Overview

overview

10

Static

static

5

JaffaCakes...43.zip

windows7-x64

JaffaCakes...43.zip

windows10-2004-x64

JaffaCakes...43.zip

android-10-x64

JaffaCakes...43.zip

android-13-x64

JaffaCakes...43.zip

macos-10.15-amd64

JaffaCakes...43.zip

ubuntu-18.04-amd64

JaffaCakes...43.zip

debian-9-armhf

JaffaCakes...43.zip

debian-9-mips

JaffaCakes...43.zip

debian-9-mipsel

2ef1aedbfa...a7.exe

windows7-x64

10

2ef1aedbfa...a7.exe

windows10-2004-x64

10

2ef1aedbfa...a7.exe

android-10-x64

2ef1aedbfa...a7.exe

android-13-x64

2ef1aedbfa...a7.exe

macos-10.15-amd64

2ef1aedbfa...a7.exe

ubuntu-18.04-amd64

2ef1aedbfa...a7.exe

debian-9-armhf

2ef1aedbfa...a7.exe

debian-9-mips

2ef1aedbfa...a7.exe

debian-9-mipsel

Resubmissions

17-01-2025 13:41

250117-qy3vha1jen 10

24-12-2024 18:03

241224-wm54datje1 10

Analysis

  • max time kernel
    300s
  • max time network
    300s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-01-2025 13:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe

  • Size

    2.9MB

  • MD5

    21948d42c2c1e49cadea88e80dfe6880

  • SHA1

    d7f6837f76f3785eef87048c4a28c4b664f99dbd

  • SHA256

    2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7

  • SHA512

    14054453d259e53d88881a6b50061960befc06309fc14d1f557d5cb3cbc2ac7e855a805cc483915e8b5ce737c328dd03a8cfbc9a68a670e0238896009befa863

  • SSDEEP

    49152:hh+ZkldoPK8Yad7cwj644Mh+ZkldoPK8YaLDNcm:C2cPK8YwjE2cPK8f

Score
10/10
remcoswebmonitorremotehostbackdoordiscoveryinfostealerlinkpdfpersistenceratupx

Malware Config

Extracted

Family

webmonitor

C2

snpandey4659.wm01.to:443

Attributes
  • config_key

    sFitr5r1ExCJl86X6inyc4qxlzwyw8fK

  • private_key

    t1wG88poq

  • url_path

    /recv4.php

Extracted

Family

remcos

Version

2.3.0 Pro

Botnet

RemoteHost

C2

daya4659.ddns.net:8282

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    3

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-S1KNPZ

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • RevcodeRat, WebMonitorRat

    WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.

    backdoorratinfostealerwebmonitor
  • WebMonitor payload 5 IoCs
  • Webmonitor family
    webmonitor
  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 26 IoCs
  • Unexpected DNS network traffic destination 28 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • AutoIT Executable 4 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 13 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • HTTP links in PDF interactive object 2 IoCs

    Detects HTTP links in interactive objects within PDF files.

    pdflink
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 44 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe
    C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe sh $MOZILLA/ %SIGINT% "SIGTERM|DESTROY|SIGKILL"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe
      "C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1364
      • C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe
        "C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1668
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4256
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4792
            • C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
              C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4476
              • C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
                "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
                7⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:4220
                • C:\Windows\SysWOW64\svchost.exe
                  C:\Windows\SysWOW64\svchost.exe
                  8⤵
                    PID:496
                • C:\Windows\SysWOW64\schtasks.exe
                  "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:5116
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
          3⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:3452
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\medical-application-form.pdf"
        2⤵
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4348
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5080
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A74604CCBE88614464E1341CEA349F5A --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
            4⤵
            • System Location Discovery: System Language Discovery
            PID:572
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F936F17579480800B88E17F60A82BEC3 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F936F17579480800B88E17F60A82BEC3 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
            4⤵
            • System Location Discovery: System Language Discovery
            PID:864
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FC25910D4D2D73180D19244C16FA4403 --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4904
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=92412A4EC4000E8AA344222E3487A526 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=92412A4EC4000E8AA344222E3487A526 --renderer-client-id=5 --mojo-platform-channel-handle=1856 --allow-no-sandbox-job /prefetch:1
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4516
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C1C711F9B5B82AC9791BF5E2F402709F --mojo-platform-channel-handle=2688 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2700
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=770698A136EC71DC2D320A0F5691B042 --mojo-platform-channel-handle=1964 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1928
      • C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe
        "C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe"
        2⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: RenamesItself
        PID:1772
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F
        2⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:4608
    • C:\Windows\System32\CompPkgSrv.exe
      C:\Windows\System32\CompPkgSrv.exe -Embedding
      1⤵
        PID:2904
      • C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
        C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        PID:4904
        • C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
          "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
          2⤵
          • Executes dropped EXE
          PID:3080
        • C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
          "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2700
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F
          2⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:916
      • C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
        C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        PID:1580
        • C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
          "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe"
          2⤵
          • Executes dropped EXE
          PID:1112
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
          2⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:3484
      • C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
        C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        PID:4528
        • C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
          "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
          2⤵
          • Executes dropped EXE
          PID:2264
        • C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
          "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2356
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F
          2⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2228
      • C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
        C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        PID:4080
        • C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
          "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe"
          2⤵
          • Executes dropped EXE
          PID:2592
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
          2⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:3484
      • C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
        C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        PID:388
        • C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
          "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe"
          2⤵
          • Executes dropped EXE
          PID:2828
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
          2⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:1816
      • C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
        C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        PID:552
        • C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
          "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3604
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F
          2⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:3368
      • C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
        C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        PID:460
        • C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
          "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe"
          2⤵
          • Executes dropped EXE
          PID:3228
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
          2⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:692
      • C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
        C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        PID:1552
        • C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
          "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3068
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F
          2⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:3084
      • C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
        C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        PID:3408
        • C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
          "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3828
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F
          2⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:4944
      • C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
        C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        PID:2384
        • C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
          "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe"
          2⤵
          • Executes dropped EXE
          PID:5032
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
          2⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:4284

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
        Filesize

        56KB

        MD5

        752a1f26b18748311b691c7d8fc20633

        SHA1

        c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

        SHA256

        111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

        SHA512

        a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
        Filesize

        64KB

        MD5

        7b3cb8500051c48af2c2324895a6b259

        SHA1

        568c14db9730fb8e9a24210711e04edf2a829653

        SHA256

        388c3c09d5fa2152e156ba38876f76facb6a068fd5f2dc8577f6d3a4978ad2f2

        SHA512

        74b1eb7634e17dbc3f5993d95bfb8c6923cb17b8e54235157bbe3f2c71548a5dfd940852bf9e1af4c0a5bde5a5846c8d26c724bfce9f4d50b9aceb6ece66aab4

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
        Filesize

        36KB

        MD5

        b30d3becc8731792523d599d949e63f5

        SHA1

        19350257e42d7aee17fb3bf139a9d3adb330fad4

        SHA256

        b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

        SHA512

        523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\install.vbs
        Filesize

        418B

        MD5

        ff449f6f7bc5e2d800eb30e2d2c56611

        SHA1

        93419ea805b9ce35a766e5c56db50d54c2d3f94b

        SHA256

        655787cf79040ee701963986320556a834d6345e850e03653e4852d94eb09416

        SHA512

        02a17064c837d36ba241fb8edf9266e33479a10eb8652b974158a3227878a801da29db1108413bb2c298a105b3c19bd20c3a3100f19444189f434706825766a6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\medical-application-form.pdf
        Filesize

        340KB

        MD5

        bb0aa1bade4df17033a05d8d682b44d2

        SHA1

        bec4b0a8a7413d158cf6705a3c888bdf36a4371b

        SHA256

        96d6c8c54390b476e8f8f42b99b52efb19eca152bf046c254992bc2f2faba764

        SHA512

        6bfe1b289f9c84d4db5a564ed129f7920775946981d5da5cb7753d63a141d84486ba9e958044e8162fba2eba875e56c358f92091b760e07b8cbe459e4202e4d9

        Download Submit

      • C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
        Filesize

        1.1MB

        MD5

        d859026242e3b85e2d8d22507aca1183

        SHA1

        38d14a3083553312fc27f53ae7299026178c1d1c

        SHA256

        1705696187e835214dbb1029fa237b8995879cf8af2d98184f287b1f7091f637

        SHA512

        b24222dea1931ebfbb5ad589026e3ebbd834575665b68b14bd1ffb3d81977ba9bcb7958990410aa49894e4fe3856d3f01c10bdacbd3324b4a44fb158fafba80f

        Download Submit

      • C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
        Filesize

        2.9MB

        MD5

        cdace3efc6010585a0117ed55ed86b5b

        SHA1

        302400bd314f5901be19af9e9db51a73f8f01f5d

        SHA256

        cb775f765c4dae35e3b5b01ba1ea06668f2532df73dc6e86315d3896d35ccb96

        SHA512

        50e8e16568210c30bd66724e9163f5949526ff8a19e78a2f65b6d117f0d14e3fd1c40aaa750401e4f4a87176d0803912eb23882939caff55ad11869e7d822938

        Download Submit

      • C:\Users\Admin\AppData\Roaming\remcos\logs.dat
        Filesize

        118B

        MD5

        df7b290c8c9b9df2c59166529215cb45

        SHA1

        450ef6a6da68f40d83f20caa519a029a9d6d855a

        SHA256

        ed5354cf35d79f5ee3acbce819abaf0cd4ff02d66437ddfe9e56fdb864729787

        SHA512

        91aef9993d9bd729242b8c9d6d0fd83f7d9edc841e6a653ff79bd66e69f33f61f976e7fbac2fa2843bd20d75f7b210a37ca24fa1c139df5c9334e20941b27f68

        Download Submit

      • C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe
        Filesize

        1.1MB

        MD5

        d5581c9db64b399c7d0cdb3f7b78673b

        SHA1

        87396211e6468d73c97301fe0b673f64bcd6d17c

        SHA256

        7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826

        SHA512

        5a8034902bfd110826aebc8196469f0dea26d94fcb093406342657b9660f400cc495a6a7ce843d32a7541083cfbc3f0fbdf9aab1ad08294729307bffe7c512c6

        Download Submit

      • memory/1668-23-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1668-30-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1772-17-0x0000000000400000-0x00000000004C0000-memory.dmp

        Filesize

        768KB

        Download

      • memory/1772-182-0x0000000000B60000-0x0000000000E4B000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/1772-19-0x0000000000400000-0x00000000004C0000-memory.dmp

        Filesize

        768KB

        Download

      • memory/1772-13-0x0000000000400000-0x00000000004C0000-memory.dmp

        Filesize

        768KB

        Download

      • memory/1772-20-0x0000000000400000-0x00000000004C0000-memory.dmp

        Filesize

        768KB

        Download

      • memory/1772-18-0x0000000000400000-0x00000000004C0000-memory.dmp

        Filesize

        768KB

        Download

      • memory/2356-232-0x0000000000400000-0x00000000004C0000-memory.dmp

        Filesize

        768KB

        Download

      • memory/2592-234-0x00000000003A0000-0x00000000003C0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2700-196-0x0000000000400000-0x00000000004C0000-memory.dmp

        Filesize

        768KB

        Download

      • memory/2700-211-0x0000000000400000-0x00000000004C0000-memory.dmp

        Filesize

        768KB

        Download

      • memory/4220-49-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4220-56-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4220-52-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4220-53-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4220-48-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

        Download