hackbrowserdata | d2605d6c7df64c9cc45fb58cefeb196489812e8e7e607556d4817aecb61681fd

Analysis

max time kernel
35s
max time network
38s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
20-12-2024 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zjrtdbt3.exe
Size

806KB
MD5

707b311ccf5b3f5d49e422e447c4336b
SHA1

157b280bf0e4d55118221da9cbe9d5739204e050
SHA256

d2605d6c7df64c9cc45fb58cefeb196489812e8e7e607556d4817aecb61681fd
SHA512

c6df8c0a465d9e5fe84b3b2198cfe6a921e0b177902a49aa76e127a56b989f8d35c3adc6733973cbfe13ac10bba9bf3eac0cb182ec28be797c0d48af94c74376
SSDEEP

24576:Y2Q9NXw2/wPOjdGxY7kqjVnlqud+/2P+Aey:YTq24GjdGS7kqXfd+/9Aey

Score

10^/10

hackbrowserdata discovery infostealer persistence privilege_escalation pyinstaller spyware stealer

Malware Config

Signatures

An open source browser data exporter written in golang. 1 IoCs

resource	yara_rule
behavioral1/files/0x001a00000002aac1-184.dat	family_hackbrowserdata

HackBrowserData
An open source golang web browser extractor.
infostealer hackbrowserdata
Hackbrowserdata family
hackbrowserdata

Executes dropped EXE 3 IoCs

pid	Process
3080	tkstt.exe
5040	tkstt.exe
3432	bsrtt.exe

Loads dropped DLL 38 IoCs

pid	Process
5040	tkstt.exe
5040	tkstt.exe
5040	tkstt.exe
5040	tkstt.exe
5040	tkstt.exe
5040	tkstt.exe
5040	tkstt.exe
5040	tkstt.exe
5040	tkstt.exe
5040	tkstt.exe
5040	tkstt.exe
5040	tkstt.exe
5040	tkstt.exe
5040	tkstt.exe
5040	tkstt.exe
5040	tkstt.exe
5040	tkstt.exe
5040	tkstt.exe
5040	tkstt.exe
5040	tkstt.exe
5040	tkstt.exe
5040	tkstt.exe
5040	tkstt.exe
5040	tkstt.exe
5040	tkstt.exe
5040	tkstt.exe
5040	tkstt.exe
5040	tkstt.exe
5040	tkstt.exe
5040	tkstt.exe
5040	tkstt.exe
5040	tkstt.exe
5040	tkstt.exe
5040	tkstt.exe
5040	tkstt.exe
5040	tkstt.exe
5040	tkstt.exe
5040	tkstt.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
1432	tasklist.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x001a00000002aabc-21.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zjrtdbt3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3032	netsh.exe
2692	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3012	zjrtdbt3.exe
Token: SeDebugPrivilege	1432	tasklist.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 3080	3012	zjrtdbt3.exe	78
PID 3012 wrote to memory of 3080	3012	zjrtdbt3.exe	78
PID 3080 wrote to memory of 5040	3080	tkstt.exe	79
PID 3080 wrote to memory of 5040	3080	tkstt.exe	79
PID 3012 wrote to memory of 3432	3012	zjrtdbt3.exe	80
PID 3012 wrote to memory of 3432	3012	zjrtdbt3.exe	80
PID 3012 wrote to memory of 1432	3012	zjrtdbt3.exe	82
PID 3012 wrote to memory of 1432	3012	zjrtdbt3.exe	82
PID 3012 wrote to memory of 1432	3012	zjrtdbt3.exe	82
PID 3012 wrote to memory of 2692	3012	zjrtdbt3.exe	84
PID 3012 wrote to memory of 2692	3012	zjrtdbt3.exe	84
PID 3012 wrote to memory of 2692	3012	zjrtdbt3.exe	84
PID 2692 wrote to memory of 3032	2692	cmd.exe	86
PID 2692 wrote to memory of 3032	2692	cmd.exe	86
PID 2692 wrote to memory of 3032	2692	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\zjrtdbt3.exe
"C:\Users\Admin\AppData\Local\Temp\zjrtdbt3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\tkstt.exe
  "C:\Users\Admin\AppData\Local\Temp\tkstt.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3080
- - C:\Users\Admin\AppData\Local\Temp\tkstt.exe
    "C:\Users\Admin\AppData\Local\Temp\tkstt.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5040
- C:\Users\Admin\AppData\Local\Temp\bsrtt.exe
  "C:\Users\Admin\AppData\Local\Temp\bsrtt.exe" -b all -f json --dir browsers
  2⤵
  - Executes dropped EXE
  PID:3432
- C:\Windows\SysWOW64\tasklist.exe
  "tasklist"
  2⤵
  - Enumerates processes with tasklist
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1432
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C netsh wlan show profile
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Wi-Fi Discovery
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\netsh.exe
    netsh wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Local Storage\leveldb_7.temp\CURRENT.5

Filesize
16B

MD5
9f36605efba98dab15728fe8b5538aa0

SHA1
6a7cff514ae159a59b70f27dde52a3a5dd01b1c8

SHA256
9c283f6e81028b9eb0760d918ee4bc0aa256ed3b926393c1734c760c4bd724fd

SHA512
1893aa3d1abcf7f9e83911468fa2eeb2ad1d7e23f4586bd6c4d76f9f96a645c15e63e44da55700347165e97b6ac412e6d495b81c3da9faa61d617c7a71a7404c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Local Storage\leveldb_7.temp\CURRENT.bak

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Session Storage_8.temp\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\[GB]RPHBTALT_181.215.176.83\Common Files\14129_ExportUnblock.mp3

Filesize
375KB

MD5
d81d0af24b94b005598037b5872f0f77

SHA1
0059ba692a0277784e2d51c3fb74086bf288d601

SHA256
10f58c19a349b699aa5ffccd1cceb104b3e4cdc03dccd4fa1b34e8d1e967c081

SHA512
5fc1e623c7dcb2f9e11382c07111f9052ec7e9785f8fe6379bd9a671b3aa60270cd570cb18e37a0fc7fbe8b1e45f4e1abd69fa06637ff15ff159a2dcb2e4fe8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\[GB]RPHBTALT_181.215.176.83\Common Files\19993_ConvertFromUpdate.mp3

Filesize
454KB

MD5
d0d0747ce7c784b736fa6c99c777deef

SHA1
adb42e67fad9273cf2265d1f8dbc552f46d71513

SHA256
a42c3ba3a2712d4af0e6620a75b196cf141c5ccec1213ade168e38732aabb49e

SHA512
ca4a23e168f648ac4fab553d70263b4c7fa57217686409b17e54db3f927d9ec81f38538c1ad2e34a5b9ecdc7b31f6676bbb015fd38f0b5cea2bc9cb43cc77813

Download Submit
C:\Users\Admin\AppData\Local\Temp\[GB]RPHBTALT_181.215.176.83\Common Files\23604_SkipMeasure.png

Filesize
664KB

MD5
c58fbc3a342f0fe2d800758b94750032

SHA1
fa3c7d3e6dd58a84af0207035ba465e5c548959b

SHA256
b2bdc2c21358522283dab294769133000e27beaff67209f1183614e58f47206d

SHA512
6a6b6f24869bdaf5a18fba7286580bedf3bcaf7e8d5a03e075247ac81a38c0b1d81770021b2ab9c8e97ac087b607e63311e9b39ebd7744027e28a56b1510a015

Download Submit
C:\Users\Admin\AppData\Local\Temp\[GB]RPHBTALT_181.215.176.83\Common Files\2828_StartSave.mp3

Filesize
432KB

MD5
57b98a258d45d78ad26c29677c843d3b

SHA1
095997770bc7661be124b799b313080337f53d0a

SHA256
c134af25be58a852ea16631a4df6d840ba7f5d826a538048d87e01351de00558

SHA512
c908c78d8285666b714d789723627ea193bf3cf924c7ae7d8b0ea677f399ec4b8ec42433b64caf7f2a6df026defbd7b01e2e778b6746808f2c9f239442696244

Download Submit
C:\Users\Admin\AppData\Local\Temp\[GB]RPHBTALT_181.215.176.83\Common Files\32206_RegisterInstall.pdf

Filesize
396KB

MD5
8ef016c8b53bb57a4f27d7fc3952f43f

SHA1
d3d5927576afdc3a659f0a8f253861dd839c96ce

SHA256
0c5fb5a4e3a591200c23d14d3372cd75ec8c178456e916d710eefb5903643e09

SHA512
70d2cb538f0dab27780ce64297b426f08a0b2373c61706764a24034991fbbf91fad8b04106f46b647b0e6541ed5325087d48116b04fb85c4f4277c1aa0e4641d

Download Submit
C:\Users\Admin\AppData\Local\Temp\[GB]RPHBTALT_181.215.176.83\Common Files\34995_UnblockSelect.csv

Filesize
205KB

MD5
70735f0f481968ce48e26d8f02c3e1ab

SHA1
def7e75d82825c47146a5ecb1fe24f995251535c

SHA256
c182eddea2232d5bdb5c3704b6eca9e27d70af4729ade1c71d0ad5b39b379d88

SHA512
bc74a721c7c873e9061a66508ec641b00af9631d4b629df42bebce7d7b5b32f732d5ab94fbd40ae4003c3e51bb1d717147ea206d818e87c7c7035699140c1e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\[GB]RPHBTALT_181.215.176.83\Common Files\36525_NewClose.mp3

Filesize
380KB

MD5
6bb40c0c235e79c6099281bc3a20fc65

SHA1
6221ef3561d94a7d8c70b78f5af5e5e342034bb8

SHA256
292e4c06b1b76009107c4adc766e9516052b4364483772163335b9b49c35eee4

SHA512
1d17b00df9106433f0588773a84a0069eb583f9c1b0769aa77968d2f179c29d7ddb4af71d08af32866ee5d9fa42965daee0cd214ed398313cd0d9eaaecde2c97

Download Submit
C:\Users\Admin\AppData\Local\Temp\[GB]RPHBTALT_181.215.176.83\Common Files\36976_SuspendPing.mp4

Filesize
987KB

MD5
37974738b8063b5b9c9081c555f96da9

SHA1
3a96030f5dda12778ef13d67c6a041e5af1a4eab

SHA256
383a2f82829b3f3ff4b149cd37123dd360c90711e45fc254950f72baafe74f63

SHA512
5422366d90eddb769d6a2bbcd75c0fac2eda84a6b9e3ad1cc3225bfdd2bf117d6e7d7885072eb79cc203e1648724d2a7e0357b9a20c994601552a838d4b4361e

Download Submit
C:\Users\Admin\AppData\Local\Temp\[GB]RPHBTALT_181.215.176.83\Common Files\38258_JoinConvertTo.pdf

Filesize
195KB

MD5
40a1a90470c474f626558492fddbcb0e

SHA1
e3d21efb4f0466d8c01d78429db77232c1193435

SHA256
f42f88920caa08c874da6bce1072dd530e9a9965dfe70d9926b5417b9eb5e508

SHA512
f795fb52ee2ec56ea66a2c48506de3a4d64decc2bf28d15606544878abd27f70201a4826c31f863f4709b67228f3ad4cac719c01195ffcade46722eedba10990

Download Submit
C:\Users\Admin\AppData\Local\Temp\[GB]RPHBTALT_181.215.176.83\Common Files\38905_TestHide.doc

Filesize
928KB

MD5
adfad24f2828a0d3bcd64d49f6e37fb3

SHA1
a6af355fc0d62e4fd4b68b2b7e40ad8d6f729e08

SHA256
4cfe3213fc54fc71122c2a47cbb557493872cd376dea0a311df30a159729915c

SHA512
7afc298456d8b1f70db5bfc9d7795c2023dee02d14b5b33386e7de1d303135ee1b8d7413e22db2b1e8d61f23876d6b99a27bd41fe18b99921ad1ff5b7a939183

Download Submit
C:\Users\Admin\AppData\Local\Temp\[GB]RPHBTALT_181.215.176.83\Common Files\43272_CopyBackup.vsdx

Filesize
386KB

MD5
7ac674a35303c3d00344235755707b2a

SHA1
1a8942c81983c507c30c6594f097c5a4429cd936

SHA256
23d6f7b3f27bba05a9982219a1edace8e422e1d7d60c57a88307959bde3c39a7

SHA512
48a96772b1a2ba8f59e5df3596d425cb6eea2203271636d0df966d61c3949443396123c50187010fa811d4558137d904105db18a974341fb7f9b064b0d19c4cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\[GB]RPHBTALT_181.215.176.83\Common Files\52552_WaitSwitch.jpg

Filesize
755KB

MD5
6489c35bbf779d2c4fac980ab852d576

SHA1
398639f3153f590d52e791b7f09657ebc994f69d

SHA256
48d8584f74f785fb1d5fb04d76be95dbdef7cf763fac2860ff8f3460a4756c96

SHA512
a1f7890aca517edf2e0b1791b6f52390d6b19b39fe244e006c0acccb50e9b9b103b2a91b75bf85e9397e25742e0508f22f2037438eadcac6365e87331b503a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\[GB]RPHBTALT_181.215.176.83\Common Files\60987_AssertResume.docm

Filesize
346KB

MD5
545256fd34fe966ddf743cbe99287729

SHA1
088f8a05c5ee4e8e4c6a2e043e36dce69c4e18a6

SHA256
476246c51ee4b06128905979090ba05599994016d2b5ef495c85f0a9f47cb31c

SHA512
e1bfbfbde2c8dab949a95b632bd93cf9ecdbd2b205dcd61b4822f3cf6ab0b737167bb0587d36f995bc3853723f313a5aba8f942b4c6ee5e27961a23be3e58fee

Download Submit
C:\Users\Admin\AppData\Local\Temp\[GB]RPHBTALT_181.215.176.83\Common Files\74690_UninstallResume.css

Filesize
851KB

MD5
cf1cf962281e8e45b2ecea8434449bd7

SHA1
9099ca9dcc85ee10d4d7758a493203cda2b83b78

SHA256
fe21ccc73efa1b083ccfb665a5958a4050893e6e985ec5a86d898d12cf222ab3

SHA512
c749cd3e89b31b9a17725d395ad0e4ae7f2dc52c5b1c1cb454fb96c14b494c3c777067031f969715a4f384f618f5ccde2a812cb2667ec1db150979677a6d27b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\[GB]RPHBTALT_181.215.176.83\Common Files\76104_SearchStep.jpeg

Filesize
799KB

MD5
7b9a408b89bc0f5b23614bde12bcd677

SHA1
63ee8e0cad0705d5c12a13e3431483863d3e6c8c

SHA256
c47fd624f49d880aba34abf97c0931874f11bf6bf37e1006bb9c8b42ad282ce3

SHA512
a20540451cc3453217547190be53d7481eb31e2230303cfc108e16861fa8e00b1eaf75fdb9e78f400bc1413657c6e3d0360ae3aa92826b4f8ed9be35eed526f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\[GB]RPHBTALT_181.215.176.83\Common Files\77045_RepairBackup.wpl

Filesize
274KB

MD5
332a590b27a7870ffee6757ca8fdb309

SHA1
6079d30f5d69f27f2e4659f2ba1b9f995532ec68

SHA256
95c493117d2de969e0a2cad416ec399f15d94d871dcb2288214bb17323b989e3

SHA512
804a07e13ec9b346150319cf240b5132a51f9c8e033885589d77c9258fbe5c7fb563fab83b809df9dfb49bd60018f4d4a790ab2c5d3470129a443d772d833f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\[GB]RPHBTALT_181.215.176.83\Common Files\78987_RestoreAdd.csv

Filesize
496KB

MD5
e22f1e167c0313f10f3b13656507eded

SHA1
255b7fc29ed8231f691d01018633947781c2b2d9

SHA256
2883c3a16a95b492242f593306476046ad62866bd06410119e525810e5d45228

SHA512
8d2fc6af6768e1679bcbe4f3ed07c2f150b040818dce92a012cb769bbb9f050c5452358c280e944d4ac9a8021f6a2ad529b7994b042e682ac716fe2af6e5633d

Download Submit
C:\Users\Admin\AppData\Local\Temp\[GB]RPHBTALT_181.215.176.83\Common Files\87070_CompressUnlock.txt

Filesize
642KB

MD5
8e728206a7d9a7874a753ae6a7336f03

SHA1
d4679036c2ed0e9cc76571f5af7a7c17a93ce6f3

SHA256
1e79fe736906ed1d4564c4559651a5797f200ebcb7c6b13752a59301e70f8d1d

SHA512
608b3416c65228fb21933d941634cc0eef5adddc8f111b6e2a90f0510efe875c79d3a195f04330bb17aae23769e70de21a4667d50bed8067f7e003793936b806

Download Submit
C:\Users\Admin\AppData\Local\Temp\[GB]RPHBTALT_181.215.176.83\Common Files\92368_DisconnectApprove.xls

Filesize
215KB

MD5
cee356ee91c9481661dd0fe7ea23e600

SHA1
43e474610eee2f70bb8ce00d114d563449734ba3

SHA256
63bd87ff94ae87b6ab35680b03bff8203dcda9241bd498080e4052baaf8a0a9d

SHA512
779d578b2e4fcc5b1fd16377c97adcc84b16767ac64bf329b27ef7a39e0e31ec03f07ec954e9a60cf432510e4b756c4686230373fce893ae303b72d22788bdb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\[GB]RPHBTALT_181.215.176.83\Common Files\92963_PingResolve.txt

Filesize
484KB

MD5
0a8eed3446ee2ab1dfbc79e81865272c

SHA1
c0a600fffb29fae899c2e40530e06b2b6be25846

SHA256
1e786e80ef4e991cf8df35edf3907d9de1643fa4baa6bcb85e84313cb13e2971

SHA512
55073aca61a0a186c272a9ec8f207f375614c45c8554082b6b2ec93e66c30de4f59df7543a34a2c97dc5ccb944cd95be7df4d112739d6405268efe52210f2624

Download Submit
C:\Users\Admin\AppData\Local\Temp\[GB]RPHBTALT_181.215.176.83\Common Files\9744_SearchDebug.jpeg

Filesize
392KB

MD5
7783c18c4d51922b332f6444f24b11fb

SHA1
1333e172271b47ea1e2541068b9296644543e8f0

SHA256
49cf14295f79fdb93de328c1de8a21fd9f6ad806d434e8699ee5ee0273529a84

SHA512
88d3e57d4bad2ac826fec6c9817136acb489f4b923e0d9ea34dadb039d2459597d032345824b1c6b7ff9622b46ed30f3895796a4b99a254edc7851f53fb8152a

Download Submit
C:\Users\Admin\AppData\Local\Temp\[GB]RPHBTALT_181.215.176.83\Common Files\9747_ConvertFromResume.cab

Filesize
230KB

MD5
8619f6da34fb8a70bd9afc56c276cbaf

SHA1
4b006bc2edd194ce35a53b1f0ed552b53a080900

SHA256
a4c01dbda6c4731a689d96cc688da93f6dea7c9593f6692fa343842f86c10a04

SHA512
ba6267e78af93feee96d4d8ec7db803e621abb8efd7b29299510fa81c5efdbb595bd4e4d38aab87139478d77f91e7b27249c41698ee8fb08c78de2689c8175e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\[GB]RPHBTALT_181.215.176.83\Common Files\locations.txt

Filesize
1KB

MD5
2f837f7a965f053b175b90b08dd66615

SHA1
56ae75d85973dbd8b90a9bda522188527ac4debd

SHA256
2d6a3ee494fba0c211c275fc697cba2a36358aa38ded0d3295254c341f0c1544

SHA512
6f6c2227003c3895924a050cf419d4048dcc73800c10cd8e2eecfe3c5b2d500004dc7000ccda4f6aebe7cf3e4e911bac0596920bbb54ec7266ef08029b697671

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30802\Cryptodome\Cipher\_Salsa20.pyd

Filesize
13KB

MD5
2ce3043d6fbd62bcbe6948a1e6a789f0

SHA1
7a5e9bc5a96bd2ec677927fb014073e7cdb70f3b

SHA256
c5a4ac8202a0211163938b6306e3a678cc461ed8e283f4c4601748d2e50783a3

SHA512
8fca5216d65c66640541b31e21a7eb18f510c5c0d3420bff5581337875a6f68dd808f35d61a759a26aad9ae4f50aa1580e8d90e016d9acdc5aa2d04cfaad4377

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30802\Cryptodome\Cipher\_raw_cbc.pyd

Filesize
12KB

MD5
8d17946e6b1936061203afe20cddb5b0

SHA1
589dac4d2864fdc0219b0de3973b2ee0023cd5ea

SHA256
bb9898057572f17131bb63d513c19901e29d2e29215f7a93d6d84fa537475f0b

SHA512
3354942781e4d36b84d83ab6959707d29f6e25d3614b15a228d63d084f6f2a280bfc9153f24ea0fef489fa7043e21eb67e4b6d3ad7d073fde37f6206462f5931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30802\Cryptodome\Cipher\_raw_cfb.pyd

Filesize
12KB

MD5
606e85b094ae6752e1099a176aa20f09

SHA1
35e9355ce75b57111d3793502636d5fcd78d34a4

SHA256
917fa3438b61cc207d73bd72cda6c42cd08656a2187fd9ca2860c67c12677238

SHA512
19de7b6c567e997825f2f08773c45a3562bc3980248de31738395cafa0306707a82f912a8b9b1dba440162443e1554e87ef5586776189b763576d9a7aca9e587

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30802\Cryptodome\Cipher\_raw_ctr.pyd

Filesize
14KB

MD5
f3cfd044825e9c08ce37a8034e2ed786

SHA1
51637c5678aedf528adef8036c53513495fcbb44

SHA256
bcbe37f565b91a127e40634db8e7e1b8b1ce3e1344f3fa082496b93d75435b80

SHA512
fd9f8ae46a438138c31408ebf9129dd507a8fd6dc24f24eae2b2dd8bd90e8b78afb0aef82a314ca5566d4d1bb7d166642dd2e7d7ea8e484c0261f623b2c1c15b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30802\Cryptodome\Cipher\_raw_ecb.pyd

Filesize
10KB

MD5
4db0ac98329ae64cec9c28570af52968

SHA1
8f7d327c1049c27b0df6bc6c2017cc302ba99a10

SHA256
5a43e3809403668ed6c6f17a71828eb8cd0dcb64afc09b815a4b9f05c3661714

SHA512
515e0b972a644620c27b3c074aee62b8ba5aa679b0e1c936f616c5537a83c7ca762b7a6c7acc3279ab235d1d344db9423cdc1abf7c72775d4bbfb2cb24cbf6b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30802\Cryptodome\Cipher\_raw_ofb.pyd

Filesize
11KB

MD5
dae7f4dd6792fb84c91bd45d44ed6c96

SHA1
a88eb81d4d72adc4c7f7402338f9d5760957efc3

SHA256
01eb2117f0223f0447cd16b5ec79baf3430871da8ef461404ba13592d2e8a89c

SHA512
66e98ae82073abb24e9053203f41cebb4ac30a461fe2a62baa1190970e1be7567f495914e017ec94b6b911bab721e63a7ff2d1d85e29d5824ab3d9bc9fb9fce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30802\Cryptodome\Hash\_BLAKE2s.pyd

Filesize
13KB

MD5
1dee6707a941e02202a47c58408ed538

SHA1
511387a5a611119ba81377931da5a8da5c429b78

SHA256
4e76a0be3e295571172cf1d06dbcc48f715357bb496d8567d9376667326fa5ef

SHA512
f29063d04151c9df75ca2c138fba5f9e4da551f0fdfa7a8a83390df0dcde064038ba87eec4c852a87d80cef0dc38306aed1121d06a6b337e4cc722e4057c432a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30802\Cryptodome\Hash\_SHA1.pyd

Filesize
17KB

MD5
2efa942a436ca17562fb49bb66acdcc4

SHA1
50b2841914e9a1237ac29c7a681f0951c03d59a4

SHA256
4810a6392848b3ff20d67a531a26daaf2e1f2fe37cf61c0245d24cb0fa00177d

SHA512
bad96c34d318b975330f720b422c758ddc91ae6ab34b873f9a68f060f52552939654ac7a78d49ea787d7f182e293c604f772bea9e027d0159a43c9f06957d392

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30802\Cryptodome\Hash\_SHA256.pyd

Filesize
21KB

MD5
15e2c2434668d1648d9147156b0a44c6

SHA1
bea635adfd889381cc324d2612606e409518261d

SHA256
ebee833d40ed09abccff1f415b4a4cb1ec6f8d84431067980b09a36450edb9f8

SHA512
197818202b07f97dc370f456a1f59a5210c8af7e8221d6e0bbf8a96e8190668dd29d353bffb0f833fc622b8f797558708446cdde7a062ecd8c66d67b87262445

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30802\Cryptodome\Protocol\_scrypt.pyd

Filesize
12KB

MD5
308c6e862a3554f1b5587d003f4b1bbf

SHA1
800955d3a24065766e5825c8324b7f48cd02f073

SHA256
671aad8b7fae31e076df50c947cd198369eea6379e6fa1b058596e528f5da561

SHA512
35b27a6320a8046f7e7bc42b9af8414b076f5334467576a0e83c6d7992ec3675f73cf0fc72ae6da402ff70dd16fcc0c29287ab27ad04bb346d5229d62deb54a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30802\Cryptodome\Util\_strxor.pyd

Filesize
10KB

MD5
174b652c8e6c40c36c8ab06a20a34c01

SHA1
f3cb9321100dce3a8d79b0fc517cc58e05d26e41

SHA256
42af8d99fc975720585d25d767fc825d4922c088b6c2b13ee2de23e439523610

SHA512
9f0c444069e477a043c85f606bf1a3fb695773dbc16d1124a4b2d771ea0385b797552031433cb625d7dc9c8d490eb0ef8fa2c13aa628ebba58df6a0530913f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30802\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30802\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30802\_bz2.pyd

Filesize
83KB

MD5
dd26ed92888de9c57660a7ad631bb916

SHA1
77d479d44d9e04f0a1355569332233459b69a154

SHA256
324268786921ec940cbd4b5e2f71dafd08e578a12e373a715658527e5b211697

SHA512
d693367565005c1b87823e781dc5925146512182c8d8a3a2201e712c88df1c0e66e65ecaec9af22037f0a8f8b3fb3f511ea47cfd5774651d71673fab612d2897

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30802\_ctypes.pyd

Filesize
122KB

MD5
c8afa1ebb28828e1115c110313d2a810

SHA1
1d0d28799a5dbe313b6f4ddfdb7986d2902fa97a

SHA256
8978972cf341ccd0edf8435d63909a739df7ef29ec7dd57ed5cab64b342891f0

SHA512
4d9f41bd23b62600d1eb097d1578ba656b5e13fd2f31ef74202aa511111969bb8cfc2a8e903de73bd6e63fadaa59b078714885b8c5b8ecc5c4128ff9d06c1e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30802\_decimal.pyd

Filesize
251KB

MD5
cea3b419c7ca87140a157629c6dbd299

SHA1
7dbff775235b1937b150ae70302b3208833dc9be

SHA256
95b9850e6fb335b235589dd1348e007507c6b28e332c9abb111f2a0035c358e5

SHA512
6e3a6781c0f05bb5182073cca1e69b6df55f05ff7cdcea394bacf50f88605e2241b7387f1d8ba9f40a96832d04f55edb80003f0cf1e537a26f99408ee9312f5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30802\_hashlib.pyd

Filesize
64KB

MD5
d19cb5ca144ae1fd29b6395b0225cf40

SHA1
5b9ec6e656261ce179dfcfd5c6a3cfe07c2dfeb4

SHA256
f95ec2562a3c70fb1a6e44d72f4223ce3c7a0f0038159d09dce629f59591d5aa

SHA512
9ac3a8a4dbdb09be3760e7ccb11269f82a47b24c03d10d289bcdded9a43e57d3cd656f8d060d66b810382ecac3a62f101f83ea626b58cd0b5a3cca25b67b1519

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30802\_lzma.pyd

Filesize
156KB

MD5
8cfbafe65d6e38dde8e2e8006b66bb3e

SHA1
cb63addd102e47c777d55753c00c29c547e2243c

SHA256
6d548db0ab73291f82cf0f4ca9ec0c81460185319c8965e829faeacae19444ff

SHA512
fa021615d5c080aadcd5b84fd221900054eb763a7af8638f70cf6cd49bd92773074f1ac6884f3ce1d8a15d59439f554381377faee4842ed5beb13ff3e1b510f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30802\_queue.pyd

Filesize
31KB

MD5
7d91dd8e5f1dbc3058ea399f5f31c1e6

SHA1
b983653b9f2df66e721ece95f086c2f933d303fc

SHA256
76bba42b1392dc57a867aef385b990fa302a4f1dcf453705ac119c9c98a36e8d

SHA512
b8e7369da79255a4bb2ed91ba0c313b4578ee45c94e6bc74582fc14f8b2984ed8fcda0434a5bd3b72ea704e6e8fd8cbf1901f325e774475e4f28961483d6c7cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30802\_socket.pyd

Filesize
81KB

MD5
e43aed7d6a8bcd9ddfc59c2d1a2c4b02

SHA1
36f367f68fb9868412246725b604b27b5019d747

SHA256
2c2a6a6ba360e38f0c2b5a53b4626f833a3111844d95615ebf35be0e76b1ef7a

SHA512
d92e26eb88db891de389a464f850a8da0a39af8a4d86d9894768cb97182b8351817ce14fe1eb8301b18b80d1d5d8876a48ba66eb7b874c7c3d7b009fcdbc8c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30802\_ssl.pyd

Filesize
174KB

MD5
6a2b0f8f50b47d05f96deff7883c1270

SHA1
2b1aeb6fe9a12e0d527b042512fc8890eedb10d8

SHA256
68dad60ff6fb36c88ef1c47d1855517bfe8de0f5ddea0f630b65b622a645d53a

SHA512
a080190d4e7e1abb186776ae6e83dab4b21a77093a88fca59ce1f63c683f549a28d094818a0ee44186ddea2095111f1879008c0d631fc4a8d69dd596ef76ca37

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30802\_wmi.pyd

Filesize
36KB

MD5
bed7b0ced98fa065a9b8fe62e328713f

SHA1
e329ebca2df8889b78ce666e3fb909b4690d2daa

SHA256
5818679010bb536a3d463eeee8ce203e880a8cd1c06bf1cb6c416ab0dc024d94

SHA512
c95f7bb6ca9afba50bf0727e971dff7326ce0e23a4bfa44d62f2ed67ed5fede1b018519dbfa0ed3091d485ed0ace68b52dd0bb2921c9c1e3bc1fa875cd3d2366

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30802\base_library.zip

Filesize
1.3MB

MD5
aba776964e87291a556a2d5389476d1e

SHA1
41c45c987bb01d44901a9c6c41817196fe2aa799

SHA256
a9790e38c2e50f57e9b892ae16ebf726af09b185342b76ba57eb600b2d8994d6

SHA512
4dd38b435437472f3b8ef52aa145894aae33c9541e6eeace846debc64863d9831841b39c5ff9b9683e66979e229b29751a8509ba423eca79db06cff54dbf9363

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30802\certifi\cacert.pem

Filesize
292KB

MD5
50ea156b773e8803f6c1fe712f746cba

SHA1
2c68212e96605210eddf740291862bdf59398aef

SHA256
94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47

SHA512
01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30802\charset_normalizer\md.cp312-win_amd64.pyd

Filesize
10KB

MD5
d9e0217a89d9b9d1d778f7e197e0c191

SHA1
ec692661fcc0b89e0c3bde1773a6168d285b4f0d

SHA256
ecf12e2c0a00c0ed4e2343ea956d78eed55e5a36ba49773633b2dfe7b04335c0

SHA512
3b788ac88c1f2d682c1721c61d223a529697c7e43280686b914467b3b39e7d6debaff4c0e2f42e9dddb28b522f37cb5a3011e91c66d911609c63509f9228133d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30802\charset_normalizer\md__mypyc.cp312-win_amd64.pyd

Filesize
120KB

MD5
bf9a9da1cf3c98346002648c3eae6dcf

SHA1
db16c09fdc1722631a7a9c465bfe173d94eb5d8b

SHA256
4107b1d6f11d842074a9f21323290bbe97e8eed4aa778fbc348ee09cc4fa4637

SHA512
7371407d12e632fc8fb031393838d36e6a1fe1e978ced36ff750d84e183cde6dd20f75074f4597742c9f8d6f87af12794c589d596a81b920c6c62ee2ba2e5654

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30802\libcrypto-3.dll

Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30802\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30802\libssl-3.dll

Filesize
768KB

MD5
19a2aba25456181d5fb572d88ac0e73e

SHA1
656ca8cdfc9c3a6379536e2027e93408851483db

SHA256
2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006

SHA512
df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30802\python312.dll

Filesize
6.6MB

MD5
cae8fa4e7cb32da83acf655c2c39d9e1

SHA1
7a0055588a2d232be8c56791642cb0f5abbc71f8

SHA256
8ad53c67c2b4db4387d5f72ee2a3ca80c40af444b22bf41a6cfda2225a27bb93

SHA512
db2190da2c35bceed0ef91d7553ff0dea442286490145c3d0e89db59ba1299b0851e601cc324b5f7fd026414fc73755e8eff2ef5fb5eeb1c54a9e13e7c66dd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30802\select.pyd

Filesize
30KB

MD5
79ce1ae3a23dff6ed5fc66e6416600cd

SHA1
6204374d99144b0a26fd1d61940ff4f0d17c2212

SHA256
678e09ad44be42fa9bc9c7a18c25dbe995a59b6c36a13eecc09c0f02a647b6f0

SHA512
a4e48696788798a7d061c0ef620d40187850741c2bec357db0e37a2dd94d3a50f9f55ba75dc4d95e50946cbab78b84ba1fc42d51fd498640a231321566613daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30802\unicodedata.pyd

Filesize
1.1MB

MD5
b848e259fabaf32b4b3c980a0a12488d

SHA1
da2e864e18521c86c7d8968db74bb2b28e4c23e2

SHA256
c65073b65f107e471c9be3c699fb11f774e9a07581f41229582f7b2154b6fc3c

SHA512
4c6953504d1401fe0c74435bceebc5ec7bf8991fd42b659867a3529cee5cc64da54f1ab404e88160e747887a7409098f1a85a546bc40f12f0dde0025408f9e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\bsrtt.exe

Filesize
9.3MB

MD5
7be18f7881115b4b9fa5b19bc5da7e23

SHA1
838839f163f8cb146ef9078956fe9a733d096299

SHA256
e28e65b42f2596dc34c9845728e4ee6884d3e42b20397a9c4fcbe8cd63f8c193

SHA512
50e8ee8c98f151cce3e7ea6a1eb5952a97d49bac553cd684e9f4d2bc631d41a07186b3ea412f8704873b00098513408f08d3c3229a52ec36b5592238650dbff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tkstt.exe

Filesize
9.6MB

MD5
5dc53cbb8e11b7b2b4ea4711df467792

SHA1
a5adeb2f1d7086de7c5f0def8a579d276b7a0268

SHA256
403f67db8d434c6c9d12716139fb281317ca78dd29b5385331b977cd07d9cf4d

SHA512
b4c3a451011dfd593bd0317cb7a60191d17235bdf311b5f479c697a452a4463d2734007b810dca10e7c4d2fe2486d0ed814b955f01d5b7c6c6b4be4389dcc93c

Download Submit
memory/3012-11-0x0000000006EC0000-0x0000000007466000-memory.dmp

Filesize
5.6MB

Download
memory/3012-6-0x0000000005E30000-0x0000000005EA6000-memory.dmp

Filesize
472KB

Download
memory/3012-16-0x0000000074B20000-0x00000000752D1000-memory.dmp

Filesize
7.7MB

Download
memory/3012-15-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

Filesize
4KB

Download
memory/3012-14-0x00000000082C0000-0x00000000082DE000-memory.dmp

Filesize
120KB

Download
memory/3012-13-0x0000000074B20000-0x00000000752D1000-memory.dmp

Filesize
7.7MB

Download
memory/3012-179-0x0000000074B20000-0x00000000752D1000-memory.dmp

Filesize
7.7MB

Download
memory/3012-8-0x0000000006860000-0x0000000006882000-memory.dmp

Filesize
136KB

Download
memory/3012-7-0x0000000005EB0000-0x0000000005F16000-memory.dmp

Filesize
408KB

Download
memory/3012-0-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

Filesize
4KB

Download
memory/3012-5-0x0000000005D10000-0x0000000005D8A000-memory.dmp

Filesize
488KB

Download
memory/3012-4-0x0000000005BC0000-0x0000000005C52000-memory.dmp

Filesize
584KB

Download
memory/3012-3-0x0000000074B20000-0x00000000752D1000-memory.dmp

Filesize
7.7MB

Download
memory/3012-2-0x00000000057D0000-0x0000000005882000-memory.dmp

Filesize
712KB

Download
memory/3012-1-0x0000000000CB0000-0x0000000000D80000-memory.dmp

Filesize
832KB

Download
memory/3012-520-0x0000000009F00000-0x000000000A257000-memory.dmp

Filesize
3.3MB

Download
memory/3012-555-0x0000000074B20000-0x00000000752D1000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads