njrat | eda68b560a21b00745c94e06afeb5618ba2c5827f1722186622846b5a1550e55

Analysis

max time kernel
135s
max time network
136s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 12:14

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

VikaStarter.exe
Size

344KB
MD5

abd0172224799f2ab81a7a64ecd32d6a
SHA1

1451aeb778f943618a2992be08eb7a3535ecf838
SHA256

eda68b560a21b00745c94e06afeb5618ba2c5827f1722186622846b5a1550e55
SHA512

ff54b40b998673ae63b8063f95f8ef9cadec65a49b578c2772e6affd7f15d5541c4b6b6d2358e8d52bd434e291eda65c57b367d0b092d7090e06554c217807b7
SSDEEP

3072:Gn2Af+SLiJO+Y7mR9USl6yOiGB3PSQQivLXdn+mvo+vuChrZtwkYZBwOepe4PUef:jE+yclwQKjdn+WPtYVJIoBfRT+tkgAAb

Score

10^/10

njrat persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	Dllhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	Dllhost.exe

Executes dropped EXE 4 IoCs

pid	Process
2428	VikaStarter.exe
2420	Dllhost.exe
2836	Server.exe
2872	Server.exe

Loads dropped DLL 4 IoCs

pid	Process
3032	VikaStarter.exe
3032	VikaStarter.exe
3032	VikaStarter.exe
2428	VikaStarter.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\ProgramData\\Dllhost.exe\" .."	Dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\ProgramData\\Dllhost.exe\" .."	Dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	2.tcp.eu.ngrok.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2076	schtasks.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 805ca1176457da01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = 8073f2366457da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5AF9EE21-C357-11EE-95F4-C273E1627A77} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	VikaStarter.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003d000000900300001d020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{54708781-C357-11EE-95F4-C273E1627A77} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "4"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\Version = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000046332ab722508540bf00312f0a24f12000000000020000000000106600000001000020000000b97194a39ece12b1c0ad50f4194d37e6b16818186f327560dee168a2224ffe9c000000000e8000000002000020000000a0cefef8a66633b650cfd4f9a8f475f44b1d10f3fa07414c4eb8261c501ebb52200000004a36a9bec96684eab191443158d1bd5e39c6be63645c6944a5aff4b4eef1c8d1400000001de2bbd0d69975487bb9f0c91b7c69049188e13c32404460d797b65992c2a12aac0e58594bca477141682105af12b3c0f74a4fa8294ac4a0e993d81fd355cfd5	iexplore.exe

Modifies registry class 11 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\swf_auto_file\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\swf_auto_file\shell\open\CommandId = "IE.File"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\swf_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\swf_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.swf\ = "swf_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\swf_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\swf_auto_file\shell\open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.swf	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\swf_auto_file\shell\open	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\swf_auto_file\shell\open\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2428	VikaStarter.exe
2420	Dllhost.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	2420	Dllhost.exe
Token: 33	2420	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2420	Dllhost.exe
Token: 33	2420	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2420	Dllhost.exe
Token: 33	2420	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2420	Dllhost.exe
Token: 33	2420	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2420	Dllhost.exe
Token: 33	2420	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2420	Dllhost.exe
Token: 33	2420	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2420	Dllhost.exe
Token: 33	2420	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2420	Dllhost.exe
Token: 33	2420	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2420	Dllhost.exe
Token: 33	2420	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2420	Dllhost.exe
Token: 33	2420	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2420	Dllhost.exe
Token: 33	2420	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2420	Dllhost.exe
Token: 33	2420	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2420	Dllhost.exe
Token: SeShutdownPrivilege	2184	shutdown.exe
Token: SeRemoteShutdownPrivilege	2184	shutdown.exe
Token: 33	3040	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3040	AUDIODG.EXE
Token: 33	3040	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3040	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2116	iexplore.exe
2116	iexplore.exe
3032	iexplore.exe
3032	iexplore.exe
3032	iexplore.exe
3032	iexplore.exe
2532	iexplore.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
3032	VikaStarter.exe
3032	VikaStarter.exe
2116	iexplore.exe
2116	iexplore.exe
1732	IEXPLORE.EXE
1732	IEXPLORE.EXE
3032	iexplore.exe
3032	iexplore.exe
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE
3032	iexplore.exe
3032	iexplore.exe
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE
2532	iexplore.exe
2532	iexplore.exe
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE
868	IEXPLORE.EXE
868	IEXPLORE.EXE
1272	IEXPLORE.EXE
1272	IEXPLORE.EXE
2396	IEXPLORE.EXE
2396	IEXPLORE.EXE
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2644	3032	VikaStarter.exe	29
PID 3032 wrote to memory of 2644	3032	VikaStarter.exe	29
PID 3032 wrote to memory of 2644	3032	VikaStarter.exe	29
PID 3032 wrote to memory of 2644	3032	VikaStarter.exe	29
PID 3032 wrote to memory of 2428	3032	VikaStarter.exe	30
PID 3032 wrote to memory of 2428	3032	VikaStarter.exe	30
PID 3032 wrote to memory of 2428	3032	VikaStarter.exe	30
PID 3032 wrote to memory of 2428	3032	VikaStarter.exe	30
PID 2428 wrote to memory of 2420	2428	VikaStarter.exe	31
PID 2428 wrote to memory of 2420	2428	VikaStarter.exe	31
PID 2428 wrote to memory of 2420	2428	VikaStarter.exe	31
PID 2428 wrote to memory of 2420	2428	VikaStarter.exe	31
PID 2420 wrote to memory of 2076	2420	Dllhost.exe	32
PID 2420 wrote to memory of 2076	2420	Dllhost.exe	32
PID 2420 wrote to memory of 2076	2420	Dllhost.exe	32
PID 2420 wrote to memory of 2076	2420	Dllhost.exe	32
PID 2740 wrote to memory of 2836	2740	taskeng.exe	38
PID 2740 wrote to memory of 2836	2740	taskeng.exe	38
PID 2740 wrote to memory of 2836	2740	taskeng.exe	38
PID 2740 wrote to memory of 2836	2740	taskeng.exe	38
PID 2420 wrote to memory of 2116	2420	Dllhost.exe	39
PID 2420 wrote to memory of 2116	2420	Dllhost.exe	39
PID 2420 wrote to memory of 2116	2420	Dllhost.exe	39
PID 2420 wrote to memory of 2116	2420	Dllhost.exe	39
PID 2116 wrote to memory of 1732	2116	iexplore.exe	40
PID 2116 wrote to memory of 1732	2116	iexplore.exe	40
PID 2116 wrote to memory of 1732	2116	iexplore.exe	40
PID 2116 wrote to memory of 1732	2116	iexplore.exe	40
PID 2420 wrote to memory of 3032	2420	Dllhost.exe	42
PID 2420 wrote to memory of 3032	2420	Dllhost.exe	42
PID 2420 wrote to memory of 3032	2420	Dllhost.exe	42
PID 2420 wrote to memory of 3032	2420	Dllhost.exe	42
PID 3032 wrote to memory of 2696	3032	iexplore.exe	43
PID 3032 wrote to memory of 2696	3032	iexplore.exe	43
PID 3032 wrote to memory of 2696	3032	iexplore.exe	43
PID 3032 wrote to memory of 2696	3032	iexplore.exe	43
PID 3032 wrote to memory of 1568	3032	iexplore.exe	45
PID 3032 wrote to memory of 1568	3032	iexplore.exe	45
PID 3032 wrote to memory of 1568	3032	iexplore.exe	45
PID 1568 wrote to memory of 1580	1568	rundll32.exe	46
PID 1568 wrote to memory of 1580	1568	rundll32.exe	46
PID 1568 wrote to memory of 1580	1568	rundll32.exe	46
PID 2740 wrote to memory of 2872	2740	taskeng.exe	48
PID 2740 wrote to memory of 2872	2740	taskeng.exe	48
PID 2740 wrote to memory of 2872	2740	taskeng.exe	48
PID 2740 wrote to memory of 2872	2740	taskeng.exe	48
PID 2420 wrote to memory of 2532	2420	Dllhost.exe	49
PID 2420 wrote to memory of 2532	2420	Dllhost.exe	49
PID 2420 wrote to memory of 2532	2420	Dllhost.exe	49
PID 2420 wrote to memory of 2532	2420	Dllhost.exe	49
PID 2532 wrote to memory of 2452	2532	iexplore.exe	50
PID 2532 wrote to memory of 2452	2532	iexplore.exe	50
PID 2532 wrote to memory of 2452	2532	iexplore.exe	50
PID 2532 wrote to memory of 2452	2532	iexplore.exe	50
PID 2532 wrote to memory of 868	2532	iexplore.exe	52
PID 2532 wrote to memory of 868	2532	iexplore.exe	52
PID 2532 wrote to memory of 868	2532	iexplore.exe	52
PID 2532 wrote to memory of 868	2532	iexplore.exe	52
PID 2532 wrote to memory of 1272	2532	iexplore.exe	53
PID 2532 wrote to memory of 1272	2532	iexplore.exe	53
PID 2532 wrote to memory of 1272	2532	iexplore.exe	53
PID 2532 wrote to memory of 1272	2532	iexplore.exe	53
PID 2532 wrote to memory of 2396	2532	iexplore.exe	54
PID 2532 wrote to memory of 2396	2532	iexplore.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VikaStarter.exe
"C:\Users\Admin\AppData\Local\Temp\VikaStarter.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\1\Vikastart.bat" "
  2⤵
  PID:2644
- C:\Users\Admin\AppData\Local\Temp\1\VikaStarter.exe
  "C:\Users\Admin\AppData\Local\Temp\1\VikaStarter.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\ProgramData\Dllhost.exe
    "C:\ProgramData\Dllhost.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
      4⤵
      Creates scheduled task(s)
      PID:2076
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.upload.ee/image/2298158/koli.swf
      4⤵
      Modifies Internet Explorer Phishing Filter
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2116
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2116 CREDAT:275457 /prefetch:2
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1732
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.upload.ee/image/2971847/scare4.swf
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3032
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3032 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2696
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P9X5K6NC\scare4.swf
        5⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P9X5K6NC\scare4.swf
        6⤵
        
        PID:1580
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.upload.ee/image/2299952/facey.swf
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2532
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2532 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2452
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2532 CREDAT:1127431 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:868
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2532 CREDAT:1127438 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1272
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2532 CREDAT:4142085 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2396
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown -s -t 00
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2184

C:\Windows\system32\taskeng.exe
taskeng.exe {39D98886-338A-4F45-B857-17CEA5093424} S-1-5-21-3470981204-343661084-3367201002-1000:GLTGRJAG\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp/Server.exe
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp/Server.exe
  2⤵
  - Executes dropped EXE
  PID:2872

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2840

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x47c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\14561BF7422BB6F70A9CB14F5AA8A7DA_582DC597430784041BB93D3718D1C412

Filesize
727B

MD5
fa09f7f0b5e47a28d13ff5a4d4d37ca4

SHA1
224d01ff979574da3a1ef3f07129f6a2c7bdfe62

SHA256
d5ce85e0dd59da489f9cf63f6ea55186281751afc25df1a72a0f7b73cbcf9b4d

SHA512
316f4275af76ab1f27d87525ffbb928607479dd777d716f9c26a2b8205067e5bbfce17fcee24d1cf8b6ac695b9cfb6c624ae7d48b9d1fc2041e8fd7fc5bdbe02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_23FFFDCAABB8E63694AD1202ED02BF57

Filesize
471B

MD5
52a6dea3a45cc1a0bdc8d8e27353f1ef

SHA1
581575ba2faa42bfe654a8d7af4d013d57112440

SHA256
f01a0bdbf91009449a849beb5f632b1158800a40b86a8ed6f8a554561b1fbbe7

SHA512
e750ced1bf87a96f7c4a206b5eb39dc886988bb887e7693f5c58d00d3065895bcf9c79c401c4f3cd89e497e82197811cf8f0fba5e9397b2418a1a8f0e7abd55f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\14561BF7422BB6F70A9CB14F5AA8A7DA_582DC597430784041BB93D3718D1C412

Filesize
408B

MD5
acb3fdb8593b39868e56c7603e4a8b20

SHA1
9a05c26efcce67e6c11b3a2203620a9cce94cdfd

SHA256
caf678be18fec87c1eb7a82f11dae7efd7d8f2dd25cfe8eb73cc8718f5801cca

SHA512
60a79d6139071c66c5f9ff3fe79e616f8150f6c986b1646cdc34e11a7bf10d96395930a86981487e1f43571f3bf75363ea2b896946d5c37ccbc09d18279ecdd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
52ddf3b8a9843d980a79f9ff9c5383b2

SHA1
e44ec8d0297ca5388e6d536e69ddac484ce37691

SHA256
1e5287f43d858eec8f930a117b370e148c633592e1169dbd2ffbe0be9df24207

SHA512
0ebb52641a13c7ccd9fa0085d9ab5c0225c6ffc2ceea97f23f857d25cca088844796233ac649b4d566ca164fb8783d68a8f08bd873e944363ebeb78ffe3765ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
687d5fdc7dfddc4946ed78e632f58d8f

SHA1
3b7ecff353dd3cd6af9081c1ee26cc86e8d49e55

SHA256
732050b91347e23bfb566848ca190a91d3476f5b4b89770745b93f022c12b542

SHA512
1fd5c81aafcf13813d868e8c588d673a7049149ec5404f045b7593533c90dccb39fb3fda378e468127e051db53951ea9ada8103dd1bb773602ef16a51eaa0bba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a158bd3fd6692a236476e5090b447726

SHA1
24d8cda69d1c1736ce10c6d4af9e8bb67e033cd3

SHA256
bdb4a7183cd76eef786972936a7cd8ba17d9126bdfd30b1c851da5634f376d7a

SHA512
8cad0a204850339c8e61e60bccb9a0b285c0b18c41fc308ca16f2f8ca95f5ac9791436cfe87a8e67f153a7f2299a849d7f580d43bd8008150920b9e3bf775b4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
172a52cdede443a2b029663f08403827

SHA1
1ec1351720c741b1f09d7fcdeb18605fb0786bd9

SHA256
cb730de85df40f39171a7d4fa28b37370e747e1e4138407b2187f62c7a2546dc

SHA512
e2ffc04fd76c10a77afc426dfd23df2faa68c775c59598844026bbab9982bd6739bcd03f863aa123d58d2c1d2c0f7d1b429d19cb46d41178837a80b29e9e7c11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8d4198ccc95d6b6e6c134212dc9d89c4

SHA1
b853d5b9a5a534ecc7f5c0153b8a3bbdcb84e0a9

SHA256
0781b70b16ece4039f8fc02d0c47a562ff649972bffbe0ca44dc79ff80f3fbb4

SHA512
c97d200dfc4ea56d233747abaeb20efed7561fc2ef358eefee616fd34cf2d20f769181ac02975637740060ab8021eca9fc74cb4fe6e222b704904abb0b246b8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9fe33a8af25835db0528463c58d42dbc

SHA1
054dc25dced4af83b0220b3f1d1edb53d21413cc

SHA256
7c6b694fce89609c140fbc47b5e2b9b543ab68695fe221789ba37432b8ea2f88

SHA512
f8835a34cd23475e09bec0ffb010ea9362afac7e028685fc79af115cf8d984d3eceb733dd0c87c2d517c2eb0044b0484fcd8e9e547cba5b5e591966fa6041d17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3a1a416d70bad718840c6e3502c9ba5d

SHA1
c5811f96a9497eda39cf6c8ad3a904611908966c

SHA256
ca37cdbfaafcc8988c3ae1339b33a0bfc02481f1ac502027888415aae5fc412c

SHA512
d25777cd0462c9e1fc709bc26430cd5f7765a6d9ec9cbaf304ccd176c29ab5280511d095ae7ff591a9c3504b35848538d4df038f33ae952bc2ac3e44aea5eb13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
77fef8670ffa1326266271a4378593b9

SHA1
6066f95e78b5ccae32804b793dd613942e49326d

SHA256
4ab4bf65774013de950781cd3a704b8f9f042aec25e61d834cc5572ff10fb83f

SHA512
ed41486b140a13993669d38e8f72f790581c2f648a56d4b31ce9a62f9fff3e4508b53d1ec091715cce30f4ef01233cc962c77b1b21c4a9f29231b05752251695

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c8f7b1565ce49307e13b02cf379efc9c

SHA1
f416f0f0301602e4db6bcb93cd7621fe2365264b

SHA256
c2b743174623f6d8000e4595ca1cd96ff9627a75612072251672ba0405985a4c

SHA512
a98e4ec24687f7733766bff67a6fadcae852073ea211cb3c553b2de0f85215e4f320363e7e243e4a56a172d566d7506c0a3185ed7a420003986acbd314418cdf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0c22c3bb52b5a1f3dab17ec3a49bdc65

SHA1
7efb42ecf2cae35b0d45b98a3fb17a35c565fbd4

SHA256
b9eaff02d5032568ae91b4fe84484e8a26306b2ca7b4607a4fa2bc0324d22b15

SHA512
cab7ba409c964ae4599b3aaabae6939a91ec94210ca9e2c748936fa4fda1f90cf5ea4103b9ed28e664aef20f81bbe7d6e0c4b3b2e58bb0cee8bbcdf068ec16ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2ea2c5b4d8ae80852573c6fc463aafe1

SHA1
136562124b4c824b3fef507e7492d4fb3d4b7138

SHA256
d4e96444818f86f7995eda4e91a278b86e8883ded5db9f75b6585ed0d0ddb96d

SHA512
0102cb2bd769fe4eba80122f85b4d1ba74f269072cc7e117c750b03aac7198ddf36ff4d41324ca257146e55bf353b180f03c58f73a52825006a246d30ae1ca2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e6f3723abc9a11d8f8276acde5760e91

SHA1
321e09a9d745cc69b8f5c2c30447988ed1774540

SHA256
a5ef8789d1a84c2ac40a07c79655f2f1fddbb5d1137ef6e1de95cb91d12e026d

SHA512
e0a0f959e435528c32fca4f401da68747dcf3f32c1702e45c89f6779b13fa6f19b83e38cfed092b2b98c2a3042a7f724a35164b2991041a9c08b4fa9cbebb2b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
55e9f148dc2c1edaa75906b279edd046

SHA1
c8eb77b9d6bb06ea210434a3811b967778dfd9e5

SHA256
a1bd00537ca11b577cbed461095a6557aa1882c907e5f9d8c0f669c48484a90a

SHA512
f1b80321e7ed62fe2a0054b7655758ca5e760cfd7171a4bc104c50934438ed59dab0c0215a6d6b9419ad980320d46684b406dc62197dcd1f0d1f38fb83b4f6c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
62ac07e970d3eac683456daa17771e36

SHA1
48e6535bd9664d45ed40dcf7c8fee8273d770d2a

SHA256
a8cf27867263f6155c5ec7642abf6efed249a722eb54bf070e5693dcc31ed03d

SHA512
249480bf91a4df8d685efbed6154c4e2a54ca181694d8f2a02d7032738f75f5e830b9aa5955be2b36f8eb67f9fb74e52b783d0b4131cafde4290c40b3219ef52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
03bb3d003a73cd08e888998032d9cbce

SHA1
927bd6061476834f290f48876bb5cec2c3d09144

SHA256
9e63a1fadb1dcec94346a1cd1b964022b4c894ca5058ef881c445c54fef54a31

SHA512
35b98073e6c8e9b8075ce05edf95066450fb6753f4efc6d39c382f84ed2cb43d865268987bd721111db29e1658c7dacd684f1065481dee3ce1b6ac8af53c706c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
35753364d0493dbc69bc96e63c0adfa7

SHA1
869aa8d4f829cf4d1cedd0c760eda746d550588d

SHA256
f21bafe0aefe8ac014cbc366cbaf748d296da20b415f2d161308698a32712f6e

SHA512
55add8adeddb6cafec6b45eb71645470e679a9baa5fcd6bbcc8c277f07e777a7d96cd4f85315b37a20e762a29afc8ee600fa7d76b91dbb1d3ae4904902949b7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
00cbbe76535cf5711bc987191258dee6

SHA1
7f8d6064308c49d47365892296b7a27ebcbc7221

SHA256
d17ddc8b560e95adb5047e5054ed4ceb99b11dd2c9b116988021036fec7d5538

SHA512
f5f90e1065110be262f14df6e70965f5b8fc8781fff6af58ce8f5f3c16ec2ff8c537c98aa2dd69fcc259e7951f1db7e825ad74aa679b6322f00ef5e57e63d676

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
636432677d986d234c946526a19af08e

SHA1
2b4fd836f3db552f9bcfafffc8616c81762fbfd5

SHA256
6b08ef0c9e3cdef0c82a75e47a83626f1e7805b7105ea53c3cae946dcfb93427

SHA512
7aa5f42caea7d05ec3a136ba211988a13597aab6ab65ad35fa349f039273d584019740f1be0b565391560f37ad763d24841b2f2d2a4b41c34d78b34ffb6abde2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
39d15c825642529c095887f2394ccb22

SHA1
74108a0b65694e917e4c5b0d14f995bfbd69c714

SHA256
5bf7b031723c3537977f85276ed9e868ce69aecf4fbb2e113126b0242ea72697

SHA512
aca636bcf9421d6c051d89c41812af64585c46279e61529caa6c3012b8c77d7ce38d0f2030731c2eec5c8b837192591af3b52614cfe22c853f697792afbe8e6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
885a383690552d254282c725c60c6fad

SHA1
e96b3fc3f5d9d669ead7c449f2d8ff9e8984664d

SHA256
34825e507c0cd3817df0e483c4c0f0eaa963fa75390394e59d783e0d87bda7b6

SHA512
3a63a9d652a3353cbcb326ce9a53c3076401347e479da26ba1940d5f30d9125591e8e86697ab4bc13e8597ca8de5eaa2c427c4a9966b7396beeabc980b1c945f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9d71bf5367ee273ebbdf6ce9957817fb

SHA1
f71b706ddbd42f2485c17248a07561ca3317ea77

SHA256
3fa462482de0de656445522e1a3eee3108d997885e2d3855a0900f376c8dbf7e

SHA512
a04e8d165cf7f83a29cb777d43f3efa286148461fa72dd6b6d9ee7af99a0706092dd1715ff519c7da8cb736fa1f080a462163a5af5acda420cc7f92915870010

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5ddfe7e5659c0c1f42897870d5464afa

SHA1
942eb08b4184a323655ff012e0a55aae4bea2a5d

SHA256
7e7c42dad69082b12726a34bc9a21ca14cb218a8d731cb152a68115c113f2281

SHA512
8f5346c8a055405afb70ea1ecc1619f8879e8df1559e4163305972fb6f5cab3baf4460e435cc6c207e5d87222a2f7193f220ebe9707d3eb98b79997205429718

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c3b27c606f64bb325dbad82e55b10828

SHA1
e8b203dd3023e94cf3cc7ef7aba0831fef3b2f22

SHA256
e2ebb93fb2e937e39a9885e6daba04dbf24990afa1ff4b59b0f8c2779825227b

SHA512
2dbc1b3f23bad66f9a4acb2317237b96d9c92ca2fc084bfba823a4c8238cc6655799d2b1141d765a8ab854953dda1b045c6a1a6427dbe434604b8e51e157a72d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e63d4a2e673f8af88d9563fbfd6e54e0

SHA1
39bf39d05049cf40dafff3f40b80c147cbed27cc

SHA256
7dd90dcfb913e7b9e4d32cf2ce85a5792d9c0b2276ee71fb2424c5ec9d6cc18e

SHA512
72dffdcc0b69c88d556f166490d5b3b35c1dd364470ab8494cf76a152e5a860929e675b8d9bd53eb81c1779091ddfd7b8a752b34cb105cdf0b5c7dcbcfa047ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
95260885607ba2fc20b036512e1652c2

SHA1
024755576e79296779c5f41a7bcd4194b1f674e1

SHA256
5dd242d7d1a9d2fe06ef08171dca4501457b29c2533611fa45949f740dbe202f

SHA512
a426941b47dd8a6cb52dab2c01a4052d9a7b00abe7edd451af6635412c0d36f970f328fdea254f9f11190897c2490006791c1418295bcbc2de7023d4bf3d9612

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f937808c1e55efd0a76dde47e91e3285

SHA1
574071ecb119a7f36b1400eb54684d873a45761c

SHA256
e86478fcb6d6762294ba632be2f2f6f7f069ab5f7972133a4123ed70a59f7eca

SHA512
4a94278ccddf446931d75e05141b982f6ae94b1cd08ca869414a8fbab3ca4fe78238d851226432c6bd527d49f106d9509d74d44ee993d93e79d3182d91ec5d15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3518532fe8cff7bea66bd813eddae8c0

SHA1
b6086db5b574e6c49526baa536fb22ebf3143bc1

SHA256
c07e9582d49949fd583bc9a281cc7f1426b429c4640837f5e4e660fbd924fd44

SHA512
540474d1df0cf2c4e7d4463db7f32a67e783c07e02394e5d1d5adbdab793e7ca6d846fcdcfdbf0083eacaff37da37da3260e2c37bd2e748cd6a068a0179c487f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
55c7b174e1e23ac701bc377203d21199

SHA1
850adb1f9af7f59a5858d8307208cc5c946ff952

SHA256
9758e893ad05347f21c30ea922b102bc3a6bd14a2c57876378544e1cbcfce8c5

SHA512
1af42b88251e7f799e0bce7d3ce7d5650c88a57349e76ff40d73f541c5bfd4178241407f3b850eb447225cf43d60d533d9949367581dbcc55b658ec27bd898a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
55ce764463d252ea46b6aaaea0711ba2

SHA1
2ea80ae1d1a4853928bc1c009c91871431f3284c

SHA256
0ce0803ae30aaa7f7461da6b6c339a11027ce6b52ce161b67ec9b1180230a227

SHA512
6fed3b1f94ba853893f08cb30b6cbd27c58e475cf9532e5c3514bb3e3089d2cc8f8d8f543d460a7955ebf4a30658d12f7c6eb50e79a1361877bb18e8d27b69fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1b93a71a1610af255dce43ea7bd991e3

SHA1
8466b582fde982b7d4c99be51bc9f206220b1653

SHA256
1ff91757cb62850d89ced758442ef90eeab3be3ce0a48df7938e5136db20c4b4

SHA512
ec28b13a5c02c17c9ca08a180b31ee3ae8973a3a4566e6b4893e13ecea29769d0f44819d3f52cfc94e6f90c69f4ebe86945765a98835e6f9726d27410954576e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
53b4b75e084c1b4b7f7c25d551bbf110

SHA1
e646f4ab3b272fc3dd0c00d0502f071906080ab1

SHA256
2d5caffa36086ba0eb09aa40962bd677334489bcaa80c71200be23e07cddf1de

SHA512
0202e67cb42ba7198229b485497eacb2684ee545fab3f32216b7cc6bf0704dd686b5b724a45dd8b2faa2fe1149f506b628f77ab5c8c330482898fab68175d730

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0a134aca1d28172125c075984aca9211

SHA1
e1e89b934695ac753b897ebfc816101e29ade103

SHA256
fea732e79ef4ef5d794448ee236d1a9633d99f7fac3e37b55fe6bd291de2dda3

SHA512
e91ad70b3d53cc2cb36d95687790d739cb0d54629f688ba3ba42646daa15e707b8335510862848d5da2594bfb1349fde616860a5911d4a04010c7991199fa857

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_23FFFDCAABB8E63694AD1202ED02BF57

Filesize
400B

MD5
2f7bd160b89071d4de1cb93c2c10436a

SHA1
f3386a4d8bc6682cd84ade4975c433bf3780c188

SHA256
c3480976d405310bdd5ae9db8183370784e2ea97779b210a56979c2bf8e6b6dc

SHA512
114adb45982ea61b5ce3b8a80ab6fe675c1f00222e2fd10a7a0230c99eaf622e58fa31a3aba189c433c0ba1eb18d1b893bedf7b2b8ab7b5edc0f69fac182aa6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
e39025b4cbadddb4d780ea5d3b2e1787

SHA1
f87b2a44b9b05d44f844f8190621525f271e6d98

SHA256
3b3bdb83da936d0eed1bfe91776c8e65a45dc5d9324109cfc7f0e4edef45e47a

SHA512
f4f5494439ab5afa6af529e6bf161868a20d371745b962606f88eef50c9c6f28d7fb02ffd9c5a845cf27c1dfc33f448819ddfbf279d02b15eab2798c4c551d28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{54708781-C357-11EE-95F4-C273E1627A77}.dat

Filesize
5KB

MD5
54d84bccbf09b71dcf2296c74f73bca2

SHA1
9005a25e90f2396b5a928c338d59e46a12a0058f

SHA256
97df72a32cfe3e09d34e590da2d15f27b1b0e53889859fbfdced419cf9014290

SHA512
377836dd24f2695c673625610e07f6f34e753057f673859ed5c8554519ddbe93e57d39c36d8133b7acabac038fd1b270ce705d67d9d07dd9b1a568470bd628ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C0XMJ7WI\bullet[1]

Filesize
447B

MD5
26f971d87ca00e23bd2d064524aef838

SHA1
7440beff2f4f8fabc9315608a13bf26cabad27d9

SHA256
1d8e5fd3c1fd384c0a7507e7283c7fe8f65015e521b84569132a7eabedc9d41d

SHA512
c62eb51be301bb96c80539d66a73cd17ca2021d5d816233853a37db72e04050271e581cc99652f3d8469b390003ca6c62dad2a9d57164c620b7777ae99aa1b15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JD6MS3HR\down[1]

Filesize
748B

MD5
c4f558c4c8b56858f15c09037cd6625a

SHA1
ee497cc061d6a7a59bb66defea65f9a8145ba240

SHA256
39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781

SHA512
d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JD6MS3HR\http_404[1]

Filesize
6KB

MD5
f65c729dc2d457b7a1093813f1253192

SHA1
5006c9b50108cf582be308411b157574e5a893fc

SHA256
b82bfb6fa37fd5d56ac7c00536f150c0f244c81f1fc2d4fefbbdc5e175c71b4f

SHA512
717aff18f105f342103d36270d642cc17bd9921ff0dbc87e3e3c2d897f490f4ecfab29cf998d6d99c4951c3eabb356fe759c3483a33704ce9fcc1f546ebcbbc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P9X5K6NC\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P9X5K6NC\info_48[1]

Filesize
4KB

MD5
5565250fcc163aa3a79f0b746416ce69

SHA1
b97cc66471fcdee07d0ee36c7fb03f342c231f8f

SHA256
51129c6c98a82ea491f89857c31146ecec14c4af184517450a7a20c699c84859

SHA512
e60ea153b0fece4d311769391d3b763b14b9a140105a36a13dad23c2906735eaab9092236deb8c68ef078e8864d6e288bef7ef1731c1e9f1ad9b0170b95ac134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RW388YQ4\ErrorPageTemplate[1]

Filesize
2KB

MD5
f4fe1cb77e758e1ba56b8a8ec20417c5

SHA1
f4eda06901edb98633a686b11d02f4925f827bf0

SHA256
8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f

SHA512
62514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RW388YQ4\background_gradient[1]

Filesize
453B

MD5
20f0110ed5e4e0d5384a496e4880139b

SHA1
51f5fc61d8bf19100df0f8aadaa57fcd9c086255

SHA256
1471693be91e53c2640fe7baeecbc624530b088444222d93f2815dfce1865d5b

SHA512
5f52c117e346111d99d3b642926139178a80b9ec03147c00e27f07aab47fe38e9319fe983444f3e0e36def1e86dd7c56c25e44b14efdc3f13b45ededa064db5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RW388YQ4\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RW388YQ4\scare4[1].swf

Filesize
106KB

MD5
4fb1687abd4aec202fe1c05061d98128

SHA1
39f6f10981728861d4a1cebf54917566c6916f1b

SHA256
7afa36638fa3c37c8c56836202aa67979246afe3980164404717abbaf1e25ac9

SHA512
6d93be95ee38266b2674509588ea00bd442e05ddbe5be046ab81782c6952fcd6a8eda83a09680ab63f181fcc372a649371893ec278151765eaee46748d2a04a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1\VikaStarter.exe

Filesize
42KB

MD5
e83cec05cf8b527541f152b5c2f468c5

SHA1
197735f16a2da90b15427a2bf4e46c93d2cd2708

SHA256
a460c3dd116e37206cf677ca31cf74928f8f508e5f7374b2179184bc61598670

SHA512
0d8e0d1b71c6c6b5a2eab9562a1f4ff66de177a5c92303adec3eae43cc8d5ae6d8d1a36fd49bfb71640c1cea70da8a8eff977818b4739dbcb0b9e2692f546fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1\Vikastart.bat

Filesize
2KB

MD5
12b1929fae7dc26250685c9ebd37b991

SHA1
4e4cea3a529bedf19c95e7bed7bf8eceeedfe095

SHA256
5478647bb4ebbe82885bc09aa99c85385a2b0a756d3328aa7f37973a343a9d88

SHA512
e4d9878d9396133e1456fb65c6820cf76f611619ec55603ce84032d2e52839a1cb90b729f62668704c1f062a92013a4bdebb9364e8d5a71242903ca517083710

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3BBB.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF4F4248809A242BC4.TMP

Filesize
16KB

MD5
0abd402046380f04a1e1607ba2c86156

SHA1
992e48476886e03fa9f68e66e3917da95bc84ea2

SHA256
1ff0decbcb4e56ed52c3c496328408f34a0cbd6a382a347e9ced45309dcc2826

SHA512
c035ae3c81c24234a0767048e344fe153e016f43d8beaa7693fa8d394a419c69c7a6cad404c0176d7dd3e415a4ef16f7f7a376dca43a17c3c2696d8183ce51f9

Download Submit
memory/1836-1530-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/2420-56-0x00000000023A0000-0x00000000023E0000-memory.dmp

Filesize
256KB

Download
memory/2420-59-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2420-1529-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2420-60-0x0000000000500000-0x000000000050A000-memory.dmp

Filesize
40KB

Download
memory/2420-54-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2420-53-0x00000000008C0000-0x00000000008D0000-memory.dmp

Filesize
64KB

Download
memory/2428-43-0x0000000000190000-0x00000000001A0000-memory.dmp

Filesize
64KB

Download
memory/2428-55-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2428-45-0x0000000004F10000-0x0000000004F50000-memory.dmp

Filesize
256KB

Download
memory/2428-44-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2836-64-0x0000000000810000-0x0000000000820000-memory.dmp

Filesize
64KB

Download
memory/2836-65-0x0000000004C30000-0x0000000004C70000-memory.dmp

Filesize
256KB

Download
memory/2836-63-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2836-66-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2840-1526-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/2872-1014-0x00000000011C0000-0x00000000011D0000-memory.dmp

Filesize
64KB

Download
memory/2872-1089-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2872-1015-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2872-1016-0x0000000001060000-0x00000000010A0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads