Overview

overview

10

Static

static

5

2ef1aedbfa...a7.exe

windows7-x64

10

2ef1aedbfa...a7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    45s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-12-2024 18:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe

  • Size

    2.9MB

  • MD5

    21948d42c2c1e49cadea88e80dfe6880

  • SHA1

    d7f6837f76f3785eef87048c4a28c4b664f99dbd

  • SHA256

    2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7

  • SHA512

    14054453d259e53d88881a6b50061960befc06309fc14d1f557d5cb3cbc2ac7e855a805cc483915e8b5ce737c328dd03a8cfbc9a68a670e0238896009befa863

  • SSDEEP

    49152:hh+ZkldoPK8Yad7cwj644Mh+ZkldoPK8YaLDNcm:C2cPK8YwjE2cPK8f

Score
10/10
remcoswebmonitorremotehostbackdoordiscoveryinfostealerlinkpdfpersistenceratupx

Malware Config

Extracted

Family

webmonitor

C2

snpandey4659.wm01.to:443

Attributes
  • config_key

    sFitr5r1ExCJl86X6inyc4qxlzwyw8fK

  • private_key

    t1wG88poq

  • url_path

    /recv4.php

Extracted

Family

remcos

Version

2.3.0 Pro

Botnet

RemoteHost

C2

daya4659.ddns.net:8282

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    3

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-S1KNPZ

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • RevcodeRat, WebMonitorRat

    WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.

    backdoorratinfostealerwebmonitor
  • WebMonitor payload 2 IoCs
  • Webmonitor family
    webmonitor
  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Unexpected DNS network traffic destination 12 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • AutoIT Executable 20 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 22 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • HTTP links in PDF interactive object 2 IoCs

    Detects HTTP links in interactive objects within PDF files.

    pdflink
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 17 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe
    "C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1156
    • C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe
      "C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:968
      • C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe
        "C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2904
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:964
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:5056
            • C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
              C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              PID:3480
              • C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
                "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
                7⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2292
                • C:\Windows\SysWOW64\svchost.exe
                  C:\Windows\SysWOW64\svchost.exe
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1832
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 560
                    9⤵
                    • Program crash
                    PID:936
                • C:\Windows\SysWOW64\svchost.exe
                  C:\Windows\SysWOW64\svchost.exe
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3044
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 576
                    9⤵
                    • Program crash
                    PID:1252
                • C:\Windows\SysWOW64\svchost.exe
                  C:\Windows\SysWOW64\svchost.exe
                  8⤵
                    PID:3452
                  • C:\Windows\SysWOW64\svchost.exe
                    C:\Windows\SysWOW64\svchost.exe
                    8⤵
                    • System Location Discovery: System Language Discovery
                    PID:1568
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 560
                      9⤵
                      • Program crash
                      PID:1036
                  • C:\Windows\SysWOW64\svchost.exe
                    C:\Windows\SysWOW64\svchost.exe
                    8⤵
                    • System Location Discovery: System Language Discovery
                    PID:4960
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 552
                      9⤵
                      • Program crash
                      PID:2348
                  • C:\Windows\SysWOW64\svchost.exe
                    C:\Windows\SysWOW64\svchost.exe
                    8⤵
                    • System Location Discovery: System Language Discovery
                    PID:2932
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 560
                      9⤵
                      • Program crash
                      PID:628
                  • C:\Windows\SysWOW64\svchost.exe
                    C:\Windows\SysWOW64\svchost.exe
                    8⤵
                      PID:1128
                    • C:\Windows\SysWOW64\svchost.exe
                      C:\Windows\SysWOW64\svchost.exe
                      8⤵
                      • System Location Discovery: System Language Discovery
                      PID:4588
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 560
                        9⤵
                        • Program crash
                        PID:2784
                    • C:\Windows\SysWOW64\svchost.exe
                      C:\Windows\SysWOW64\svchost.exe
                      8⤵
                      • System Location Discovery: System Language Discovery
                      PID:1524
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 560
                        9⤵
                        • Program crash
                        PID:1460
                    • C:\Windows\SysWOW64\svchost.exe
                      C:\Windows\SysWOW64\svchost.exe
                      8⤵
                      • System Location Discovery: System Language Discovery
                      PID:912
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 192
                        9⤵
                        • Program crash
                        PID:788
                    • C:\Windows\SysWOW64\svchost.exe
                      C:\Windows\SysWOW64\svchost.exe
                      8⤵
                      • System Location Discovery: System Language Discovery
                      PID:2928
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 560
                        9⤵
                        • Program crash
                        PID:4940
                    • C:\Windows\SysWOW64\svchost.exe
                      C:\Windows\SysWOW64\svchost.exe
                      8⤵
                      • System Location Discovery: System Language Discovery
                      PID:2072
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 560
                        9⤵
                        • Program crash
                        PID:4116
                    • C:\Windows\SysWOW64\svchost.exe
                      C:\Windows\SysWOW64\svchost.exe
                      8⤵
                      • System Location Discovery: System Language Discovery
                      PID:2272
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 560
                        9⤵
                        • Program crash
                        PID:2536
                    • C:\Windows\SysWOW64\svchost.exe
                      C:\Windows\SysWOW64\svchost.exe
                      8⤵
                      • System Location Discovery: System Language Discovery
                      PID:4496
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 192
                        9⤵
                        • Program crash
                        PID:2628
                    • C:\Windows\SysWOW64\svchost.exe
                      C:\Windows\SysWOW64\svchost.exe
                      8⤵
                      • System Location Discovery: System Language Discovery
                      PID:1376
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 208
                        9⤵
                        • Program crash
                        PID:2324
                    • C:\Windows\SysWOW64\svchost.exe
                      C:\Windows\SysWOW64\svchost.exe
                      8⤵
                      • System Location Discovery: System Language Discovery
                      PID:4220
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 560
                        9⤵
                        • Program crash
                        PID:3472
                    • C:\Windows\SysWOW64\svchost.exe
                      C:\Windows\SysWOW64\svchost.exe
                      8⤵
                      • System Location Discovery: System Language Discovery
                      PID:3332
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 560
                        9⤵
                        • Program crash
                        PID:4892
                    • C:\Windows\SysWOW64\svchost.exe
                      C:\Windows\SysWOW64\svchost.exe
                      8⤵
                      • System Location Discovery: System Language Discovery
                      PID:1320
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 560
                        9⤵
                        • Program crash
                        PID:228
                    • C:\Windows\SysWOW64\svchost.exe
                      C:\Windows\SysWOW64\svchost.exe
                      8⤵
                      • System Location Discovery: System Language Discovery
                      PID:540
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 560
                        9⤵
                        • Program crash
                        PID:4192
                  • C:\Windows\SysWOW64\schtasks.exe
                    "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
                    7⤵
                    • System Location Discovery: System Language Discovery
                    • Scheduled Task/Job: Scheduled Task
                    PID:1860
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
            3⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:2988
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\medical-application-form.pdf"
          2⤵
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3344
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2168
            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D15FBA942D6FED696D303F3E0EBC8D93 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
              4⤵
              • System Location Discovery: System Language Discovery
              PID:3332
            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B8998368128527BA7395464888ABEAC2 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B8998368128527BA7395464888ABEAC2 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
              4⤵
              • System Location Discovery: System Language Discovery
              PID:880
            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7950BE8334725850AF8FE3665324D4E0 --mojo-platform-channel-handle=2340 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
              4⤵
              • System Location Discovery: System Language Discovery
              PID:1524
            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=931BDAF45D1965E609156546C20659B9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=931BDAF45D1965E609156546C20659B9 --renderer-client-id=5 --mojo-platform-channel-handle=2332 --allow-no-sandbox-job /prefetch:1
              4⤵
              • System Location Discovery: System Language Discovery
              PID:4832
            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1A3E3368374E5D478043CCE7036969DC --mojo-platform-channel-handle=2812 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
              4⤵
              • System Location Discovery: System Language Discovery
              PID:1108
            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C9C16E0CD580F6797AB9FF5F3D107CEE --mojo-platform-channel-handle=1804 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
              4⤵
              • System Location Discovery: System Language Discovery
              PID:4472
        • C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe
          "C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe"
          2⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: RenamesItself
          PID:4852
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F
          2⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:4888
      • C:\Windows\System32\CompPkgSrv.exe
        C:\Windows\System32\CompPkgSrv.exe -Embedding
        1⤵
          PID:2060
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1832 -ip 1832
          1⤵
            PID:440
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3044 -ip 3044
            1⤵
              PID:624
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1568 -ip 1568
              1⤵
                PID:4528
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4960 -ip 4960
                1⤵
                  PID:3672
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2932 -ip 2932
                  1⤵
                    PID:3092
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4588 -ip 4588
                    1⤵
                      PID:3508
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1524 -ip 1524
                      1⤵
                        PID:2348
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 912 -ip 912
                        1⤵
                          PID:4420
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2928 -ip 2928
                          1⤵
                            PID:1320
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2072 -ip 2072
                            1⤵
                              PID:2284
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2272 -ip 2272
                              1⤵
                                PID:1300
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4496 -ip 4496
                                1⤵
                                  PID:3508
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1376 -ip 1376
                                  1⤵
                                    PID:3380
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4220 -ip 4220
                                    1⤵
                                      PID:2296
                                    • C:\Windows\SysWOW64\WerFault.exe
                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3332 -ip 3332
                                      1⤵
                                        PID:1408
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1320 -ip 1320
                                        1⤵
                                          PID:3668
                                        • C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
                                          C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
                                          1⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Suspicious use of SetThreadContext
                                          • System Location Discovery: System Language Discovery
                                          PID:2008
                                          • C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
                                            "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe"
                                            2⤵
                                            • Executes dropped EXE
                                            PID:3716
                                          • C:\Windows\SysWOW64\schtasks.exe
                                            "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
                                            2⤵
                                            • System Location Discovery: System Language Discovery
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1160
                                        • C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
                                          C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
                                          1⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Suspicious use of SetThreadContext
                                          • System Location Discovery: System Language Discovery
                                          PID:4048
                                          • C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
                                            "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
                                            2⤵
                                            • Executes dropped EXE
                                            PID:5008
                                          • C:\Windows\SysWOW64\schtasks.exe
                                            "C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F
                                            2⤵
                                            • System Location Discovery: System Language Discovery
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3664
                                        • C:\Windows\SysWOW64\WerFault.exe
                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 540 -ip 540
                                          1⤵
                                            PID:1080
                                          • C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
                                            C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
                                            1⤵
                                              PID:2988
                                            • C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
                                              C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
                                              1⤵
                                                PID:2584

                                              Network

                                              MITRE ATT&CK Enterprise v15

                                              Replay Monitor

                                              Loading Replay Monitor...

                                              Downloads

                                              • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
                                                Filesize

                                                36KB

                                                MD5

                                                b30d3becc8731792523d599d949e63f5

                                                SHA1

                                                19350257e42d7aee17fb3bf139a9d3adb330fad4

                                                SHA256

                                                b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

                                                SHA512

                                                523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

                                                Download Submit

                                              • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
                                                Filesize

                                                56KB

                                                MD5

                                                752a1f26b18748311b691c7d8fc20633

                                                SHA1

                                                c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

                                                SHA256

                                                111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

                                                SHA512

                                                a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

                                                Download Submit

                                              • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
                                                Filesize

                                                64KB

                                                MD5

                                                07dedd3b7cab95a309aa294b05b6845c

                                                SHA1

                                                fe5ea58784ac3211358966e7f970dc38aebbc633

                                                SHA256

                                                677214ad89055503710a80a770b49d5071e3496d1bf054270066f1cff6e0b2ad

                                                SHA512

                                                e8f8b301a25f2b969c66d0392402ef44d2c45eb1c0b7442fa5325c4e9b52abf5dc1d20166a7b15dc9e537dc045eabdcbc09f2a0d338fe79e95b969efd3d52ba7

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\install.vbs
                                                Filesize

                                                418B

                                                MD5

                                                ff449f6f7bc5e2d800eb30e2d2c56611

                                                SHA1

                                                93419ea805b9ce35a766e5c56db50d54c2d3f94b

                                                SHA256

                                                655787cf79040ee701963986320556a834d6345e850e03653e4852d94eb09416

                                                SHA512

                                                02a17064c837d36ba241fb8edf9266e33479a10eb8652b974158a3227878a801da29db1108413bb2c298a105b3c19bd20c3a3100f19444189f434706825766a6

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\medical-application-form.pdf
                                                Filesize

                                                340KB

                                                MD5

                                                bb0aa1bade4df17033a05d8d682b44d2

                                                SHA1

                                                bec4b0a8a7413d158cf6705a3c888bdf36a4371b

                                                SHA256

                                                96d6c8c54390b476e8f8f42b99b52efb19eca152bf046c254992bc2f2faba764

                                                SHA512

                                                6bfe1b289f9c84d4db5a564ed129f7920775946981d5da5cb7753d63a141d84486ba9e958044e8162fba2eba875e56c358f92091b760e07b8cbe459e4202e4d9

                                                Download Submit

                                              • C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
                                                Filesize

                                                1.1MB

                                                MD5

                                                0dbd539825227675b07a6a9da2536457

                                                SHA1

                                                04b1e0258c49d10348a00e1c1597a50b1f7e83fd

                                                SHA256

                                                21a480e5004c0bdbb0add406a15f4e571bc22eac9f0cc0f87d68b007fdd1d5fb

                                                SHA512

                                                06d4878e302d286a77d9da3f8db1ce672cb7055749298ee2afc8e4d19955a115a99cf07a50a6d598e56bccdda55624291e31a81bc53a1eb20fd43e10cc711bb4

                                                Download Submit

                                              • C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
                                                Filesize

                                                2.9MB

                                                MD5

                                                faf9096eb1d71c796f3bdb9ad38101d4

                                                SHA1

                                                bc732a391b910885620d18bfa8f2dad3ede88faa

                                                SHA256

                                                e1ea57dcf0886488756440ba61f6abf83f3c059bf6b27ad98bc645c5febef62f

                                                SHA512

                                                73ff3b5f4bec4ece895216af60fbd42df8960811c48bc258d0b7eccec40c15aef71dc6529d3b1859a361b19ed7e04b4cf8b0ae5e8697c6d772de851b2ac3ffde

                                                Download Submit

                                              • C:\Users\Admin\AppData\Roaming\remcos\logs.dat
                                                Filesize

                                                118B

                                                MD5

                                                6e92a07f8140fbbc79db9ee2ae4a1739

                                                SHA1

                                                9dfcd9025a16909466fb92b41f9d41df49035017

                                                SHA256

                                                465e709d7f19d1809f144c377652ef6218a72759fd3b8b1a3f861ed6a922cca5

                                                SHA512

                                                ab1330128e800fe58ef8d348807c4fdcb17082ded7effe7070ce4cc79ed77e15bd5a8aad30f5d9e06cd4fd4114391fbb34d688a0ceda3e79bec402c35fc0e926

                                                Download Submit

                                              • C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe
                                                Filesize

                                                1.1MB

                                                MD5

                                                d5581c9db64b399c7d0cdb3f7b78673b

                                                SHA1

                                                87396211e6468d73c97301fe0b673f64bcd6d17c

                                                SHA256

                                                7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826

                                                SHA512

                                                5a8034902bfd110826aebc8196469f0dea26d94fcb093406342657b9660f400cc495a6a7ce843d32a7541083cfbc3f0fbdf9aab1ad08294729307bffe7c512c6

                                                Download Submit

                                              • memory/1156-13-0x0000000003C90000-0x0000000003C91000-memory.dmp

                                                Filesize

                                                4KB

                                                Download

                                              • memory/1320-216-0x0000000000400000-0x0000000000526000-memory.dmp

                                                Filesize

                                                1.1MB

                                                Download

                                              • memory/1376-209-0x0000000000400000-0x0000000000526000-memory.dmp

                                                Filesize

                                                1.1MB

                                                Download

                                              • memory/1524-194-0x0000000000400000-0x0000000000526000-memory.dmp

                                                Filesize

                                                1.1MB

                                                Download

                                              • memory/1568-89-0x0000000000400000-0x0000000000526000-memory.dmp

                                                Filesize

                                                1.1MB

                                                Download

                                              • memory/1832-82-0x0000000000400000-0x0000000000526000-memory.dmp

                                                Filesize

                                                1.1MB

                                                Download

                                              • memory/1832-83-0x0000000000400000-0x0000000000526000-memory.dmp

                                                Filesize

                                                1.1MB

                                                Download

                                              • memory/2072-199-0x0000000000400000-0x0000000000526000-memory.dmp

                                                Filesize

                                                1.1MB

                                                Download

                                              • memory/2272-202-0x0000000000400000-0x0000000000526000-memory.dmp

                                                Filesize

                                                1.1MB

                                                Download

                                              • memory/2292-78-0x0000000000400000-0x0000000000420000-memory.dmp

                                                Filesize

                                                128KB

                                                Download

                                              • memory/2292-75-0x0000000000400000-0x0000000000420000-memory.dmp

                                                Filesize

                                                128KB

                                                Download

                                              • memory/2292-74-0x0000000000400000-0x0000000000420000-memory.dmp

                                                Filesize

                                                128KB

                                                Download

                                              • memory/2292-79-0x0000000000400000-0x0000000000420000-memory.dmp

                                                Filesize

                                                128KB

                                                Download

                                              • memory/2904-31-0x0000000000400000-0x0000000000420000-memory.dmp

                                                Filesize

                                                128KB

                                                Download

                                              • memory/2904-24-0x0000000000400000-0x0000000000420000-memory.dmp

                                                Filesize

                                                128KB

                                                Download

                                              • memory/2928-197-0x0000000000400000-0x0000000000526000-memory.dmp

                                                Filesize

                                                1.1MB

                                                Download

                                              • memory/2932-110-0x0000000000400000-0x0000000000526000-memory.dmp

                                                Filesize

                                                1.1MB

                                                Download

                                              • memory/3044-87-0x0000000000400000-0x0000000000526000-memory.dmp

                                                Filesize

                                                1.1MB

                                                Download

                                              • memory/3332-213-0x0000000000400000-0x0000000000526000-memory.dmp

                                                Filesize

                                                1.1MB

                                                Download

                                              • memory/4220-211-0x0000000000400000-0x0000000000526000-memory.dmp

                                                Filesize

                                                1.1MB

                                                Download

                                              • memory/4496-207-0x0000000000400000-0x0000000000526000-memory.dmp

                                                Filesize

                                                1.1MB

                                                Download

                                              • memory/4588-191-0x0000000000400000-0x0000000000526000-memory.dmp

                                                Filesize

                                                1.1MB

                                                Download

                                              • memory/4852-18-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                Filesize

                                                768KB

                                                Download

                                              • memory/4852-192-0x0000000000730000-0x0000000000A1B000-memory.dmp

                                                Filesize

                                                2.9MB

                                                Download

                                              • memory/4852-19-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                Filesize

                                                768KB

                                                Download

                                              • memory/4852-21-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                Filesize

                                                768KB

                                                Download

                                              • memory/4852-14-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                Filesize

                                                768KB

                                                Download

                                              • memory/4852-20-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                Filesize

                                                768KB

                                                Download

                                              • memory/4960-95-0x0000000000400000-0x0000000000526000-memory.dmp

                                                Filesize

                                                1.1MB

                                                Download