remcos | 4e8b3c07043d58d62d456ddb7201ad7b14578df119f005a8b441885b8208114b

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

main.pdf.pif.exe
Size

492KB
MD5

5ae083acb92a7e6dfe29b4edb7ec20fb
SHA1

c12a45b9cf33a1881c34e0e3d469e7d039130426
SHA256

7390d25410ff7cf2690c1d340f46578881687443fd3653283cf3818769bbb848
SHA512

75b23e5f3a1fb90424932a211cbdac7c8c3c078a57d8d6754e15d9bdaa4cd7b58ff91abb36a20639597a149b2aa8a1a4feec75a31233afb02a7e4d303f497f5b
SSDEEP

3072:kMSncRzAOP4g5IdrO79+lHNNqqRPsO98bx0NO4lzv:XSncRlPbI1O7kNPRPp98V0xl

Score

10^/10

remcos host discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

192.168.168.154:5555

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
remcos_lxuvlzlakuvlhki
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	main.pdf.pif.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	BACKDOOR.EXE

Executes dropped EXE 4 IoCs

pid	Process
3540	BACKDOOR.EXE
3184	remcos.exe
5056	remcos.exe
5440	remcos.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	BACKDOOR.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	main.pdf.pif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BACKDOOR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5176	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	main.pdf.pif.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5176	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
5192	AcroRd32.exe
5192	AcroRd32.exe
5192	AcroRd32.exe
5192	AcroRd32.exe
5192	AcroRd32.exe
5192	AcroRd32.exe
5192	AcroRd32.exe
5192	AcroRd32.exe
5192	AcroRd32.exe
5192	AcroRd32.exe
5192	AcroRd32.exe
5192	AcroRd32.exe
5192	AcroRd32.exe
5192	AcroRd32.exe
5192	AcroRd32.exe
5192	AcroRd32.exe
5192	AcroRd32.exe
5192	AcroRd32.exe
5192	AcroRd32.exe
5192	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5192	AcroRd32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
5192	AcroRd32.exe
5192	AcroRd32.exe
5192	AcroRd32.exe
5192	AcroRd32.exe
5056	remcos.exe
5192	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3756 wrote to memory of 3540	3756	main.pdf.pif.exe	87
PID 3756 wrote to memory of 3540	3756	main.pdf.pif.exe	87
PID 3756 wrote to memory of 3540	3756	main.pdf.pif.exe	87
PID 3756 wrote to memory of 5192	3756	main.pdf.pif.exe	88
PID 3756 wrote to memory of 5192	3756	main.pdf.pif.exe	88
PID 3756 wrote to memory of 5192	3756	main.pdf.pif.exe	88
PID 3268 wrote to memory of 3184	3268	cmd.exe	91
PID 3268 wrote to memory of 3184	3268	cmd.exe	91
PID 3268 wrote to memory of 3184	3268	cmd.exe	91
PID 3540 wrote to memory of 392	3540	BACKDOOR.EXE	92
PID 3540 wrote to memory of 392	3540	BACKDOOR.EXE	92
PID 3540 wrote to memory of 392	3540	BACKDOOR.EXE	92
PID 392 wrote to memory of 5176	392	cmd.exe	94
PID 392 wrote to memory of 5176	392	cmd.exe	94
PID 392 wrote to memory of 5176	392	cmd.exe	94
PID 392 wrote to memory of 5056	392	cmd.exe	97
PID 392 wrote to memory of 5056	392	cmd.exe	97
PID 392 wrote to memory of 5056	392	cmd.exe	97
PID 2632 wrote to memory of 5440	2632	cmd.exe	101
PID 2632 wrote to memory of 5440	2632	cmd.exe	101
PID 2632 wrote to memory of 5440	2632	cmd.exe	101
PID 5192 wrote to memory of 6024	5192	AcroRd32.exe	106
PID 5192 wrote to memory of 6024	5192	AcroRd32.exe	106
PID 5192 wrote to memory of 6024	5192	AcroRd32.exe	106
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107
PID 6024 wrote to memory of 2964	6024	RdrCEF.exe	107

C:\Users\Admin\AppData\Local\Temp\main.pdf.pif.exe
"C:\Users\Admin\AppData\Local\Temp\main.pdf.pif.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Users\Admin\AppData\Local\Temp\BACKDOOR.EXE
  "C:\Users\Admin\AppData\Local\Temp\BACKDOOR.EXE"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:392
  - - C:\Windows\SysWOW64\PING.EXE
      PING 127.0.0.1 -n 2
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5176
  - - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
      "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5056
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\PDF.PDF"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5192
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:6024
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DF0A74508DAAE7B2D846DAAA13813411 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:2964
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=965E8931C7C55FF791AA2E1097E0C40C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=965E8931C7C55FF791AA2E1097E0C40C --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:2484
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3A318919F82A96C3877BEC0164498C7A --mojo-platform-channel-handle=2276 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4456
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=215EDE1699C6E6278D669B4D6F555DA7 --mojo-platform-channel-handle=2412 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1956
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CBEBD30D99604BDEDE03E4604D1362B0 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:632
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B4FA32FE56F8F465D8B829B0F734AF0A --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B4FA32FE56F8F465D8B829B0F734AF0A --renderer-client-id=7 --mojo-platform-channel-handle=2148 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:2844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3268
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  - Executes dropped EXE
  PID:5440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
9c1f87a4b2a919d0dc4cf2c1a8eb5fe7

SHA1
7a5b16fdda861cad5eee3e2646988f59cbe0f03b

SHA256
af4d21c227a64f8227d6bbf79b9b5ed248ce4ab2266a93f7791093fe4a0c124b

SHA512
97da2e7a3a197de33c2ccfa10362680582550d7fa56205562030fca3dd3dffe90d235e833606974314a93fc2ae914f4545eef33090b6c78fa02648c80da7080f

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\BACKDOOR.EXE

Filesize
36KB

MD5
cffddc7c3177706625765eb684410c7d

SHA1
04d82ea5e2b0e8e06a3284715146e11148209d2d

SHA256
39ecab5ce3b3d2049f707937f679015daf7b3bb56a313cf44683d75887511166

SHA512
2165e1553c40291f49823e7fac5454d137f1d2170e54c1e237afe62f2fc43361db8dadd4c1bed5c61aed8c4ee4c9a405685f7620f5f25efada7bc33957cb2765

Download Submit
C:\Users\Admin\AppData\Local\Temp\PDF.PDF

Filesize
40KB

MD5
7b3c39fbf5b0b43b3c01d00c1e065366

SHA1
a425c056d064305e394e92b055043272c4d89ee7

SHA256
a4f71b309275fa1c9aba3dbb96ccba45ec6f18e57a99e8bf31607931e3a0494e

SHA512
f2d763ad3804bb450b9c8646482cf1ac0da9e00b4769a711971083ad963c484f6f6b44a61414f299a7eedcca2b454e0715b6c09869f6f22f4bd04b15a92b3ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
99B

MD5
76c1687d97dfdbcea62ef1490bec5001

SHA1
5f4d1aeafa7d840cde67b76f97416dd68efd1bed

SHA256
79f04ea049979ffd2232c459fdd57fae97a5255aea9b4a2c7dce7ead856f37a4

SHA512
da250f0628632a644f159d818a82a8b9cca8224e46843bddbe0f6f9c32a2d04f7736a620af49ab6d77616317ca7d68285e60043965fe86c03d940835bd30a925

Download Submit
memory/3184-21-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3540-8-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3540-19-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/5056-55-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/5056-53-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/5056-153-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/5056-160-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/5056-162-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/5056-165-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/5056-168-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/5440-27-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download