Analysis Overview
SHA256
31a7e70deb8af07d7b76b5dea8cbf90ec63bea24bffdd5ebac6f223c02f55753
Threat Level: Known bad
The file RFQ130824.exe was found to be: Known bad.
Malicious Activity Summary
ModiLoader, DBatLoader
Remcos
ModiLoader Second Stage
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
System Network Configuration Discovery: Internet Connection Discovery
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Script User-Agent
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-14 08:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-14 08:06
Reported
2024-08-14 08:08
Platform
win7-20240708-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
ModiLoader, DBatLoader
Remcos
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\alpha.pif | N/A |
| N/A | N/A | C:\Users\Public\alpha.pif | N/A |
| N/A | N/A | C:\Users\Public\alpha.pif | N/A |
| N/A | N/A | C:\Users\Public\xpha.pif | N/A |
| N/A | N/A | C:\Windows \SysWOW64\per.exe | N/A |
| N/A | N/A | C:\Windows \SysWOW64\per.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.pif | N/A |
| N/A | N/A | C:\Users\Public\alpha.pif | N/A |
| N/A | N/A | C:\Users\Public\alpha.pif | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.pif | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wclbjzkj = "C:\\Users\\Public\\Wclbjzkj.url" | C:\Users\Admin\AppData\Local\Temp\RFQ130824.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RFQ130824.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\alpha.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\xpha.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\alpha.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\alpha.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\alpha.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\alpha.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\alpha.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\SndVol.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\esentutl.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C | C:\Users\Admin\AppData\Local\Temp\RFQ130824.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95 | C:\Users\Admin\AppData\Local\Temp\RFQ130824.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ130824.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\SndVol.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\SndVol.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SndVol.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\RFQ130824.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ130824.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\Libraries\jkzjblcW.cmd" "
C:\Windows\SysWOW64\esentutl.exe
C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
C:\Windows\SysWOW64\esentutl.exe
C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
C:\Users\Public\alpha.pif
C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
C:\Users\Public\alpha.pif
C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
C:\Users\Public\alpha.pif
C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
C:\Users\Public\xpha.pif
C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
C:\Windows \SysWOW64\per.exe
"C:\\Windows \\SysWOW64\\per.exe
C:\Windows \SysWOW64\per.exe
"C:\Windows \SysWOW64\per.exe"
C:\Users\Public\alpha.pif
C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"
C:\Users\Public\alpha.pif
C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64
C:\Users\Public\alpha.pif
C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"
C:\Windows\SysWOW64\esentutl.exe
C:\\Windows\\System32\\esentutl.exe /y C:\Users\Admin\AppData\Local\Temp\RFQ130824.exe /d C:\\Users\\Public\\Libraries\\Wclbjzkj.PIF /o
C:\Windows\SysWOW64\SndVol.exe
C:\Windows\System32\SndVol.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2007.filemail.com | udp |
| DE | 50.7.84.74:443 | 2007.filemail.com | tcp |
| DE | 50.7.84.74:443 | 2007.filemail.com | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| US | 8.8.8.8:53 | legacyrem.duckdns.org | udp |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| US | 8.8.8.8:53 | legacyrem.duckdns.org | udp |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| US | 8.8.8.8:53 | legacyrem.duckdns.org | udp |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
Files
memory/2980-0-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2980-1-0x00000000032C0000-0x00000000042C0000-memory.dmp
memory/2980-2-0x00000000032C0000-0x00000000042C0000-memory.dmp
memory/2980-5-0x0000000000400000-0x0000000000540000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabCDEB.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarCE1D.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Public\Libraries\jkzjblcW.cmd
| MD5 | b87f096cbc25570329e2bb59fee57580 |
| SHA1 | d281d1bf37b4fb46f90973afc65eece3908532b2 |
| SHA256 | d08ccc9b1e3acc205fe754bad8416964e9711815e9ceed5e6af73d8e9035ec9e |
| SHA512 | 72901adde38f50cf6d74743c0a546c0fea8b1cd4a18449048a0758a7593a176fc33aad1ebfd955775eefc2b30532bcc18e4f2964b3731b668dd87d94405951f7 |
\Users\Public\alpha.pif
| MD5 | ad7b9c14083b52bc532fba5948342b98 |
| SHA1 | ee8cbf12d87c4d388f09b4f69bed2e91682920b5 |
| SHA256 | 17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae |
| SHA512 | e12aad20c824187b39edb3c7943709290b5ddbf1b4032988db46f2e86da3cf7e7783f78c82e4dc5da232f666b8f9799a260a1f8e2694eb4d0cdaf78da710fde1 |
C:\Users\Public\xpha.pif
| MD5 | 6242e3d67787ccbf4e06ad2982853144 |
| SHA1 | 6ac7947207d999a65890ab25fe344955da35028e |
| SHA256 | 4ca10dba7ff487fdb3f1362a3681d7d929f5aa1262cdfd31b04c30826983fb1d |
| SHA512 | 7d0d457e1537d624119a8023bcc086575696a5739c0460ef11554afac13af5e5d1edc7629a10e62834aba9f1b3ab1442011b15b4c3930399d91dca34b3b1cbaf |
C:\Windows \SysWOW64\per.exe
| MD5 | 869640d0a3f838694ab4dfea9e2f544d |
| SHA1 | bdc42b280446ba53624ff23f314aadb861566832 |
| SHA256 | 0db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323 |
| SHA512 | 6e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7 |
memory/1320-107-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-111-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-112-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-106-0x0000000003160000-0x0000000004160000-memory.dmp
memory/1320-110-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-114-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-115-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-116-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-117-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-118-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-119-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-121-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-122-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-123-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-124-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-126-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-127-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-129-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-130-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-131-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-134-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-135-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-136-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-138-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-140-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-141-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-143-0x00000000295D0000-0x0000000029652000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | 0b2d344293957488a13a494084a4c46f |
| SHA1 | 9385e770e02c05b73e615f9c4df3f2ae944760ac |
| SHA256 | 4760ab24edda6177be07e6321ac2395f2b06883615d487d68ea6161bf450af3c |
| SHA512 | 420bceb8b18cd5d0014a625fcb4244cf128b01f1188762eed4f3394932d22589112b4def4b07bf8bc14725b332b439207a3282b5c89b9f96e16a8ce985205599 |
memory/1320-145-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-146-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-148-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-149-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-150-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-153-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-154-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-155-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-157-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-159-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-160-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-161-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-162-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-164-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-165-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-167-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-168-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-169-0x00000000295D0000-0x0000000029652000-memory.dmp
memory/1320-172-0x00000000295D0000-0x0000000029652000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-14 08:06
Reported
2024-08-14 08:08
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
ModiLoader, DBatLoader
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\alpha.pif | N/A |
| N/A | N/A | C:\Users\Public\alpha.pif | N/A |
| N/A | N/A | C:\Users\Public\alpha.pif | N/A |
| N/A | N/A | C:\Users\Public\xpha.pif | N/A |
| N/A | N/A | C:\Windows \SysWOW64\per.exe | N/A |
| N/A | N/A | C:\Users\Public\pha.pif | N/A |
| N/A | N/A | C:\Users\Public\alpha.pif | N/A |
| N/A | N/A | C:\Users\Public\alpha.pif | N/A |
| N/A | N/A | C:\Users\Public\alpha.pif | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows \SysWOW64\per.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wclbjzkj = "C:\\Users\\Public\\Wclbjzkj.url" | C:\Users\Admin\AppData\Local\Temp\RFQ130824.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RFQ130824.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\alpha.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\alpha.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\xpha.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\alpha.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\alpha.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\alpha.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\alpha.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\SndVol.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\esentutl.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254832000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd | C:\Users\Public\pha.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E | C:\Users\Public\pha.pif | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd | C:\Users\Public\pha.pif | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\pha.pif | N/A |
| N/A | N/A | C:\Users\Public\pha.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ130824.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ130824.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\pha.pif | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\SndVol.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\SndVol.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SndVol.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\RFQ130824.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ130824.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\jkzjblcW.cmd" "
C:\Windows\SysWOW64\esentutl.exe
C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
C:\Windows\SysWOW64\esentutl.exe
C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
C:\Users\Public\alpha.pif
C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
C:\Users\Public\alpha.pif
C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
C:\Users\Public\alpha.pif
C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
C:\Users\Public\xpha.pif
C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
C:\Windows \SysWOW64\per.exe
"C:\\Windows \\SysWOW64\\per.exe
C:\Windows\SYSTEM32\esentutl.exe
esentutl /y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe /d C:\\Users\\Public\\pha.pif /o
C:\Users\Public\pha.pif
C:\\Users\\Public\\pha.pif -WindowStyle hidden -Command Add-MpPreference -ExclusionExtension '.exe','bat','.pif'
C:\Users\Public\alpha.pif
C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"
C:\Users\Public\alpha.pif
C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64
C:\Users\Public\alpha.pif
C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"
C:\Windows\SysWOW64\esentutl.exe
C:\\Windows\\System32\\esentutl.exe /y C:\Users\Admin\AppData\Local\Temp\RFQ130824.exe /d C:\\Users\\Public\\Libraries\\Wclbjzkj.PIF /o
C:\Windows\SysWOW64\SndVol.exe
C:\Windows\System32\SndVol.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2007.filemail.com | udp |
| DE | 50.7.84.74:443 | 2007.filemail.com | tcp |
| DE | 50.7.84.74:443 | 2007.filemail.com | tcp |
| US | 8.8.8.8:53 | 74.84.7.50.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| N/A | 127.0.0.1:59089 | tcp | |
| US | 8.8.8.8:53 | legacyrem.duckdns.org | udp |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| US | 8.8.8.8:53 | legacyrem.duckdns.org | udp |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp | |
| MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp |
| N/A | 127.0.0.1:59089 | tcp |
Files
memory/2888-0-0x0000000002430000-0x0000000002431000-memory.dmp
memory/2888-1-0x0000000002A60000-0x0000000003A60000-memory.dmp
memory/2888-2-0x0000000002A60000-0x0000000003A60000-memory.dmp
memory/2888-4-0x0000000000400000-0x0000000000540000-memory.dmp
C:\Users\Public\Libraries\jkzjblcW.cmd
| MD5 | b87f096cbc25570329e2bb59fee57580 |
| SHA1 | d281d1bf37b4fb46f90973afc65eece3908532b2 |
| SHA256 | d08ccc9b1e3acc205fe754bad8416964e9711815e9ceed5e6af73d8e9035ec9e |
| SHA512 | 72901adde38f50cf6d74743c0a546c0fea8b1cd4a18449048a0758a7593a176fc33aad1ebfd955775eefc2b30532bcc18e4f2964b3731b668dd87d94405951f7 |
memory/716-11-0x00000000012A0000-0x00000000012B0000-memory.dmp
memory/716-34-0x0000000001680000-0x0000000001690000-memory.dmp
C:\Users\Public\alpha.pif
| MD5 | d0fce3afa6aa1d58ce9fa336cc2b675b |
| SHA1 | 4048488de6ba4bfef9edf103755519f1f762668f |
| SHA256 | 4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22 |
| SHA512 | 80e127ef81752cd50f9ea2d662dc4d3bf8db8d29680e75fa5fc406ca22cafa5c4d89ef2eac65b486413d3cdd57a2c12a1cb75f65d1e312a717d262265736d1c2 |
C:\Users\Public\xpha.pif
| MD5 | b3624dd758ccecf93a1226cef252ca12 |
| SHA1 | fcf4dad8c4ad101504b1bf47cbbddbac36b558a7 |
| SHA256 | 4aaa74f294c15aeb37ada8185d0dead58bd87276a01a814abc0c4b40545bf2ef |
| SHA512 | c613d18511b00fa25fc7b1bdde10d96debb42a99b5aaab9e9826538d0e229085bb371f0197f6b1086c4f9c605f01e71287ffc5442f701a95d67c232a5f031838 |
C:\Windows \SysWOW64\per.exe
| MD5 | 869640d0a3f838694ab4dfea9e2f544d |
| SHA1 | bdc42b280446ba53624ff23f314aadb861566832 |
| SHA256 | 0db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323 |
| SHA512 | 6e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7 |
C:\Windows \SysWOW64\NETUTILS.dll
| MD5 | c5db31551cb21105e3f0b3e467b91cc7 |
| SHA1 | c66fd7732973d9803ba0fd4323e8507876892310 |
| SHA256 | 3fa23d8f7b7eeac6443e107bd70d0c6371afc1f8082d3d58fffd8685cf9e2193 |
| SHA512 | 6d1ee4b55fb74dc093f52caf1e093ec2742af263ff8fa264cd61eea48c021c3438150ba12a8e9d694e7246fe296ea011d8b6313e8ee4476a63c7072c2990685e |
C:\Users\Public\pha.pif
| MD5 | 04029e121a0cfa5991749937dd22a1d9 |
| SHA1 | f43d9bb316e30ae1a3494ac5b0624f6bea1bf054 |
| SHA256 | 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f |
| SHA512 | 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3zvcwdlh.2cv.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1636-133-0x000002435BCD0000-0x000002435BCF2000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | 21accd922f1c726d6011b3ef1306af82 |
| SHA1 | 6d6f0627e4141e34505abe96eb0a810b9a048639 |
| SHA256 | dccb09bf338b6e9820bd7fd342cabab8d846cc86a3fcdc0d3dbddcbeab171cce |
| SHA512 | e0d36fcca59d6f958757f6a47ba7e5d095b39f005a65d54066632db9d3501c15dc519b075be20e235a00646217f34ea1d83cbabc82a860fa078c77aa33c04e19 |