06ab5377341cf38c3a3c6628b5bf91d545b7dcd153c629d5025582274a371f43

Analysis

max time kernel
62s
max time network
67s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
08/06/2024, 13:34 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ConsoleApplication2.exe
Size

4.4MB
MD5

a0f170a09dcc8f9161efe47a518d5a01
SHA1

3fefa661fb68a1dd43ddff16202650e0b26ecb20
SHA256

06ab5377341cf38c3a3c6628b5bf91d545b7dcd153c629d5025582274a371f43
SHA512

eaefca62badab468db04dd77812318d50fab36fbc2ce7f2c08163dbda08207c2734a0829793fdacf5c2ac4c3de5d96c6f53f6d0555e5e6f6f145cef810257c44
SSDEEP

49152:M9v90k5HkzhwSUiUCAOygB+fEjGDYG12089DZujZGUOutEdNkzRvP61crzPBdWzc:M9v90kOnU7OyYjQsuhVPtd

Score

7^/10

discovery execution spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
12	discord.com
20	discord.com
27	discord.com
36	discord.com
43	discord.com
51	discord.com
1	discord.com
4	discord.com

Looks up external IP address via web service 10 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
37	ipinfo.io
52	ipinfo.io
1	ipinfo.io
2	ipinfo.io
4	ipinfo.io
5	ipinfo.io
21	ipinfo.io
30	ipinfo.io
13	ipinfo.io
44	ipinfo.io

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3180	powershell.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1356	WMIC.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
3568	tasklist.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
460	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4900	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3268	powershell.exe
3268	powershell.exe
4636	powershell.exe
4636	powershell.exe
3180	powershell.exe
3180	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1832	WMIC.exe
Token: SeSecurityPrivilege	1832	WMIC.exe
Token: SeTakeOwnershipPrivilege	1832	WMIC.exe
Token: SeLoadDriverPrivilege	1832	WMIC.exe
Token: SeSystemProfilePrivilege	1832	WMIC.exe
Token: SeSystemtimePrivilege	1832	WMIC.exe
Token: SeProfSingleProcessPrivilege	1832	WMIC.exe
Token: SeIncBasePriorityPrivilege	1832	WMIC.exe
Token: SeCreatePagefilePrivilege	1832	WMIC.exe
Token: SeBackupPrivilege	1832	WMIC.exe
Token: SeRestorePrivilege	1832	WMIC.exe
Token: SeShutdownPrivilege	1832	WMIC.exe
Token: SeDebugPrivilege	1832	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1832	WMIC.exe
Token: SeRemoteShutdownPrivilege	1832	WMIC.exe
Token: SeUndockPrivilege	1832	WMIC.exe
Token: SeManageVolumePrivilege	1832	WMIC.exe
Token: 33	1832	WMIC.exe
Token: 34	1832	WMIC.exe
Token: 35	1832	WMIC.exe
Token: 36	1832	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1832	WMIC.exe
Token: SeSecurityPrivilege	1832	WMIC.exe
Token: SeTakeOwnershipPrivilege	1832	WMIC.exe
Token: SeLoadDriverPrivilege	1832	WMIC.exe
Token: SeSystemProfilePrivilege	1832	WMIC.exe
Token: SeSystemtimePrivilege	1832	WMIC.exe
Token: SeProfSingleProcessPrivilege	1832	WMIC.exe
Token: SeIncBasePriorityPrivilege	1832	WMIC.exe
Token: SeCreatePagefilePrivilege	1832	WMIC.exe
Token: SeBackupPrivilege	1832	WMIC.exe
Token: SeRestorePrivilege	1832	WMIC.exe
Token: SeShutdownPrivilege	1832	WMIC.exe
Token: SeDebugPrivilege	1832	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1832	WMIC.exe
Token: SeRemoteShutdownPrivilege	1832	WMIC.exe
Token: SeUndockPrivilege	1832	WMIC.exe
Token: SeManageVolumePrivilege	1832	WMIC.exe
Token: 33	1832	WMIC.exe
Token: 34	1832	WMIC.exe
Token: 35	1832	WMIC.exe
Token: 36	1832	WMIC.exe
Token: SeDebugPrivilege	3268	powershell.exe
Token: SeIncreaseQuotaPrivilege	1356	WMIC.exe
Token: SeSecurityPrivilege	1356	WMIC.exe
Token: SeTakeOwnershipPrivilege	1356	WMIC.exe
Token: SeLoadDriverPrivilege	1356	WMIC.exe
Token: SeSystemProfilePrivilege	1356	WMIC.exe
Token: SeSystemtimePrivilege	1356	WMIC.exe
Token: SeProfSingleProcessPrivilege	1356	WMIC.exe
Token: SeIncBasePriorityPrivilege	1356	WMIC.exe
Token: SeCreatePagefilePrivilege	1356	WMIC.exe
Token: SeBackupPrivilege	1356	WMIC.exe
Token: SeRestorePrivilege	1356	WMIC.exe
Token: SeShutdownPrivilege	1356	WMIC.exe
Token: SeDebugPrivilege	1356	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1356	WMIC.exe
Token: SeRemoteShutdownPrivilege	1356	WMIC.exe
Token: SeUndockPrivilege	1356	WMIC.exe
Token: SeManageVolumePrivilege	1356	WMIC.exe
Token: 33	1356	WMIC.exe
Token: 34	1356	WMIC.exe
Token: 35	1356	WMIC.exe
Token: 36	1356	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 1516	4872	ConsoleApplication2.exe	78
PID 4872 wrote to memory of 1516	4872	ConsoleApplication2.exe	78
PID 4872 wrote to memory of 1516	4872	ConsoleApplication2.exe	78
PID 1516 wrote to memory of 4900	1516	cmd.exe	79
PID 1516 wrote to memory of 4900	1516	cmd.exe	79
PID 1516 wrote to memory of 4900	1516	cmd.exe	79
PID 4872 wrote to memory of 1364	4872	ConsoleApplication2.exe	80
PID 4872 wrote to memory of 1364	4872	ConsoleApplication2.exe	80
PID 4872 wrote to memory of 1364	4872	ConsoleApplication2.exe	80
PID 1364 wrote to memory of 1832	1364	cmd.exe	81
PID 1364 wrote to memory of 1832	1364	cmd.exe	81
PID 1364 wrote to memory of 1832	1364	cmd.exe	81
PID 4872 wrote to memory of 3852	4872	ConsoleApplication2.exe	83
PID 4872 wrote to memory of 3852	4872	ConsoleApplication2.exe	83
PID 4872 wrote to memory of 3852	4872	ConsoleApplication2.exe	83
PID 3852 wrote to memory of 3268	3852	cmd.exe	84
PID 3852 wrote to memory of 3268	3852	cmd.exe	84
PID 3852 wrote to memory of 3268	3852	cmd.exe	84
PID 4872 wrote to memory of 3824	4872	ConsoleApplication2.exe	85
PID 4872 wrote to memory of 3824	4872	ConsoleApplication2.exe	85
PID 4872 wrote to memory of 3824	4872	ConsoleApplication2.exe	85
PID 3824 wrote to memory of 1356	3824	cmd.exe	86
PID 3824 wrote to memory of 1356	3824	cmd.exe	86
PID 3824 wrote to memory of 1356	3824	cmd.exe	86
PID 4872 wrote to memory of 4248	4872	ConsoleApplication2.exe	87
PID 4872 wrote to memory of 4248	4872	ConsoleApplication2.exe	87
PID 4872 wrote to memory of 4248	4872	ConsoleApplication2.exe	87
PID 4248 wrote to memory of 4016	4248	cmd.exe	88
PID 4248 wrote to memory of 4016	4248	cmd.exe	88
PID 4248 wrote to memory of 4016	4248	cmd.exe	88
PID 4872 wrote to memory of 4992	4872	ConsoleApplication2.exe	89
PID 4872 wrote to memory of 4992	4872	ConsoleApplication2.exe	89
PID 4872 wrote to memory of 4992	4872	ConsoleApplication2.exe	89
PID 4992 wrote to memory of 1636	4992	cmd.exe	90
PID 4992 wrote to memory of 1636	4992	cmd.exe	90
PID 4992 wrote to memory of 1636	4992	cmd.exe	90
PID 4872 wrote to memory of 1500	4872	ConsoleApplication2.exe	91
PID 4872 wrote to memory of 1500	4872	ConsoleApplication2.exe	91
PID 4872 wrote to memory of 1500	4872	ConsoleApplication2.exe	91
PID 1500 wrote to memory of 2432	1500	cmd.exe	92
PID 1500 wrote to memory of 2432	1500	cmd.exe	92
PID 1500 wrote to memory of 2432	1500	cmd.exe	92
PID 4872 wrote to memory of 1912	4872	ConsoleApplication2.exe	93
PID 4872 wrote to memory of 1912	4872	ConsoleApplication2.exe	93
PID 4872 wrote to memory of 1912	4872	ConsoleApplication2.exe	93
PID 1912 wrote to memory of 4636	1912	cmd.exe	94
PID 1912 wrote to memory of 4636	1912	cmd.exe	94
PID 1912 wrote to memory of 4636	1912	cmd.exe	94
PID 4872 wrote to memory of 2116	4872	ConsoleApplication2.exe	95
PID 4872 wrote to memory of 2116	4872	ConsoleApplication2.exe	95
PID 4872 wrote to memory of 2116	4872	ConsoleApplication2.exe	95
PID 2116 wrote to memory of 3568	2116	cmd.exe	96
PID 2116 wrote to memory of 3568	2116	cmd.exe	96
PID 2116 wrote to memory of 3568	2116	cmd.exe	96
PID 4872 wrote to memory of 2716	4872	ConsoleApplication2.exe	97
PID 4872 wrote to memory of 2716	4872	ConsoleApplication2.exe	97
PID 4872 wrote to memory of 2716	4872	ConsoleApplication2.exe	97
PID 2716 wrote to memory of 460	2716	cmd.exe	98
PID 2716 wrote to memory of 460	2716	cmd.exe	98
PID 2716 wrote to memory of 460	2716	cmd.exe	98
PID 4872 wrote to memory of 2916	4872	ConsoleApplication2.exe	100
PID 4872 wrote to memory of 2916	4872	ConsoleApplication2.exe	100
PID 4872 wrote to memory of 2916	4872	ConsoleApplication2.exe	100
PID 2916 wrote to memory of 2440	2916	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\ConsoleApplication2.exe
"C:\Users\Admin\AppData\Local\Temp\ConsoleApplication2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ping -n 1 1.1.1.1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 1.1.1.1
    3⤵
    - Runs ping.exe
    PID:4900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3852
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get name
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3824
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    - Suspicious use of AdjustPrivilegeToken
    PID:1356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get name
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4248
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:4016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic os get Caption /value
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic os get Caption /value
    3⤵
    PID:1636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get currentrefreshrate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic path win32_VideoController get currentrefreshrate
    3⤵
    PID:2432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell Get-Content (Get-PSReadlineOption).HistorySavePath
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Content (Get-PSReadlineOption).HistorySavePath
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c tasklist
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c systeminfo
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh wlan show profile
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\netsh.exe
    netsh wlan show profile
    3⤵
    PID:2440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get /value
  2⤵
  PID:1160
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get /value
    3⤵
    PID:2848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -Command "Get-ItemProperty HKLM:\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation"
  2⤵
  PID:5020
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Get-ItemProperty HKLM:\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic os get Caption /value
  2⤵
  PID:3864
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic os get Caption /value
    3⤵
    PID:1156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
  2⤵
  PID:3576
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:1264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic os get Caption /value
  2⤵
  PID:4356
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic os get Caption /value
    3⤵
    PID:4996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic os get Caption /value
  2⤵
  PID:4884
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic os get Caption /value
    3⤵
    PID:1720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
  2⤵
  PID:4948
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:2912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic os get Caption /value
  2⤵
  PID:3308
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic os get Caption /value
    3⤵
    PID:4740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic os get Caption /value
  2⤵
  PID:236
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic os get Caption /value
    3⤵
    PID:4304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
  2⤵
  PID:4672
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:4500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic os get Caption /value
  2⤵
  PID:1628
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic os get Caption /value
    3⤵
    PID:568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic os get Caption /value
  2⤵
  PID:3712
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic os get Caption /value
    3⤵
    PID:5008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
  2⤵
  PID:3964
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:4112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic os get Caption /value
  2⤵
  PID:704
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic os get Caption /value
    3⤵
    PID:1500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic os get Caption /value
  2⤵
  PID:2884
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic os get Caption /value
    3⤵
    PID:4400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
  2⤵
  PID:2836
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:2960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic os get Caption /value
  2⤵
  PID:2972
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic os get Caption /value
    3⤵
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic os get Caption /value
  2⤵
  PID:2808
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic os get Caption /value
    3⤵
    PID:2816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
  2⤵
  PID:4156
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:4008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic os get Caption /value
  2⤵
  PID:3888
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic os get Caption /value
    3⤵
    PID:1892

Network

DNS

ipinfo.io

ConsoleApplication2.exe

Remote address:

8.8.8.8:53

Request

ipinfo.io

IN A

Response

ipinfo.io

IN A

34.117.186.192
DNS

8.8.8.8.in-addr.arpa

ConsoleApplication2.exe

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

api.gofile.io

ConsoleApplication2.exe

Remote address:

8.8.8.8:53

Request

api.gofile.io

IN A

Response

api.gofile.io

IN A

151.80.29.83

api.gofile.io

IN A

51.178.66.33

api.gofile.io

IN A

51.38.43.18
DNS

83.29.80.151.in-addr.arpa

ConsoleApplication2.exe

Remote address:

8.8.8.8:53

Request

83.29.80.151.in-addr.arpa

IN PTR

Response

83.29.80.151.in-addr.arpa

IN PTR

ns3048708ip-151-80-29eu
DNS

discord.com

ConsoleApplication2.exe

Remote address:

8.8.8.8:53

Request

discord.com

IN A

Response

discord.com

IN A

162.159.138.232

discord.com

IN A

162.159.136.232

discord.com

IN A

162.159.137.232

discord.com

IN A

162.159.128.233

discord.com

IN A

162.159.135.232
DNS

discord.com

ConsoleApplication2.exe

Remote address:

8.8.8.8:53

Request

discord.com

IN A
DNS

192.186.117.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

192.186.117.34.in-addr.arpa

IN PTR

Response

192.186.117.34.in-addr.arpa

IN PTR

19218611734bcgoogleusercontentcom
DNS

store9.gofile.io

Remote address:

8.8.8.8:53

Request

store9.gofile.io

IN A

Response

store9.gofile.io

IN A

206.168.190.239
DNS

239.190.168.206.in-addr.arpa

Remote address:

8.8.8.8:53

Request

239.190.168.206.in-addr.arpa

IN PTR

Response
DNS

232.138.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.138.159.162.in-addr.arpa

IN PTR

Response
DNS

store10.gofile.io

Remote address:

8.8.8.8:53

Request

store10.gofile.io

IN A

Response

store10.gofile.io

IN A

31.14.70.252
DNS

252.70.14.31.in-addr.arpa

Remote address:

8.8.8.8:53

Request

252.70.14.31.in-addr.arpa

IN PTR

Response

252.70.14.31.in-addr.arpa

IN PTR

31-14-70-252custmojifr
DNS

store1.gofile.io

Remote address:

8.8.8.8:53

Request

store1.gofile.io

IN A

Response

store1.gofile.io

IN A

45.112.123.227
DNS

227.123.112.45.in-addr.arpa

Remote address:

8.8.8.8:53

Request

227.123.112.45.in-addr.arpa

IN PTR

Response
DNS

store3.gofile.io

Remote address:

8.8.8.8:53

Request

store3.gofile.io

IN A

Response

store3.gofile.io

IN A

136.175.10.233
DNS

233.10.175.136.in-addr.arpa

Remote address:

8.8.8.8:53

Request

233.10.175.136.in-addr.arpa

IN PTR

Response
DNS

store4.gofile.io

Remote address:

8.8.8.8:53

Request

store4.gofile.io

IN A

Response

store4.gofile.io

IN A

31.14.70.245
DNS

discord.com

Remote address:

8.8.8.8:53

Request

discord.com

IN A

Response

discord.com

IN A

162.159.136.232

discord.com

IN A

162.159.128.233

discord.com

IN A

162.159.138.232

discord.com

IN A

162.159.137.232

discord.com

IN A

162.159.135.232
DNS

245.70.14.31.in-addr.arpa

Remote address:

8.8.8.8:53

Request

245.70.14.31.in-addr.arpa

IN PTR

Response

245.70.14.31.in-addr.arpa

IN PTR

31-14-70-245custmojifr
DNS

ipinfo.io

Remote address:

8.8.8.8:53

Request

ipinfo.io

IN A

Response

ipinfo.io

IN A

34.117.186.192
DNS

232.136.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.136.159.162.in-addr.arpa

IN PTR

Response
POST

https://store10.gofile.io/uploadFile

ConsoleApplication2.exe

Remote address:

31.14.70.252:443

Request

POST /uploadFile HTTP/1.1
Host: store10.gofile.io
Accept: */*
Content-Length: 200525
Content-Type: multipart/form-data; boundary=------------------------1133fc2b1e53fbd6

Response

HTTP/1.1 200 OK

Server: nginx/1.21.6
Date: Sat, 08 Jun 2024 13:35:14 GMT
Content-Type: application/json
Content-Length: 316
Connection: keep-alive
Access-Control-Allow-Headers: Accept, Accept-Language, Content-Language, Content-Type, Content-Length, Range, Authorization
Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Cache-Control, Content-Encoding, Content-Range
POST

https://store10.gofile.io/uploadFile

ConsoleApplication2.exe

Remote address:

31.14.70.252:443

Request

POST /uploadFile HTTP/1.1
Host: store10.gofile.io
Accept: */*
Content-Length: 200525
Content-Type: multipart/form-data; boundary=------------------------797fa654c3e8f7dd

Response

HTTP/1.1 200 OK

Server: nginx/1.21.6
Date: Sat, 08 Jun 2024 13:35:40 GMT
Content-Type: application/json
Content-Length: 316
Connection: keep-alive
Access-Control-Allow-Headers: Accept, Accept-Language, Content-Language, Content-Type, Content-Length, Range, Authorization
Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Cache-Control, Content-Encoding, Content-Range

34.117.186.192:443

ipinfo.io

tls

ConsoleApplication2.exe

853 B
4.8kB
9
8
127.0.0.1:49770

ConsoleApplication2.exe
34.117.186.192:443

ipinfo.io

tls

ConsoleApplication2.exe

853 B
4.8kB
9
8
151.80.29.83:443

api.gofile.io

tls

ConsoleApplication2.exe

912 B
6.0kB
10
13
206.168.190.239:443

store9.gofile.io

tls

ConsoleApplication2.exe

209.4kB
7.5kB
164
58
127.0.0.1:49833

ConsoleApplication2.exe
127.0.0.1:49852

ConsoleApplication2.exe
127.0.0.1:49862

ConsoleApplication2.exe
127.0.0.1:49866

ConsoleApplication2.exe
162.159.138.232:443

discord.com

tls

ConsoleApplication2.exe

2.0kB
5.1kB
10
9
34.117.186.192:443

ipinfo.io

tls

ConsoleApplication2.exe

853 B
4.9kB
9
9
127.0.0.1:49869

ConsoleApplication2.exe
151.80.29.83:443

api.gofile.io

tls

ConsoleApplication2.exe

912 B
6.0kB
10
13
31.14.70.252:443

https://store10.gofile.io/uploadFile

tls, http

ConsoleApplication2.exe

208.1kB
9.3kB
164
118

HTTP Request

POST https://store10.gofile.io/uploadFile

HTTP Response

200
127.0.0.1:49872

ConsoleApplication2.exe
127.0.0.1:49876

ConsoleApplication2.exe
127.0.0.1:49880

ConsoleApplication2.exe
162.159.138.232:443

discord.com

tls

ConsoleApplication2.exe

2.0kB
5.1kB
10
9
34.117.186.192:443

ipinfo.io

tls

ConsoleApplication2.exe

853 B
4.9kB
9
9
127.0.0.1:49883

ConsoleApplication2.exe
127.0.0.1:49886

ConsoleApplication2.exe
151.80.29.83:443

api.gofile.io

tls

ConsoleApplication2.exe

912 B
5.9kB
10
12
45.112.123.227:443

store1.gofile.io

tls

ConsoleApplication2.exe

208.0kB
8.4kB
165
84
127.0.0.1:49890

ConsoleApplication2.exe
162.159.138.232:443

discord.com

tls

ConsoleApplication2.exe

2.0kB
5.1kB
10
9
127.0.0.1:49894

ConsoleApplication2.exe
127.0.0.1:49897

ConsoleApplication2.exe
34.117.186.192:443

ipinfo.io

tls

ConsoleApplication2.exe

853 B
4.9kB
9
9
151.80.29.83:443

api.gofile.io

tls

ConsoleApplication2.exe

912 B
5.9kB
10
12
136.175.10.233:443

store3.gofile.io

tls

ConsoleApplication2.exe

207.9kB
8.2kB
161
78
127.0.0.1:49900

ConsoleApplication2.exe
127.0.0.1:49904

ConsoleApplication2.exe
127.0.0.1:49908

ConsoleApplication2.exe
162.159.138.232:443

discord.com

tls

ConsoleApplication2.exe

2.0kB
5.1kB
10
9
34.117.186.192:443

ipinfo.io

tls

ConsoleApplication2.exe

853 B
4.8kB
9
8
127.0.0.1:49911

ConsoleApplication2.exe
127.0.0.1:49914

ConsoleApplication2.exe
151.80.29.83:443

api.gofile.io

tls

ConsoleApplication2.exe

964 B
6.0kB
11
13
31.14.70.252:443

https://store10.gofile.io/uploadFile

tls, http

ConsoleApplication2.exe

263.6kB
10.2kB
199
129

HTTP Request

POST https://store10.gofile.io/uploadFile

HTTP Response

200
127.0.0.1:49918

ConsoleApplication2.exe
162.159.138.232:443

discord.com

tls

ConsoleApplication2.exe

2.0kB
5.1kB
10
9
34.117.186.192:443

ipinfo.io

tls

ConsoleApplication2.exe

853 B
4.8kB
9
8
127.0.0.1:49922

ConsoleApplication2.exe
127.0.0.1:49925

ConsoleApplication2.exe
151.80.29.83:443

api.gofile.io

tls

ConsoleApplication2.exe

912 B
5.9kB
10
12
31.14.70.245:443

store4.gofile.io

tls

ConsoleApplication2.exe

208.0kB
8.4kB
164
84
127.0.0.1:49928

ConsoleApplication2.exe
127.0.0.1:49932

ConsoleApplication2.exe
162.159.136.232:443

discord.com

tls

ConsoleApplication2.exe

2.0kB
5.1kB
10
9
34.117.186.192:443

ipinfo.io

tls

ConsoleApplication2.exe

853 B
4.8kB
9
8
127.0.0.1:49936

ConsoleApplication2.exe
127.0.0.1:49939

ConsoleApplication2.exe
151.80.29.83:443

api.gofile.io

tls

ConsoleApplication2.exe

912 B
5.9kB
10
12
127.0.0.1:49942

ConsoleApplication2.exe
127.0.0.1:49946

ConsoleApplication2.exe
136.175.10.233:443

store3.gofile.io

tls

ConsoleApplication2.exe

207.8kB
8.8kB
161
113

8.8.8.8:53

ipinfo.io

dns

ConsoleApplication2.exe

365 B
515 B
6
5

DNS Request

ipinfo.io

DNS Response

34.117.186.192

DNS Request

8.8.8.8.in-addr.arpa

DNS Request

api.gofile.io

DNS Response

151.80.29.83

51.178.66.33

51.38.43.18

DNS Request

83.29.80.151.in-addr.arpa

DNS Request

discord.com

DNS Request

discord.com

DNS Response

162.159.138.232

162.159.136.232

162.159.137.232

162.159.128.233

162.159.135.232
8.8.8.8:53

192.186.117.34.in-addr.arpa

dns

1.0kB
1.6kB
15
15

DNS Request

192.186.117.34.in-addr.arpa

DNS Request

store9.gofile.io

DNS Response

206.168.190.239

DNS Request

239.190.168.206.in-addr.arpa

DNS Request

232.138.159.162.in-addr.arpa

DNS Request

store10.gofile.io

DNS Response

31.14.70.252

DNS Request

252.70.14.31.in-addr.arpa

DNS Request

store1.gofile.io

DNS Response

45.112.123.227

DNS Request

227.123.112.45.in-addr.arpa

DNS Request

store3.gofile.io

DNS Response

136.175.10.233

DNS Request

233.10.175.136.in-addr.arpa

DNS Request

store4.gofile.io

DNS Response

31.14.70.245

DNS Request

discord.com

DNS Response

162.159.136.232

162.159.128.233

162.159.138.232

162.159.137.232

162.159.135.232

DNS Request

245.70.14.31.in-addr.arpa

DNS Request

ipinfo.io

DNS Response

34.117.186.192

DNS Request

232.136.159.162.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
e080d58e6387c9fd87434a502e1a902e

SHA1
ae76ce6a2a39d79226c343cfe4745d48c7c1a91a

SHA256
6fc482e46f6843f31d770708aa936de4cc32fec8141154f325438994380ff425

SHA512
6c112200ef09e724f2b8ab7689a629a09d74db2dcb4dd83157dd048cbe74a7ce5d139188257efc79a137ffebde0e3b61e0e147df789508675fedfd11fcad9ede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
85036561421ae49479d1b358c766ea67

SHA1
cb395ef875dbbadb320eebb99c14035c5896c96d

SHA256
8365b3b8650502ecc62be011ead8b92c6728081fc6a709153c4de9eff0475ddc

SHA512
43f1808d425bcc65531ef79aaf589d136da0b0a093d6075bcfb0fb4936271d91fb71d4b3b4965440f8fa71fd1a18b54fce50215a39f27c7e7e36ee841196e4f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
9e1ebcde1c5f1cce79cf8e9dce888f69

SHA1
34e096ca42a2395148e81849dd95fb5e95423621

SHA256
21654195087df0c314773151bf2db21e486b98a7f3b5c252c877803269be3a19

SHA512
567080314314b1449f6c4a525afd73b552c9f0cf60f1d178e45eba895790f0e6ba17c3eb828e5599c3ddef8b66f203ae668b6f261d3dc921c4dfcc2b60a1ba6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qasncgtw.2bd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\zs3QtPaVzoAdwMJC\Nagogy-Grabber (Admin).zip

Filesize
195KB

MD5
616905862bcb7dddf4e71c5390046e30

SHA1
3ece26d7954604ecc5086e5813a727e553c9b1d8

SHA256
0b0df3e7d4c3a8dff3261e3a798874935b9b3858edb72b247dd1f195bf6ba172

SHA512
04eeace18d0753de44e5666da4c7ade18a9993733917e5180be6294e44d6dd2865a72262069098781f3ae84299b914c513def3680faf222bada92edf05119554

Download Submit
memory/3180-63-0x0000000008140000-0x00000000087BA000-memory.dmp

Filesize
6.5MB

Download
memory/3180-62-0x0000000005C70000-0x0000000005CBC000-memory.dmp

Filesize
304KB

Download
memory/3180-60-0x0000000005740000-0x0000000005A97000-memory.dmp

Filesize
3.3MB

Download
memory/3268-19-0x0000000006160000-0x00000000061F6000-memory.dmp

Filesize
600KB

Download
memory/3268-7-0x00000000056F0000-0x0000000005756000-memory.dmp

Filesize
408KB

Download
memory/3268-17-0x0000000005C10000-0x0000000005C2E000-memory.dmp

Filesize
120KB

Download
memory/3268-18-0x0000000005C30000-0x0000000005C7C000-memory.dmp

Filesize
304KB

Download
memory/3268-0-0x0000000074BEE000-0x0000000074BEF000-memory.dmp

Filesize
4KB

Download
memory/3268-20-0x00000000060F0000-0x000000000610A000-memory.dmp

Filesize
104KB

Download
memory/3268-21-0x0000000006200000-0x0000000006222000-memory.dmp

Filesize
136KB

Download
memory/3268-22-0x00000000071A0000-0x0000000007746000-memory.dmp

Filesize
5.6MB

Download
memory/3268-25-0x0000000074BE0000-0x0000000075391000-memory.dmp

Filesize
7.7MB

Download
memory/3268-16-0x00000000057D0000-0x0000000005B27000-memory.dmp

Filesize
3.3MB

Download
memory/3268-1-0x00000000023D0000-0x0000000002406000-memory.dmp

Filesize
216KB

Download
memory/3268-6-0x0000000004E00000-0x0000000004E66000-memory.dmp

Filesize
408KB

Download
memory/3268-2-0x0000000004F10000-0x000000000553A000-memory.dmp

Filesize
6.2MB

Download
memory/3268-3-0x0000000074BE0000-0x0000000075391000-memory.dmp

Filesize
7.7MB

Download
memory/3268-5-0x0000000004D60000-0x0000000004D82000-memory.dmp

Filesize
136KB

Download
memory/3268-4-0x0000000074BE0000-0x0000000075391000-memory.dmp

Filesize
7.7MB

Download
memory/4636-39-0x0000000005F30000-0x0000000005F76000-memory.dmp

Filesize
280KB

Download
memory/4636-38-0x0000000005E90000-0x0000000005EDC000-memory.dmp

Filesize
304KB

Download
memory/4636-28-0x00000000054F0000-0x0000000005847000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.