4884
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3444 -ip 34441⤵PID:2672
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2220 -ip 22201⤵PID:3096
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4828 -ip 48281⤵PID:4004
-
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exeC:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1408 -
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe"C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe"2⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4512
-
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exeC:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3888 -
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"2⤵
- Executes dropped EXE
PID:3864 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1496
-
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exeC:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe1⤵PID:4004
-
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exeC:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe1⤵PID:4592
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
36KB
MD5b30d3becc8731792523d599d949e63f5
SHA119350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e
-
Filesize
56KB
MD5752a1f26b18748311b691c7d8fc20633
SHA1c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5
-
Filesize
64KB
MD50a07d68cef7f583825f6d32a7add122e
SHA1387614ce56ca84d1bb85361e86c1441f98b6c581
SHA256a3aaed610046f6c9dd64fbf2d05bc0fe7cfac6c2e510a6e638906acb740ba3d7
SHA5121929c66bd586cad538187c46df294e9dbdb34c7eeed881ee3693bbf5d1d9d0fdf4155988076fe47ca82fb6bedd22657cfbf4334c9e07019cda644eb911926169
-
Filesize
418B
MD5ff449f6f7bc5e2d800eb30e2d2c56611
SHA193419ea805b9ce35a766e5c56db50d54c2d3f94b
SHA256655787cf79040ee701963986320556a834d6345e850e03653e4852d94eb09416
SHA51202a17064c837d36ba241fb8edf9266e33479a10eb8652b974158a3227878a801da29db1108413bb2c298a105b3c19bd20c3a3100f19444189f434706825766a6
-
Filesize
340KB
MD5bb0aa1bade4df17033a05d8d682b44d2
SHA1bec4b0a8a7413d158cf6705a3c888bdf36a4371b
SHA25696d6c8c54390b476e8f8f42b99b52efb19eca152bf046c254992bc2f2faba764
SHA5126bfe1b289f9c84d4db5a564ed129f7920775946981d5da5cb7753d63a141d84486ba9e958044e8162fba2eba875e56c358f92091b760e07b8cbe459e4202e4d9
-
Filesize
1.1MB
MD5ca6d66a62934585601079f85d861482e
SHA18a83b05af22d5b8b14561aedc5e2eb16679bb43b
SHA256c86f92e8f31b1b94b7f28224ad39049f5b37bf7ec02512a049bce696f93ad41a
SHA51223a3839706e67de3ea292d59089f4f1bef6023472c01c9be596cb860595964c68b6422824347c75a2bb12fddfab8909efd4db450bcbbc34a298b60c8e27b2810
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
2.9MB
MD51ec88792e3c005b546eafc46f9cdde6c
SHA1a20be967bad81b9bf7d5d09739ebc56654fbc81c
SHA25619b3948a9527c118d08d1b139239e78278e7dc1c6c402132cfd83e7084832f4a
SHA512971c9ee9b381a3829ba3e07f4962d1ff81c9286c89aa7e3ac743f5a6d6185fc0d36c4112ec42faf852a6613f853b467273ac83e4349a634d47ad87d2c675cad6
-
Filesize
118B
MD5a943e7f82e39c952c60726617f3461f3
SHA140d590b6503860510b6e0f44afcdf37a8166357e
SHA256f7fe636972fbb05ceadb9654dbd7c4b1ae98287174d8c0bb0cac0b8c92582443
SHA512884f705d9d51c57cd471c72820b902b4a69a53c8bdb2151cafeba70f0e9a25e1ffe776edbe5fbf54da0848e914983b13576175ca5686802c094310442a6c4dff
-
Filesize
1.1MB
MD5d5581c9db64b399c7d0cdb3f7b78673b
SHA187396211e6468d73c97301fe0b673f64bcd6d17c
SHA2567210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826
SHA5125a8034902bfd110826aebc8196469f0dea26d94fcb093406342657b9660f400cc495a6a7ce843d32a7541083cfbc3f0fbdf9aab1ad08294729307bffe7c512c6