vidar | 017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455

Analysis

max time kernel
31s
max time network
56s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22-03-2024 15:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Win32.Evo-gen.1231.21474.exe
Size

5.5MB
MD5

2b74fd898c6ca79faa64f3d9cae268d4
SHA1

206353bb5b604968e4821e115748f9aa3df6a671
SHA256

017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455
SHA512

d7e7744acf93868df00ac8be04dd4f35dbd9ec984f69899fa815692b41911f3a7dc8d81d2f12ee72a6b945f83db21fc50665769da5d3fb205ef25b8ddd151ac7
SSDEEP

98304:QoxgTUyKDV4dn82Ytf6IkQHWmXneKPpfmncntCkHx+Ji3MLepmWr34Dfr:NyKx4dn82Ytyz1yNpfmn+tCux+8m9M4D

Score

10^/10

vidar evasion persistence stealer

Malware Config

Signatures

Detect Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral2/files/0x000800000002320d-12.dat	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	Miner.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.Win32.Evo-gen.1231.21474.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Payload.exe

Executes dropped EXE 5 IoCs

pid	Process
1956	Payload.exe
5020	build.exe
1380	Miner.exe
3296	Shortcutter.exe
1988	whrbuflqwhah.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
17	raw.githubusercontent.com
16	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	Miner.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1380 set thread context of 4040	1380	Miner.exe	123

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\build.exe	SecuriteInfo.com.Win32.Evo-gen.1231.21474.exe

Launches sc.exe 9 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1856	sc.exe
2684	sc.exe
3036	sc.exe
5032	sc.exe
4140	sc.exe
1160	sc.exe
3860	sc.exe
912	sc.exe
3404	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3168	5020	WerFault.exe	91

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1688	powershell.exe
3612	powershell.exe
1688	powershell.exe
3612	powershell.exe
1380	Miner.exe
832	powershell.exe
832	powershell.exe
832	powershell.exe
1380	Miner.exe
1380	Miner.exe
1380	Miner.exe
1380	Miner.exe
1380	Miner.exe
1380	Miner.exe
1380	Miner.exe
1380	Miner.exe
4040	dialer.exe
4040	dialer.exe
1380	Miner.exe
1380	Miner.exe
1380	Miner.exe
1380	Miner.exe
1988	whrbuflqwhah.exe
4040	dialer.exe
4040	dialer.exe
3912	powershell.exe
3912	powershell.exe
3912	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	3296	Shortcutter.exe
Token: SeDebugPrivilege	3612	powershell.exe
Token: SeDebugPrivilege	832	powershell.exe
Token: SeDebugPrivilege	4040	dialer.exe
Token: SeDebugPrivilege	3912	powershell.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1688	2036	SecuriteInfo.com.Win32.Evo-gen.1231.21474.exe	88
PID 2036 wrote to memory of 1688	2036	SecuriteInfo.com.Win32.Evo-gen.1231.21474.exe	88
PID 2036 wrote to memory of 1688	2036	SecuriteInfo.com.Win32.Evo-gen.1231.21474.exe	88
PID 2036 wrote to memory of 1956	2036	SecuriteInfo.com.Win32.Evo-gen.1231.21474.exe	90
PID 2036 wrote to memory of 1956	2036	SecuriteInfo.com.Win32.Evo-gen.1231.21474.exe	90
PID 2036 wrote to memory of 1956	2036	SecuriteInfo.com.Win32.Evo-gen.1231.21474.exe	90
PID 2036 wrote to memory of 5020	2036	SecuriteInfo.com.Win32.Evo-gen.1231.21474.exe	91
PID 2036 wrote to memory of 5020	2036	SecuriteInfo.com.Win32.Evo-gen.1231.21474.exe	91
PID 2036 wrote to memory of 5020	2036	SecuriteInfo.com.Win32.Evo-gen.1231.21474.exe	91
PID 1956 wrote to memory of 3612	1956	Payload.exe	92
PID 1956 wrote to memory of 3612	1956	Payload.exe	92
PID 1956 wrote to memory of 3612	1956	Payload.exe	92
PID 1956 wrote to memory of 1380	1956	Payload.exe	93
PID 1956 wrote to memory of 1380	1956	Payload.exe	93
PID 1956 wrote to memory of 3296	1956	Payload.exe	95
PID 1956 wrote to memory of 3296	1956	Payload.exe	95
PID 5060 wrote to memory of 4176	5060	cmd.exe	114
PID 5060 wrote to memory of 4176	5060	cmd.exe	114
PID 1380 wrote to memory of 4040	1380	Miner.exe	123
PID 1380 wrote to memory of 4040	1380	Miner.exe	123
PID 1380 wrote to memory of 4040	1380	Miner.exe	123
PID 1380 wrote to memory of 4040	1380	Miner.exe	123
PID 1380 wrote to memory of 4040	1380	Miner.exe	123
PID 1380 wrote to memory of 4040	1380	Miner.exe	123
PID 1380 wrote to memory of 4040	1380	Miner.exe	123
PID 4768 wrote to memory of 456	4768	cmd.exe	134
PID 4768 wrote to memory of 456	4768	cmd.exe	134
PID 4040 wrote to memory of 616	4040	dialer.exe	5
PID 4040 wrote to memory of 664	4040	dialer.exe	7
PID 4040 wrote to memory of 952	4040	dialer.exe	12
PID 4040 wrote to memory of 60	4040	dialer.exe	13
PID 4040 wrote to memory of 512	4040	dialer.exe	14
PID 4040 wrote to memory of 712	4040	dialer.exe	15
PID 664 wrote to memory of 2552	664	lsass.exe	46
PID 4040 wrote to memory of 1044	4040	dialer.exe	17

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:60

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:512

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1044

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.1231.21474.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.1231.21474.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AYgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAcwB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGwAagB5ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AcQBsACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- C:\Users\Admin\AppData\Roaming\Payload.exe
  "C:\Users\Admin\AppData\Roaming\Payload.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAZQBzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcQBoACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAZwBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAaABlACMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3612
- - C:\Users\Admin\AppData\Roaming\Miner.exe
    "C:\Users\Admin\AppData\Roaming\Miner.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1380
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5060
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:4176
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:1856
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:1160
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:3860
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:2684
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:3036
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4040
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "RYVSUJUA"
      4⤵
      Launches sc.exe
      PID:912
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "RYVSUJUA" binpath= "C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:5032
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:4140
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "RYVSUJUA"
      4⤵
      Launches sc.exe
      PID:3404
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Miner.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4768
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:456
- - C:\Users\Admin\AppData\Roaming\Shortcutter.exe
    "C:\Users\Admin\AppData\Roaming\Shortcutter.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3296
- C:\Windows\build.exe
  "C:\Windows\build.exe"
  2⤵
  - Executes dropped EXE
  PID:5020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 2248
    3⤵
    - Program crash
    PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5020 -ip 5020
1⤵
PID:1796

C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe
C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1988
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe

Filesize
192KB

MD5
fadbd44595711acd665faff49ca44c61

SHA1
15b9edadec922fb17c06025365eca9fa0cff52af

SHA256
f1ca5fdceea61f714916768376b518fa0e2ba0753a81dc054868e3cc7e4e24b1

SHA512
f8b71dc586f97752278c1eabbbfcb7e9990c538ac4ec6d14dd99b1158a43b009b1f539a287978a29af0d11000be4f100a8a8ca04e659352df818d8aa6599379f

Download Submit
C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe

Filesize
128KB

MD5
93ab58d4c8b6959ec301b92c56b6c638

SHA1
b57e8bb570b6fbd279c59956b22cdd112b990c42

SHA256
83e584148300c064c54eeca17498260c1769afec4d4f7a5fb6dd955f271999f6

SHA512
4ddeff69f9444789be3f00b9608deb83626d43553b905488eaceee28f9ef0abaa3d990c52e126a2c47bfd8cd9b51407c54e80fbc9ca3be58f99a3834a9743ac8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f5425197634af4a7f5e01c815c3c95fb

SHA1
9e77d72d51d0549fc24322316721ef4bb5236374

SHA256
3051d2b0064c9dca8df6cd5bc53732d310905201a8a65ba2e6e1ff3cfa82043b

SHA512
b622fe86f530582c9506068b5b894014c2809c432709d3d56664ec67772638eabb61b313bd2bc2dd06d41fe4165eb05451184418058133be22d7190525de45c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ez2rgoby.4sj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Miner.exe

Filesize
3.7MB

MD5
69dd7fc6de96b30dbc293f01aa689232

SHA1
8460812c8f95c4474bdfee5f6734b53b2259a22e

SHA256
67d30593d5f24a1eca202c3b80a203f8dd8e7f151ed9d7882ae9a54c0f79d00c

SHA512
9f83c31dee8d860bb3c10c02fca1806ad6482dd85bff4a7066f366043cca5fd02a2f7d2b68cfb47d5d18cb056193c8b6eb2912f96ed1e72553187436a1961659

Download Submit
C:\Users\Admin\AppData\Roaming\Miner.exe

Filesize
3.2MB

MD5
f24a499cd73233131d486be42235a46a

SHA1
e1e4d2dca9460eb23faf3ce248c1241430d08954

SHA256
7615c4f2de761f66ab9a22f0287f40952f336d9b890c106fccd67b28941ca3c7

SHA512
911dab21159e0ba373a8ab6438f5612cc27d55dfe469f1c94b9f4de0ad36e13414aa31b38a5aed65256680a6792a2918faaa8c201901dc9597150cff120d7678

Download Submit
C:\Users\Admin\AppData\Roaming\Miner.exe

Filesize
3.8MB

MD5
1babefaf50ebd686e9b768a768a1160c

SHA1
b055bc81cfb2a9d0d1037926bc11f21004d4cfc6

SHA256
5ddd2b118828432e92c32b9d26cefea0392677f4ac49aae1107fe8a129064947

SHA512
31b50eb92af3d44fcda1c52958c5c3edac04b617832f2b9bbf14470bd0e03bab944d150f3a3de4d0e7059036ab6046cc7924125e06b63fa7630c6228cd9f6182

Download Submit
C:\Users\Admin\AppData\Roaming\Payload.exe

Filesize
3.8MB

MD5
5980adf1f89441b453b70df5cd67db83

SHA1
e54fca8cd7a5af50bcb54c0e9c6115875e40089f

SHA256
801ff870a96da66c0efc606946a6d72e8d2be8f92b3645e95e4cb8648a5f04ab

SHA512
cb310882c765a7de0dbe3cd14218861ea8896a2d7edb4ac868a8d5cef2fe8e89dba5996df73216a6f096b915006b68205340db9e6bdd769e73475ae8d562dfee

Download Submit
C:\Users\Admin\AppData\Roaming\Payload.exe

Filesize
5.3MB

MD5
b59631e064541c8651576128708e50f9

SHA1
7aae996d4990f37a48288fa5f15a7889c3ff49b3

SHA256
4e5fcc788287580ed19402eadaab8c69ca5f0a904ead605153feb534bbe87002

SHA512
571a06f0ec88fe3697388195dd0a7f7e8d63945748855d928fb5005b51fd2c2baea1a63bd871ed0cfade5eabb879f577b7b04f9cd4d1222de52da641feee1f92

Download Submit
C:\Users\Admin\AppData\Roaming\Payload.exe

Filesize
3.9MB

MD5
566939f02e3974806305972ec72969a5

SHA1
127e73853246a33d809285d623e6cd572b3e9b18

SHA256
52d6b811744cc968dd5c48cd0f03a20ffefe5b1540c75a5b599f563cc0d39bd5

SHA512
df26c6d5643a105482404792d55c5755bf741a81722337cbd7847bab172d629fbfbb52f9a44744c3bda9c5ff89e33a8f32a4d3665e27b189bec42c26d979ef52

Download Submit
C:\Users\Admin\AppData\Roaming\Shortcutter.exe

Filesize
50KB

MD5
4ce8fc5016e97f84dadaf983cca845f2

SHA1
0d6fb5a16442cf393d5658a9f40d2501d8fd725c

SHA256
f4da7f22e8eb28cfd8ecb0c3fdc8923b2ba5c5e96b917cbcf53b6bbed1c22551

SHA512
4adeb4774ca136a085bc92cf6f02aa340f927ae12e1db90e8a2be69ef045611d333904ef5714c876ab03f8bcc52ee0140e724bd1659b9cf9eacf0a7d6a7bdd46

Download Submit
C:\Windows\build.exe

Filesize
188KB

MD5
ffe5ff4a06e3a7696484bbce8f3ade91

SHA1
af919d9b6b7abef80fb5c85498ffc5ec0c0ae394

SHA256
b256448e3219b2b7033b4c214c78b02db0d4e000f943fc98dffede3d8a6a7cf3

SHA512
bfeb89c2b5e7420d48879d010cfe2f4d587f1d43612fd3ab489988092d11dfd4796a306c5a4b8a6be8b78ebde2e0561bae3ee5e1d4a827aa43db8e13d55cc9a4

Download Submit
memory/60-167-0x00007FF844690000-0x00007FF8446A0000-memory.dmp

Filesize
64KB

Download
memory/60-164-0x0000017E4A310000-0x0000017E4A33B000-memory.dmp

Filesize
172KB

Download
memory/60-190-0x0000017E4A310000-0x0000017E4A33B000-memory.dmp

Filesize
172KB

Download
memory/512-171-0x0000026C2DD30000-0x0000026C2DD5B000-memory.dmp

Filesize
172KB

Download
memory/512-197-0x0000026C2DD30000-0x0000026C2DD5B000-memory.dmp

Filesize
172KB

Download
memory/512-182-0x00007FF844690000-0x00007FF8446A0000-memory.dmp

Filesize
64KB

Download
memory/616-163-0x0000013FD5900000-0x0000013FD592B000-memory.dmp

Filesize
172KB

Download
memory/616-150-0x0000013FD58D0000-0x0000013FD58F4000-memory.dmp

Filesize
144KB

Download
memory/616-154-0x00007FF844690000-0x00007FF8446A0000-memory.dmp

Filesize
64KB

Download
memory/616-151-0x0000013FD5900000-0x0000013FD592B000-memory.dmp

Filesize
172KB

Download
memory/616-185-0x00007FF8846AD000-0x00007FF8846AE000-memory.dmp

Filesize
4KB

Download
memory/664-186-0x00000298E8EA0000-0x00000298E8ECB000-memory.dmp

Filesize
172KB

Download
memory/664-155-0x00000298E8EA0000-0x00000298E8ECB000-memory.dmp

Filesize
172KB

Download
memory/664-159-0x00007FF844690000-0x00007FF8446A0000-memory.dmp

Filesize
64KB

Download
memory/712-202-0x000001F2831B0000-0x000001F2831DB000-memory.dmp

Filesize
172KB

Download
memory/712-191-0x000001F2831B0000-0x000001F2831DB000-memory.dmp

Filesize
172KB

Download
memory/712-194-0x00007FF844690000-0x00007FF8446A0000-memory.dmp

Filesize
64KB

Download
memory/832-119-0x00007FF8665B0000-0x00007FF867071000-memory.dmp

Filesize
10.8MB

Download
memory/832-120-0x00000276459B0000-0x00000276459C0000-memory.dmp

Filesize
64KB

Download
memory/832-126-0x0000027645970000-0x0000027645992000-memory.dmp

Filesize
136KB

Download
memory/832-134-0x00007FF8665B0000-0x00007FF867071000-memory.dmp

Filesize
10.8MB

Download
memory/952-162-0x0000026A805E0000-0x0000026A8060B000-memory.dmp

Filesize
172KB

Download
memory/952-166-0x00007FF844690000-0x00007FF8446A0000-memory.dmp

Filesize
64KB

Download
memory/952-187-0x0000026A805E0000-0x0000026A8060B000-memory.dmp

Filesize
172KB

Download
memory/952-193-0x00007FF8846AC000-0x00007FF8846AD000-memory.dmp

Filesize
4KB

Download
memory/1044-206-0x00000129F0990000-0x00000129F09BB000-memory.dmp

Filesize
172KB

Download
memory/1044-199-0x00007FF844690000-0x00007FF8446A0000-memory.dmp

Filesize
64KB

Download
memory/1044-196-0x00000129F0990000-0x00000129F09BB000-memory.dmp

Filesize
172KB

Download
memory/1096-203-0x00007FF844690000-0x00007FF8446A0000-memory.dmp

Filesize
64KB

Download
memory/1096-209-0x000001FEB7170000-0x000001FEB719B000-memory.dmp

Filesize
172KB

Download
memory/1096-200-0x000001FEB7170000-0x000001FEB719B000-memory.dmp

Filesize
172KB

Download
memory/1112-205-0x00007FF844690000-0x00007FF8446A0000-memory.dmp

Filesize
64KB

Download
memory/1112-210-0x000001EB3F7B0000-0x000001EB3F7DB000-memory.dmp

Filesize
172KB

Download
memory/1112-201-0x000001EB3F7B0000-0x000001EB3F7DB000-memory.dmp

Filesize
172KB

Download
memory/1132-216-0x000001B7940B0000-0x000001B7940DB000-memory.dmp

Filesize
172KB

Download
memory/1132-213-0x00007FF844690000-0x00007FF8446A0000-memory.dmp

Filesize
64KB

Download
memory/1132-212-0x000001B7940B0000-0x000001B7940DB000-memory.dmp

Filesize
172KB

Download
memory/1256-219-0x0000025102BC0000-0x0000025102BEB000-memory.dmp

Filesize
172KB

Download
memory/1256-221-0x00007FF844690000-0x00007FF8446A0000-memory.dmp

Filesize
64KB

Download
memory/1276-223-0x000001ABDB500000-0x000001ABDB52B000-memory.dmp

Filesize
172KB

Download
memory/1276-227-0x000001ABDB500000-0x000001ABDB52B000-memory.dmp

Filesize
172KB

Download
memory/1276-226-0x00007FF844690000-0x00007FF8446A0000-memory.dmp

Filesize
64KB

Download
memory/1328-229-0x00007FF844690000-0x00007FF8446A0000-memory.dmp

Filesize
64KB

Download
memory/1328-225-0x000001E6EBC50000-0x000001E6EBC7B000-memory.dmp

Filesize
172KB

Download
memory/1328-230-0x000001E6EBC50000-0x000001E6EBC7B000-memory.dmp

Filesize
172KB

Download
memory/1428-231-0x000001F58DD90000-0x000001F58DDBB000-memory.dmp

Filesize
172KB

Download
memory/1436-239-0x000001FFA8490000-0x000001FFA84BB000-memory.dmp

Filesize
172KB

Download
memory/1688-70-0x0000000006860000-0x0000000006892000-memory.dmp

Filesize
200KB

Download
memory/1688-16-0x0000000002CA0000-0x0000000002CD6000-memory.dmp

Filesize
216KB

Download
memory/1688-94-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/1688-39-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/1688-98-0x00000000075C0000-0x00000000075DA000-memory.dmp

Filesize
104KB

Download
memory/1688-73-0x0000000070D00000-0x0000000070D4C000-memory.dmp

Filesize
304KB

Download
memory/1688-36-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/1688-23-0x00000000054E0000-0x0000000005B08000-memory.dmp

Filesize
6.2MB

Download
memory/1688-99-0x0000000007630000-0x000000000763A000-memory.dmp

Filesize
40KB

Download
memory/1688-41-0x00000000053D0000-0x00000000053F2000-memory.dmp

Filesize
136KB

Download
memory/1688-18-0x0000000073C70000-0x0000000074420000-memory.dmp

Filesize
7.7MB

Download
memory/1688-43-0x0000000005C10000-0x0000000005C76000-memory.dmp

Filesize
408KB

Download
memory/1688-114-0x0000000073C70000-0x0000000074420000-memory.dmp

Filesize
7.7MB

Download
memory/1688-71-0x000000007EE90000-0x000000007EEA0000-memory.dmp

Filesize
64KB

Download
memory/1688-54-0x0000000005D80000-0x0000000005DE6000-memory.dmp

Filesize
408KB

Download
memory/1688-108-0x0000000007840000-0x0000000007848000-memory.dmp

Filesize
32KB

Download
memory/1688-107-0x00000000078F0000-0x000000000790A000-memory.dmp

Filesize
104KB

Download
memory/1688-68-0x0000000006290000-0x00000000062AE000-memory.dmp

Filesize
120KB

Download
memory/1688-57-0x0000000005DF0000-0x0000000006144000-memory.dmp

Filesize
3.3MB

Download
memory/1688-105-0x0000000007800000-0x000000000780E000-memory.dmp

Filesize
56KB

Download
memory/1688-104-0x00000000077C0000-0x00000000077D1000-memory.dmp

Filesize
68KB

Download
memory/3296-49-0x00000232B6360000-0x00000232B6370000-memory.dmp

Filesize
64KB

Download
memory/3296-42-0x00007FF8665B0000-0x00007FF867071000-memory.dmp

Filesize
10.8MB

Download
memory/3296-40-0x000002329BD00000-0x000002329BD12000-memory.dmp

Filesize
72KB

Download
memory/3296-156-0x00000232B6360000-0x00000232B6370000-memory.dmp

Filesize
64KB

Download
memory/3296-153-0x00007FF8665B0000-0x00007FF867071000-memory.dmp

Filesize
10.8MB

Download
memory/3612-56-0x0000000004650000-0x0000000004660000-memory.dmp

Filesize
64KB

Download
memory/3612-106-0x0000000006F90000-0x0000000006FA4000-memory.dmp

Filesize
80KB

Download
memory/3612-95-0x0000000006A00000-0x0000000006AA3000-memory.dmp

Filesize
652KB

Download
memory/3612-96-0x0000000004650000-0x0000000004660000-memory.dmp

Filesize
64KB

Download
memory/3612-72-0x0000000070D00000-0x0000000070D4C000-memory.dmp

Filesize
304KB

Download
memory/3612-83-0x0000000005FB0000-0x0000000005FCE000-memory.dmp

Filesize
120KB

Download
memory/3612-97-0x0000000007380000-0x00000000079FA000-memory.dmp

Filesize
6.5MB

Download
memory/3612-69-0x0000000005A30000-0x0000000005A7C000-memory.dmp

Filesize
304KB

Download
memory/3612-103-0x0000000006FD0000-0x0000000007066000-memory.dmp

Filesize
600KB

Download
memory/3612-58-0x0000000073C70000-0x0000000074420000-memory.dmp

Filesize
7.7MB

Download
memory/3612-115-0x0000000073C70000-0x0000000074420000-memory.dmp

Filesize
7.7MB

Download
memory/3612-84-0x000000007F580000-0x000000007F590000-memory.dmp

Filesize
64KB

Download
memory/3612-55-0x0000000004650000-0x0000000004660000-memory.dmp

Filesize
64KB

Download
memory/3912-252-0x00007FF8665B0000-0x00007FF867071000-memory.dmp

Filesize
10.8MB

Download
memory/3912-169-0x00007FF8665B0000-0x00007FF867071000-memory.dmp

Filesize
10.8MB

Download
memory/3912-172-0x00000143AE830000-0x00000143AE840000-memory.dmp

Filesize
64KB

Download
memory/3912-183-0x00000143AE830000-0x00000143AE840000-memory.dmp

Filesize
64KB

Download
memory/3912-251-0x00000143AEBB0000-0x00000143AEBCC000-memory.dmp

Filesize
112KB

Download
memory/4040-138-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4040-145-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4040-139-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4040-143-0x00007FF883C50000-0x00007FF883D0E000-memory.dmp

Filesize
760KB

Download
memory/4040-142-0x00007FF884610000-0x00007FF884805000-memory.dmp

Filesize
2.0MB

Download
memory/4040-141-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4040-137-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4040-136-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download