af34b699b6aa750e58a68516b97b4f8c2f08bd03453a6059f6869847cc63a7bf

Resubmissions

23/02/2024, 15:14 UTC

240223-smc6tabh28 7

23/02/2024, 15:12 UTC

240223-slfkjscg6w 7

23/02/2024, 15:03 UTC

240223-sfh4gsbf66 7

Analysis

max time kernel
447s
max time network
450s
platform
windows10-1703_x64
resource
win10-20240214-en
resource tags

arch:x64arch:x86image:win10-20240214-enlocale:en-usos:windows10-1703-x64system
submitted
23/02/2024, 15:03 UTC

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

New Client.exe
Size

396KB
MD5

9b5f12b10b471e0a359bc11e50af28db
SHA1

5e42890b6b4a299cd954bf8dabaf75b38522c0b0
SHA256

af34b699b6aa750e58a68516b97b4f8c2f08bd03453a6059f6869847cc63a7bf
SHA512

1fbf71b9121cb141a617a2e14e466fead22da7cc7c672a8e5f79cab929e10a4f578edba06e8340d40d23f51852b33816a67351b6cecf5a5f72410c1bc0d5b773
SSDEEP

12288:+WSeotlIH682B+64kQHam2dNREz9FdOZMJwGuE4QyZom8exsrPR5TE7D0XuDTT:+WSmpL

Score

7^/10

persistence upx

Malware Config

Signatures

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	New Client.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url	New Client.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	New Client.exe

Executes dropped EXE 2 IoCs

pid	Process
2724	4c478eee0f7f48ec9431a5578a6c350e.exe
200	4606e96e1933489b87f42bc419d89b1f.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001abcf-13.dat	upx
behavioral1/memory/2724-15-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2724-42-0x0000000000400000-0x000000000046D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-820923436-2084397322-3365974649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\New Client.exe\" .."	New Client.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\New Client.exe\" .."	New Client.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 3 IoCs

evasion

pid	Process
2100	TASKKILL.exe
2536	TASKKILL.exe
4444	taskkill.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-820923436-2084397322-3365974649-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-820923436-2084397322-3365974649-1000_Classes\Local Settings	4606e96e1933489b87f42bc419d89b1f.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
4668	New Client.exe
4668	New Client.exe
4668	New Client.exe
4668	New Client.exe
4668	New Client.exe
4668	New Client.exe
4668	New Client.exe
4668	New Client.exe
4668	New Client.exe
4668	New Client.exe
4668	New Client.exe
4668	New Client.exe
4668	New Client.exe
4668	New Client.exe
4668	New Client.exe
4668	New Client.exe
4668	New Client.exe
4668	New Client.exe
4668	New Client.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4668	New Client.exe
Token: SeDebugPrivilege	2536	TASKKILL.exe
Token: SeDebugPrivilege	2100	TASKKILL.exe
Token: 33	4668	New Client.exe
Token: SeIncBasePriorityPrivilege	4668	New Client.exe
Token: 33	4668	New Client.exe
Token: SeIncBasePriorityPrivilege	4668	New Client.exe
Token: 33	4668	New Client.exe
Token: SeIncBasePriorityPrivilege	4668	New Client.exe
Token: 33	4668	New Client.exe
Token: SeIncBasePriorityPrivilege	4668	New Client.exe
Token: 33	4668	New Client.exe
Token: SeIncBasePriorityPrivilege	4668	New Client.exe
Token: 33	4668	New Client.exe
Token: SeIncBasePriorityPrivilege	4668	New Client.exe
Token: 33	4668	New Client.exe
Token: SeIncBasePriorityPrivilege	4668	New Client.exe
Token: 33	4668	New Client.exe
Token: SeIncBasePriorityPrivilege	4668	New Client.exe
Token: 33	4668	New Client.exe
Token: SeIncBasePriorityPrivilege	4668	New Client.exe
Token: 33	4668	New Client.exe
Token: SeIncBasePriorityPrivilege	4668	New Client.exe
Token: 33	4668	New Client.exe
Token: SeIncBasePriorityPrivilege	4668	New Client.exe
Token: 33	4668	New Client.exe
Token: SeIncBasePriorityPrivilege	4668	New Client.exe
Token: 33	4668	New Client.exe
Token: SeIncBasePriorityPrivilege	4668	New Client.exe
Token: 33	4668	New Client.exe
Token: SeIncBasePriorityPrivilege	4668	New Client.exe
Token: 33	4668	New Client.exe
Token: SeIncBasePriorityPrivilege	4668	New Client.exe
Token: 33	4668	New Client.exe
Token: SeIncBasePriorityPrivilege	4668	New Client.exe
Token: 33	4668	New Client.exe
Token: SeIncBasePriorityPrivilege	4668	New Client.exe
Token: 33	4668	New Client.exe
Token: SeIncBasePriorityPrivilege	4668	New Client.exe
Token: 33	4668	New Client.exe
Token: SeIncBasePriorityPrivilege	4668	New Client.exe
Token: 33	4668	New Client.exe
Token: SeIncBasePriorityPrivilege	4668	New Client.exe
Token: 33	4668	New Client.exe
Token: SeIncBasePriorityPrivilege	4668	New Client.exe
Token: 33	4668	New Client.exe
Token: SeIncBasePriorityPrivilege	4668	New Client.exe
Token: 33	4668	New Client.exe
Token: SeIncBasePriorityPrivilege	4668	New Client.exe
Token: 33	4668	New Client.exe
Token: SeIncBasePriorityPrivilege	4668	New Client.exe
Token: 33	4668	New Client.exe
Token: SeIncBasePriorityPrivilege	4668	New Client.exe
Token: 33	4668	New Client.exe
Token: SeIncBasePriorityPrivilege	4668	New Client.exe
Token: 33	4668	New Client.exe
Token: SeIncBasePriorityPrivilege	4668	New Client.exe
Token: 33	4668	New Client.exe
Token: SeIncBasePriorityPrivilege	4668	New Client.exe
Token: 33	4668	New Client.exe
Token: SeIncBasePriorityPrivilege	4668	New Client.exe
Token: 33	4668	New Client.exe
Token: SeIncBasePriorityPrivilege	4668	New Client.exe
Token: 33	4668	New Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2404	LogonUI.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 2100	4668	New Client.exe	74
PID 4668 wrote to memory of 2100	4668	New Client.exe	74
PID 4668 wrote to memory of 2100	4668	New Client.exe	74
PID 4668 wrote to memory of 2536	4668	New Client.exe	77
PID 4668 wrote to memory of 2536	4668	New Client.exe	77
PID 4668 wrote to memory of 2536	4668	New Client.exe	77
PID 4668 wrote to memory of 4444	4668	New Client.exe	79
PID 4668 wrote to memory of 4444	4668	New Client.exe	79
PID 4668 wrote to memory of 4444	4668	New Client.exe	79
PID 4668 wrote to memory of 2724	4668	New Client.exe	81
PID 4668 wrote to memory of 2724	4668	New Client.exe	81
PID 4668 wrote to memory of 2724	4668	New Client.exe	81
PID 2724 wrote to memory of 4744	2724	4c478eee0f7f48ec9431a5578a6c350e.exe	82
PID 2724 wrote to memory of 4744	2724	4c478eee0f7f48ec9431a5578a6c350e.exe	82
PID 4744 wrote to memory of 3640	4744	cmd.exe	85
PID 4744 wrote to memory of 3640	4744	cmd.exe	85
PID 4668 wrote to memory of 200	4668	New Client.exe	88
PID 4668 wrote to memory of 200	4668	New Client.exe	88
PID 4668 wrote to memory of 200	4668	New Client.exe	88
PID 200 wrote to memory of 2272	200	4606e96e1933489b87f42bc419d89b1f.exe	89
PID 200 wrote to memory of 2272	200	4606e96e1933489b87f42bc419d89b1f.exe	89
PID 200 wrote to memory of 2272	200	4606e96e1933489b87f42bc419d89b1f.exe	89
PID 4668 wrote to memory of 4540	4668	New Client.exe	90
PID 4668 wrote to memory of 4540	4668	New Client.exe	90
PID 4668 wrote to memory of 4540	4668	New Client.exe	90

C:\Users\Admin\AppData\Local\Temp\New Client.exe
"C:\Users\Admin\AppData\Local\Temp\New Client.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /F /IM wscript.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2100
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /F /IM cmd.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2536
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:4444
- C:\Users\Admin\AppData\Local\Temp\4c478eee0f7f48ec9431a5578a6c350e.exe
  "C:\Users\Admin\AppData\Local\Temp\4c478eee0f7f48ec9431a5578a6c350e.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\System32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1DD0.tmp\1DD1.tmp\1DD2.bat C:\Users\Admin\AppData\Local\Temp\4c478eee0f7f48ec9431a5578a6c350e.exe"
    3⤵
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4744
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\gggg.VBS"
      4⤵
      Enumerates connected drives
      PID:3640
- C:\Users\Admin\AppData\Local\Temp\4606e96e1933489b87f42bc419d89b1f.exe
  "C:\Users\Admin\AppData\Local\Temp\4606e96e1933489b87f42bc419d89b1f.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:200
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\play.vbs"
    3⤵
    - Enumerates connected drives
    PID:2272
- C:\Windows\SysWOW64\shutdown.exe
  "C:\Windows\System32\shutdown.exe" /r /t 00
  2⤵
  PID:4540

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x40c
1⤵
PID:4428

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3af4855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2404

Network

DNS

cut-britney.gl.at.ply.gg

New Client.exe

Remote address:

8.8.8.8:53

Request

cut-britney.gl.at.ply.gg

IN A

Response

cut-britney.gl.at.ply.gg

IN A

147.185.221.16
DNS

16.221.185.147.in-addr.arpa

Remote address:

8.8.8.8:53

Request

16.221.185.147.in-addr.arpa

IN PTR

Response
DNS

29.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

29.243.111.52.in-addr.arpa

IN PTR

Response
DNS

131.109.69.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

131.109.69.13.in-addr.arpa

IN PTR

Response
DNS

cut-britney.gl.at.ply.gg

New Client.exe

Remote address:

8.8.8.8:53

Request

cut-britney.gl.at.ply.gg

IN A

Response

cut-britney.gl.at.ply.gg

IN A

147.185.221.16

138.91.171.81:80

230 B
5
138.91.171.81:80

52 B
1
147.185.221.16:38277

cut-britney.gl.at.ply.gg

New Client.exe

35.8kB
1.1MB
522
965
147.185.221.16:38277

cut-britney.gl.at.ply.gg

New Client.exe

69.1kB
2.3kB
77
52

8.8.8.8:53

cut-britney.gl.at.ply.gg

dns

New Client.exe

70 B
86 B
1
1

DNS Request

cut-britney.gl.at.ply.gg

DNS Response

147.185.221.16
8.8.8.8:53

16.221.185.147.in-addr.arpa

dns

73 B
130 B
1
1

DNS Request

16.221.185.147.in-addr.arpa
8.8.8.8:53

29.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

29.243.111.52.in-addr.arpa
8.8.8.8:53

131.109.69.13.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

131.109.69.13.in-addr.arpa
8.8.8.8:53

cut-britney.gl.at.ply.gg

dns

New Client.exe

70 B
86 B
1
1

DNS Request

cut-britney.gl.at.ply.gg

DNS Response

147.185.221.16

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
96fcf95de3f8965f64caaa3a5bf42ffe

SHA1
83266a90b8910d237f10325120e2270a8bb043eb

SHA256
5fdb9244a987af148f0f5f952c146c044a9c1fe7447aaac772df42564005e829

SHA512
89d9da037c07245d9d603f279d83cbef0bdaf616bd5820feeeff8f2ce7537e00e74e6567ef9ba0cc71cf68a76f8dc53f34c9c55c41309448fa4629a82c6895eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1DD0.tmp\1DD1.tmp\1DD2.bat

Filesize
30B

MD5
357a7bdd785305e805a56f1ced70966d

SHA1
d5a5ad1cb1568d16351f1215bbf349168082cc50

SHA256
2dddc29e955de491e20da90c69ead88ef6f04bbb4d000095a1e3eac72139066f

SHA512
cd37160073bdc44a004fb514017f36c4134cd2e32110b8853f97f704de9fb61e3b0ed5bdfa401199bc7968d15ec7b998e0954a890cfba953baf15d066bf88355

Download Submit
C:\Users\Admin\AppData\Local\Temp\4606e96e1933489b87f42bc419d89b1f.exe

Filesize
444KB

MD5
e4f69c341bc8cfd11e4292788e1e021f

SHA1
cceb7f3a13f3800b93b2a075b62d0571f59c6f21

SHA256
f92e8a9832c9025b4f8e870e4f61582cccfcba28bb4cb00697578714b7b3a0f5

SHA512
71c2273d72b55d2e8b9f2b2c86ae8facd22191ae564284ba2b4e824f335b652d0335e2ab86484db6c257562eecb935daf006cf358d1398a80833d824e8c8e450

Download Submit
C:\Users\Admin\AppData\Local\Temp\4c478eee0f7f48ec9431a5578a6c350e.exe

Filesize
367KB

MD5
4312fc1e1e3de4b540e76d7867ef6a20

SHA1
e1bf939c3fbdec3c216b5a64bd1021590257ea96

SHA256
ba5ac5c166eb578e235d14d00e428f9d7e81b8a9d05d33bafeb54aa577ee2033

SHA512
0370d1c1d0d0b3adbb59270d97290058ad61d05dee26a4edab91f9acaa8a67540c3a51c779892e6300abbb91e0ac921fb75343ea5dd3387deabb1b2deab388fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\play.vbs

Filesize
234B

MD5
448d64b7e2c09496500e077a00882dc6

SHA1
4796fb338dc81d16606ed76f63075b4fef8e051d

SHA256
b894b20027e433c8abe00659b972519d2e4166206de2cbc74cf41567581a099d

SHA512
c2160b4317670acea1cc9b5ba4a447ca1f95370eb119aa2299e2d3dad13d0aee1fd55ee4695b2883f2ce00339db88ec80cb0f104fb9fda8811bb3bd29afc25f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pod.mp3

Filesize
126KB

MD5
5fac9ee2ee41eabef3bc0a2043e8b4c4

SHA1
bd8bb1a4c059542bcfa2d813ed9dd649689f0eec

SHA256
983cfe7f4df4e1bdd6f9877ee6aacb6867456a1e467f59c9ea7019b2b8509ff3

SHA512
7291ac25a059fc00d1cce0e34adae8ddad860daa4731613ecedeb9b5a8f3a051317bcbf056c4ce4591dba596a83fc503539a27cc69307c0178f91934a4c4a825

Download Submit
C:\Users\Admin\AppData\Roaming\bb.mp3

Filesize
319KB

MD5
7141e2fb94792fc8f1213c8f61e9266d

SHA1
adf553fe103ba5a978a6a6bb15be1760f6668a2e

SHA256
7cbc8ec8c691ff941a87ed45d74521c9459e14f10c6686fc2b775e71c06174a0

SHA512
933c1561bb0c68d015392a768357a86585e477295be03a5a63db2916189071766014a747f7fdc6d06803776a6f02d4faa6562f2a74c11420c03e56e5e5892d3a

Download Submit
C:\Users\Admin\AppData\Roaming\gggg.VBS

Filesize
114B

MD5
56ec2fa7ef80fb09d1a45cdb4a7fcf2b

SHA1
73b8c3355eb2568ca2ff81735df04d31013d0615

SHA256
0a7ac9e82cd60496ae0ac47b894c47cbdbb68daf081cae2ff97e1fe92ef632a0

SHA512
11e4cea21338f648a681d26be95c8eafc94df15af295c8a9c9de70a38a744f02ecbda4ac601d39d56da19df56b1cd16cd8f397416984282e6fa28de5bfe106bc

Download Submit
memory/2272-71-0x00000000061D0000-0x00000000061E0000-memory.dmp

Filesize
64KB

Download
memory/2272-69-0x00000000061D0000-0x00000000061E0000-memory.dmp

Filesize
64KB

Download
memory/2272-86-0x00000000061D0000-0x00000000061E0000-memory.dmp

Filesize
64KB

Download
memory/2272-85-0x00000000061D0000-0x00000000061E0000-memory.dmp

Filesize
64KB

Download
memory/2272-72-0x00000000061D0000-0x00000000061E0000-memory.dmp

Filesize
64KB

Download
memory/2272-67-0x00000000061D0000-0x00000000061E0000-memory.dmp

Filesize
64KB

Download
memory/2272-68-0x00000000061D0000-0x00000000061E0000-memory.dmp

Filesize
64KB

Download
memory/2272-66-0x00000000061D0000-0x00000000061E0000-memory.dmp

Filesize
64KB

Download
memory/2272-64-0x00000000061D0000-0x00000000061E0000-memory.dmp

Filesize
64KB

Download
memory/2272-65-0x00000000061D0000-0x00000000061E0000-memory.dmp

Filesize
64KB

Download
memory/2724-42-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2724-15-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4668-9-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/4668-0-0x0000000073620000-0x0000000073BD0000-memory.dmp

Filesize
5.7MB

Download
memory/4668-2-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/4668-7-0x0000000073620000-0x0000000073BD0000-memory.dmp

Filesize
5.7MB

Download
memory/4668-8-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/4668-1-0x0000000073620000-0x0000000073BD0000-memory.dmp

Filesize
5.7MB

Download
memory/4668-6-0x0000000073620000-0x0000000073BD0000-memory.dmp

Filesize
5.7MB

Download
memory/4668-89-0x0000000073620000-0x0000000073BD0000-memory.dmp

Filesize
5.7MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.