Analysis
-
max time kernel
33s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
20-09-2024 17:48
Behavioral task
behavioral1
Sample
6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe
Resource
win10v2004-20240802-en
General
-
Target
6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe
-
Size
2.9MB
-
MD5
5519df0a635727fc10991148bfe970a0
-
SHA1
2a6ff2e8cd98ce0bb1e8a8cf024f616aa922edb7
-
SHA256
6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554
-
SHA512
13ce91d2931ae1aefa618d43919b8c00a612b67a886451a696b5e764c833eb4ce27d07c41ca4c4f95f92791d54b35d55d6efc1f3fec66c4aee1f1d7271f7ee3f
-
SSDEEP
49152:hh+ZkldoPK8Yad7cwj644Mh+ZkldoPK8YaLDNcL:C2cPK8YwjE2cPK8y
Malware Config
Extracted
webmonitor
snpandey4659.wm01.to:443
-
config_key
sFitr5r1ExCJl86X6inyc4qxlzwyw8fK
-
private_key
t1wG88poq
-
url_path
/recv4.php
Extracted
remcos
2.3.0 Pro
RemoteHost
daya4659.ddns.net:8282
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
3
-
copy_file
remcos.exe
-
copy_folder
remcos
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
true
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Remcos-S1KNPZ
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
wikipedia;solitaire;
Signatures
-
RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
-
WebMonitor payload 3 IoCs
resource yara_rule behavioral2/memory/4284-20-0x0000000000400000-0x00000000004C0000-memory.dmp family_webmonitor behavioral2/memory/4284-19-0x0000000000400000-0x00000000004C0000-memory.dmp family_webmonitor behavioral2/memory/452-226-0x0000000000400000-0x00000000004C0000-memory.dmp family_webmonitor -
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation remcos_agent_Protected.exe Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation remcos_agent_Protected.exe Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation remcos.exe Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation driverquery.exe Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation sfc.exe Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation 6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe -
Executes dropped EXE 12 IoCs
pid Process 884 remcos_agent_Protected.exe 696 remcos_agent_Protected.exe 4936 remcos.exe 1852 remcos.exe 3488 driverquery.exe 2356 sfc.exe 4372 driverquery.exe 4776 driverquery.exe 1940 driverquery.exe 2876 driverquery.exe 452 driverquery.exe 3200 sfc.exe -
resource yara_rule behavioral2/memory/4284-13-0x0000000000400000-0x00000000004C0000-memory.dmp upx behavioral2/memory/4284-17-0x0000000000400000-0x00000000004C0000-memory.dmp upx behavioral2/memory/4284-20-0x0000000000400000-0x00000000004C0000-memory.dmp upx behavioral2/memory/4284-19-0x0000000000400000-0x00000000004C0000-memory.dmp upx behavioral2/memory/4284-18-0x0000000000400000-0x00000000004C0000-memory.dmp upx behavioral2/memory/452-226-0x0000000000400000-0x00000000004C0000-memory.dmp upx -
Unexpected DNS network traffic destination 13 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 1.2.4.8 Destination IP 185.141.152.26 Destination IP 185.141.152.26 Destination IP 114.114.114.114 Destination IP 114.114.114.114 Destination IP 185.141.152.26 Destination IP 1.2.4.8 Destination IP 114.114.114.114 Destination IP 1.2.4.8 Destination IP 185.141.152.26 Destination IP 185.141.152.26 Destination IP 1.2.4.8 Destination IP 185.141.152.26 -
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" remcos_agent_Protected.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" remcos_agent_Protected.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" remcos.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" remcos.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WebMonitor-d36a = "C:\\Users\\Admin\\AppData\\Roaming\\WebMonitor-d36a.exe" 6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe -
AutoIT Executable 18 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/files/0x00080000000234b5-4.dat autoit_exe behavioral2/memory/1332-56-0x0000000000400000-0x0000000000526000-memory.dmp autoit_exe behavioral2/memory/1332-57-0x0000000000400000-0x0000000000526000-memory.dmp autoit_exe behavioral2/memory/3356-82-0x0000000000400000-0x0000000000526000-memory.dmp autoit_exe behavioral2/memory/4720-88-0x0000000000400000-0x0000000000526000-memory.dmp autoit_exe behavioral2/memory/4008-90-0x0000000000400000-0x0000000000526000-memory.dmp autoit_exe behavioral2/memory/804-92-0x0000000000400000-0x0000000000526000-memory.dmp autoit_exe behavioral2/memory/3484-103-0x0000000000400000-0x0000000000526000-memory.dmp autoit_exe behavioral2/memory/2124-153-0x0000000000400000-0x0000000000526000-memory.dmp autoit_exe behavioral2/memory/232-196-0x0000000000400000-0x0000000000526000-memory.dmp autoit_exe behavioral2/memory/3116-198-0x0000000000400000-0x0000000000526000-memory.dmp autoit_exe behavioral2/memory/4284-199-0x0000000000F80000-0x000000000126B000-memory.dmp autoit_exe behavioral2/memory/3504-201-0x0000000000400000-0x0000000000526000-memory.dmp autoit_exe behavioral2/memory/1520-204-0x0000000000400000-0x0000000000526000-memory.dmp autoit_exe behavioral2/memory/4752-206-0x0000000000400000-0x0000000000526000-memory.dmp autoit_exe behavioral2/files/0x00070000000234bb-207.dat autoit_exe behavioral2/files/0x00070000000234c2-209.dat autoit_exe behavioral2/memory/2080-212-0x0000000000400000-0x0000000000526000-memory.dmp autoit_exe -
Suspicious use of SetThreadContext 18 IoCs
description pid Process procid_target PID 1148 set thread context of 4284 1148 6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe 85 PID 884 set thread context of 696 884 remcos_agent_Protected.exe 88 PID 4936 set thread context of 1852 4936 remcos.exe 98 PID 1852 set thread context of 1332 1852 remcos.exe 99 PID 1852 set thread context of 3356 1852 remcos.exe 113 PID 1852 set thread context of 4720 1852 remcos.exe 117 PID 1852 set thread context of 4008 1852 remcos.exe 120 PID 1852 set thread context of 804 1852 remcos.exe 125 PID 1852 set thread context of 3484 1852 remcos.exe 128 PID 1852 set thread context of 2124 1852 remcos.exe 131 PID 1852 set thread context of 232 1852 remcos.exe 134 PID 1852 set thread context of 3116 1852 remcos.exe 138 PID 1852 set thread context of 3504 1852 remcos.exe 142 PID 1852 set thread context of 1520 1852 remcos.exe 146 PID 1852 set thread context of 4752 1852 remcos.exe 149 PID 1852 set thread context of 2080 1852 remcos.exe 154 PID 3488 set thread context of 452 3488 driverquery.exe 161 PID 2356 set thread context of 3200 2356 sfc.exe 165 -
HTTP links in PDF interactive object 2 IoCs
Detects HTTP links in interactive objects within PDF files.
resource yara_rule behavioral2/files/0x00070000000234ba-21.dat pdf_with_link_action behavioral2/files/0x00070000000234bb-207.dat pdf_with_link_action -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 13 IoCs
pid pid_target Process procid_target 3196 1332 WerFault.exe 99 4952 3356 WerFault.exe 113 1876 4720 WerFault.exe 117 1656 4008 WerFault.exe 120 3468 804 WerFault.exe 125 3944 3484 WerFault.exe 128 4332 2124 WerFault.exe 131 1220 232 WerFault.exe 134 2744 3116 WerFault.exe 138 4856 3504 WerFault.exe 142 4724 1520 WerFault.exe 146 4868 4752 WerFault.exe 149 4808 2080 WerFault.exe 154 -
System Location Discovery: System Language Discovery 1 TTPs 36 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language driverquery.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos_agent_Protected.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos_agent_Protected.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AcroRd32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz AcroRd32.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION AcroRd32.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings 6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings remcos_agent_Protected.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4784 schtasks.exe 2952 schtasks.exe 4164 schtasks.exe 4452 schtasks.exe 4320 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid Process 1468 AcroRd32.exe 1468 AcroRd32.exe 1468 AcroRd32.exe 1468 AcroRd32.exe 1468 AcroRd32.exe 1468 AcroRd32.exe 1468 AcroRd32.exe 1468 AcroRd32.exe 1468 AcroRd32.exe 1468 AcroRd32.exe 1468 AcroRd32.exe 1468 AcroRd32.exe 1468 AcroRd32.exe 1468 AcroRd32.exe 1468 AcroRd32.exe 1468 AcroRd32.exe 1468 AcroRd32.exe 1468 AcroRd32.exe 1468 AcroRd32.exe 1468 AcroRd32.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 4284 6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1468 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 1468 AcroRd32.exe 1468 AcroRd32.exe 1468 AcroRd32.exe 1468 AcroRd32.exe 1852 remcos.exe 1468 AcroRd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1148 wrote to memory of 884 1148 6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe 82 PID 1148 wrote to memory of 884 1148 6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe 82 PID 1148 wrote to memory of 884 1148 6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe 82 PID 1148 wrote to memory of 1468 1148 6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe 84 PID 1148 wrote to memory of 1468 1148 6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe 84 PID 1148 wrote to memory of 1468 1148 6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe 84 PID 1148 wrote to memory of 4284 1148 6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe 85 PID 1148 wrote to memory of 4284 1148 6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe 85 PID 1148 wrote to memory of 4284 1148 6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe 85 PID 1148 wrote to memory of 4284 1148 6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe 85 PID 1148 wrote to memory of 4284 1148 6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe 85 PID 1148 wrote to memory of 4784 1148 6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe 86 PID 1148 wrote to memory of 4784 1148 6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe 86 PID 1148 wrote to memory of 4784 1148 6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe 86 PID 884 wrote to memory of 696 884 remcos_agent_Protected.exe 88 PID 884 wrote to memory of 696 884 remcos_agent_Protected.exe 88 PID 884 wrote to memory of 696 884 remcos_agent_Protected.exe 88 PID 884 wrote to memory of 696 884 remcos_agent_Protected.exe 88 PID 884 wrote to memory of 696 884 remcos_agent_Protected.exe 88 PID 696 wrote to memory of 5020 696 remcos_agent_Protected.exe 89 PID 696 wrote to memory of 5020 696 remcos_agent_Protected.exe 89 PID 696 wrote to memory of 5020 696 remcos_agent_Protected.exe 89 PID 884 wrote to memory of 2952 884 remcos_agent_Protected.exe 90 PID 884 wrote to memory of 2952 884 remcos_agent_Protected.exe 90 PID 884 wrote to memory of 2952 884 remcos_agent_Protected.exe 90 PID 5020 wrote to memory of 3940 5020 WScript.exe 92 PID 5020 wrote to memory of 3940 5020 WScript.exe 92 PID 5020 wrote to memory of 3940 5020 WScript.exe 92 PID 3940 wrote to memory of 4936 3940 cmd.exe 94 PID 3940 wrote to memory of 4936 3940 cmd.exe 94 PID 3940 wrote to memory of 4936 3940 cmd.exe 94 PID 1468 wrote to memory of 4700 1468 AcroRd32.exe 97 PID 1468 wrote to memory of 4700 1468 AcroRd32.exe 97 PID 1468 wrote to memory of 4700 1468 AcroRd32.exe 97 PID 4936 wrote to memory of 1852 4936 remcos.exe 98 PID 4936 wrote to memory of 1852 4936 remcos.exe 98 PID 4936 wrote to memory of 1852 4936 remcos.exe 98 PID 4936 wrote to memory of 1852 4936 remcos.exe 98 PID 4936 wrote to memory of 1852 4936 remcos.exe 98 PID 1852 wrote to memory of 1332 1852 remcos.exe 99 PID 1852 wrote to memory of 1332 1852 remcos.exe 99 PID 1852 wrote to memory of 1332 1852 remcos.exe 99 PID 1852 wrote to memory of 1332 1852 remcos.exe 99 PID 1852 wrote to memory of 1332 1852 remcos.exe 99 PID 1852 wrote to memory of 1332 1852 remcos.exe 99 PID 1852 wrote to memory of 1332 1852 remcos.exe 99 PID 1852 wrote to memory of 1332 1852 remcos.exe 99 PID 1852 wrote to memory of 1332 1852 remcos.exe 99 PID 1852 wrote to memory of 1332 1852 remcos.exe 99 PID 4700 wrote to memory of 3400 4700 RdrCEF.exe 103 PID 4700 wrote to memory of 3400 4700 RdrCEF.exe 103 PID 4700 wrote to memory of 3400 4700 RdrCEF.exe 103 PID 4700 wrote to memory of 3400 4700 RdrCEF.exe 103 PID 4700 wrote to memory of 3400 4700 RdrCEF.exe 103 PID 4700 wrote to memory of 3400 4700 RdrCEF.exe 103 PID 4700 wrote to memory of 3400 4700 RdrCEF.exe 103 PID 4700 wrote to memory of 3400 4700 RdrCEF.exe 103 PID 4700 wrote to memory of 3400 4700 RdrCEF.exe 103 PID 4700 wrote to memory of 3400 4700 RdrCEF.exe 103 PID 4700 wrote to memory of 3400 4700 RdrCEF.exe 103 PID 4700 wrote to memory of 3400 4700 RdrCEF.exe 103 PID 4700 wrote to memory of 3400 4700 RdrCEF.exe 103 PID 4700 wrote to memory of 3400 4700 RdrCEF.exe 103 PID 4700 wrote to memory of 3400 4700 RdrCEF.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe"C:\Users\Admin\AppData\Local\Temp\6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe"C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe"C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:696 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3940 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exeC:\Users\Admin\AppData\Roaming\remcos\remcos.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"7⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵
- System Location Discovery: System Language Discovery
PID:1332 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 5609⤵
- Program crash
PID:3196
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵
- System Location Discovery: System Language Discovery
PID:3356 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 5609⤵
- Program crash
PID:4952
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵
- System Location Discovery: System Language Discovery
PID:4720 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 5609⤵
- Program crash
PID:1876
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵
- System Location Discovery: System Language Discovery
PID:4008 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 2129⤵
- Program crash
PID:1656
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵
- System Location Discovery: System Language Discovery
PID:804 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 5609⤵
- Program crash
PID:3468
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵
- System Location Discovery: System Language Discovery
PID:3484 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 5609⤵
- Program crash
PID:3944
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵
- System Location Discovery: System Language Discovery
PID:2124 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 5689⤵
- Program crash
PID:4332
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵
- System Location Discovery: System Language Discovery
PID:232 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 5689⤵
- Program crash
PID:1220
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵PID:4660
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵
- System Location Discovery: System Language Discovery
PID:3116 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 5689⤵
- Program crash
PID:2744
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵PID:2200
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵
- System Location Discovery: System Language Discovery
PID:3504 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 5769⤵
- Program crash
PID:4856
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵PID:4016
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵
- System Location Discovery: System Language Discovery
PID:1520 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 5609⤵
- Program crash
PID:4724
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵
- System Location Discovery: System Language Discovery
PID:4752 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 5809⤵
- Program crash
PID:4868
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe8⤵
- System Location Discovery: System Language Discovery
PID:2080 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 5609⤵
- Program crash
PID:4808
-
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4164
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2952
-
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\medical-application-form.pdf"2⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140433⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4700 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B101A846924702B92AA084A22D40FCF1 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
- System Location Discovery: System Language Discovery
PID:3400
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3BB21CDFA0FF6C9C6AA2FC243A6E5655 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3BB21CDFA0FF6C9C6AA2FC243A6E5655 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:14⤵
- System Location Discovery: System Language Discovery
PID:724
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5A86F36AA192BB547625DD5339304670 --mojo-platform-channel-handle=2296 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
- System Location Discovery: System Language Discovery
PID:4800
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=70C3334B69276DE459BCB04E8590F005 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=70C3334B69276DE459BCB04E8590F005 --renderer-client-id=5 --mojo-platform-channel-handle=2436 --allow-no-sandbox-job /prefetch:14⤵
- System Location Discovery: System Language Discovery
PID:1784
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=343600FFE10E41ADC3197342E8103563 --mojo-platform-channel-handle=2700 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
- System Location Discovery: System Language Discovery
PID:4340
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8F2E1056BBF004487135FED22EDEEBD0 --mojo-platform-channel-handle=2852 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
- System Location Discovery: System Language Discovery
PID:1660
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe"C:\Users\Admin\AppData\Local\Temp\6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe"2⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
PID:4284
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4784
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1332 -ip 13321⤵PID:3776
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3356 -ip 33561⤵PID:1364
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4720 -ip 47201⤵PID:788
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4008 -ip 40081⤵PID:4180
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 804 -ip 8041⤵PID:1824
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3484 -ip 34841⤵PID:2944
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2124 -ip 21241⤵PID:1952
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 232 -ip 2321⤵PID:3896
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3116 -ip 31161⤵PID:1676
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3504 -ip 35041⤵PID:544
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1520 -ip 15201⤵PID:2852
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4752 -ip 47521⤵PID:1000
-
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exeC:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3488 -
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"2⤵
- Executes dropped EXE
PID:4372
-
-
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"2⤵
- Executes dropped EXE
PID:4776
-
-
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"2⤵
- Executes dropped EXE
PID:1940
-
-
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"2⤵
- Executes dropped EXE
PID:2876
-
-
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"2⤵
- Executes dropped EXE
PID:452
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4452
-
-
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exeC:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2356 -
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe"C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe"2⤵
- Executes dropped EXE
PID:3200
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4320
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2080 -ip 20801⤵PID:4080
-
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exeC:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe1⤵PID:2236
-
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exeC:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe1⤵PID:3352
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
36KB
MD5b30d3becc8731792523d599d949e63f5
SHA119350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e
-
Filesize
56KB
MD5752a1f26b18748311b691c7d8fc20633
SHA1c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5
-
Filesize
64KB
MD563641f006fc89392a894f6d67e0cd762
SHA10d235098c91de0e2015b2f63227808af27e22d00
SHA25642c100ad408358cf18592870ccecb2992abfb21c640ac8ea4c56b05da541ed10
SHA5123c9bee6952b13f7b20dcb7ba683a93fcafe1243ee68f0d8256be3341a606c2a4b6a58dbd9250ee7b2d78f81b21977eec7a21a3bf0a789c90ffe026cc2bd0c521
-
Filesize
418B
MD5ff449f6f7bc5e2d800eb30e2d2c56611
SHA193419ea805b9ce35a766e5c56db50d54c2d3f94b
SHA256655787cf79040ee701963986320556a834d6345e850e03653e4852d94eb09416
SHA51202a17064c837d36ba241fb8edf9266e33479a10eb8652b974158a3227878a801da29db1108413bb2c298a105b3c19bd20c3a3100f19444189f434706825766a6
-
Filesize
340KB
MD5bb0aa1bade4df17033a05d8d682b44d2
SHA1bec4b0a8a7413d158cf6705a3c888bdf36a4371b
SHA25696d6c8c54390b476e8f8f42b99b52efb19eca152bf046c254992bc2f2faba764
SHA5126bfe1b289f9c84d4db5a564ed129f7920775946981d5da5cb7753d63a141d84486ba9e958044e8162fba2eba875e56c358f92091b760e07b8cbe459e4202e4d9
-
Filesize
1.1MB
MD525b5e68686f3010edd84c84035974015
SHA107fa88f5f72ae246df12527d0fd64eb198770a2b
SHA2569f87c401b8324c46989b50e54e70155efbd341a4bd9b3344ecd408e9213074ef
SHA512abac1d532a15f4cd630a001988ac68c3d39c409fb2872bbebd473c3da077e9fb389ca21c7f767358522c2eee5a9614f326e75805efc737e7a2ec867f56b4f3e1
-
Filesize
2.9MB
MD58dd794c11a6a59656833361f3ca99326
SHA146e5a16c8943c9bcadb282ed206a336427575426
SHA2562da85afafeb886262b3b373d2d4544121e11727cd4e40d0d16795ac297113c4d
SHA512cb273e4fb98729a6c533c9eda002565878a48fc300b3a8ebfbb3f0ea8845d51837a4560909bef80dc8b180472f91182890cad74430d180c1f56c32b6f2d52bcf
-
Filesize
118B
MD57ad145280fa8e6ca7181b1a7f12bfbd4
SHA1d9cf96ce215f1599ba3e3f8d63cf2c0fde1d5318
SHA25613a2699fa0bfc6c08dc54da8bbeaea78e75506b2c720ca128706070ebfbf52ca
SHA512b740aeb70c306231db41672b5f7bd66b9e9314c6c5a6a9bcce92b0a8d7a1ff569bcd744a0554a1b788f291f2dfd3387c565817d8a7778fd275e738c75a1ea1d0
-
Filesize
1.1MB
MD5d5581c9db64b399c7d0cdb3f7b78673b
SHA187396211e6468d73c97301fe0b673f64bcd6d17c
SHA2567210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826
SHA5125a8034902bfd110826aebc8196469f0dea26d94fcb093406342657b9660f400cc495a6a7ce843d32a7541083cfbc3f0fbdf9aab1ad08294729307bffe7c512c6