26e3098a535a96521959292a4084ebe735df148578bd8849cacea1c5a5f19201

Analysis

max time kernel
148s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2024, 00:33 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GOLAYA-PHOTO.exe
Size

149KB
MD5

082651eefe9806f50fb938f393148d45
SHA1

61817d9547cbfc0490511c8599261b62adbc61fa
SHA256

dd854c4d604f2add306b0e004097c9fb897b4107f02407d4b521abbc22919bbd
SHA512

3c8cd68bd19fb0fbb40ed1a5f53d7f83f152c4aced62e137bd7771303da26a4e74ce2648958909f2f92506ea2508665d7139a11b0568740104df87b68bcaf994
SSDEEP

3072:lBAp5XhKpN4eOyVTGfhEClj8jTk+0hiIvh5iBZ:AbXE9OiTGfhEClq9SE

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	4372	WScript.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	GOLAYA-PHOTO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\salst\ogurets\all3.vbs	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\salst\ogurets\podkati.bat	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\salst\ogurets\stuckja.jol	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\salst\ogurets\lit.vbs	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\salst\ogurets\122.txt	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\salst\ogurets\Uninstall.exe	GOLAYA-PHOTO.exe
File created	C:\Program Files (x86)\salst\ogurets\Uninstall.ini	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\salst\ogurets\polenolll.pof	GOLAYA-PHOTO.exe
File opened for modification	C:\Program Files (x86)\salst\ogurets\osjovnofr.vbs	GOLAYA-PHOTO.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	GOLAYA-PHOTO.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3644 wrote to memory of 1472	3644	GOLAYA-PHOTO.exe	89
PID 3644 wrote to memory of 1472	3644	GOLAYA-PHOTO.exe	89
PID 3644 wrote to memory of 1472	3644	GOLAYA-PHOTO.exe	89
PID 1472 wrote to memory of 4372	1472	cmd.exe	93
PID 1472 wrote to memory of 4372	1472	cmd.exe	93
PID 1472 wrote to memory of 4372	1472	cmd.exe	93
PID 3644 wrote to memory of 532	3644	GOLAYA-PHOTO.exe	94
PID 3644 wrote to memory of 532	3644	GOLAYA-PHOTO.exe	94
PID 3644 wrote to memory of 532	3644	GOLAYA-PHOTO.exe	94

C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe
"C:\Users\Admin\AppData\Local\Temp\GOLAYA-PHOTO.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\salst\ogurets\podkati.bat" "
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\salst\ogurets\all3.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:4372
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\salst\ogurets\osjovnofr.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:532

Network

DNS

158.240.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

158.240.127.40.in-addr.arpa

IN PTR

Response
DNS

180.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

180.178.17.96.in-addr.arpa

IN PTR

Response

180.178.17.96.in-addr.arpa

IN PTR

a96-17-178-180deploystaticakamaitechnologiescom
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.a-0001.a-msedge.net

g-bing-com.a-0001.a-msedge.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f523d12a08224be7a558a0bc43765fd0&localId=w:CB46C7AD-3FBE-4EAF-8E4F-46C212B95A7B&deviceId=6896190258833704&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f523d12a08224be7a558a0bc43765fd0&localId=w:CB46C7AD-3FBE-4EAF-8E4F-46C212B95A7B&deviceId=6896190258833704&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=381982C3A3FF61940E8596C6A21F606E; domain=.bing.com; expires=Thu, 06-Feb-2025 00:33:16 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 274298B0A24A426F8DE38CB1B29E0BE8 Ref B: LON04EDGE1015 Ref C: 2024-01-13T00:33:16Z
date: Sat, 13 Jan 2024 00:33:15 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=f523d12a08224be7a558a0bc43765fd0&localId=w:CB46C7AD-3FBE-4EAF-8E4F-46C212B95A7B&deviceId=6896190258833704&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=f523d12a08224be7a558a0bc43765fd0&localId=w:CB46C7AD-3FBE-4EAF-8E4F-46C212B95A7B&deviceId=6896190258833704&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=381982C3A3FF61940E8596C6A21F606E

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=Gdtxynw3mmvExwM8Bps25j3q7xOdu_SuQhaMWb4eb80; domain=.bing.com; expires=Thu, 06-Feb-2025 00:33:16 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 1E89C0E32B80472D86523C8F9A5A67F1 Ref B: LON04EDGE1015 Ref C: 2024-01-13T00:33:16Z
date: Sat, 13 Jan 2024 00:33:16 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f523d12a08224be7a558a0bc43765fd0&localId=w:CB46C7AD-3FBE-4EAF-8E4F-46C212B95A7B&deviceId=6896190258833704&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f523d12a08224be7a558a0bc43765fd0&localId=w:CB46C7AD-3FBE-4EAF-8E4F-46C212B95A7B&deviceId=6896190258833704&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=381982C3A3FF61940E8596C6A21F606E; MSPTC=Gdtxynw3mmvExwM8Bps25j3q7xOdu_SuQhaMWb4eb80

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 7AE275571F044018ADCE994191DF725D Ref B: LON04EDGE1015 Ref C: 2024-01-13T00:33:16Z
date: Sat, 13 Jan 2024 00:33:16 GMT
DNS

23.181.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

23.181.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

208.194.73.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

208.194.73.20.in-addr.arpa

IN PTR

Response
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

241.154.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.154.82.20.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

140.71.91.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

140.71.91.104.in-addr.arpa

IN PTR

Response

140.71.91.104.in-addr.arpa

IN PTR

a104-91-71-140deploystaticakamaitechnologiescom
DNS

140.71.91.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

140.71.91.104.in-addr.arpa

IN PTR
DNS

100.5.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

100.5.17.2.in-addr.arpa

IN PTR

Response

100.5.17.2.in-addr.arpa

IN PTR

a2-17-5-100deploystaticakamaitechnologiescom
DNS

119.110.54.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

119.110.54.20.in-addr.arpa

IN PTR

Response
DNS

0.205.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.205.248.87.in-addr.arpa

IN PTR

Response

0.205.248.87.in-addr.arpa

IN PTR

https-87-248-205-0lgwllnwnet
DNS

32.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

32.134.221.88.in-addr.arpa

IN PTR

Response

32.134.221.88.in-addr.arpa

IN PTR

a88-221-134-32deploystaticakamaitechnologiescom
DNS

32.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

32.134.221.88.in-addr.arpa

IN PTR
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
DNS

134.71.91.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

134.71.91.104.in-addr.arpa

IN PTR

Response

134.71.91.104.in-addr.arpa

IN PTR

a104-91-71-134deploystaticakamaitechnologiescom

64.62.191.222:4321

WScript.exe

260 B
5
204.79.197.200:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f523d12a08224be7a558a0bc43765fd0&localId=w:CB46C7AD-3FBE-4EAF-8E4F-46C212B95A7B&deviceId=6896190258833704&anid=

tls, http2

2.6kB
12.1kB
25
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f523d12a08224be7a558a0bc43765fd0&localId=w:CB46C7AD-3FBE-4EAF-8E4F-46C212B95A7B&deviceId=6896190258833704&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=f523d12a08224be7a558a0bc43765fd0&localId=w:CB46C7AD-3FBE-4EAF-8E4F-46C212B95A7B&deviceId=6896190258833704&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f523d12a08224be7a558a0bc43765fd0&localId=w:CB46C7AD-3FBE-4EAF-8E4F-46C212B95A7B&deviceId=6896190258833704&anid=

HTTP Response

204
52.111.229.19:443
20.223.35.26:443

40 B
1
20.223.35.26:443

tls

874 B
24.3kB
19
20
20.223.35.26:443

tls

46 B
158 B
1
3
87.248.205.0:80
52.142.223.178:80

156 B
3
96.17.178.176:80

4.9kB
201.2kB
89
144
96.17.178.176:80
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.7kB
8.9kB
13
8
204.79.197.200:443

g.bing.com

22.5kB
639.9kB
465
460
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.1kB
8.2kB
13
13
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.5kB
11.1kB
17
15
96.17.178.176:80
96.17.178.176:80

46 B
40 B
1
1
96.17.178.176:80

52 B
1
96.17.178.176:80
96.17.178.176:80

4.9kB
227.7kB
99
163
96.17.178.176:80

46 B
40 B
1
1
96.17.178.176:80

10.8kB
216.5kB
154
155
96.17.178.176:80

46 B
1
96.17.178.176:80

52 B
487 B
1
2
96.17.178.176:80

2.1kB
125.7kB
45
90
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.16.110.114:80
138.91.171.81:80
96.17.178.176:80

8.8.8.8:53

158.240.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

158.240.127.40.in-addr.arpa
8.8.8.8:53

180.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

180.178.17.96.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
158 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

23.181.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

23.181.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

146 B
144 B
2
1

DNS Request

95.221.229.192.in-addr.arpa

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

208.194.73.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

208.194.73.20.in-addr.arpa
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

241.154.82.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.154.82.20.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

140.71.91.104.in-addr.arpa

dns

144 B
137 B
2
1

DNS Request

140.71.91.104.in-addr.arpa

DNS Request

140.71.91.104.in-addr.arpa
8.8.8.8:53

100.5.17.2.in-addr.arpa

dns

69 B
131 B
1
1

DNS Request

100.5.17.2.in-addr.arpa
8.8.8.8:53

119.110.54.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

119.110.54.20.in-addr.arpa
8.8.8.8:53

0.205.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

0.205.248.87.in-addr.arpa
8.8.8.8:53

32.134.221.88.in-addr.arpa

dns

144 B
137 B
2
1

DNS Request

32.134.221.88.in-addr.arpa

DNS Request

32.134.221.88.in-addr.arpa
8.8.8.8:53

88.156.103.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

88.156.103.20.in-addr.arpa
8.8.8.8:53

134.71.91.104.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

134.71.91.104.in-addr.arpa
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\salst\ogurets\all3.vbs

Filesize
299B

MD5
399aafbff20b97ae2c6119061d41cbd0

SHA1
3056f90e2696e9564c9a3419cc7a7c03ef14b429

SHA256
898eebf1486b8d382f0001cec8604b4711d21e3015334bd5a49f60d39ebdc1fe

SHA512
85627296a59270aa783bf64d55d2560d9ee18eaa9de88deae4b8170581bd18450f53bfbbd9bdb6ec3a99ac8a06545252a1b10a13fa3584bb75dae4f917ed1606

Download Submit
C:\Program Files (x86)\salst\ogurets\osjovnofr.vbs

Filesize
744B

MD5
2b3d8e8acf083e55fdbaa04a313e082c

SHA1
d472ce8d0786478cc1f5bb1b8d9ba9085fc3ade3

SHA256
f75b5d1d65c4668e1c9833d7ef4dcd04013d7f1e52f80b579011cf12ba6f0846

SHA512
055609e1ac6e2824f5d02082e4da0995c7c1757543003cd5aa134adbf344c4c52d6d5361c909c9163dd017bc5fe6f52a5c47dc235ae77df31da8dc1bdd5a6085

Download Submit
C:\Program Files (x86)\salst\ogurets\podkati.bat

Filesize
3KB

MD5
32476fdee702c96f10c2bf839d4999ea

SHA1
6eba74027756760c7a3b22957efc215fbf9871e5

SHA256
78a635131e9f79f01185e120ecd29fb09260b56b678fccd3b23245fac2b673d3

SHA512
a5b73557a2293aff4b3d0e5a2f185af54abdda68ea40b5f167271da91e32f199af06bc60a6d6da4faeef960bf9844b538788745bf4c5a590807081cb6f280234

Download Submit
C:\Program Files (x86)\salst\ogurets\polenolll.pof

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\salst\ogurets\stuckja.jol

Filesize
51B

MD5
2f3e6a7cead939112e164924c1f10781

SHA1
33cd402d053f7597c1b825892929295e6834c35c

SHA256
9e32bfeb04a302900d18c7dbed95d648b766741a387001a1ef6ce32276c73136

SHA512
9005e318a904b7880f43e568230fd38e5a75d20f30f48b25058dad74b17d94d02bde1dbf9ee0bb931e8748f05087ab8b2116e4c00de3d134abb330bc07044ff2

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
c525250576e43ebdf6e507f70d33692c

SHA1
54bc4847d056796f486969729db4052e36ee5b0c

SHA256
0b4bb2b098ae8a8f62afaacaec63be4e8ec282e19c3b596df26efc8acb9d7295

SHA512
a4bb591fa54a83e0eceb239fe7aa96e76511f4b045a0dbf21c700a51ffc53050160d69051b4ff6dd5877be411fefa11e6b44e97d6dbb397d0e4af08409e4ddf6

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
d9a93296f8c62ab96271667c72d7a3b3

SHA1
abcf5a6ed773cfc978fc2176138778ad406c188a

SHA256
f6c84e7c7fced4ae3ee3ca143fd5e134a183eb1e2f67ab71a6e9a902596be993

SHA512
f91de9fbc57397c895aa1bda0ed18601711b1da377ceeee9d5a5ff48a4a3ba2e4feaacf3c64475c07daf584d6374e79d8206a49d1e25bc3044b2e4b6c7d4bd02

Download Submit
memory/3644-55-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.