milleniumrat | edc2569ca00fba2e64ff7727b64b3cdf7182f9a37226f190aeb57a755f225ede

Resubmissions

19-04-2024 22:03

240419-1yfp3she5x 10

19-04-2024 18:14

240419-wvbvhabf45 7

Analysis

max time kernel
27s
max time network
62s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 22:03

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-19T22:04:40Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win10v2004-20240412-en/instance_25-dirty.qcow2\"}"

Report Analysis Logs

General

Target

hacn.exe
Size

12.3MB
MD5

0b6cd2cf55fadd40218d09b5617022f3
SHA1

f33ce545bf7d07c84755cea6151b44ca17889a70
SHA256

edc2569ca00fba2e64ff7727b64b3cdf7182f9a37226f190aeb57a755f225ede
SHA512

d45ee80d7d17c62257a117de22b647317a728ac716d3193af539944e985055735ce5a6444f08f49a15a0dd397d1557e830129b810b703dc508d3a7ed9a7e6d96
SSDEEP

196608:ehHHDfyGowBdnpkYRMZuYcISpZUUvExfiYvq7IsBfW023p0R6iM9j:2DfDoc64YcIyZU0E9dufW0ayRI9

Score

10^/10

milleniumrat evasion persistence rat spyware stealer

Malware Config

Signatures

MilleniumRat
MilleniumRat is a remote access trojan written in C#.
rat stealer milleniumrat

Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs

Processes:

setup.exe

description	pid	process	target process
PID 4420 created 3340	4420	setup.exe	Explorer.EXE
PID 4420 created 3340	4420	setup.exe	Explorer.EXE
PID 4420 created 3340	4420	setup.exe	Explorer.EXE
PID 4420 created 3340	4420	setup.exe	Explorer.EXE
PID 4420 created 3340	4420	setup.exe	Explorer.EXE
PID 4420 created 3340	4420	setup.exe	Explorer.EXE

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s.exemain.exeUpdate.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	s.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	main.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	Update.exe

Executes dropped EXE 4 IoCs

Processes:

s.exemain.exesetup.exeUpdate.exe

pid process

796 s.exe
4768 main.exe
4420 setup.exe
2016 Update.exe
Loads dropped DLL 4 IoCs

Processes:

hacn.exemain.exeUpdate.exe

pid process

2804 hacn.exe
2804 hacn.exe
4768 main.exe
2016 Update.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
796	s.exe
4768	main.exe
4420	setup.exe
2016	Update.exe

pid	process
2804	hacn.exe
2804	hacn.exe
4768	main.exe
2016	Update.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLog\\Update.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

26 raw.githubusercontent.com
27 raw.githubusercontent.com
45 raw.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

19 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

setup.exe

description pid process target process

PID 4420 set thread context of 3624 4420 setup.exe dialer.exe
Drops file in Program Files directory 1 IoCs

Processes:

setup.exe

description ioc process

File created C:\Program Files\Google\Chrome\updater.exe setup.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

4120 sc.exe
1388 sc.exe
3688 sc.exe
1684 sc.exe
3068 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
26	raw.githubusercontent.com
27	raw.githubusercontent.com
45	raw.githubusercontent.com

flow	ioc
19	ip-api.com

description	pid	process	target process
PID 4420 set thread context of 3624	4420	setup.exe	dialer.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	setup.exe

pid	process
4120	sc.exe
1388	sc.exe
3688	sc.exe
1684	sc.exe
3068	sc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Update.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Update.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Update.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3984 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4756 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

3248 tasklist.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4656 reg.exe

pid	process
3984	schtasks.exe

pid	process
4756	timeout.exe

pid	process
3248	tasklist.exe

pid	process
4656	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

main.exeUpdate.exesetup.exepowershell.exedialer.exe

pid	process
4768	main.exe
4768	main.exe
4768	main.exe
4768	main.exe
4768	main.exe
4768	main.exe
4768	main.exe
4768	main.exe
4768	main.exe
4768	main.exe
4768	main.exe
4768	main.exe
4768	main.exe
4768	main.exe
4768	main.exe
4768	main.exe
4768	main.exe
4768	main.exe
4768	main.exe
4768	main.exe
4768	main.exe
2016	Update.exe
2016	Update.exe
2016	Update.exe
2016	Update.exe
2016	Update.exe
2016	Update.exe
2016	Update.exe
2016	Update.exe
2016	Update.exe
2016	Update.exe
2016	Update.exe
2016	Update.exe
2016	Update.exe
2016	Update.exe
2016	Update.exe
2016	Update.exe
2016	Update.exe
2016	Update.exe
2016	Update.exe
2016	Update.exe
2016	Update.exe
2016	Update.exe
2016	Update.exe
2016	Update.exe
2016	Update.exe
2016	Update.exe
2016	Update.exe
4420	setup.exe
4420	setup.exe
4644	powershell.exe
4644	powershell.exe
4644	powershell.exe
4420	setup.exe
4420	setup.exe
4420	setup.exe
4420	setup.exe
4420	setup.exe
4420	setup.exe
3624	dialer.exe
3624	dialer.exe
4420	setup.exe
4420	setup.exe
3624	dialer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

main.exetasklist.exeUpdate.exepowershell.exedialer.exedwm.exe

description	pid	process
Token: SeDebugPrivilege	4768	main.exe
Token: SeDebugPrivilege	3248	tasklist.exe
Token: SeDebugPrivilege	2016	Update.exe
Token: SeDebugPrivilege	4644	powershell.exe
Token: SeDebugPrivilege	3624	dialer.exe
Token: SeShutdownPrivilege	316	dwm.exe
Token: SeCreatePagefilePrivilege	316	dwm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Update.exe

pid process

2016 Update.exe

pid	process
2016	Update.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

hacn.exehacn.execmd.exes.exemain.execmd.exeUpdate.execmd.execmd.exesetup.exedialer.exelsass.exe

description	pid	process	target process
PID 4724 wrote to memory of 2804	4724	hacn.exe	hacn.exe
PID 4724 wrote to memory of 2804	4724	hacn.exe	hacn.exe
PID 2804 wrote to memory of 1520	2804	hacn.exe	cmd.exe
PID 2804 wrote to memory of 1520	2804	hacn.exe	cmd.exe
PID 1520 wrote to memory of 796	1520	cmd.exe	s.exe
PID 1520 wrote to memory of 796	1520	cmd.exe	s.exe
PID 1520 wrote to memory of 796	1520	cmd.exe	s.exe
PID 796 wrote to memory of 4768	796	s.exe	main.exe
PID 796 wrote to memory of 4768	796	s.exe	main.exe
PID 796 wrote to memory of 4420	796	s.exe	setup.exe
PID 796 wrote to memory of 4420	796	s.exe	setup.exe
PID 4768 wrote to memory of 4776	4768	main.exe	cmd.exe
PID 4768 wrote to memory of 4776	4768	main.exe	cmd.exe
PID 4776 wrote to memory of 3248	4776	cmd.exe	tasklist.exe
PID 4776 wrote to memory of 3248	4776	cmd.exe	tasklist.exe
PID 4776 wrote to memory of 2124	4776	cmd.exe	find.exe
PID 4776 wrote to memory of 2124	4776	cmd.exe	find.exe
PID 4776 wrote to memory of 4756	4776	cmd.exe	timeout.exe
PID 4776 wrote to memory of 4756	4776	cmd.exe	timeout.exe
PID 4776 wrote to memory of 2016	4776	cmd.exe	Update.exe
PID 4776 wrote to memory of 2016	4776	cmd.exe	Update.exe
PID 2016 wrote to memory of 3684	2016	Update.exe	cmd.exe
PID 2016 wrote to memory of 3684	2016	Update.exe	cmd.exe
PID 3684 wrote to memory of 4656	3684	cmd.exe	reg.exe
PID 3684 wrote to memory of 4656	3684	cmd.exe	reg.exe
PID 2760 wrote to memory of 1388	2760	cmd.exe	sc.exe
PID 2760 wrote to memory of 1388	2760	cmd.exe	sc.exe
PID 2760 wrote to memory of 3688	2760	cmd.exe	sc.exe
PID 2760 wrote to memory of 3688	2760	cmd.exe	sc.exe
PID 2760 wrote to memory of 3068	2760	cmd.exe	sc.exe
PID 2760 wrote to memory of 3068	2760	cmd.exe	sc.exe
PID 2760 wrote to memory of 1684	2760	cmd.exe	sc.exe
PID 2760 wrote to memory of 1684	2760	cmd.exe	sc.exe
PID 2760 wrote to memory of 4120	2760	cmd.exe	sc.exe
PID 2760 wrote to memory of 4120	2760	cmd.exe	sc.exe
PID 4420 wrote to memory of 3624	4420	setup.exe	dialer.exe
PID 3624 wrote to memory of 612	3624	dialer.exe	winlogon.exe
PID 3624 wrote to memory of 672	3624	dialer.exe	lsass.exe
PID 3624 wrote to memory of 960	3624	dialer.exe	svchost.exe
PID 672 wrote to memory of 2644	672	lsass.exe	sysmon.exe
PID 3624 wrote to memory of 316	3624	dialer.exe	dwm.exe
PID 3624 wrote to memory of 508	3624	dialer.exe	svchost.exe
PID 672 wrote to memory of 2644	672	lsass.exe	sysmon.exe
PID 672 wrote to memory of 2644	672	lsass.exe	sysmon.exe
PID 3624 wrote to memory of 1040	3624	dialer.exe	svchost.exe
PID 672 wrote to memory of 2644	672	lsass.exe	sysmon.exe
PID 672 wrote to memory of 2644	672	lsass.exe	sysmon.exe
PID 3624 wrote to memory of 1104	3624	dialer.exe	svchost.exe
PID 672 wrote to memory of 2644	672	lsass.exe	sysmon.exe
PID 672 wrote to memory of 2644	672	lsass.exe	sysmon.exe
PID 3624 wrote to memory of 1112	3624	dialer.exe	svchost.exe
PID 3624 wrote to memory of 1120	3624	dialer.exe	svchost.exe
PID 3624 wrote to memory of 1144	3624	dialer.exe	svchost.exe
PID 3624 wrote to memory of 1268	3624	dialer.exe	svchost.exe
PID 3624 wrote to memory of 1292	3624	dialer.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:316

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:508

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1104

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1144
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  PID:1264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1292

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2644

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3340
- C:\Users\Admin\AppData\Local\Temp\hacn.exe
  "C:\Users\Admin\AppData\Local\Temp\hacn.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4724
- - C:\Users\Admin\AppData\Local\Temp\hacn.exe
    "C:\Users\Admin\AppData\Local\Temp\hacn.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\_MEI47242\s.exe -pbeznogym
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1520
    - - C:\Users\Admin\AppData\Local\Temp\_MEI47242\s.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI47242\s.exe -pbeznogym
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:796
      - C:\ProgramData\main.exe
        
        "C:\ProgramData\main.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp49F9.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp49F9.tmp.bat
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 4768"
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3248
        
        C:\Windows\system32\find.exe
        
        find ":"
        8⤵
        
        PID:2124
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:4756
        
        C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
        
        "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
        10⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:4656
      - C:\ProgramData\setup.exe
        
        "C:\ProgramData\setup.exe"
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4644
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1388
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3688
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3068
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1684
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:4120
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3624
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:4636
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\yntnomxcupkb.xml"
  2⤵
  - Creates scheduled task(s)
  PID:3984
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1064

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3384

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3308

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
2.7MB

MD5
975694323d6fe3acc4c231abedaba584

SHA1
aa7ac0fac1b51d558f55f8be9b2f6a7015be2f62

SHA256
643219c50d739c1b7c691ae32cef54d947897629ca52de39dbf95d6b1c698486

SHA512
ab3fe63fb567c2864582d355fcd371b05300116c34ad2059c4b0324d30cafb8882a0a6b07222934609a1760f562ba199ccad7ccf187abf0cb11e47929f76db86

Download Submit
C:\ProgramData\main.exe

Filesize
5.6MB

MD5
5df3e2c717f267899f37ec6e8fc7f47a

SHA1
5e980079f67215bf69b8c1c16b56f40bf4a29958

SHA256
e3f5c557ece7ec27cb7e4a26482eadf0d9065065d94b2919f9b881bc74800e6e

SHA512
8cef1184120e010421d69fcf271822b3f0b45e34a1565152a3f2decb8f500d0e69de9816d9075683fcfb0f431713f3fbc42ac2d87503cdcdde125aba3fa1635d

Download Submit
C:\ProgramData\setup.exe

Filesize
5.4MB

MD5
1274cbcd6329098f79a3be6d76ab8b97

SHA1
53c870d62dcd6154052445dc03888cdc6cffd370

SHA256
bbe5544c408a6eb95dd9980c61a63c4ebc8ccbeecade4de4fae8332361e27278

SHA512
a0febbd4915791d3c32531fb3cf177ee288dd80ce1c8a1e71fa9ad59a4ebddeef69b6be7f3d19e687b96dc59c8a8fa80afff8378a71431c3133f361b28e0d967

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47242\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47242\_bz2.pyd

Filesize
81KB

MD5
86d1b2a9070cd7d52124126a357ff067

SHA1
18e30446fe51ced706f62c3544a8c8fdc08de503

SHA256
62173a8fadd4bf4dd71ab89ea718754aa31620244372f0c5bbbae102e641a60e

SHA512
7db4b7e0c518a02ae901f4b24e3860122acc67e38e73f98f993fe99eb20bb3aa539db1ed40e63d6021861b54f34a5f5a364907ffd7da182adea68bbdd5c2b535

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47242\_decimal.pyd

Filesize
248KB

MD5
20c77203ddf9ff2ff96d6d11dea2edcf

SHA1
0d660b8d1161e72c993c6e2ab0292a409f6379a5

SHA256
9aac010a424c757c434c460c3c0a6515d7720966ab64bad667539282a17b4133

SHA512
2b24346ece2cbd1e9472a0e70768a8b4a5d2c12b3d83934f22ebdc9392d9023dcb44d2322ada9edbe2eb0e2c01b5742d2a83fa57ca23054080909ec6eb7cf3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47242\_hashlib.pyd

Filesize
63KB

MD5
d4674750c732f0db4c4dd6a83a9124fe

SHA1
fd8d76817abc847bb8359a7c268acada9d26bfd5

SHA256
caa4d2f8795e9a55e128409cc016e2cc5c694cb026d7058fc561e4dd131ed1c9

SHA512
97d57cfb80dd9dd822f2f30f836e13a52f771ee8485bc0fd29236882970f6bfbdfaac3f2e333bba5c25c20255e8c0f5ad82d8bc8a6b6e2f7a07ea94a9149c81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47242\_lzma.pyd

Filesize
154KB

MD5
7447efd8d71e8a1929be0fac722b42dc

SHA1
6080c1b84c2dcbf03dcc2d95306615ff5fce49a6

SHA256
60793c8592193cfbd00fd3e5263be4315d650ba4f9e4fda9c45a10642fd998be

SHA512
c6295d45ed6c4f7534c1a38d47ddc55fea8b9f62bbdc0743e4d22e8ad0484984f8ab077b73e683d0a92d11bf6588a1ae395456cfa57da94bb2a6c4a1b07984de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47242\_socket.pyd

Filesize
77KB

MD5
819166054fec07efcd1062f13c2147ee

SHA1
93868ebcd6e013fda9cd96d8065a1d70a66a2a26

SHA256
e6deb751039cd5424a139708475ce83f9c042d43e650765a716cb4a924b07e4f

SHA512
da3a440c94cb99b8af7d2bc8f8f0631ae9c112bd04badf200edbf7ea0c48d012843b4a9fb9f1e6d3a9674fd3d4eb6f0fa78fd1121fad1f01f3b981028538b666

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47242\base_library.zip

Filesize
859KB

MD5
483d9675ef53a13327e7dfc7d09f23fe

SHA1
2378f1db6292cd8dc4ad95763a42ad49aeb11337

SHA256
70c28ec0770edefcef46fa27aaa08ba8dc22a31acd6f84cb0b99257dca1b629e

SHA512
f905eb1817d7d4cc1f65e3a5a01bade761bca15c4a24af7097bc8f3f2b43b00e000d6ea23cd054c391d3fdc2f1114f2af43c8bb6d97c1a0ce747763260a864f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47242\libcrypto-1_1.dll

Filesize
3.3MB

MD5
9d7a0c99256c50afd5b0560ba2548930

SHA1
76bd9f13597a46f5283aa35c30b53c21976d0824

SHA256
9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939

SHA512
cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47242\python310.dll

Filesize
4.3MB

MD5
63a1fa9259a35eaeac04174cecb90048

SHA1
0dc0c91bcd6f69b80dcdd7e4020365dd7853885a

SHA256
14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed

SHA512
896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47242\s.exe

Filesize
7.3MB

MD5
69844fa00a57dfbedf6ad10016734a5a

SHA1
1e3d266530daf49ee01a9026ab518b11af8ef1ae

SHA256
067d544437c847ada035f5cadbe8b75554aaa7dad6cbfdfbfa83a302b63a647e

SHA512
fde734bb418552fcc8e318fa5ff4156d233fb43bfd2997c2f1eb9b9f4f109a3824f992dbff107765f4eec780008884de26b04e8e02a08dad337ace9aa230fc81

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47242\select.pyd

Filesize
29KB

MD5
a653f35d05d2f6debc5d34daddd3dfa1

SHA1
1a2ceec28ea44388f412420425665c3781af2435

SHA256
db85f2f94d4994283e1055057372594538ae11020389d966e45607413851d9e9

SHA512
5aede99c3be25b1a962261b183ae7a7fb92cb0cb866065dc9cd7bb5ff6f41cc8813d2cc9de54670a27b3ad07a33b833eaa95a5b46dad7763ca97dfa0c1ce54c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47242\unicodedata.pyd

Filesize
1.1MB

MD5
81d62ad36cbddb4e57a91018f3c0816e

SHA1
fe4a4fc35df240b50db22b35824e4826059a807b

SHA256
1fb2d66c056f69e8bbdd8c6c910e72697874dae680264f8fb4b4df19af98aa2e

SHA512
7d15d741378e671591356dfaad4e1e03d3f5456cbdf87579b61d02a4a52ab9b6ecbffad3274cede8c876ea19eaeb8ba4372ad5986744d430a29f50b9caffb75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qhfudc4v.uxm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp49F9.tmp.bat

Filesize
256B

MD5
6a6fddce7ccdc6940822e497949d9546

SHA1
abab77c009a6c48062b61c29abefc69f496401c0

SHA256
d861f803a487969c05c683f42c4c969d96a82e570f661aed6c7f475fcad6ac98

SHA512
443f4c11ffe4421469133a0c8efe537ed702d5cadb0fcbf96b96baa21c70de80614d52833227016c04a47bd7e72673ed0e1b7af424cac288cfc064ad6891103e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yntnomxcupkb.xml

Filesize
1KB

MD5
546d67a48ff2bf7682cea9fac07b942e

SHA1
a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90

SHA256
eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a

SHA512
10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

Download Submit
memory/316-141-0x0000022A09750000-0x0000022A0977B000-memory.dmp

Filesize
172KB

Download
memory/316-129-0x0000022A09750000-0x0000022A0977B000-memory.dmp

Filesize
172KB

Download
memory/316-133-0x00007FFE0C9B0000-0x00007FFE0C9C0000-memory.dmp

Filesize
64KB

Download
memory/508-140-0x00007FFE0C9B0000-0x00007FFE0C9C0000-memory.dmp

Filesize
64KB

Download
memory/508-138-0x00000179E29D0000-0x00000179E29FB000-memory.dmp

Filesize
172KB

Download
memory/508-145-0x00000179E29D0000-0x00000179E29FB000-memory.dmp

Filesize
172KB

Download
memory/612-123-0x00000229235A0000-0x00000229235CB000-memory.dmp

Filesize
172KB

Download
memory/612-118-0x0000022923570000-0x0000022923594000-memory.dmp

Filesize
144KB

Download
memory/612-188-0x00007FFE0C9B0000-0x00007FFE0C9C0000-memory.dmp

Filesize
64KB

Download
memory/612-190-0x00000229235A0000-0x00000229235CB000-memory.dmp

Filesize
172KB

Download
memory/612-120-0x00000229235A0000-0x00000229235CB000-memory.dmp

Filesize
172KB

Download
memory/612-126-0x00007FFE4C9CD000-0x00007FFE4C9CE000-memory.dmp

Filesize
4KB

Download
memory/672-137-0x00007FFE4C9CD000-0x00007FFE4C9CE000-memory.dmp

Filesize
4KB

Download
memory/672-134-0x00000194DE3D0000-0x00000194DE3FB000-memory.dmp

Filesize
172KB

Download
memory/672-122-0x00000194DE3D0000-0x00000194DE3FB000-memory.dmp

Filesize
172KB

Download
memory/672-124-0x00007FFE0C9B0000-0x00007FFE0C9C0000-memory.dmp

Filesize
64KB

Download
memory/960-132-0x00007FFE0C9B0000-0x00007FFE0C9C0000-memory.dmp

Filesize
64KB

Download
memory/960-144-0x00007FFE4C9CC000-0x00007FFE4C9CD000-memory.dmp

Filesize
4KB

Download
memory/960-139-0x0000017EDD0D0000-0x0000017EDD0FB000-memory.dmp

Filesize
172KB

Download
memory/960-127-0x0000017EDD0D0000-0x0000017EDD0FB000-memory.dmp

Filesize
172KB

Download
memory/1040-152-0x00007FFE0C9B0000-0x00007FFE0C9C0000-memory.dmp

Filesize
64KB

Download
memory/1040-149-0x000002B0601C0000-0x000002B0601EB000-memory.dmp

Filesize
172KB

Download
memory/1040-154-0x000002B0601C0000-0x000002B0601EB000-memory.dmp

Filesize
172KB

Download
memory/1104-159-0x00007FFE0C9B0000-0x00007FFE0C9C0000-memory.dmp

Filesize
64KB

Download
memory/1104-158-0x0000021346AB0000-0x0000021346ADB000-memory.dmp

Filesize
172KB

Download
memory/1112-162-0x000001F786110000-0x000001F78613B000-memory.dmp

Filesize
172KB

Download
memory/1112-163-0x00007FFE0C9B0000-0x00007FFE0C9C0000-memory.dmp

Filesize
64KB

Download
memory/1120-167-0x0000013E43B70000-0x0000013E43B9B000-memory.dmp

Filesize
172KB

Download
memory/1120-170-0x00007FFE0C9B0000-0x00007FFE0C9C0000-memory.dmp

Filesize
64KB

Download
memory/1144-173-0x00007FFE0C9B0000-0x00007FFE0C9C0000-memory.dmp

Filesize
64KB

Download
memory/1144-172-0x0000028B89D00000-0x0000028B89D2B000-memory.dmp

Filesize
172KB

Download
memory/1264-196-0x00007FF69A5F0000-0x00007FF69AB55000-memory.dmp

Filesize
5.4MB

Download
memory/1264-222-0x0000025A5D770000-0x0000025A5D79B000-memory.dmp

Filesize
172KB

Download
memory/1268-178-0x00007FFE0C9B0000-0x00007FFE0C9C0000-memory.dmp

Filesize
64KB

Download
memory/1268-176-0x000001C703970000-0x000001C70399B000-memory.dmp

Filesize
172KB

Download
memory/1292-182-0x00007FFE0C9B0000-0x00007FFE0C9C0000-memory.dmp

Filesize
64KB

Download
memory/1292-183-0x000001A808D90000-0x000001A808DBB000-memory.dmp

Filesize
172KB

Download
memory/1292-180-0x000001A808D90000-0x000001A808DBB000-memory.dmp

Filesize
172KB

Download
memory/1364-227-0x00000149B6190000-0x00000149B61BB000-memory.dmp

Filesize
172KB

Download
memory/1364-198-0x00000149B6190000-0x00000149B61BB000-memory.dmp

Filesize
172KB

Download
memory/1408-230-0x000002290DA60000-0x000002290DA8B000-memory.dmp

Filesize
172KB

Download
memory/1524-234-0x0000029654F70000-0x0000029654F9B000-memory.dmp

Filesize
172KB

Download
memory/1536-237-0x000001A3B3D00000-0x000001A3B3D2B000-memory.dmp

Filesize
172KB

Download
memory/1548-239-0x000001AB90890000-0x000001AB908BB000-memory.dmp

Filesize
172KB

Download
memory/1648-241-0x0000027FCF5A0000-0x0000027FCF5CB000-memory.dmp

Filesize
172KB

Download
memory/1704-242-0x0000017FE8B40000-0x0000017FE8B6B000-memory.dmp

Filesize
172KB

Download
memory/1744-248-0x000001DD95380000-0x000001DD953AB000-memory.dmp

Filesize
172KB

Download
memory/1768-265-0x00000270311D0000-0x00000270311FB000-memory.dmp

Filesize
172KB

Download
memory/2016-68-0x0000012FB5000000-0x0000012FB5010000-memory.dmp

Filesize
64KB

Download
memory/2016-96-0x0000012FB5000000-0x0000012FB5010000-memory.dmp

Filesize
64KB

Download
memory/2016-71-0x0000012FB51F0000-0x0000012FB525A000-memory.dmp

Filesize
424KB

Download
memory/2016-70-0x0000012FB5170000-0x0000012FB517A000-memory.dmp

Filesize
40KB

Download
memory/2016-243-0x0000012FB5000000-0x0000012FB5010000-memory.dmp

Filesize
64KB

Download
memory/2016-93-0x0000012FB5600000-0x0000012FB5612000-memory.dmp

Filesize
72KB

Download
memory/2016-65-0x00007FFE2DEC0000-0x00007FFE2E981000-memory.dmp

Filesize
10.8MB

Download
memory/2016-151-0x00007FFE2DEC0000-0x00007FFE2E981000-memory.dmp

Filesize
10.8MB

Download
memory/2016-181-0x0000012FB5000000-0x0000012FB5010000-memory.dmp

Filesize
64KB

Download
memory/2016-74-0x0000012FB55C0000-0x0000012FB55FA000-memory.dmp

Filesize
232KB

Download
memory/2016-75-0x0000012FB5140000-0x0000012FB5166000-memory.dmp

Filesize
152KB

Download
memory/2016-258-0x00007FFE2DEC0000-0x00007FFE2E981000-memory.dmp

Filesize
10.8MB

Download
memory/3308-271-0x00007FFE4C930000-0x00007FFE4CB25000-memory.dmp

Filesize
2.0MB

Download
memory/3308-276-0x00000264BE910000-0x00000264BE93B000-memory.dmp

Filesize
172KB

Download
memory/3308-253-0x00000264BE910000-0x00000264BE93B000-memory.dmp

Filesize
172KB

Download
memory/3384-240-0x00000206CA020000-0x00000206CA04B000-memory.dmp

Filesize
172KB

Download
memory/3624-116-0x00007FFE4AF70000-0x00007FFE4B02E000-memory.dmp

Filesize
760KB

Download
memory/3624-192-0x00007FF762D80000-0x00007FF762DAB000-memory.dmp

Filesize
172KB

Download
memory/3624-115-0x00007FFE4C930000-0x00007FFE4CB25000-memory.dmp

Filesize
2.0MB

Download
memory/4420-69-0x00007FF6CB840000-0x00007FF6CBDA5000-memory.dmp

Filesize
5.4MB

Download
memory/4420-150-0x00007FF6CB840000-0x00007FF6CBDA5000-memory.dmp

Filesize
5.4MB

Download
memory/4420-131-0x00007FF6CB840000-0x00007FF6CBDA5000-memory.dmp

Filesize
5.4MB

Download
memory/4644-98-0x00007FFE2DEC0000-0x00007FFE2E981000-memory.dmp

Filesize
10.8MB

Download
memory/4644-109-0x0000021724C10000-0x0000021724C20000-memory.dmp

Filesize
64KB

Download
memory/4644-113-0x00007FFE2DEC0000-0x00007FFE2E981000-memory.dmp

Filesize
10.8MB

Download
memory/4644-108-0x0000021724C10000-0x0000021724C20000-memory.dmp

Filesize
64KB

Download
memory/4644-110-0x0000021724C90000-0x0000021724CB2000-memory.dmp

Filesize
136KB

Download
memory/4768-60-0x00007FFE2DE10000-0x00007FFE2E8D1000-memory.dmp

Filesize
10.8MB

Download
memory/4768-46-0x00000297B4940000-0x00000297B4EE0000-memory.dmp

Filesize
5.6MB

Download
memory/4768-47-0x00007FFE2DE10000-0x00007FFE2E8D1000-memory.dmp

Filesize
10.8MB

Download
memory/4768-54-0x00000297CF320000-0x00000297CF396000-memory.dmp

Filesize
472KB

Download
memory/4768-55-0x00000297CF3C0000-0x00000297CF3D0000-memory.dmp

Filesize
64KB

Download
memory/4768-56-0x00000297CF2C0000-0x00000297CF2DE000-memory.dmp

Filesize
120KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads