mimikatz | 996de893ce9219a90fa76beab00295734913b55a6b85dd9c227175cf4cc93e3e

Analysis

max time kernel
18s
max time network
23s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 14:58

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

heisenberg.exe
Size

37.3MB
MD5

02cb6d1971fb53861285f273d799ced3
SHA1

16946db5c16d768c0d76fab6761c65358863fc59
SHA256

996de893ce9219a90fa76beab00295734913b55a6b85dd9c227175cf4cc93e3e
SHA512

aed27298d6186bf556da9f0856df0e053e7df67f22e25989d57b741ef1edc6d26e12f44b2b6be13d2c6c1001e5df1266b307f136a1077cc79f733661cdc77c78
SSDEEP

786432:NisAB+Mi4XOBuW8TSHh6MbpTfK9Ua895WhqvEOTVxBwBirBVeUnKyI:NihL+8+B60WhqvE6fwBO+Uu

Score

10^/10

mimikatz xworm rat trojan upx

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

xihYVi6fTjrH6gfk

Attributes

Install_directory
%AppData%
install_file
Telegram.exe
pastebin_url
https://pastebin.com/raw/FdSMTxzR

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00070000000234f8-319.dat	family_xworm
behavioral2/memory/1968-332-0x0000000000E40000-0x0000000000E58000-memory.dmp	family_xworm

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000234fc-361.dat	mimikatz

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000234d0-173.dat	upx
behavioral2/files/0x00070000000234ec-298.dat	upx
behavioral2/files/0x00070000000234da-385.dat	upx
behavioral2/memory/2080-775-0x0000000000010000-0x0000000000113000-memory.dmp	upx

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x00070000000234d4-242.dat	nsis_installer_1
behavioral2/files/0x00070000000234d4-242.dat	nsis_installer_2

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5840	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\heisenberg.exe
"C:\Users\Admin\AppData\Local\Temp\heisenberg.exe"
1⤵
PID:3620
- C:\Users\Admin\AppData\Local\Temp\Antivirus.exe
  "C:\Users\Admin\AppData\Local\Temp\Antivirus.exe"
  2⤵
  PID:3552
- C:\Users\Admin\AppData\Local\Temp\Antivirus2010.exe
  "C:\Users\Admin\AppData\Local\Temp\Antivirus2010.exe"
  2⤵
  PID:3856
- C:\Users\Admin\AppData\Local\Temp\AntivirusPlatinum.exe
  "C:\Users\Admin\AppData\Local\Temp\AntivirusPlatinum.exe"
  2⤵
  PID:1724
- C:\Users\Admin\AppData\Local\Temp\AntivirusPro2017.exe
  "C:\Users\Admin\AppData\Local\Temp\AntivirusPro2017.exe"
  2⤵
  PID:2540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BSoD.bat" "
  2⤵
  PID:3100
- C:\Users\Admin\AppData\Local\Temp\ChilledWindows.exe
  "C:\Users\Admin\AppData\Local\Temp\ChilledWindows.exe"
  2⤵
  PID:448
- C:\Users\Admin\AppData\Local\Temp\CockroachOnDesktop.exe
  "C:\Users\Admin\AppData\Local\Temp\CockroachOnDesktop.exe"
  2⤵
  PID:2828
- C:\Users\Admin\AppData\Local\Temp\Delete Windows.exe
  "C:\Users\Admin\AppData\Local\Temp\Delete Windows.exe"
  2⤵
  PID:4268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Delete Windows.bat" "
    3⤵
    PID:4332
- C:\Users\Admin\AppData\Local\Temp\DeriaLock.exe
  "C:\Users\Admin\AppData\Local\Temp\DeriaLock.exe"
  2⤵
  PID:8
- C:\Users\Admin\AppData\Local\Temp\DesktopPuzzle.exe
  "C:\Users\Admin\AppData\Local\Temp\DesktopPuzzle.exe"
  2⤵
  PID:4244
- C:\Users\Admin\AppData\Local\Temp\FakeAdwCleaner.exe
  "C:\Users\Admin\AppData\Local\Temp\FakeAdwCleaner.exe"
  2⤵
  PID:1528
- - C:\Users\Admin\AppData\Local\6AdwCleaner.exe
    "C:\Users\Admin\AppData\Local\6AdwCleaner.exe"
    3⤵
    PID:3768
- C:\Users\Admin\AppData\Local\Temp\FreeYoutubeDownloader.exe
  "C:\Users\Admin\AppData\Local\Temp\FreeYoutubeDownloader.exe"
  2⤵
  PID:3276
- - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
    "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
    3⤵
    PID:6764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Gay Porno DDOS.bat" "
  2⤵
  PID:5048
- C:\Users\Admin\AppData\Local\Temp\HappyAntivirus.exe
  "C:\Users\Admin\AppData\Local\Temp\HappyAntivirus.exe"
  2⤵
  PID:1740
- C:\Users\Admin\AppData\Local\Temp\HMBlocker.exe
  "C:\Users\Admin\AppData\Local\Temp\HMBlocker.exe"
  2⤵
  PID:3308
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2503326475 /t REG_SZ /d "C:\Users\Admin\2503326475\2503326475.exe" /f
    3⤵
    PID:5452
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2503326475 /t REG_SZ /d "C:\Users\Admin\2503326475\2503326475.exe" /f
      4⤵
      PID:6644
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 2503326475_del /t REG_SZ /d "cmd /c del \"C:\Users\Admin\AppData\Local\Temp\HMBlocker.exe\"" /f
    3⤵
    PID:5260
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 2503326475_del /t REG_SZ /d "cmd /c del \"C:\Users\Admin\AppData\Local\Temp\HMBlocker.exe\"" /f
      4⤵
      PID:6600
- C:\Users\Admin\AppData\Local\Temp\Melting.exe
  "C:\Users\Admin\AppData\Local\Temp\Melting.exe"
  2⤵
  PID:1492
- C:\Users\Admin\AppData\Local\Temp\Penis_Cursor.exe
  "C:\Users\Admin\AppData\Local\Temp\Penis_Cursor.exe"
  2⤵
  PID:6012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\perda-null.bat" "
  2⤵
  PID:6136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Porno DDOS.bat" "
  2⤵
  PID:5388
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Prank.vbs"
  2⤵
  PID:4340
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Prank2.vbs"
  2⤵
  PID:6068
- C:\Users\Admin\AppData\Local\Temp\scream.exe
  "C:\Users\Admin\AppData\Local\Temp\scream.exe"
  2⤵
  PID:6532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\stopantivirus.bat" "
  2⤵
  PID:6744
- C:\Users\Admin\AppData\Local\Temp\You_Are_An_Idiot.exe
  "C:\Users\Admin\AppData\Local\Temp\You_Are_An_Idiot.exe"
  2⤵
  PID:5984
- C:\Users\Admin\AppData\Local\Temp\NoMoreRansom.exe
  "C:\Users\Admin\AppData\Local\Temp\NoMoreRansom.exe"
  2⤵
  PID:5884

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
1⤵
PID:3292
- C:\Windows\E8E9.tmp
  "C:\Windows\E8E9.tmp" \\.\pipe\{75790D69-3E79-46EF-94EF-7040CCE68027}
  2⤵
  PID:3600

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /F /TN rhaegal
1⤵
PID:1604

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e4 0x4fc
1⤵
PID:3408

C:\Windows\system32\mspaint.exe
mspaint
1⤵
PID:992

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2078774038 && exit"
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5840

C:\Users\Admin\AppData\Local\Temp\GooseDesktop.exe
"C:\Users\Admin\AppData\Local\Temp\GooseDesktop.exe"
1⤵
PID:6076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:5428

C:\Windows\system32\cmd.exe
cmd
1⤵
PID:5572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Bomba-PC.bat" "
1⤵
PID:5172

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bruh.vbs"
1⤵
PID:6120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BSoD.bat" "
1⤵
PID:5860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KillPC.bat" "
1⤵
PID:6908

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\pord.vbs"
1⤵
PID:7108

C:\Users\Admin\AppData\Local\Temp\scream.exe
"C:\Users\Admin\AppData\Local\Temp\scream.exe"
1⤵
PID:6428

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:6756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WinDel.bat" "
1⤵
PID:5128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Antivirus.exe

Filesize
2.0MB

MD5
c7e9746b1b039b8bd1106bca3038c38f

SHA1
cb93ac887876bafe39c5f9aa64970d5e747fb191

SHA256
b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4

SHA512
cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724

Download Submit
C:\Users\Admin\AppData\Local\Temp\Antivirus2010.exe

Filesize
775KB

MD5
f49bcb5336b1e1212ae82cbb98f8dfe4

SHA1
fc87518aee297f9c18e40f4604ea048aec0342c4

SHA256
1501affdcf557a9dcb73ae34d43365d5301532a48328564160fdc1f3acb01e2e

SHA512
51a4b1a5ede81e4dbeb9a335fe3a370e6ae452a46d4f4ce8753b37d6e399b00e0de3b066921febf1b5b20f5e3356e0d93da5df366acd2002b792ecb7eb32a7e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AntivirusPlatinum.exe

Filesize
739KB

MD5
382430dd7eae8945921b7feab37ed36b

SHA1
c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128

SHA256
70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b

SHA512
26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AntivirusPro2017.exe

Filesize
816KB

MD5
7dfbfba1e4e64a946cb096bfc937fbad

SHA1
9180d2ce387314cd4a794d148ea6b14084c61e1b

SHA256
312f082ea8f64609d30ff62b11f564107bf7a4ec9e95944dfd3da57c6cdb4e94

SHA512
f47b05b9c294688811dd72d17f815cce6c90f96d78f6835804d5182e2f4bfbd2d6738de854b8a79dea6345f9372ba76a36920e51e6cb556ef4b38b620e887eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bomba-PC.bat

Filesize
25B

MD5
f8ad531e39f27a37cbafc6a30133847b

SHA1
4e3b089069e7632c55c298da2fb5faad2a1bba84

SHA256
60c255795ed5bebfa182fd18f0ef19f04c1f5d9317a40a9804bf6ab5e5edecfb

SHA512
6089d92049bf5fc010cefd9e7b5f68f1f1dbb1d3e38602c0400b99c23e1885c0dc8cd516b8ddbdf52c209810a7a6e0e9c06cb4f89a93f14f51120a8333c84505

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChilledWindows.exe

Filesize
4.4MB

MD5
6a4853cd0584dc90067e15afb43c4962

SHA1
ae59bbb123e98dc8379d08887f83d7e52b1b47fc

SHA256
ccb9502bf8ba5becf8b758ca04a5625c30b79e2d10d2677cc43ae4253e1288ec

SHA512
feb223e0de9bd64e32dc4f3227e175b58196b5e614bca8c2df0bbca2442a564e39d66bcd465154149dc7ebbd3e1ca644ed09d9a9174b52236c76e7388cb9d996

Download Submit
C:\Users\Admin\AppData\Local\Temp\CockroachOnDesktop.exe

Filesize
3.2MB

MD5
7810ff23f876f29cfb57b5682b978947

SHA1
3752b2236412acca972f90c527a93b65a2f74072

SHA256
3a42fea56a20ecd96ce04e358460e6c0d1fd78c62fcc59e3e5d5373b50abcc67

SHA512
b37d02e913b94536f7b979c2a4ef3b420327bcef6b3f40b3f4c26d4d28316cd8ebf4f1ab11bd2430cf7c8469c20f0e312eb1972c92d79be874c4adfeb77cb00a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ColorBug.exe

Filesize
53KB

MD5
6536b10e5a713803d034c607d2de19e3

SHA1
a6000c05f565a36d2250bdab2ce78f505ca624b7

SHA256
775ba68597507cf3c24663f5016d257446abeb66627f20f8f832c0860cad84de

SHA512
61727cf0b150aad6965b4f118f33fd43600fb23dde5f0a3e780cc9998dfcc038b7542bfae9043ce28fb08d613c2a91ff9166f28a2a449d0e3253adc2cb110018

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cool Spot Deskmate.EXE

Filesize
1.6MB

MD5
3bd84863fc264eaef2829188ffce31eb

SHA1
a011d1a31afaac671c8ad7075966b30f4363b707

SHA256
bfa7d853f75e885f21fc0e8302d755713aeea8614df2a9b68af6399c2dd67376

SHA512
fdd9f9d2ff444afd252bef9b2502c354a8d359d2b7cd13dfc7ded3e800d6685ccf0ae3e0357c9657836b4fe2cfe071e54ef25efe501dff48ebc8da145c2ba7ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Delete Windows.exe

Filesize
179KB

MD5
7bc3c76651c932ee205ba8ff08243c4d

SHA1
e36376e70a7f3b5c1597a60f3538e1f26e3247ca

SHA256
e398f3f90b23aa358f2786f0a15f3fac74ed3670433afc60ee733ada330beebc

SHA512
104d1516a12e8e6e107a8d71ee0ff955148a4d84914c998843af6effee55154022ed7f0cacb099abc1bccd9408e1eb08f2a146a5c5b7235d8b773023ab8f94a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DeriaLock.exe

Filesize
484KB

MD5
0a7b70efba0aa93d4bc0857b87ac2fcb

SHA1
01a6c963b2f5f36ff21a1043587dcf921ae5f5cd

SHA256
4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309

SHA512
2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\DesktopPuzzle.exe

Filesize
239KB

MD5
2f8f6e90ca211d7ef5f6cf3c995a40e7

SHA1
f8940f280c81273b11a20d4bfb43715155f6e122

SHA256
1f5a26f24a2bfdd301008f0cc51a6c3762f41b926f974c814f1ecaa4cb28e5e6

SHA512
2b38475550edee5519e33bd18fea510ad73345a27c20f6457710498d34e3d0cf05b0f96f32d018e7dc154a6f2232ea7e3145fd0ed5fb498f9e4702a4be1bb9c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FOR MOD-MAKERS\GooseMod_DefaultSolution\GooseModdingAPI\obj\Release\GooseModdingAPI.dll

Filesize
16KB

MD5
6f6c8f80d6c36739147b38016bd4b469

SHA1
bf0f81a00ccc595242620b15ade2a0661424d9e3

SHA256
fba607ccfd47e2b6ba04d449f1de10e3b66ba35b7d0e96f71e7c61d0c10486f4

SHA512
1b3d6da8eedc140f3836c60eadc5251870d01db99e72d33ec0b2a585e2e4b2f7e643e2a12ad42f8e6d8704e8af67ca1df728acdbe18c614a1b8f6746d0c3fbc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\FOR MOD-MAKERS\GooseMod_DefaultSolution\GooseModdingAPI\obj\Release\GooseModdingAPI.pdb

Filesize
25KB

MD5
5e0ccb3bd78be9cd539fef6e4005e47a

SHA1
9a28756dffdef59d36bf42cb9cc8e02e454026d2

SHA256
4e4eb668831c91756eb030045d118ebd069fda0b0e0065ee2467c4c1c382cdd8

SHA512
4c58e1d9d77c42500c3d91314257f563a6b3af627ae0d5ec257b38a8b8008b47ad10b8b3a0661bc72a12bdaf549a33453a971802542f5c719fc979fa9f6c1372

Download Submit
C:\Users\Admin\AppData\Local\Temp\FakeAdwCleaner.exe

Filesize
190KB

MD5
248aadd395ffa7ffb1670392a9398454

SHA1
c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5

SHA256
51290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc

SHA512
582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Goose.exe

Filesize
4.5MB

MD5
5f81ece0c9e38a0e748c5080f49d57b5

SHA1
59aeffa0b1c588a37e6f52a1df2832b06e34cc06

SHA256
fc55fab5d5c56d8a5701b3cf7c024501ea902d3145e0f1cedaf4c0de5e0ff9f9

SHA512
a85093aaa49fe984bbb19e3f7dc439457814284f9fb120be0eec6817397439508ae3a0b5ab00145f2b36a5b0692554558927407d5672d20f484fff04f2e74529

Download Submit
C:\Users\Admin\AppData\Local\Temp\GooseDesktop.exe

Filesize
221KB

MD5
c883e2c769ebe56240a71260b17f1b93

SHA1
4a831d4f48f6ea81db508c2a87cf860acd17edb1

SHA256
943fd1ea44266c5d7fa02f2b292db095a4e6ba8027a1f6c73fd60d1165e63aff

SHA512
dae40d442794152285ce484b10095d11592a39cb1968bd38cc70ee23005bd1e04ad4312d7266107bdd375e10fa91ab9fd3d41d4d6ccd2268d052b343528c4376

Download Submit
C:\Users\Admin\AppData\Local\Temp\HMBlocker.exe

Filesize
48KB

MD5
21943d72b0f4c2b42f242ac2d3de784c

SHA1
c887b9d92c026a69217ca550568909609eec1c39

SHA256
2d047b0a46be4da59d375f71cfbd578ce1fbf77955d0bb149f6be5b9e4552180

SHA512
04c9fa8358944d01b5fd0b6d5da2669df4c54fe79c58e7987c16bea56c114394173b6e8a6ac54cd4acd081fcbc66103ea6514c616363ba8d212db13b301034d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HappyAntivirus.exe

Filesize
1.9MB

MD5
cb02c0438f3f4ddabce36f8a26b0b961

SHA1
48c4fcb17e93b74030415996c0ec5c57b830ea53

SHA256
64677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32

SHA512
373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hydra.exe

Filesize
43KB

MD5
b2eca909a91e1946457a0b36eaf90930

SHA1
3200c4e4d0d4ece2b2aadb6939be59b91954bcfa

SHA256
0b6c0af51cde971b3e5f8aa204f8205418ab8c180b79a5ac1c11a6e0676f0f7c

SHA512
607d20e4a46932c7f4d9609ef9451e2303cd79e7c4778fe03f444e7dc800d6de7537fd2648c7c476b9f098588dc447e8c39d8b21cd528d002dfa513a19c6ebbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\InfinityCrypt.exe

Filesize
211KB

MD5
b805db8f6a84475ef76b795b0d1ed6ae

SHA1
7711cb4873e58b7adcf2a2b047b090e78d10c75b

SHA256
f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf

SHA512
62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Penis_Cursor.exe

Filesize
444KB

MD5
4ccc1c614f8d57fff412b5cc198ab5a8

SHA1
6c1af97d6089c3bcaee67fd492746d55b48e3934

SHA256
9f7085ff7cb2b814da16a02abe921dd42b3c6b992580c8f01e29d05750a0a488

SHA512
d503834c563177527698efc29b3bc762d99beb69e92182509115f0751da0ef3d13cfbaea96d71180fae5a8e08287abf2ed1b704f98dda6dd6042a653254f1e75

Download Submit
C:\Users\Admin\AppData\Local\Temp\Porno DDOS.bat

Filesize
130B

MD5
245a8ef029b610e7bb3f3a03ac50b263

SHA1
ed2c5ec2d13134747d24b2d41178751395e04dc5

SHA256
4968842207f0efe0cdc83a2ee14c5d1742b446b57769a83701fb100dcd666e70

SHA512
268718222cf4e2b02a2dd715bc49f747f2e4b32f8a0c9b5ff7211c97a85d72300e8f0b5a42114ed137ac0749cf008662f4b6694c70c536950f35e707f52b55ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\PowerPoint.exe

Filesize
136KB

MD5
70108103a53123201ceb2e921fcfe83c

SHA1
c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3

SHA256
9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d

SHA512
996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trololo.exe

Filesize
1.7MB

MD5
6a11520b1ab6fc308a09c8a313645f31

SHA1
8094f8eec65aac53700a993cb73fb02ef72a3fa2

SHA256
784ba70394284aab3dcb0f7d0404eb515b9e193eaa2911dd342cef92bf85f13f

SHA512
da480c26ba2aacef2c26cde1a4f145f38c1825d2e7f3e718b3545e0d38d20d8dbe09d3438a6826188c16691a44d282034f59404ebea843fc331869e2925d1cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bruh.vbs

Filesize
56B

MD5
507a5522c34525db4c7f491ae8108239

SHA1
be65986007e4244c877aef236ece167b94f74cb6

SHA256
3427ceed0ca73c5492ae67691f611caa5b08a89bd29ee067ad7c22aaaae1a0ac

SHA512
60239d296437909ba6f8cc40c078bb9af51487af5032eb7f631c5e6c96849244bb8aa93696cc1f16b1e5ba7aa6d441cea47eb49801a987c08e89f2bfacd6ab9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\forkbomb.bat

Filesize
21B

MD5
334099ce7dc622990a731c58185925df

SHA1
f08cff36eae14c289139fa3a3262161fc49e5a24

SHA256
003fde2362d22b41985c2e15be44ddd0ac3f5272fbea6924ec2256499c11859d

SHA512
13f893e2d37201ed7dcd13586dcfdde9001fe02356f4dc33a5a2e0071f96d87bc8d8d13ebcc515c7dfe7b449db313d1330cf5d959ea8e3d09a3df4a4644dc1fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\free.vbs

Filesize
42B

MD5
b7d4e96408d1c870570bc7c4a35387dc

SHA1
2f2508b906801265d2d3acbecc899570fe4b791d

SHA256
a50e401e8059fe456a0fb975f88258c8ebd2b73905657300808bb5bcee3ec782

SHA512
d52f7a1278aa7579ddc3fbdf63cbeab1aace7e067233209ae9ef961d78b7bfee29611d4fe2135d2c7813163a04ac4aa4455445bc2cad95867eb3e906dfb0eb4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Курсор - писюн.exe

Filesize
5KB

MD5
17b935ed6066732a76bed69867702e4b

SHA1
23f28e3374f9d0e03d45843b28468aace138e71c

SHA256
e60353b37f785c77e1063ac44cba792e9ec69f27b1dc9f3b719280d5ce015cc0

SHA512
774ea047cdc5f008df03ad67242df04d630bb962bc99f1ea8974a21baf6a902c7a5d8b8d09d9e5c7d7e46b0378c7baf33bf80fb3e34777cd0958b8fc740d0318

Download Submit
C:\Users\Admin\AppData\Roaming\Delete Windows.bat

Filesize
34B

MD5
092a87f032a0b0940af78f9f920e409a

SHA1
388a02a3384d325ac369036850c5a6a00a0d48bf

SHA256
dadba73ba4c42ae35d8bb86eb16e026e113d37bd5c679b9931b2e81ff928d91f

SHA512
5a074599f9058987d1d1385ab75a3b96b5fbc1d39d93e5676427c7f8d612431c8a2e44904e4ff30099621520797889bc5296a6b95c71091a61002ffbd295e51c

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram.exe

Filesize
79KB

MD5
3805abbd3aea5d94acaf1ed10e5e23e9

SHA1
776abdffe0d8c34c25085f541b16249bdbc08ce8

SHA256
b39e41e32b18e5ad96b2a50cd72a5eaffde73e2a75c21bc70beddb28176495e3

SHA512
0a5b0feac05ff58f2baf1f0c3ac5884645af7b8c5f71ea1cf276194ff6bec034d8ef61de088b6574bc3453ac53a3fb83410b74a13865372fcdcdc8170c40e040

Download Submit
C:\WINDOWS\302746537.exe

Filesize
22KB

MD5
8703ff2e53c6fd3bc91294ef9204baca

SHA1
3dbb8f7f5dfe6b235486ab867a2844b1c2143733

SHA256
3028a2b0e95143a4caa9bcd6ae794958e7469a20c6e673da067958cbf4310035

SHA512
d5eb8a07457a78f9acd0f81d2f58bbf64b52183318b87c353a590cd2a3ac3a6ec9c1452bd52306c7cf99f19b6a897b16ceb8289a7d008c5ce3b07eda9b871204

Download Submit
C:\Windows\E8E9.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\System32\usеrinit.exe

Filesize
139KB

MD5
4acd14244d2cd76d06939163127cfb10

SHA1
75f3e3c764f7d20c9950f5410f753f3210bcc2e7

SHA256
29b5b65a1cdf119ac7c6c9df76c6843b25a81bd00aa5a5e995ec675e34bf1acb

SHA512
001504da15c1825102479ba379b0be7ec15e779626d450d9d763552d7e1ac71f5bb86110f9361363bd401aabc53cdfd2d554480aec8bef85ed8c7b03cebf4031

Download Submit
\systemroot\system32\mseeeeee.dll

Filesize
718KB

MD5
8736c2a37ff0adf6f03d94bb34d1f784

SHA1
e4867b136e100c9d45f6adea593c9a636134f308

SHA256
dbe318e7c72f9558f836c920510a5245ae5af29996b62f661399ce3724458ec3

SHA512
2bbb22540e6ae0ebdd7c5303f67fb3911025a9f8f68c1c192edf5247a66bff885e292dded093d4522488b9a98f5bb00f24b00374e8eeb219184faacc95818848

Download Submit
memory/8-246-0x0000000005270000-0x000000000530C000-memory.dmp

Filesize
624KB

Download
memory/8-267-0x00000000053B0000-0x0000000005442000-memory.dmp

Filesize
584KB

Download
memory/8-295-0x0000000005370000-0x000000000537A000-memory.dmp

Filesize
40KB

Download
memory/8-245-0x00000000009D0000-0x0000000000A52000-memory.dmp

Filesize
520KB

Download
memory/448-159-0x0000000000D10000-0x0000000001174000-memory.dmp

Filesize
4.4MB

Download
memory/1968-332-0x0000000000E40000-0x0000000000E58000-memory.dmp

Filesize
96KB

Download
memory/2080-775-0x0000000000010000-0x0000000000113000-memory.dmp

Filesize
1.0MB

Download
memory/2540-151-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/2828-940-0x0000000000400000-0x0000000000733000-memory.dmp

Filesize
3.2MB

Download
memory/3276-931-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3292-201-0x0000000002110000-0x0000000002178000-memory.dmp

Filesize
416KB

Download
memory/3308-391-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/3768-336-0x0000000000110000-0x000000000013E000-memory.dmp

Filesize
184KB

Download
memory/3856-283-0x0000000000400000-0x00000000004C4400-memory.dmp

Filesize
785KB

Download
memory/4244-853-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4268-230-0x0000000000E20000-0x0000000000E52000-memory.dmp

Filesize
200KB

Download
memory/4280-402-0x00000000000A0000-0x00000000000B0000-memory.dmp

Filesize
64KB

Download
memory/4476-192-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5208-588-0x0000000000E20000-0x00000000012AE000-memory.dmp

Filesize
4.6MB

Download
memory/6076-691-0x00000000078E0000-0x00000000078F0000-memory.dmp

Filesize
64KB

Download
memory/6076-726-0x00000000078E0000-0x00000000078F0000-memory.dmp

Filesize
64KB

Download
memory/6076-692-0x00000000078E0000-0x00000000078F0000-memory.dmp

Filesize
64KB

Download
memory/6076-663-0x00000000078E0000-0x00000000078F0000-memory.dmp

Filesize
64KB

Download
memory/6076-624-0x00000000078E0000-0x00000000078F0000-memory.dmp

Filesize
64KB

Download
memory/6076-597-0x0000000005790000-0x000000000579A000-memory.dmp

Filesize
40KB

Download
memory/6076-576-0x0000000000840000-0x000000000087E000-memory.dmp

Filesize
248KB

Download
memory/6844-854-0x000000001B6B0000-0x000000001B756000-memory.dmp

Filesize
664KB

Download
memory/6844-880-0x000000001C1E0000-0x000000001C27C000-memory.dmp

Filesize
624KB

Download
memory/7012-933-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download
memory/7064-857-0x0000000000760000-0x000000000081C000-memory.dmp

Filesize
752KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads