remcos | 1ca69e236adf2ce4b3602f6e7328fdf75f9ca9b99abbc85bef1a034f97acb730

Analysis

max time kernel
297s
max time network
293s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2024 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

msimg32.dll
Size

2.3MB
MD5

1b9dd6d0ec099d3cef652a662cb3dbf5
SHA1

60d53ecd48b32d7a3317dee7938465558910e975
SHA256

b431a7291da03060abacbfe81f2b203d36190dbc15c775ea75b5a1192d48559c
SHA512

4c257deb92509929db801359dcf1317865deb5d705f8e73b56efa885d105db6dfe3b257086f0f879ade9b1f85af872e59c077624355abe16d86ebe7ac82dbeef
SSDEEP

49152:869FikjsYvjmNaMTuF2leBiDw0uLsD4Tht:l9sYvjRYDw0is0Tht

Score

10^/10

remcos remotehost discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

privmerkt.com:8922

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-TA78E3
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*UpdaterCisco = "rundll32.exe C:\\Users\\Admin\\Documents\\CiscoUpdater000_PARTIAL.dll,EntryPoint"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*UpdaterCisco = "rundll32.exe C:\\Users\\Admin\\Documents\\CiscoUpdater000_PARTIAL.dll,EntryPoint"	reg.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1 ORGANIZER MARY 2023 COMPILED PDF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1 ORGANIZER MARY 2023 COMPILED PDF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1 ORGANIZER MARY 2023 COMPILED PDF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of SetWindowsHookEx 41 IoCs

pid	Process
3984	OpenWith.exe
1672	OpenWith.exe
1672	OpenWith.exe
1672	OpenWith.exe
1672	OpenWith.exe
1672	OpenWith.exe
1672	OpenWith.exe
1672	OpenWith.exe
1672	OpenWith.exe
1672	OpenWith.exe
1672	OpenWith.exe
1672	OpenWith.exe
1672	OpenWith.exe
1672	OpenWith.exe
1672	OpenWith.exe
1672	OpenWith.exe
1672	OpenWith.exe
1672	OpenWith.exe
1672	OpenWith.exe
1672	OpenWith.exe
1672	OpenWith.exe
1672	OpenWith.exe
1672	OpenWith.exe
1672	OpenWith.exe
1672	OpenWith.exe
1672	OpenWith.exe
1672	OpenWith.exe
1672	OpenWith.exe
1672	OpenWith.exe
1672	OpenWith.exe
1672	OpenWith.exe
1672	OpenWith.exe
1672	OpenWith.exe
1672	OpenWith.exe
1672	OpenWith.exe
1672	OpenWith.exe
2384	AcroRd32.exe
2384	AcroRd32.exe
2384	AcroRd32.exe
2384	AcroRd32.exe
4788	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 4544	4908	regsvr32.exe	81
PID 4908 wrote to memory of 4544	4908	regsvr32.exe	81
PID 4908 wrote to memory of 4544	4908	regsvr32.exe	81
PID 4968 wrote to memory of 4844	4968	1 ORGANIZER MARY 2023 COMPILED PDF.exe	96
PID 4968 wrote to memory of 4844	4968	1 ORGANIZER MARY 2023 COMPILED PDF.exe	96
PID 4968 wrote to memory of 4844	4968	1 ORGANIZER MARY 2023 COMPILED PDF.exe	96
PID 4968 wrote to memory of 4844	4968	1 ORGANIZER MARY 2023 COMPILED PDF.exe	96
PID 4968 wrote to memory of 4844	4968	1 ORGANIZER MARY 2023 COMPILED PDF.exe	96
PID 4968 wrote to memory of 2564	4968	1 ORGANIZER MARY 2023 COMPILED PDF.exe	98
PID 4968 wrote to memory of 2564	4968	1 ORGANIZER MARY 2023 COMPILED PDF.exe	98
PID 4968 wrote to memory of 2564	4968	1 ORGANIZER MARY 2023 COMPILED PDF.exe	98
PID 2564 wrote to memory of 748	2564	cmd.exe	100
PID 2564 wrote to memory of 748	2564	cmd.exe	100
PID 2564 wrote to memory of 748	2564	cmd.exe	100
PID 2996 wrote to memory of 2248	2996	1 ORGANIZER MARY 2023 COMPILED PDF.exe	101
PID 2996 wrote to memory of 2248	2996	1 ORGANIZER MARY 2023 COMPILED PDF.exe	101
PID 2996 wrote to memory of 2248	2996	1 ORGANIZER MARY 2023 COMPILED PDF.exe	101
PID 2996 wrote to memory of 2248	2996	1 ORGANIZER MARY 2023 COMPILED PDF.exe	101
PID 2996 wrote to memory of 2248	2996	1 ORGANIZER MARY 2023 COMPILED PDF.exe	101
PID 2996 wrote to memory of 4732	2996	1 ORGANIZER MARY 2023 COMPILED PDF.exe	102
PID 2996 wrote to memory of 4732	2996	1 ORGANIZER MARY 2023 COMPILED PDF.exe	102
PID 2996 wrote to memory of 4732	2996	1 ORGANIZER MARY 2023 COMPILED PDF.exe	102
PID 4732 wrote to memory of 3096	4732	cmd.exe	104
PID 4732 wrote to memory of 3096	4732	cmd.exe	104
PID 4732 wrote to memory of 3096	4732	cmd.exe	104
PID 1672 wrote to memory of 2384	1672	OpenWith.exe	106
PID 1672 wrote to memory of 2384	1672	OpenWith.exe	106
PID 1672 wrote to memory of 2384	1672	OpenWith.exe	106
PID 2384 wrote to memory of 1000	2384	AcroRd32.exe	107
PID 2384 wrote to memory of 1000	2384	AcroRd32.exe	107
PID 2384 wrote to memory of 1000	2384	AcroRd32.exe	107
PID 1000 wrote to memory of 1928	1000	RdrCEF.exe	108
PID 1000 wrote to memory of 1928	1000	RdrCEF.exe	108
PID 1000 wrote to memory of 1928	1000	RdrCEF.exe	108
PID 1000 wrote to memory of 1928	1000	RdrCEF.exe	108
PID 1000 wrote to memory of 1928	1000	RdrCEF.exe	108
PID 1000 wrote to memory of 1928	1000	RdrCEF.exe	108
PID 1000 wrote to memory of 1928	1000	RdrCEF.exe	108
PID 1000 wrote to memory of 1928	1000	RdrCEF.exe	108
PID 1000 wrote to memory of 1928	1000	RdrCEF.exe	108
PID 1000 wrote to memory of 1928	1000	RdrCEF.exe	108
PID 1000 wrote to memory of 1928	1000	RdrCEF.exe	108
PID 1000 wrote to memory of 1928	1000	RdrCEF.exe	108
PID 1000 wrote to memory of 1928	1000	RdrCEF.exe	108
PID 1000 wrote to memory of 1928	1000	RdrCEF.exe	108
PID 1000 wrote to memory of 1928	1000	RdrCEF.exe	108
PID 1000 wrote to memory of 1928	1000	RdrCEF.exe	108
PID 1000 wrote to memory of 1928	1000	RdrCEF.exe	108
PID 1000 wrote to memory of 1928	1000	RdrCEF.exe	108
PID 1000 wrote to memory of 1928	1000	RdrCEF.exe	108
PID 1000 wrote to memory of 1928	1000	RdrCEF.exe	108
PID 1000 wrote to memory of 1928	1000	RdrCEF.exe	108
PID 1000 wrote to memory of 1928	1000	RdrCEF.exe	108
PID 1000 wrote to memory of 1928	1000	RdrCEF.exe	108
PID 1000 wrote to memory of 1928	1000	RdrCEF.exe	108
PID 1000 wrote to memory of 1928	1000	RdrCEF.exe	108
PID 1000 wrote to memory of 1928	1000	RdrCEF.exe	108
PID 1000 wrote to memory of 1928	1000	RdrCEF.exe	108
PID 1000 wrote to memory of 1928	1000	RdrCEF.exe	108
PID 1000 wrote to memory of 1928	1000	RdrCEF.exe	108
PID 1000 wrote to memory of 1928	1000	RdrCEF.exe	108
PID 1000 wrote to memory of 1928	1000	RdrCEF.exe	108
PID 1000 wrote to memory of 1928	1000	RdrCEF.exe	108
PID 1000 wrote to memory of 1928	1000	RdrCEF.exe	108

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\msimg32.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\msimg32.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4544

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1120

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3984

C:\Users\Admin\AppData\Local\Temp\1 ORGANIZER MARY 2023 COMPILED PDF.exe
"C:\Users\Admin\AppData\Local\Temp\1 ORGANIZER MARY 2023 COMPILED PDF.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Users\Admin\AppData\Local\Temp\1 ORGANIZER MARY 2023 COMPILED PDF.exe
  "C:\Users\Admin\AppData\Local\Temp\1 ORGANIZER MARY 2023 COMPILED PDF.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4844
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:748

C:\Users\Admin\AppData\Local\Temp\1 ORGANIZER MARY 2023 COMPILED PDF.exe
"C:\Users\Admin\AppData\Local\Temp\1 ORGANIZER MARY 2023 COMPILED PDF.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Users\Admin\AppData\Local\Temp\1 ORGANIZER MARY 2023 COMPILED PDF.exe
  "C:\Users\Admin\AppData\Local\Temp\1 ORGANIZER MARY 2023 COMPILED PDF.exe"
  2⤵
  PID:2248
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4732
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:3096

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\1040 & W2"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1000
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=270DE517542E1CB463893C61B23BCF02 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1928
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=803662683634974D35B3BC4727A9EBE2 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=803662683634974D35B3BC4727A9EBE2 --renderer-client-id=2 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:3000
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=361E91E8A45122E1ADC09CA19E4D6113 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5036
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5F6636B35D8956FAF7556A3DE19207F0 --mojo-platform-channel-handle=1956 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:2524
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=ABCDC1B28662D04743C3E0658E4F89C6 --mojo-platform-channel-handle=2380 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:2040

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\CiscoUpdater000_PARTIAL.dll

Filesize
949.5MB

MD5
66b289eb221a65b6136e52bad4d40736

SHA1
1cea850a4342693a1d93710ab4cf9b6851ac40a2

SHA256
2998c1efdab64e2a7c1a07c75434e2787024d72c621f96fea70fd304da2dd22e

SHA512
40a60ff0c28d38edff46bab086ee98d70ce1dc4c38ed6a13a8600739358a1796db88071fa8caa265154baaa30897d21bf2ec1a8c6a8363c093b6333f98d9642d

Download Submit
memory/2248-37-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/2248-36-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/2996-34-0x0000000070200000-0x0000000070471000-memory.dmp

Filesize
2.4MB

Download
memory/2996-33-0x0000000070200000-0x0000000070471000-memory.dmp

Filesize
2.4MB

Download
memory/2996-28-0x0000000070200000-0x0000000070471000-memory.dmp

Filesize
2.4MB

Download
memory/2996-29-0x0000000070200000-0x0000000070471000-memory.dmp

Filesize
2.4MB

Download
memory/2996-31-0x0000000070200000-0x0000000070471000-memory.dmp

Filesize
2.4MB

Download
memory/2996-30-0x0000000070200000-0x0000000070471000-memory.dmp

Filesize
2.4MB

Download
memory/4544-1-0x00000000702ED000-0x000000007030B000-memory.dmp

Filesize
120KB

Download
memory/4544-0-0x0000000070200000-0x0000000070471000-memory.dmp

Filesize
2.4MB

Download
memory/4544-2-0x00000000702ED000-0x000000007030B000-memory.dmp

Filesize
120KB

Download
memory/4844-17-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-42-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-16-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-11-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-18-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-19-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-20-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-21-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-22-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-23-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-24-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-25-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-26-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-27-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-13-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-14-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-7-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-66-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-65-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-64-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-63-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-62-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-39-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-40-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-61-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-41-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-15-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-43-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-44-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-45-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-46-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-47-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-48-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-49-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-50-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-51-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-52-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-53-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-54-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-55-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-56-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-57-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-58-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-59-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4844-60-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/4968-4-0x0000000070200000-0x0000000070471000-memory.dmp

Filesize
2.4MB

Download
memory/4968-6-0x0000000070200000-0x0000000070471000-memory.dmp

Filesize
2.4MB

Download
memory/4968-5-0x0000000070200000-0x0000000070471000-memory.dmp

Filesize
2.4MB

Download
memory/4968-3-0x0000000070200000-0x0000000070471000-memory.dmp

Filesize
2.4MB

Download
memory/4968-8-0x0000000070200000-0x0000000070471000-memory.dmp

Filesize
2.4MB

Download
memory/4968-9-0x0000000070200000-0x0000000070471000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads