remcos | 7e14eac3878e56172746c4ce61a41938ee6ddb571721682db462d31e8810a0c9

Analysis

max time kernel
149s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/10/2024, 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24.exe
Size

469KB
MD5

936f01333e0ff8de6f821e69901b815c
SHA1

e7b64d55bebfff003b7b0c5ecfd5c301b676fbee
SHA256

b47c6fece1bae3a1310a5c676b2c361b98fb6f8639354d7e606138ab3f7f6a84
SHA512

fddb4f6c7f91717a32469ea2b6832390266bb99418ea1c28d87f3511a44ad1a92c4badc9c3e30368f665cbc519bc71cd27f5871e0c3ab8d30d39695c5cb925d0
SSDEEP

12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSwn9:uiLJbpI7I2WhQqZ7w9

Score

10^/10

remcos remotehost discovery evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

core-hook.gl.at.ply.gg:7242

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
scvhost.exe
copy_folder
files
delete_file
true
hide_file
true
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-O8KBFJ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
scvhost
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\scvhost = "\"C:\\ProgramData\\files\\scvhost.exe\""	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	24.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\scvhost = "\"C:\\ProgramData\\files\\scvhost.exe\""	24.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	scvhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\scvhost = "\"C:\\ProgramData\\files\\scvhost.exe\""	scvhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	iexplore.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	24.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
388	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
1832	scvhost.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\scvhost = "\"C:\\ProgramData\\files\\scvhost.exe\""	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\scvhost = "\"C:\\ProgramData\\files\\scvhost.exe\""	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\scvhost = "\"C:\\ProgramData\\files\\scvhost.exe\""	24.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\scvhost = "\"C:\\ProgramData\\files\\scvhost.exe\""	24.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\scvhost = "\"C:\\ProgramData\\files\\scvhost.exe\""	scvhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\scvhost = "\"C:\\ProgramData\\files\\scvhost.exe\""	scvhost.exe

Program crash 30 IoCs

pid	pid_target	Process	procid_target
3760	544	WerFault.exe	106
2264	4416	WerFault.exe	109
1312	2428	WerFault.exe	107
1188	1928	WerFault.exe	117
1400	3952	WerFault.exe	120
5032	4552	WerFault.exe	118
552	2008	WerFault.exe	128
4992	4092	WerFault.exe	129
2736	2256	WerFault.exe	131
636	4464	WerFault.exe	138
1004	4984	WerFault.exe	140
2356	1512	WerFault.exe	137
5008	4152	WerFault.exe	146
2432	4772	WerFault.exe	148
4824	3828	WerFault.exe	147
2252	4540	WerFault.exe	156
4724	4796	WerFault.exe	157
2608	2708	WerFault.exe	159
3128	3976	WerFault.exe	168
2952	4008	WerFault.exe	169
3984	4808	WerFault.exe	167
1312	864	WerFault.exe	176
4996	380	WerFault.exe	179
3920	3068	WerFault.exe	177
2704	4824	WerFault.exe	185
3712	5036	WerFault.exe	186
4376	724	WerFault.exe	188
3632	1012	WerFault.exe	194
640	3332	WerFault.exe	197
4844	3604	WerFault.exe	195

Suspicious use of SetThreadContext 32 IoCs

description	pid	Process	procid_target
PID 1832 set thread context of 4184	1832	scvhost.exe	96
PID 4184 set thread context of 4460	4184	iexplore.exe	99
PID 4184 set thread context of 544	4184	iexplore.exe	106
PID 4184 set thread context of 2428	4184	iexplore.exe	107
PID 4184 set thread context of 4416	4184	iexplore.exe	109
PID 4184 set thread context of 1928	4184	iexplore.exe	117
PID 4184 set thread context of 4552	4184	iexplore.exe	118
PID 4184 set thread context of 3952	4184	iexplore.exe	120
PID 4184 set thread context of 2008	4184	iexplore.exe	128
PID 4184 set thread context of 4092	4184	iexplore.exe	129
PID 4184 set thread context of 2256	4184	iexplore.exe	131
PID 4184 set thread context of 1512	4184	iexplore.exe	137
PID 4184 set thread context of 4464	4184	iexplore.exe	138
PID 4184 set thread context of 4984	4184	iexplore.exe	140
PID 4184 set thread context of 4152	4184	iexplore.exe	146
PID 4184 set thread context of 3828	4184	iexplore.exe	147
PID 4184 set thread context of 4772	4184	iexplore.exe	148
PID 4184 set thread context of 4540	4184	iexplore.exe	156
PID 4184 set thread context of 4796	4184	iexplore.exe	157
PID 4184 set thread context of 2708	4184	iexplore.exe	159
PID 4184 set thread context of 4808	4184	iexplore.exe	167
PID 4184 set thread context of 3976	4184	iexplore.exe	168
PID 4184 set thread context of 4008	4184	iexplore.exe	169
PID 4184 set thread context of 864	4184	iexplore.exe	176
PID 4184 set thread context of 3068	4184	iexplore.exe	177
PID 4184 set thread context of 380	4184	iexplore.exe	179
PID 4184 set thread context of 4824	4184	iexplore.exe	185
PID 4184 set thread context of 5036	4184	iexplore.exe	186
PID 4184 set thread context of 724	4184	iexplore.exe	188
PID 4184 set thread context of 1012	4184	iexplore.exe	194
PID 4184 set thread context of 3604	4184	iexplore.exe	195
PID 4184 set thread context of 3332	4184	iexplore.exe	197

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	24.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	iexplore.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
3400	reg.exe
2952	reg.exe
3128	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1832	scvhost.exe
1832	scvhost.exe

Suspicious behavior: MapViewOfSection 32 IoCs

pid	Process
1832	scvhost.exe
4184	iexplore.exe
4184	iexplore.exe
4184	iexplore.exe
4184	iexplore.exe
4184	iexplore.exe
4184	iexplore.exe
4184	iexplore.exe
4184	iexplore.exe
4184	iexplore.exe
4184	iexplore.exe
4184	iexplore.exe
4184	iexplore.exe
4184	iexplore.exe
4184	iexplore.exe
4184	iexplore.exe
4184	iexplore.exe
4184	iexplore.exe
4184	iexplore.exe
4184	iexplore.exe
4184	iexplore.exe
4184	iexplore.exe
4184	iexplore.exe
4184	iexplore.exe
4184	iexplore.exe
4184	iexplore.exe
4184	iexplore.exe
4184	iexplore.exe
4184	iexplore.exe
4184	iexplore.exe
4184	iexplore.exe
4184	iexplore.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2008	iexplore.exe
4152	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 1620	1084	24.exe	84
PID 1084 wrote to memory of 1620	1084	24.exe	84
PID 1084 wrote to memory of 1620	1084	24.exe	84
PID 1620 wrote to memory of 3400	1620	cmd.exe	86
PID 1620 wrote to memory of 3400	1620	cmd.exe	86
PID 1620 wrote to memory of 3400	1620	cmd.exe	86
PID 1084 wrote to memory of 388	1084	24.exe	88
PID 1084 wrote to memory of 388	1084	24.exe	88
PID 1084 wrote to memory of 388	1084	24.exe	88
PID 388 wrote to memory of 2116	388	WScript.exe	91
PID 388 wrote to memory of 2116	388	WScript.exe	91
PID 388 wrote to memory of 2116	388	WScript.exe	91
PID 2116 wrote to memory of 1832	2116	cmd.exe	93
PID 2116 wrote to memory of 1832	2116	cmd.exe	93
PID 2116 wrote to memory of 1832	2116	cmd.exe	93
PID 1832 wrote to memory of 4472	1832	scvhost.exe	94
PID 1832 wrote to memory of 4472	1832	scvhost.exe	94
PID 1832 wrote to memory of 4472	1832	scvhost.exe	94
PID 1832 wrote to memory of 4184	1832	scvhost.exe	96
PID 1832 wrote to memory of 4184	1832	scvhost.exe	96
PID 1832 wrote to memory of 4184	1832	scvhost.exe	96
PID 1832 wrote to memory of 4184	1832	scvhost.exe	96
PID 4184 wrote to memory of 2280	4184	iexplore.exe	97
PID 4184 wrote to memory of 2280	4184	iexplore.exe	97
PID 4184 wrote to memory of 2280	4184	iexplore.exe	97
PID 4184 wrote to memory of 4460	4184	iexplore.exe	99
PID 4184 wrote to memory of 4460	4184	iexplore.exe	99
PID 4184 wrote to memory of 4460	4184	iexplore.exe	99
PID 4184 wrote to memory of 4460	4184	iexplore.exe	99
PID 2280 wrote to memory of 3128	2280	cmd.exe	100
PID 2280 wrote to memory of 3128	2280	cmd.exe	100
PID 2280 wrote to memory of 3128	2280	cmd.exe	100
PID 4472 wrote to memory of 2952	4472	cmd.exe	101
PID 4472 wrote to memory of 2952	4472	cmd.exe	101
PID 4472 wrote to memory of 2952	4472	cmd.exe	101
PID 4184 wrote to memory of 544	4184	iexplore.exe	106
PID 4184 wrote to memory of 544	4184	iexplore.exe	106
PID 4184 wrote to memory of 544	4184	iexplore.exe	106
PID 4184 wrote to memory of 544	4184	iexplore.exe	106
PID 4184 wrote to memory of 2428	4184	iexplore.exe	107
PID 4184 wrote to memory of 2428	4184	iexplore.exe	107
PID 4184 wrote to memory of 2428	4184	iexplore.exe	107
PID 4184 wrote to memory of 2428	4184	iexplore.exe	107
PID 4184 wrote to memory of 4416	4184	iexplore.exe	109
PID 4184 wrote to memory of 4416	4184	iexplore.exe	109
PID 4184 wrote to memory of 4416	4184	iexplore.exe	109
PID 4184 wrote to memory of 4416	4184	iexplore.exe	109
PID 4184 wrote to memory of 1928	4184	iexplore.exe	117
PID 4184 wrote to memory of 1928	4184	iexplore.exe	117
PID 4184 wrote to memory of 1928	4184	iexplore.exe	117
PID 4184 wrote to memory of 1928	4184	iexplore.exe	117
PID 4184 wrote to memory of 4552	4184	iexplore.exe	118
PID 4184 wrote to memory of 4552	4184	iexplore.exe	118
PID 4184 wrote to memory of 4552	4184	iexplore.exe	118
PID 4184 wrote to memory of 4552	4184	iexplore.exe	118
PID 4184 wrote to memory of 3952	4184	iexplore.exe	120
PID 4184 wrote to memory of 3952	4184	iexplore.exe	120
PID 4184 wrote to memory of 3952	4184	iexplore.exe	120
PID 4184 wrote to memory of 3952	4184	iexplore.exe	120
PID 4184 wrote to memory of 2008	4184	iexplore.exe	128
PID 4184 wrote to memory of 2008	4184	iexplore.exe	128
PID 4184 wrote to memory of 2008	4184	iexplore.exe	128
PID 4184 wrote to memory of 2008	4184	iexplore.exe	128
PID 4184 wrote to memory of 4092	4184	iexplore.exe	129

C:\Users\Admin\AppData\Local\Temp\24.exe
"C:\Users\Admin\AppData\Local\Temp\24.exe"
1⤵
- Adds policy Run key to start application
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Windows\SysWOW64\cmd.exe
  /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3400
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\files\scvhost.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\ProgramData\files\scvhost.exe
      C:\ProgramData\files\scvhost.exe
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1832
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4472
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2952
    - - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        5⤵
        Adds policy Run key to start application
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:4184
      - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        7⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3128
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        
        PID:4460
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ufahncheofdslkplvfbmuzvqsnvkopbbhq"
        6⤵
        
        PID:544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 12
        7⤵
        Program crash
        
        PID:3760
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\wzgrov"
        6⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 12
        7⤵
        Program crash
        
        PID:1312
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\hctkpnlzq"
        6⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 12
        7⤵
        Program crash
        
        PID:2264
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\bjhclmxkdsrvkgezxmpayzoquebgi"
        6⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 12
        7⤵
        Program crash
        
        PID:1188
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\mluumeiezajimmslgxbcjeihvskpbjuc"
        6⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 12
        7⤵
        Program crash
        
        PID:5032
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ofzn"
        6⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 12
        7⤵
        Program crash
        
        PID:1400
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\twbpkoxlpnyllzhzaxpqmfbgpjq"
        6⤵
        Suspicious use of UnmapMainImage
        
        PID:2008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 12
        7⤵
        Program crash
        
        PID:552
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\dqghkgiedvqqvnvdrijrxkwxyxztxw"
        6⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 12
        7⤵
        Program crash
        
        PID:4992
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\gklalztgrdicxtrhaswtawqghercqhdysd"
        6⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 12
        7⤵
        Program crash
        
        PID:2736
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\azhrhgnrmamwjuvncfkeqx"
        6⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 12
        7⤵
        Program crash
        
        PID:2356
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\lcmkiyylaiebuajzlpxfbkpxsv"
        6⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 12
        7⤵
        Program crash
        
        PID:636
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\vwsujrjnoqwfwpgdcajhepjobcxyl"
        6⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 12
        7⤵
        Program crash
        
        PID:1004
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\plomfpvycnbziqcjv"
        6⤵
        Suspicious use of UnmapMainImage
        
        PID:4152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 12
        7⤵
        Program crash
        
        PID:5008
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\aftegigsqvtmswynnpkte"
        6⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 12
        7⤵
        Program crash
        
        PID:4824
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\chyxhaytedlqvcmrwaxvpico"
        6⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 12
        7⤵
        Program crash
        
        PID:2432
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\xouodzlfzzpkh"
        6⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 12
        7⤵
        Program crash
        
        PID:2252
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\hqzherwynhhprrni"
        6⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 12
        7⤵
        Program crash
        
        PID:4724
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\rlnsfkgabpzbtxbmyis"
        6⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 12
        7⤵
        Program crash
        
        PID:2608
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ocgccblfduv"
        6⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 12
        7⤵
        Program crash
        
        PID:3984
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\zwtuctwhqcnesl"
        6⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 12
        7⤵
        Program crash
        
        PID:3128
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\jqzfdmhamkfruzeej"
        6⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 12
        7⤵
        Program crash
        
        PID:2952
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\efuezt"
        6⤵
        
        PID:864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 12
        7⤵
        Program crash
        
        PID:1312
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ghapadmno"
        6⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 12
        7⤵
        Program crash
        
        PID:3920
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\qbfhbvxhcxuut"
        6⤵
        
        PID:380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 12
        7⤵
        Program crash
        
        PID:4996
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\lqbzxcjtpuyofnxgeeugahumgfgzqnqv"
        6⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 12
        7⤵
        Program crash
        
        PID:2704
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\vlgr"
        6⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 12
        7⤵
        Program crash
        
        PID:3712
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ynmcznmo"
        6⤵
        
        PID:724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 724 -s 12
        7⤵
        Program crash
        
        PID:4376
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\cwnmwejbbpfdooagpxcvpnidjkdeezj"
        6⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 12
        7⤵
        Program crash
        
        PID:3632
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\nqsfxxuupxxiqdwkyhoxsacurrnffkijak"
        6⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 12
        7⤵
        Program crash
        
        PID:4844
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\psfxxp"
        6⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 12
        7⤵
        Program crash
        
        PID:640
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ncvrbfykbukicupa.vbs"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4416 -ip 4416
1⤵
PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2428 -ip 2428
1⤵
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 544 -ip 544
1⤵
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1928 -ip 1928
1⤵
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4552 -ip 4552
1⤵
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3952 -ip 3952
1⤵
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2008 -ip 2008
1⤵
PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4092 -ip 4092
1⤵
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2256 -ip 2256
1⤵
PID:620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1512 -ip 1512
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4464 -ip 4464
1⤵
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4984 -ip 4984
1⤵
PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4152 -ip 4152
1⤵
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3828 -ip 3828
1⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4772 -ip 4772
1⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4540 -ip 4540
1⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4796 -ip 4796
1⤵
PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2708 -ip 2708
1⤵
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4808 -ip 4808
1⤵
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3976 -ip 3976
1⤵
PID:2116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4008 -ip 4008
1⤵
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 864 -ip 864
1⤵
PID:856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3068 -ip 3068
1⤵
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 380 -ip 380
1⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4824 -ip 4824
1⤵
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5036 -ip 5036
1⤵
PID:1060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 724 -ip 724
1⤵
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1012 -ip 1012
1⤵
PID:1216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3604 -ip 3604
1⤵
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3332 -ip 3332
1⤵
PID:4148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\files\scvhost.exe

Filesize
469KB

MD5
936f01333e0ff8de6f821e69901b815c

SHA1
e7b64d55bebfff003b7b0c5ecfd5c301b676fbee

SHA256
b47c6fece1bae3a1310a5c676b2c361b98fb6f8639354d7e606138ab3f7f6a84

SHA512
fddb4f6c7f91717a32469ea2b6832390266bb99418ea1c28d87f3511a44ad1a92c4badc9c3e30368f665cbc519bc71cd27f5871e0c3ab8d30d39695c5cb925d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
502B

MD5
9717493f2f1b55f8354c6d961c51ca14

SHA1
ec471fa3629647a048e09564542d64ecfdd2ad13

SHA256
22619045c29514c7841bd96ce33f08ae43010cdba1bee032b6ff133885aaa0f4

SHA512
9b4a0a91e0c671d64726ae355232c20f1a96f0e59cee7dbb4afae304ba8b3b79db5120be0794d11d53cf716e876790ef60765c6633e425724dd24342e843720c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ncvrbfykbukicupa.vbs

Filesize
528B

MD5
3478bb3d9b1528548baa4ee1de04d269

SHA1
92c19b97cd135f38d5964bc079df412a20358927

SHA256
684029bc6616d1014d596ca182bc3d6c27973544ea918fc5bf9e174b5333015a

SHA512
84f2ce197098abbbfc9f8a8524271f29a693be7e16ca968241c3152276ae72596979f643476d73dc005b7765b90657b2ae47c5946463163a710b682f7772f239

Download Submit
memory/544-23-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2428-24-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4184-41-0x00000000002D0000-0x000000000034F000-memory.dmp

Filesize
508KB

Download
memory/4184-55-0x00000000002D0000-0x000000000034F000-memory.dmp

Filesize
508KB

Download
memory/4184-16-0x00000000002D0000-0x000000000034F000-memory.dmp

Filesize
508KB

Download
memory/4184-17-0x00000000002D0000-0x000000000034F000-memory.dmp

Filesize
508KB

Download
memory/4184-18-0x00000000002D0000-0x000000000034F000-memory.dmp

Filesize
508KB

Download
memory/4184-19-0x00000000002D0000-0x000000000034F000-memory.dmp

Filesize
508KB

Download
memory/4184-20-0x00000000002D0000-0x000000000034F000-memory.dmp

Filesize
508KB

Download
memory/4184-22-0x00000000002D0000-0x000000000034F000-memory.dmp

Filesize
508KB

Download
memory/4184-9-0x00000000002D0000-0x000000000034F000-memory.dmp

Filesize
508KB

Download
memory/4184-11-0x00000000002D0000-0x000000000034F000-memory.dmp

Filesize
508KB

Download
memory/4184-70-0x00000000002D0000-0x000000000034F000-memory.dmp

Filesize
508KB

Download
memory/4184-10-0x00000000002D0000-0x000000000034F000-memory.dmp

Filesize
508KB

Download
memory/4184-42-0x00000000002D0000-0x000000000034F000-memory.dmp

Filesize
508KB

Download
memory/4184-66-0x00000000002D0000-0x000000000034F000-memory.dmp

Filesize
508KB

Download
memory/4184-56-0x00000000002D0000-0x000000000034F000-memory.dmp

Filesize
508KB

Download
memory/4184-57-0x00000000002D0000-0x000000000034F000-memory.dmp

Filesize
508KB

Download
memory/4184-59-0x00000000002D0000-0x000000000034F000-memory.dmp

Filesize
508KB

Download
memory/4184-58-0x00000000002D0000-0x000000000034F000-memory.dmp

Filesize
508KB

Download
memory/4184-61-0x00000000002D0000-0x000000000034F000-memory.dmp

Filesize
508KB

Download
memory/4184-60-0x00000000002D0000-0x000000000034F000-memory.dmp

Filesize
508KB

Download
memory/4184-62-0x00000000002D0000-0x000000000034F000-memory.dmp

Filesize
508KB

Download
memory/4184-63-0x00000000002D0000-0x000000000034F000-memory.dmp

Filesize
508KB

Download
memory/4184-64-0x00000000002D0000-0x000000000034F000-memory.dmp

Filesize
508KB

Download
memory/4184-65-0x00000000002D0000-0x000000000034F000-memory.dmp

Filesize
508KB

Download
memory/4416-25-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4460-15-0x00000000010E0000-0x000000000115F000-memory.dmp

Filesize
508KB

Download
memory/4460-14-0x00000000010E0000-0x000000000115F000-memory.dmp

Filesize
508KB

Download