djvu | 6aae67d87cd2ef23c4b9265c8e83db5142f00154e66e47b1e54219cea794682b

Analysis

max time kernel
126s
max time network
135s
platform
windows10_x64
resource
win10-en-20211014
submitted
19-10-2021 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c81d1895f7472cec079c7f12419feaf0.exe
Size

820KB
MD5

c81d1895f7472cec079c7f12419feaf0
SHA1

729557420c331200cbad77b7f98a0f5841933a63
SHA256

6aae67d87cd2ef23c4b9265c8e83db5142f00154e66e47b1e54219cea794682b
SHA512

9fbb32e99b3a321f5c5ea1c2bea24249ca5b335514f3f6a70342609932a45aab324d71030febbd18b0aa6d63698146a384ba37da17f7a84d4018ab48660d52cc

Score

10^/10

djvu vidar 517 discovery persistence ransomware spyware stealer suricata

Malware Config

Extracted

Family

vidar

Version

41.3

Botnet

517

https://mas.to/@oleg98

Attributes

profile_id
517

Extracted

Family

djvu

http://rlrz.org/fhsgtsspen6

Signatures

Detected Djvu ransomware 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2068-116-0x0000000004AB0000-0x0000000004BCB000-memory.dmp	family_djvu
behavioral2/memory/1060-117-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1060-118-0x0000000000424141-mapping.dmp	family_djvu
behavioral2/memory/1060-119-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3292-125-0x0000000000424141-mapping.dmp	family_djvu
behavioral2/memory/3292-130-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata

Vidar Stealer 4 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/188-135-0x0000000000400000-0x00000000004D9000-memory.dmp	family_vidar
behavioral2/memory/188-136-0x00000000004A192D-mapping.dmp	family_vidar
behavioral2/memory/188-139-0x0000000000400000-0x00000000004D9000-memory.dmp	family_vidar
behavioral2/memory/3952-138-0x00000000033E0000-0x00000000034B6000-memory.dmp	family_vidar

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

build2.exebuild2.exebuild3.exebuild3.exe

pid process

3952 build2.exe
188 build2.exe
2488 build3.exe
1740 build3.exe
Loads dropped DLL 2 IoCs

Processes:

build2.exe

pid process

188 build2.exe
188 build2.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

908 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3952	build2.exe
188	build2.exe
2488	build3.exe
1740	build3.exe

pid	process
188	build2.exe
188	build2.exe

pid	process
908	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c81d1895f7472cec079c7f12419feaf0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f708d81e-f173-4e0e-b5ad-06d497c5dfaf\\c81d1895f7472cec079c7f12419feaf0.exe\" --AutoStart"	c81d1895f7472cec079c7f12419feaf0.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 api.2ip.ua
9 api.2ip.ua
20 api.2ip.ua

flow	ioc
8	api.2ip.ua
9	api.2ip.ua
20	api.2ip.ua

Suspicious use of SetThreadContext 4 IoCs

Processes:

c81d1895f7472cec079c7f12419feaf0.exec81d1895f7472cec079c7f12419feaf0.exebuild2.exebuild3.exe

description	pid	process	target process
PID 2068 set thread context of 1060	2068	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 3948 set thread context of 3292	3948	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 3952 set thread context of 188	3952	build2.exe	build2.exe
PID 2488 set thread context of 1740	2488	build3.exe	build3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

build2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1564 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1996 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2400 taskkill.exe

pid	process
1564	schtasks.exe

pid	process
1996	timeout.exe

pid	process
2400	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

c81d1895f7472cec079c7f12419feaf0.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	c81d1895f7472cec079c7f12419feaf0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	c81d1895f7472cec079c7f12419feaf0.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

c81d1895f7472cec079c7f12419feaf0.exec81d1895f7472cec079c7f12419feaf0.exebuild2.exe

pid	process
1060	c81d1895f7472cec079c7f12419feaf0.exe
1060	c81d1895f7472cec079c7f12419feaf0.exe
3292	c81d1895f7472cec079c7f12419feaf0.exe
3292	c81d1895f7472cec079c7f12419feaf0.exe
188	build2.exe
188	build2.exe
188	build2.exe
188	build2.exe
188	build2.exe
188	build2.exe
188	build2.exe
188	build2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 2400 taskkill.exe

description	pid	process
Token: SeDebugPrivilege	2400	taskkill.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

c81d1895f7472cec079c7f12419feaf0.exec81d1895f7472cec079c7f12419feaf0.exec81d1895f7472cec079c7f12419feaf0.exec81d1895f7472cec079c7f12419feaf0.exebuild2.exebuild3.exebuild3.exebuild2.execmd.exe

description	pid	process	target process
PID 2068 wrote to memory of 1060	2068	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 2068 wrote to memory of 1060	2068	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 2068 wrote to memory of 1060	2068	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 2068 wrote to memory of 1060	2068	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 2068 wrote to memory of 1060	2068	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 2068 wrote to memory of 1060	2068	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 2068 wrote to memory of 1060	2068	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 2068 wrote to memory of 1060	2068	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 2068 wrote to memory of 1060	2068	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 2068 wrote to memory of 1060	2068	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 1060 wrote to memory of 908	1060	c81d1895f7472cec079c7f12419feaf0.exe	icacls.exe
PID 1060 wrote to memory of 908	1060	c81d1895f7472cec079c7f12419feaf0.exe	icacls.exe
PID 1060 wrote to memory of 908	1060	c81d1895f7472cec079c7f12419feaf0.exe	icacls.exe
PID 1060 wrote to memory of 3948	1060	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 1060 wrote to memory of 3948	1060	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 1060 wrote to memory of 3948	1060	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 3948 wrote to memory of 3292	3948	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 3948 wrote to memory of 3292	3948	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 3948 wrote to memory of 3292	3948	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 3948 wrote to memory of 3292	3948	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 3948 wrote to memory of 3292	3948	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 3948 wrote to memory of 3292	3948	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 3948 wrote to memory of 3292	3948	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 3948 wrote to memory of 3292	3948	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 3948 wrote to memory of 3292	3948	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 3948 wrote to memory of 3292	3948	c81d1895f7472cec079c7f12419feaf0.exe	c81d1895f7472cec079c7f12419feaf0.exe
PID 3292 wrote to memory of 3952	3292	c81d1895f7472cec079c7f12419feaf0.exe	build2.exe
PID 3292 wrote to memory of 3952	3292	c81d1895f7472cec079c7f12419feaf0.exe	build2.exe
PID 3292 wrote to memory of 3952	3292	c81d1895f7472cec079c7f12419feaf0.exe	build2.exe
PID 3952 wrote to memory of 188	3952	build2.exe	build2.exe
PID 3952 wrote to memory of 188	3952	build2.exe	build2.exe
PID 3952 wrote to memory of 188	3952	build2.exe	build2.exe
PID 3952 wrote to memory of 188	3952	build2.exe	build2.exe
PID 3952 wrote to memory of 188	3952	build2.exe	build2.exe
PID 3952 wrote to memory of 188	3952	build2.exe	build2.exe
PID 3952 wrote to memory of 188	3952	build2.exe	build2.exe
PID 3952 wrote to memory of 188	3952	build2.exe	build2.exe
PID 3292 wrote to memory of 2488	3292	c81d1895f7472cec079c7f12419feaf0.exe	build3.exe
PID 3292 wrote to memory of 2488	3292	c81d1895f7472cec079c7f12419feaf0.exe	build3.exe
PID 3292 wrote to memory of 2488	3292	c81d1895f7472cec079c7f12419feaf0.exe	build3.exe
PID 2488 wrote to memory of 1740	2488	build3.exe	build3.exe
PID 2488 wrote to memory of 1740	2488	build3.exe	build3.exe
PID 2488 wrote to memory of 1740	2488	build3.exe	build3.exe
PID 2488 wrote to memory of 1740	2488	build3.exe	build3.exe
PID 2488 wrote to memory of 1740	2488	build3.exe	build3.exe
PID 2488 wrote to memory of 1740	2488	build3.exe	build3.exe
PID 2488 wrote to memory of 1740	2488	build3.exe	build3.exe
PID 2488 wrote to memory of 1740	2488	build3.exe	build3.exe
PID 2488 wrote to memory of 1740	2488	build3.exe	build3.exe
PID 1740 wrote to memory of 1564	1740	build3.exe	schtasks.exe
PID 1740 wrote to memory of 1564	1740	build3.exe	schtasks.exe
PID 1740 wrote to memory of 1564	1740	build3.exe	schtasks.exe
PID 188 wrote to memory of 1156	188	build2.exe	cmd.exe
PID 188 wrote to memory of 1156	188	build2.exe	cmd.exe
PID 188 wrote to memory of 1156	188	build2.exe	cmd.exe
PID 1156 wrote to memory of 2400	1156	cmd.exe	taskkill.exe
PID 1156 wrote to memory of 2400	1156	cmd.exe	taskkill.exe
PID 1156 wrote to memory of 2400	1156	cmd.exe	taskkill.exe
PID 1156 wrote to memory of 1996	1156	cmd.exe	timeout.exe
PID 1156 wrote to memory of 1996	1156	cmd.exe	timeout.exe
PID 1156 wrote to memory of 1996	1156	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\c81d1895f7472cec079c7f12419feaf0.exe
"C:\Users\Admin\AppData\Local\Temp\c81d1895f7472cec079c7f12419feaf0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2068

C:\Users\Admin\AppData\Local\Temp\c81d1895f7472cec079c7f12419feaf0.exe
"C:\Users\Admin\AppData\Local\Temp\c81d1895f7472cec079c7f12419feaf0.exe"
2⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\f708d81e-f173-4e0e-b5ad-06d497c5dfaf" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:908

C:\Users\Admin\AppData\Local\Temp\c81d1895f7472cec079c7f12419feaf0.exe
"C:\Users\Admin\AppData\Local\Temp\c81d1895f7472cec079c7f12419feaf0.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3948

C:\Users\Admin\AppData\Local\Temp\c81d1895f7472cec079c7f12419feaf0.exe
"C:\Users\Admin\AppData\Local\Temp\c81d1895f7472cec079c7f12419feaf0.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3292

C:\Users\Admin\AppData\Local\373724ba-c062-4390-9905-90799aa567de\build2.exe
"C:\Users\Admin\AppData\Local\373724ba-c062-4390-9905-90799aa567de\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3952

C:\Users\Admin\AppData\Local\373724ba-c062-4390-9905-90799aa567de\build2.exe
"C:\Users\Admin\AppData\Local\373724ba-c062-4390-9905-90799aa567de\build2.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:188

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\373724ba-c062-4390-9905-90799aa567de\build2.exe" & del C:\ProgramData\*.dll & exit
7⤵
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\SysWOW64\taskkill.exe
taskkill /im build2.exe /f
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:1996

C:\Users\Admin\AppData\Local\373724ba-c062-4390-9905-90799aa567de\build3.exe
"C:\Users\Admin\AppData\Local\373724ba-c062-4390-9905-90799aa567de\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2488

C:\Users\Admin\AppData\Local\373724ba-c062-4390-9905-90799aa567de\build3.exe
"C:\Users\Admin\AppData\Local\373724ba-c062-4390-9905-90799aa567de\build3.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- Creates scheduled task(s)
PID:1564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
3183751859498c44f6d0ee8e2aab2c17

SHA1
3948927d001256209b5e4b25003c3c4ccb9ad6bc

SHA256
fd7b40ffbaccd347c4daa2d0530a3b74114fcb55c78423d67750a8be92c70a28

SHA512
88de4b4c2818650f7080a9afdcbe8764f1604bbf77f08f2ce286beb5a00e6cb30352f6180f64e7b5d9790a1e5ebefde6e62d8221e55228942d5652a1e0cd4fa6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
98a2414b3a6062f69b5e91e8ef853e60

SHA1
a7c76d8cc77cc535d73bc6b0ee4f64527572145d

SHA256
cea0b3398c3a6ac31f4582a21afb131878dfd3e489d101af94fd3d682000dba3

SHA512
d186ac4f87a04cc56d2a120d1aa7d96f1574ac7353a7d8b237452260f11a3ebfadb556eb46ee894c75ae1bdc6dae480599c6109eb25873074546847d158dddda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
dfb909eacfd71feada81d60f6328d0de

SHA1
50135dbdd56568d56627854f69bf4acde78625ee

SHA256
85889f28da18c3f43988fa269aa0ac979cb08c787639957c663392ec7ac4cd33

SHA512
979f7ceb7e092753d1fe37186917eb846d5878877096ae3848d8c6a267a899da0f959910b1b024277e6181e5658773177ffbedcbbfd02834aeb18563cdfa739e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
e5b95e79a31323a7b39c2116df264a7b

SHA1
da12e2e2cf60bd2c0627a32a8180293afbd3dfb4

SHA256
9bc5a0105f726592565eb96da0c345b5c377a95f40bbad4db4a9ee8724a86d2c

SHA512
3900ad9ea95c6f9e3b1b53bb3bb77430253c6342a79ca1a6ac9380c0e7c069213339a0df343491fa0624d5464c3241f79ff2d3424c7e6511a93d774d69f285b8

Download Submit
C:\Users\Admin\AppData\Local\373724ba-c062-4390-9905-90799aa567de\build2.exe
MD5
673a786d98cb5709caaf1797142e0e6e

SHA1
4e2abf2aa7c9418a34815dc02c272a859eea23a6

SHA256
b115531ef23c109fb58c392379b7f55eff11169e1317b263da60edd9ac98f6b1

SHA512
83fcccd08944e8c578482a945d38f756ef7cb959d6796c3830fb3e582205c5924b7bb1fb495aaffeacb2f7ac838730e5e7c01e6dcce54ea624be98635b3e3044

Download Submit
C:\Users\Admin\AppData\Local\373724ba-c062-4390-9905-90799aa567de\build2.exe
MD5
673a786d98cb5709caaf1797142e0e6e

SHA1
4e2abf2aa7c9418a34815dc02c272a859eea23a6

SHA256
b115531ef23c109fb58c392379b7f55eff11169e1317b263da60edd9ac98f6b1

SHA512
83fcccd08944e8c578482a945d38f756ef7cb959d6796c3830fb3e582205c5924b7bb1fb495aaffeacb2f7ac838730e5e7c01e6dcce54ea624be98635b3e3044

Download Submit
C:\Users\Admin\AppData\Local\373724ba-c062-4390-9905-90799aa567de\build2.exe
MD5
673a786d98cb5709caaf1797142e0e6e

SHA1
4e2abf2aa7c9418a34815dc02c272a859eea23a6

SHA256
b115531ef23c109fb58c392379b7f55eff11169e1317b263da60edd9ac98f6b1

SHA512
83fcccd08944e8c578482a945d38f756ef7cb959d6796c3830fb3e582205c5924b7bb1fb495aaffeacb2f7ac838730e5e7c01e6dcce54ea624be98635b3e3044

Download Submit
C:\Users\Admin\AppData\Local\373724ba-c062-4390-9905-90799aa567de\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Local\373724ba-c062-4390-9905-90799aa567de\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Local\373724ba-c062-4390-9905-90799aa567de\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Local\f708d81e-f173-4e0e-b5ad-06d497c5dfaf\c81d1895f7472cec079c7f12419feaf0.exe
MD5
c81d1895f7472cec079c7f12419feaf0

SHA1
729557420c331200cbad77b7f98a0f5841933a63

SHA256
6aae67d87cd2ef23c4b9265c8e83db5142f00154e66e47b1e54219cea794682b

SHA512
9fbb32e99b3a321f5c5ea1c2bea24249ca5b335514f3f6a70342609932a45aab324d71030febbd18b0aa6d63698146a384ba37da17f7a84d4018ab48660d52cc

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
memory/188-139-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/188-136-0x00000000004A192D-mapping.dmp

Download
memory/188-135-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/908-120-0x0000000000000000-mapping.dmp

Download
memory/1060-119-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1060-118-0x0000000000424141-mapping.dmp

Download
memory/1060-117-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1156-152-0x0000000000000000-mapping.dmp

Download
memory/1564-149-0x0000000000000000-mapping.dmp

Download
memory/1740-151-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1740-147-0x0000000000401AFA-mapping.dmp

Download
memory/1740-146-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1996-154-0x0000000000000000-mapping.dmp

Download
memory/2068-115-0x0000000004A16000-0x0000000004AA7000-memory.dmp

Filesize
580KB

Download
memory/2068-116-0x0000000004AB0000-0x0000000004BCB000-memory.dmp

Filesize
1.1MB

Download
memory/2400-153-0x0000000000000000-mapping.dmp

Download
memory/2488-150-0x0000000003380000-0x00000000034CA000-memory.dmp

Filesize
1.3MB

Download
memory/2488-140-0x0000000000000000-mapping.dmp

Download
memory/3292-125-0x0000000000424141-mapping.dmp

Download
memory/3292-130-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3948-123-0x0000000004AA0000-0x0000000004B31000-memory.dmp

Filesize
580KB

Download
memory/3948-122-0x0000000000000000-mapping.dmp

Download
memory/3952-138-0x00000000033E0000-0x00000000034B6000-memory.dmp

Filesize
856KB

Download
memory/3952-134-0x0000000001956000-0x00000000019D2000-memory.dmp

Filesize
496KB

Download
memory/3952-131-0x0000000000000000-mapping.dmp

Download