mimikatz | 996de893ce9219a90fa76beab00295734913b55a6b85dd9c227175cf4cc93e3e

Analysis

max time kernel
21s
max time network
24s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 10:36

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

heisenberg.exe
Size

37.3MB
MD5

02cb6d1971fb53861285f273d799ced3
SHA1

16946db5c16d768c0d76fab6761c65358863fc59
SHA256

996de893ce9219a90fa76beab00295734913b55a6b85dd9c227175cf4cc93e3e
SHA512

aed27298d6186bf556da9f0856df0e053e7df67f22e25989d57b741ef1edc6d26e12f44b2b6be13d2c6c1001e5df1266b307f136a1077cc79f733661cdc77c78
SSDEEP

786432:NisAB+Mi4XOBuW8TSHh6MbpTfK9Ua895WhqvEOTVxBwBirBVeUnKyI:NihL+8+B60WhqvE6fwBO+Uu

Score

10^/10

mimikatz xworm rat trojan upx

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

xihYVi6fTjrH6gfk

Attributes

Install_directory
%AppData%
install_file
Telegram.exe
pastebin_url
https://pastebin.com/raw/FdSMTxzR

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000700000002361f-308.dat	family_xworm
behavioral2/memory/4224-350-0x0000000000EA0000-0x0000000000EB8000-memory.dmp	family_xworm

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023622-397.dat	mimikatz

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000235f2-170.dat	upx
behavioral2/memory/4756-204-0x0000000000010000-0x0000000000113000-memory.dmp	upx
behavioral2/files/0x000700000002360b-277.dat	upx
behavioral2/memory/5424-344-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/files/0x00070000000235fc-361.dat	upx
behavioral2/memory/4268-370-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/4756-619-0x0000000000010000-0x0000000000113000-memory.dmp	upx
behavioral2/memory/4756-666-0x0000000000010000-0x0000000000113000-memory.dmp	upx
behavioral2/memory/7804-701-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/5424-745-0x0000000000400000-0x0000000000410000-memory.dmp	upx

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x00070000000235f6-232.dat	nsis_installer_1
behavioral2/files/0x00070000000235f6-232.dat	nsis_installer_2

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
7240	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\heisenberg.exe
"C:\Users\Admin\AppData\Local\Temp\heisenberg.exe"
1⤵
PID:2056
- C:\Users\Admin\AppData\Local\Temp\Antivirus.exe
  "C:\Users\Admin\AppData\Local\Temp\Antivirus.exe"
  2⤵
  PID:2044
- C:\Users\Admin\AppData\Local\Temp\Antivirus2010.exe
  "C:\Users\Admin\AppData\Local\Temp\Antivirus2010.exe"
  2⤵
  PID:3488
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:2404
- - \??\globalroot\systemroot\system32\usеrinit.exe
    /install
    3⤵
    PID:5584
- C:\Users\Admin\AppData\Local\Temp\AntivirusPlatinum.exe
  "C:\Users\Admin\AppData\Local\Temp\AntivirusPlatinum.exe"
  2⤵
  PID:1940
- - C:\WINDOWS\302746537.exe
    "C:\WINDOWS\302746537.exe"
    3⤵
    PID:5424
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9016.tmp\302746537.bat" "
      4⤵
      PID:6280
- C:\Users\Admin\AppData\Local\Temp\AntivirusPro2017.exe
  "C:\Users\Admin\AppData\Local\Temp\AntivirusPro2017.exe"
  2⤵
  PID:4528
- C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe
  "C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe"
  2⤵
  PID:3416
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    PID:5648
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Delete /F /TN rhaegal
      4⤵
      PID:6104
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /F /TN rhaegal
        5⤵
        
        PID:880
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3517800108 && exit"
      4⤵
      PID:6208
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3517800108 && exit"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7240
  - - C:\Windows\9594.tmp
      "C:\Windows\9594.tmp" \\.\pipe\{BF99A2D3-EC64-4CD3-ACF2-E2D76A95FC37}
      4⤵
      PID:6432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Bomba-PC.bat" "
  2⤵
  PID:4764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BSoD.bat" "
  2⤵
  PID:1536
- C:\Users\Admin\AppData\Local\Temp\ChilledWindows.exe
  "C:\Users\Admin\AppData\Local\Temp\ChilledWindows.exe"
  2⤵
  PID:3608
- C:\Users\Admin\AppData\Local\Temp\CockroachOnDesktop.exe
  "C:\Users\Admin\AppData\Local\Temp\CockroachOnDesktop.exe"
  2⤵
  PID:780
- C:\Users\Admin\AppData\Local\Temp\ColorBug.exe
  "C:\Users\Admin\AppData\Local\Temp\ColorBug.exe"
  2⤵
  PID:4044
- C:\Users\Admin\AppData\Local\Temp\Cool Spot Deskmate.EXE
  "C:\Users\Admin\AppData\Local\Temp\Cool Spot Deskmate.EXE"
  2⤵
  PID:4756
- C:\Users\Admin\AppData\Local\Temp\Delete Windows.exe
  "C:\Users\Admin\AppData\Local\Temp\Delete Windows.exe"
  2⤵
  PID:3212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Delete Windows.bat" "
    3⤵
    PID:5828
- - C:\Users\Admin\AppData\Roaming\Telegram.exe
    "C:\Users\Admin\AppData\Roaming\Telegram.exe"
    3⤵
    PID:4224
- C:\Users\Admin\AppData\Local\Temp\DeriaLock.exe
  "C:\Users\Admin\AppData\Local\Temp\DeriaLock.exe"
  2⤵
  PID:1268
- C:\Users\Admin\AppData\Local\Temp\DesktopPuzzle.exe
  "C:\Users\Admin\AppData\Local\Temp\DesktopPuzzle.exe"
  2⤵
  PID:3872
- C:\Users\Admin\AppData\Local\Temp\FakeAdwCleaner.exe
  "C:\Users\Admin\AppData\Local\Temp\FakeAdwCleaner.exe"
  2⤵
  PID:4316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\forkbomb.bat" "
  2⤵
  PID:4428
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:6152
- C:\Users\Admin\AppData\Local\Temp\FreeYoutubeDownloader.exe
  "C:\Users\Admin\AppData\Local\Temp\FreeYoutubeDownloader.exe"
  2⤵
  PID:1664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Gay Porno DDOS.bat" "
  2⤵
  PID:5864
- C:\Users\Admin\AppData\Local\Temp\Goose.exe
  "C:\Users\Admin\AppData\Local\Temp\Goose.exe"
  2⤵
  PID:2028
- - C:\Users\Admin\AppData\Local\Temp\GooseDesktop.exe
    "C:\Users\Admin\AppData\Local\Temp\GooseDesktop.exe"
    3⤵
    PID:6448
- C:\Users\Admin\AppData\Local\Temp\HappyAntivirus.exe
  "C:\Users\Admin\AppData\Local\Temp\HappyAntivirus.exe"
  2⤵
  PID:5896
- C:\Users\Admin\AppData\Local\Temp\Hydra.exe
  "C:\Users\Admin\AppData\Local\Temp\Hydra.exe"
  2⤵
  PID:4860
- C:\Users\Admin\AppData\Local\Temp\Melting.exe
  "C:\Users\Admin\AppData\Local\Temp\Melting.exe"
  2⤵
  PID:6292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Nuclear[Clean].bat" "
  2⤵
  PID:6532
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2028
- C:\Users\Admin\AppData\Local\Temp\Penis_Cursor.exe
  "C:\Users\Admin\AppData\Local\Temp\Penis_Cursor.exe"
  2⤵
  PID:6644
- C:\Users\Admin\AppData\Local\Temp\PizDeath.exe
  "C:\Users\Admin\AppData\Local\Temp\PizDeath.exe"
  2⤵
  PID:6708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Bomba-PC.bat" "
    3⤵
    PID:7220
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bruh.vbs"
    3⤵
    PID:7536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BSoD.bat" "
    3⤵
    PID:7652
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\pord.vbs"
    3⤵
    PID:6832
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Prank2.vbs"
  2⤵
  PID:5856
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Prank3.vbs"
  2⤵
  PID:7104
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Prank4.vbs"
  2⤵
  PID:5704
- C:\Users\Admin\AppData\Local\Temp\Trololo.exe
  "C:\Users\Admin\AppData\Local\Temp\Trololo.exe"
  2⤵
  PID:7436
- C:\Users\Admin\AppData\Local\Temp\Windows-KB2670838.msu.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows-KB2670838.msu.exe"
  2⤵
  PID:7560
- C:\Users\Admin\AppData\Local\Temp\You_Are_An_Idiot.exe
  "C:\Users\Admin\AppData\Local\Temp\You_Are_An_Idiot.exe"
  2⤵
  PID:7672
- C:\Users\Admin\AppData\Local\Temp\2000.exe
  "C:\Users\Admin\AppData\Local\Temp\2000.exe"
  2⤵
  PID:7960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4188,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=4628 /prefetch:8
1⤵
PID:692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:5752

C:\Users\Admin\AppData\Local\Temp\sys3.exe
C:\Users\Admin\AppData\Local\Temp\\sys3.exe
1⤵
PID:4320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\6AdwCleaner.exe

Filesize
168KB

MD5
87e4959fefec297ebbf42de79b5c88f6

SHA1
eba50d6b266b527025cd624003799bdda9a6bc86

SHA256
4f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61

SHA512
232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
fcfd963cc79385fd0ce023530cac006c

SHA1
22ac08f33d2e22b78b01a60b78b5f866b5c8817c

SHA256
df281b69acd2bcfef6b69152e6c897cf841b5405fabb3a918c902e48eaef6011

SHA512
76de663f3b860c38c8161e93b8076ed4bdf4e1632c2f64575503fbc98b7f948558b4aeeeac0f110a385c6e7cf8714cb8667d1f0373d2ff6fe1ad9bede2d5e3f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Antivirus.exe

Filesize
2.0MB

MD5
c7e9746b1b039b8bd1106bca3038c38f

SHA1
cb93ac887876bafe39c5f9aa64970d5e747fb191

SHA256
b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4

SHA512
cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724

Download Submit
C:\Users\Admin\AppData\Local\Temp\Antivirus2010.exe

Filesize
775KB

MD5
f49bcb5336b1e1212ae82cbb98f8dfe4

SHA1
fc87518aee297f9c18e40f4604ea048aec0342c4

SHA256
1501affdcf557a9dcb73ae34d43365d5301532a48328564160fdc1f3acb01e2e

SHA512
51a4b1a5ede81e4dbeb9a335fe3a370e6ae452a46d4f4ce8753b37d6e399b00e0de3b066921febf1b5b20f5e3356e0d93da5df366acd2002b792ecb7eb32a7e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AntivirusPlatinum.exe

Filesize
739KB

MD5
382430dd7eae8945921b7feab37ed36b

SHA1
c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128

SHA256
70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b

SHA512
26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AntivirusPro2017.exe

Filesize
816KB

MD5
7dfbfba1e4e64a946cb096bfc937fbad

SHA1
9180d2ce387314cd4a794d148ea6b14084c61e1b

SHA256
312f082ea8f64609d30ff62b11f564107bf7a4ec9e95944dfd3da57c6cdb4e94

SHA512
f47b05b9c294688811dd72d17f815cce6c90f96d78f6835804d5182e2f4bfbd2d6738de854b8a79dea6345f9372ba76a36920e51e6cb556ef4b38b620e887eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChilledWindows.exe

Filesize
4.4MB

MD5
6a4853cd0584dc90067e15afb43c4962

SHA1
ae59bbb123e98dc8379d08887f83d7e52b1b47fc

SHA256
ccb9502bf8ba5becf8b758ca04a5625c30b79e2d10d2677cc43ae4253e1288ec

SHA512
feb223e0de9bd64e32dc4f3227e175b58196b5e614bca8c2df0bbca2442a564e39d66bcd465154149dc7ebbd3e1ca644ed09d9a9174b52236c76e7388cb9d996

Download Submit
C:\Users\Admin\AppData\Local\Temp\CockroachOnDesktop.exe

Filesize
3.2MB

MD5
7810ff23f876f29cfb57b5682b978947

SHA1
3752b2236412acca972f90c527a93b65a2f74072

SHA256
3a42fea56a20ecd96ce04e358460e6c0d1fd78c62fcc59e3e5d5373b50abcc67

SHA512
b37d02e913b94536f7b979c2a4ef3b420327bcef6b3f40b3f4c26d4d28316cd8ebf4f1ab11bd2430cf7c8469c20f0e312eb1972c92d79be874c4adfeb77cb00a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ColorBug.exe

Filesize
53KB

MD5
6536b10e5a713803d034c607d2de19e3

SHA1
a6000c05f565a36d2250bdab2ce78f505ca624b7

SHA256
775ba68597507cf3c24663f5016d257446abeb66627f20f8f832c0860cad84de

SHA512
61727cf0b150aad6965b4f118f33fd43600fb23dde5f0a3e780cc9998dfcc038b7542bfae9043ce28fb08d613c2a91ff9166f28a2a449d0e3253adc2cb110018

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cool Spot Deskmate.EXE

Filesize
1.6MB

MD5
3bd84863fc264eaef2829188ffce31eb

SHA1
a011d1a31afaac671c8ad7075966b30f4363b707

SHA256
bfa7d853f75e885f21fc0e8302d755713aeea8614df2a9b68af6399c2dd67376

SHA512
fdd9f9d2ff444afd252bef9b2502c354a8d359d2b7cd13dfc7ded3e800d6685ccf0ae3e0357c9657836b4fe2cfe071e54ef25efe501dff48ebc8da145c2ba7ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Delete Windows.exe

Filesize
179KB

MD5
7bc3c76651c932ee205ba8ff08243c4d

SHA1
e36376e70a7f3b5c1597a60f3538e1f26e3247ca

SHA256
e398f3f90b23aa358f2786f0a15f3fac74ed3670433afc60ee733ada330beebc

SHA512
104d1516a12e8e6e107a8d71ee0ff955148a4d84914c998843af6effee55154022ed7f0cacb099abc1bccd9408e1eb08f2a146a5c5b7235d8b773023ab8f94a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DeriaLock.exe

Filesize
484KB

MD5
0a7b70efba0aa93d4bc0857b87ac2fcb

SHA1
01a6c963b2f5f36ff21a1043587dcf921ae5f5cd

SHA256
4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309

SHA512
2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\DesktopPuzzle.exe

Filesize
239KB

MD5
2f8f6e90ca211d7ef5f6cf3c995a40e7

SHA1
f8940f280c81273b11a20d4bfb43715155f6e122

SHA256
1f5a26f24a2bfdd301008f0cc51a6c3762f41b926f974c814f1ecaa4cb28e5e6

SHA512
2b38475550edee5519e33bd18fea510ad73345a27c20f6457710498d34e3d0cf05b0f96f32d018e7dc154a6f2232ea7e3145fd0ed5fb498f9e4702a4be1bb9c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FakeAdwCleaner.exe

Filesize
190KB

MD5
248aadd395ffa7ffb1670392a9398454

SHA1
c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5

SHA256
51290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc

SHA512
582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FreeYoutubeDownloader.exe

Filesize
396KB

MD5
13f4b868603cf0dd6c32702d1bd858c9

SHA1
a595ab75e134f5616679be5f11deefdfaae1de15

SHA256
cae57a60c4d269cd1ca43ef143aedb8bfc4c09a7e4a689544883d05ce89406e7

SHA512
e0d7a81c9cdd15a4ef7c8a9492fffb2c520b28cebc54a139e1bffa5c523cf17dfb9ffe57188cf8843d74479df402306f4f0ce9fc09d87c7cca92aea287e5ff24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gay Porno DDOS.bat

Filesize
55B

MD5
0ae6a1db8099df5c5a9e1b126aaca8a4

SHA1
f55fab31e4d6002ca8ab6cc70ce3b6f716a2cc4a

SHA256
df8732ebb0adff5579342d5b26664c19edef633881cb694a7fdaa73ac3b61edb

SHA512
ca395ada6f03d4263ab28a4518de7c7234f45e6989772340e1942fc453b50f43e357dc43c408bcb6552a790e514f53873c9ac79a9f50cd9acbf4b205d8c6b73b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HMBlocker.exe

Filesize
48KB

MD5
21943d72b0f4c2b42f242ac2d3de784c

SHA1
c887b9d92c026a69217ca550568909609eec1c39

SHA256
2d047b0a46be4da59d375f71cfbd578ce1fbf77955d0bb149f6be5b9e4552180

SHA512
04c9fa8358944d01b5fd0b6d5da2669df4c54fe79c58e7987c16bea56c114394173b6e8a6ac54cd4acd081fcbc66103ea6514c616363ba8d212db13b301034d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HappyAntivirus.exe

Filesize
1.9MB

MD5
cb02c0438f3f4ddabce36f8a26b0b961

SHA1
48c4fcb17e93b74030415996c0ec5c57b830ea53

SHA256
64677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32

SHA512
373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\InfinityCrypt.exe

Filesize
211KB

MD5
b805db8f6a84475ef76b795b0d1ed6ae

SHA1
7711cb4873e58b7adcf2a2b047b090e78d10c75b

SHA256
f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf

SHA512
62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Melting.exe

Filesize
12KB

MD5
833619a4c9e8c808f092bf477af62618

SHA1
b4a0efa26f790e991cb17542c8e6aeb5030d1ebf

SHA256
92a284981c7ca33f1af45ce61738479fbcbb5a4111f5498e2cb54931c8a36c76

SHA512
4f231fc16339d568b5cf9353133aeae835eb262dab68bc80d92f37b43df64dce4fae0e913cbaa3bb61351a759aeecf9d280bc5779b0853c980559a654d6cca11

Download Submit
C:\Users\Admin\AppData\Local\Temp\Penis_Cursor.exe

Filesize
444KB

MD5
4ccc1c614f8d57fff412b5cc198ab5a8

SHA1
6c1af97d6089c3bcaee67fd492746d55b48e3934

SHA256
9f7085ff7cb2b814da16a02abe921dd42b3c6b992580c8f01e29d05750a0a488

SHA512
d503834c563177527698efc29b3bc762d99beb69e92182509115f0751da0ef3d13cfbaea96d71180fae5a8e08287abf2ed1b704f98dda6dd6042a653254f1e75

Download Submit
C:\Users\Admin\AppData\Local\Temp\PizDeath.exe

Filesize
3.4MB

MD5
0ff3efaac33cd3244a1c7aa954634701

SHA1
83c599ddc86fbb7dafe34453baa3d41b284a4325

SHA256
23e319337afc5ff168888a6674529610246858303a24a3bdfceca22a5e79d492

SHA512
a76a27776c6530c23990ba44e68baf2c87e9b57d4b83744ebb190f5954275f1da274a97ea1a4398b244583d3f4ea42e5bc030a716ad783c9e4f29e9312a66ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\PizDeath.exe

Filesize
3.0MB

MD5
45f74b83d983426e127d5143e83240e2

SHA1
02c3a71417b583d16054a5504cd57fda2e0c8e80

SHA256
ed31142a592b84e0472befe109a1e5e77ef53e1a296d89cdccba5ed8d2e39e65

SHA512
0e974063859177d632ec21cc66cdd0ca00f15806de633e8b4f0575e902d6e7655f4be1b7bdc1fb94b5419563c3e8a5daa0ce9fad1f21c6e49ce67f19077f40d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prank.vbs

Filesize
60B

MD5
ae6ccac3fb001bbee932d56094f4f1db

SHA1
712bc731f35dca6d24885304a8efcf39ed92ebd4

SHA256
cb6ec854e7800bc56dbfff53a5f79993072ea7d15689d41d3ccd6077817d5210

SHA512
144898ec2e1587ceb9fa4398f53efc912254fb90ad12ff753ed5d24862c943173083e70929d84aabd01576109f852513444eac20823c6ba469ce8487b8472e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows-KB2670838.msu.exe

Filesize
728KB

MD5
6e49c75f701aa059fa6ed5859650b910

SHA1
ccb7898c509c3a1de96d2010d638f6a719f6f400

SHA256
f91f02fd27ada64f36f6df59a611fef106ff7734833dea825d0612e73bdfb621

SHA512
ccd1b581a29de52d2313a97eb3c3b32b223dba1e7a49c83f7774b374bc2d16b13fba9566de6762883f3b64ed8e80327b454e5d32392af2a032c22653fed0fff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\forkbomb.bat

Filesize
21B

MD5
334099ce7dc622990a731c58185925df

SHA1
f08cff36eae14c289139fa3a3262161fc49e5a24

SHA256
003fde2362d22b41985c2e15be44ddd0ac3f5272fbea6924ec2256499c11859d

SHA512
13f893e2d37201ed7dcd13586dcfdde9001fe02356f4dc33a5a2e0071f96d87bc8d8d13ebcc515c7dfe7b449db313d1330cf5d959ea8e3d09a3df4a4644dc1fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\scream.exe

Filesize
2.1MB

MD5
e39dd3a9a4a5e4d5ec1da0dc150ae529

SHA1
bf43e0e88d5d7d90e2db94edb6db49a4fec0cadd

SHA256
99a9e467de96387f13aad26834787c243d57e5853caf29883e76e4e3879ee974

SHA512
a44095d51d91ecd99de1aa1135b8ee4250e710c564f2ebb5a5090bb5d710715dc8711118c05f2114406f2f730e84a33d2bf0ef8750048bb98f1abc9c57601981

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram.exe

Filesize
79KB

MD5
3805abbd3aea5d94acaf1ed10e5e23e9

SHA1
776abdffe0d8c34c25085f541b16249bdbc08ce8

SHA256
b39e41e32b18e5ad96b2a50cd72a5eaffde73e2a75c21bc70beddb28176495e3

SHA512
0a5b0feac05ff58f2baf1f0c3ac5884645af7b8c5f71ea1cf276194ff6bec034d8ef61de088b6574bc3453ac53a3fb83410b74a13865372fcdcdc8170c40e040

Download Submit
C:\Windows\302746537.exe

Filesize
22KB

MD5
8703ff2e53c6fd3bc91294ef9204baca

SHA1
3dbb8f7f5dfe6b235486ab867a2844b1c2143733

SHA256
3028a2b0e95143a4caa9bcd6ae794958e7469a20c6e673da067958cbf4310035

SHA512
d5eb8a07457a78f9acd0f81d2f58bbf64b52183318b87c353a590cd2a3ac3a6ec9c1452bd52306c7cf99f19b6a897b16ceb8289a7d008c5ce3b07eda9b871204

Download Submit
C:\Windows\9594.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
c29d6253d89ee9c0c872dd377a7a8454

SHA1
46be3800684f6b208e0a8c7b120ef8614c22c4b0

SHA256
03f4198a279ea4c36a62cd271d3b2d796547013548666006fbef45e20bb920cb

SHA512
50141de5e0a827688251161353932b677c85e0d6e6831293c9a0044543e541fe8bd4e62fa403abc06df9d220fd843aa58ff9cc37abf46be3e06ae14905c24a5e

Download Submit
\??\globalroot\systemroot\system32\usеrinit.exe

Filesize
139KB

MD5
4acd14244d2cd76d06939163127cfb10

SHA1
75f3e3c764f7d20c9950f5410f753f3210bcc2e7

SHA256
29b5b65a1cdf119ac7c6c9df76c6843b25a81bd00aa5a5e995ec675e34bf1acb

SHA512
001504da15c1825102479ba379b0be7ec15e779626d450d9d763552d7e1ac71f5bb86110f9361363bd401aabc53cdfd2d554480aec8bef85ed8c7b03cebf4031

Download Submit
\systemroot\system32\mseeeeee.dll

Filesize
718KB

MD5
8736c2a37ff0adf6f03d94bb34d1f784

SHA1
e4867b136e100c9d45f6adea593c9a636134f308

SHA256
dbe318e7c72f9558f836c920510a5245ae5af29996b62f661399ce3724458ec3

SHA512
2bbb22540e6ae0ebdd7c5303f67fb3911025a9f8f68c1c192edf5247a66bff885e292dded093d4522488b9a98f5bb00f24b00374e8eeb219184faacc95818848

Download Submit
memory/1268-222-0x0000000005FE0000-0x0000000006584000-memory.dmp

Filesize
5.6MB

Download
memory/1268-221-0x0000000005990000-0x0000000005A2C000-memory.dmp

Filesize
624KB

Download
memory/1268-257-0x0000000001AB0000-0x0000000001ABA000-memory.dmp

Filesize
40KB

Download
memory/1268-218-0x0000000000FB0000-0x0000000001032000-memory.dmp

Filesize
520KB

Download
memory/1268-230-0x0000000005A30000-0x0000000005AC2000-memory.dmp

Filesize
584KB

Download
memory/1268-258-0x0000000005AD0000-0x0000000005B26000-memory.dmp

Filesize
344KB

Download
memory/1660-369-0x0000000000570000-0x000000000059E000-memory.dmp

Filesize
184KB

Download
memory/3212-213-0x0000000000DA0000-0x0000000000DD2000-memory.dmp

Filesize
200KB

Download
memory/3488-262-0x0000000000400000-0x00000000004C4400-memory.dmp

Filesize
785KB

Download
memory/3608-366-0x0000000022640000-0x0000000022678000-memory.dmp

Filesize
224KB

Download
memory/3608-367-0x000000001DEC0000-0x000000001DECE000-memory.dmp

Filesize
56KB

Download
memory/3608-205-0x0000000000DF0000-0x0000000001254000-memory.dmp

Filesize
4.4MB

Download
memory/3608-343-0x0000000022600000-0x0000000022608000-memory.dmp

Filesize
32KB

Download
memory/3872-620-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4044-206-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4224-350-0x0000000000EA0000-0x0000000000EB8000-memory.dmp

Filesize
96KB

Download
memory/4268-365-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/4268-363-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/4268-364-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/4268-370-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4528-141-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/4756-204-0x0000000000010000-0x0000000000113000-memory.dmp

Filesize
1.0MB

Download
memory/4756-619-0x0000000000010000-0x0000000000113000-memory.dmp

Filesize
1.0MB

Download
memory/4756-666-0x0000000000010000-0x0000000000113000-memory.dmp

Filesize
1.0MB

Download
memory/4860-380-0x0000000000F60000-0x0000000000F70000-memory.dmp

Filesize
64KB

Download
memory/5424-745-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/5424-344-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/5648-300-0x0000000002B00000-0x0000000002B68000-memory.dmp

Filesize
416KB

Download
memory/5648-270-0x0000000002B00000-0x0000000002B68000-memory.dmp

Filesize
416KB

Download
memory/6448-732-0x0000000007690000-0x00000000076A0000-memory.dmp

Filesize
64KB

Download
memory/6448-603-0x0000000006620000-0x000000000662A000-memory.dmp

Filesize
40KB

Download
memory/6448-722-0x0000000007690000-0x00000000076A0000-memory.dmp

Filesize
64KB

Download
memory/6448-733-0x0000000007690000-0x00000000076A0000-memory.dmp

Filesize
64KB

Download
memory/6448-590-0x0000000000840000-0x000000000087E000-memory.dmp

Filesize
248KB

Download
memory/6448-757-0x0000000007690000-0x00000000076A0000-memory.dmp

Filesize
64KB

Download
memory/6448-800-0x0000000007690000-0x00000000076A0000-memory.dmp

Filesize
64KB

Download
memory/6448-646-0x0000000007690000-0x00000000076A0000-memory.dmp

Filesize
64KB

Download
memory/7436-659-0x000000001BC40000-0x000000001C10E000-memory.dmp

Filesize
4.8MB

Download
memory/7804-701-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/8148-697-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download
memory/8148-703-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads