vidar | 017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455

Analysis

max time kernel
120s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-03-2024 02:00

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe
Size

5.5MB
MD5

2b74fd898c6ca79faa64f3d9cae268d4
SHA1

206353bb5b604968e4821e115748f9aa3df6a671
SHA256

017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455
SHA512

d7e7744acf93868df00ac8be04dd4f35dbd9ec984f69899fa815692b41911f3a7dc8d81d2f12ee72a6b945f83db21fc50665769da5d3fb205ef25b8ddd151ac7
SSDEEP

98304:QoxgTUyKDV4dn82Ytf6IkQHWmXneKPpfmncntCkHx+Ji3MLepmWr34Dfr:NyKx4dn82Ytyz1yNpfmn+tCux+8m9M4D

Score

10^/10

vidar d165eae423b0d6c5abd85327c20d845d evasion persistence stealer

Malware Config

Extracted

Family

vidar

Version

8.4

Botnet

d165eae423b0d6c5abd85327c20d845d

https://steamcommunity.com/profiles/76561199654112719

https://t.me/r2d0s

Attributes

profile_id_v2
d165eae423b0d6c5abd85327c20d845d
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0

Signatures

Detect Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral2/files/0x000700000002324e-14.dat	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Detects Windows executables referencing non-Windows User-Agents 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002324e-14.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002324e-14.dat	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	Miner.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Payload.exe

Executes dropped EXE 5 IoCs

pid	Process
3964	Payload.exe
4672	build.exe
2252	Miner.exe
112	Shortcutter.exe
4812	whrbuflqwhah.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
29	raw.githubusercontent.com
30	raw.githubusercontent.com

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\MRT.exe	Miner.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2252 set thread context of 4876	2252	Miner.exe	128

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\build.exe	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe

Launches sc.exe 9 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2692	sc.exe
440	sc.exe
3392	sc.exe
3836	sc.exe
1668	sc.exe
4680	sc.exe
1444	sc.exe
224	sc.exe
320	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2248	4672	WerFault.exe	103

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 58 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2700	powershell.exe
2700	powershell.exe
408	powershell.exe
408	powershell.exe
2700	powershell.exe
408	powershell.exe
2252	Miner.exe
3168	powershell.exe
3168	powershell.exe
3168	powershell.exe
2252	Miner.exe
2252	Miner.exe
2252	Miner.exe
2252	Miner.exe
2252	Miner.exe
2252	Miner.exe
2252	Miner.exe
2252	Miner.exe
4876	dialer.exe
4876	dialer.exe
2252	Miner.exe
2252	Miner.exe
2252	Miner.exe
2252	Miner.exe
4812	whrbuflqwhah.exe
4876	dialer.exe
4876	dialer.exe
3508	powershell.exe
3508	powershell.exe
3508	powershell.exe
2132	svchost.exe
2132	svchost.exe
2132	svchost.exe
2132	svchost.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
5876	Process not Found
3140	Process not Found
1984	Process not Found
5908	Process not Found
5752	Process not Found
4048	Process not Found
636	Process not Found
1932	Process not Found
3908	Process not Found
4832	Process not Found
5916	Process not Found
3288	Process not Found
660	Process not Found
1320	Process not Found
860	Process not Found
1368	Process not Found
1228	Process not Found
6024	Process not Found
1248	Process not Found
4852	Process not Found
6072	Process not Found
440	Process not Found
808	Process not Found
5384	Process not Found
5304	Process not Found
1508	Process not Found
6104	Process not Found
5912	Process not Found
6136	Process not Found
6080	Process not Found
4072	Process not Found
3972	Process not Found
4116	Process not Found
4192	Process not Found
4216	Process not Found
4212	Process not Found
4248	Process not Found
4756	Process not Found
4336	Process not Found
3464	Process not Found
4352	Process not Found
4816	Process not Found
4836	Process not Found
232	Process not Found
5144	Process not Found
848	Process not Found
4668	Process not Found
3092	Process not Found
6120	Process not Found
2624	Process not Found
2768	Process not Found
5948	Process not Found
4428	Process not Found
6108	Process not Found
4168	Process not Found
3552	Process not Found
4844	Process not Found
3832	Process not Found
1576	smss.exe
720	Process not Found
4000	Process not Found
5340	Process not Found
736	Process not Found
3864	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	112	Shortcutter.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	408	powershell.exe
Token: SeDebugPrivilege	3168	powershell.exe
Token: SeDebugPrivilege	4876	dialer.exe
Token: SeShutdownPrivilege	376	dwm.exe
Token: SeCreatePagefilePrivilege	376	dwm.exe
Token: SeDebugPrivilege	3508	powershell.exe
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege	2676	svchost.exe
Token: SeIncreaseQuotaPrivilege	2676	svchost.exe
Token: SeSecurityPrivilege	2676	svchost.exe
Token: SeTakeOwnershipPrivilege	2676	svchost.exe
Token: SeLoadDriverPrivilege	2676	svchost.exe
Token: SeSystemtimePrivilege	2676	svchost.exe
Token: SeBackupPrivilege	2676	svchost.exe
Token: SeRestorePrivilege	2676	svchost.exe
Token: SeShutdownPrivilege	2676	svchost.exe
Token: SeSystemEnvironmentPrivilege	2676	svchost.exe
Token: SeUndockPrivilege	2676	svchost.exe
Token: SeManageVolumePrivilege	2676	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2676	svchost.exe
Token: SeIncreaseQuotaPrivilege	2676	svchost.exe
Token: SeSecurityPrivilege	2676	svchost.exe
Token: SeTakeOwnershipPrivilege	2676	svchost.exe
Token: SeLoadDriverPrivilege	2676	svchost.exe
Token: SeSystemtimePrivilege	2676	svchost.exe
Token: SeBackupPrivilege	2676	svchost.exe
Token: SeRestorePrivilege	2676	svchost.exe
Token: SeShutdownPrivilege	2676	svchost.exe
Token: SeSystemEnvironmentPrivilege	2676	svchost.exe
Token: SeUndockPrivilege	2676	svchost.exe
Token: SeManageVolumePrivilege	2676	svchost.exe
Token: SeAuditPrivilege	2588	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2676	svchost.exe
Token: SeIncreaseQuotaPrivilege	2676	svchost.exe
Token: SeSecurityPrivilege	2676	svchost.exe
Token: SeTakeOwnershipPrivilege	2676	svchost.exe
Token: SeLoadDriverPrivilege	2676	svchost.exe
Token: SeSystemtimePrivilege	2676	svchost.exe
Token: SeBackupPrivilege	2676	svchost.exe
Token: SeRestorePrivilege	2676	svchost.exe
Token: SeShutdownPrivilege	2676	svchost.exe
Token: SeSystemEnvironmentPrivilege	2676	svchost.exe
Token: SeUndockPrivilege	2676	svchost.exe
Token: SeManageVolumePrivilege	2676	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2676	svchost.exe
Token: SeIncreaseQuotaPrivilege	2676	svchost.exe
Token: SeSecurityPrivilege	2676	svchost.exe
Token: SeTakeOwnershipPrivilege	2676	svchost.exe
Token: SeLoadDriverPrivilege	2676	svchost.exe
Token: SeSystemtimePrivilege	2676	svchost.exe
Token: SeBackupPrivilege	2676	svchost.exe
Token: SeRestorePrivilege	2676	svchost.exe
Token: SeShutdownPrivilege	2676	svchost.exe
Token: SeSystemEnvironmentPrivilege	2676	svchost.exe
Token: SeUndockPrivilege	2676	svchost.exe
Token: SeManageVolumePrivilege	2676	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2676	svchost.exe
Token: SeIncreaseQuotaPrivilege	2676	svchost.exe
Token: SeSecurityPrivilege	2676	svchost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
764	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 2700	1876	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe	100
PID 1876 wrote to memory of 2700	1876	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe	100
PID 1876 wrote to memory of 2700	1876	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe	100
PID 1876 wrote to memory of 3964	1876	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe	102
PID 1876 wrote to memory of 3964	1876	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe	102
PID 1876 wrote to memory of 3964	1876	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe	102
PID 1876 wrote to memory of 4672	1876	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe	103
PID 1876 wrote to memory of 4672	1876	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe	103
PID 1876 wrote to memory of 4672	1876	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe	103
PID 3964 wrote to memory of 408	3964	Payload.exe	104
PID 3964 wrote to memory of 408	3964	Payload.exe	104
PID 3964 wrote to memory of 408	3964	Payload.exe	104
PID 3964 wrote to memory of 2252	3964	Payload.exe	106
PID 3964 wrote to memory of 2252	3964	Payload.exe	106
PID 3964 wrote to memory of 112	3964	Payload.exe	107
PID 3964 wrote to memory of 112	3964	Payload.exe	107
PID 3692 wrote to memory of 1576	3692	cmd.exe	218
PID 3692 wrote to memory of 1576	3692	cmd.exe	218
PID 2252 wrote to memory of 4876	2252	Miner.exe	128
PID 2252 wrote to memory of 4876	2252	Miner.exe	128
PID 2252 wrote to memory of 4876	2252	Miner.exe	128
PID 2252 wrote to memory of 4876	2252	Miner.exe	128
PID 2252 wrote to memory of 4876	2252	Miner.exe	128
PID 2252 wrote to memory of 4876	2252	Miner.exe	128
PID 2252 wrote to memory of 4876	2252	Miner.exe	128
PID 3392 wrote to memory of 1084	3392	cmd.exe	139
PID 3392 wrote to memory of 1084	3392	cmd.exe	139
PID 4876 wrote to memory of 632	4876	dialer.exe	508
PID 4876 wrote to memory of 692	4876	dialer.exe	7
PID 4876 wrote to memory of 964	4876	dialer.exe	12
PID 4876 wrote to memory of 376	4876	dialer.exe	13
PID 692 wrote to memory of 2608	692	lsass.exe	47
PID 4876 wrote to memory of 396	4876	dialer.exe	14
PID 692 wrote to memory of 2608	692	lsass.exe	47
PID 4876 wrote to memory of 764	4876	dialer.exe	15
PID 4876 wrote to memory of 1040	4876	dialer.exe	17
PID 692 wrote to memory of 2608	692	lsass.exe	47
PID 692 wrote to memory of 2608	692	lsass.exe	47
PID 692 wrote to memory of 2608	692	lsass.exe	47
PID 4876 wrote to memory of 1052	4876	dialer.exe	18
PID 4876 wrote to memory of 1060	4876	dialer.exe	19
PID 4876 wrote to memory of 1180	4876	dialer.exe	20
PID 4876 wrote to memory of 1216	4876	dialer.exe	21
PID 4876 wrote to memory of 1288	4876	dialer.exe	22
PID 4876 wrote to memory of 1372	4876	dialer.exe	23
PID 4876 wrote to memory of 1408	4876	dialer.exe	24
PID 4876 wrote to memory of 1416	4876	dialer.exe	25
PID 4876 wrote to memory of 1436	4876	dialer.exe	26
PID 4876 wrote to memory of 1448	4876	dialer.exe	27
PID 4876 wrote to memory of 1544	4876	dialer.exe	28
PID 4876 wrote to memory of 1624	4876	dialer.exe	29
PID 4876 wrote to memory of 1676	4876	dialer.exe	30
PID 4876 wrote to memory of 1744	4876	dialer.exe	31
PID 4876 wrote to memory of 1788	4876	dialer.exe	32
PID 4876 wrote to memory of 1856	4876	dialer.exe	33
PID 692 wrote to memory of 2608	692	lsass.exe	47
PID 4876 wrote to memory of 1884	4876	dialer.exe	34
PID 4876 wrote to memory of 1892	4876	dialer.exe	35
PID 4876 wrote to memory of 1964	4876	dialer.exe	36
PID 4876 wrote to memory of 1972	4876	dialer.exe	37
PID 692 wrote to memory of 2608	692	lsass.exe	47
PID 4876 wrote to memory of 1300	4876	dialer.exe	38
PID 4876 wrote to memory of 2068	4876	dialer.exe	40
PID 1448 wrote to memory of 2808	1448	svchost.exe	608

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:964

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of UnmapMainImage
PID:764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1180

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2808
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:896
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:5764
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:4832
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:1256
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1624

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1788

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1884

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1972

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1300

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2068

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2608

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3016

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:60

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3296

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3372
- C:\Users\Admin\AppData\Local\Temp\017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe
  "C:\Users\Admin\AppData\Local\Temp\017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AYgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAcwB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGwAagB5ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AcQBsACMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2700
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3004
- - C:\Users\Admin\AppData\Roaming\Payload.exe
    "C:\Users\Admin\AppData\Roaming\Payload.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3964
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAZQBzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcQBoACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAZwBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAaABlACMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:408
  - - C:\Users\Admin\AppData\Roaming\Miner.exe
      "C:\Users\Admin\AppData\Roaming\Miner.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2252
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3168
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3692
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:1576
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:2692
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:1668
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:440
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:3392
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:4680
    - - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4876
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "RYVSUJUA"
        5⤵
        Launches sc.exe
        
        PID:1444
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "RYVSUJUA" binpath= "C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:224
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:320
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "RYVSUJUA"
        5⤵
        Launches sc.exe
        
        PID:3836
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Miner.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3392
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:1084
  - - C:\Users\Admin\AppData\Roaming\Shortcutter.exe
      "C:\Users\Admin\AppData\Roaming\Shortcutter.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:112
- - C:\Windows\build.exe
    "C:\Windows\build.exe"
    3⤵
    - Executes dropped EXE
    PID:4672
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 2200
      4⤵
      Program crash
      PID:2248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3572

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3764

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4152

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3124

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
PID:3264

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2156

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:4160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3248 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:3
1⤵
PID:3936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:2952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:1732

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1260

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2132
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4672 -ip 4672
  2⤵
  PID:1668

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Enumerates system info in registry
PID:2980

C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe
C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4812
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1436 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
1⤵
PID:5996

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e4 00000084
1⤵
- Suspicious behavior: LoadsDriver
PID:1576

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000104 00000084
1⤵
PID:3976

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f4 00000084
1⤵
PID:632

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000fc 00000084
1⤵
PID:2808

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000ec 00000084
1⤵
PID:2936

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e0 00000084
1⤵
PID:4868

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f4 00000084
1⤵
PID:2988

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000c8 00000084
1⤵
PID:2328

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000108 00000084
1⤵
PID:3432

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f4 00000084
1⤵
PID:4832

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000118 00000084
1⤵
PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe

Filesize
576KB

MD5
afad3055199aabdfa76491cd518a9c4b

SHA1
9a573625ea5b7f90f0fef788da754aa60c178abb

SHA256
70c7468f6690b4bb0e7acd5e74a45a6f07d0d129ee2aaa89bc4c282b5fb6428d

SHA512
02f7fcbd04048990f65eb7820ef9797bca1196f9b72ce82eae939165923f65bda85e400240ac64f69763aec3183cf03210f493154587762faa02378853d96334

Download Submit
C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe

Filesize
256KB

MD5
519798f44b8063d626eb5236b7c51700

SHA1
f961c8fa490f0e06d3f5422e8235d38fa1fd1745

SHA256
18db398eda016442fedf3ecacdf95a59efb9c2a4441e62b5a2adb4973d09c838

SHA512
ca9c5b3c119c7c2dca35113086eaf26ba88b535537222507c7712af175b2a4daab74cc3f956e8e619897de92450577ce216ddf7654c9c5747b64c227f2bc4b68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
330B

MD5
a647414e63ce59cf9687e5a51190ece7

SHA1
3e25425574ebb15c063844761a9af29ee9c3ed99

SHA256
85160f5506d3d5bc7dba2a60d663d6f26ce76825500113f55b9b460121d49ad1

SHA512
4438a8a8450ebc0736737f4941ea149f0ed80ad2e97dff3293039f795cd4f04256de1099644f80b6b480ab89b2a98111eefa5be48260b6bb543b05ccf47754ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
51KB

MD5
5b11fd821061ff07a306800cf42a45f8

SHA1
ba659be366bb3827061eee6a21df3c00f1265371

SHA256
5802fe2f0af337fe409e3f9e9dc034dcf79289de9f95dce161132820b1f6de4f

SHA512
98b0349261ed2400c11880b0f4054bab14bc5ed704be0c81d18dfbf3b0e0bddd7d93ae45fb5d35a5c20a2f13a6780402d45b5fc6367ed5f654fd1dcb1a3c9cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hldvhp0n.t1z.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Miner.exe

Filesize
1.5MB

MD5
18cd8293ded2b3c2eecf5e22626b8b5e

SHA1
6e3127de2c70bae5b23e22d464ffbe2a36e25c86

SHA256
b4a6e705e68017ca33a872a0b8a85be32094f1b38482b7ba78fdea8f6d389df0

SHA512
2bffdb1677c423c32bb9751374bb6f5f8a98c03edbd3fdaddfbc1e616b30c7114f779365a1ca1bf9501c1fbca322756f29b3365901a54db8a2628d5973d56f52

Download Submit
C:\Users\Admin\AppData\Roaming\Miner.exe

Filesize
1.1MB

MD5
ff8c182f812acbcfce0dadb0f5bcd3d3

SHA1
0bd09476ab307f42634747f42ae49ef482b2cf7c

SHA256
cd5e981a021742ce482d615a5593e8a236e0e7cb4674475a018f6dce1e654dcd

SHA512
31754fc9fc4bd0ad5a0fb46830f81af2bf16d196aa026b556b72db665472c17f46c3ee54100e05dbea4aac5362b399620310df06a02bced579ceb09972cffb00

Download Submit
C:\Users\Admin\AppData\Roaming\Miner.exe

Filesize
916KB

MD5
ad7c825a91fe2c5bf43d767f30efd94f

SHA1
07365794b585483901eda236d9131030380035ff

SHA256
45c50c048f4db71a3b28181da6700814e6ce43714ecbdead7009ee44e3b5405e

SHA512
38102963c0e260aec90c58a4c5f37b72635e3dbe6975d03a99a8632cac12bd9af430bc5c4a39c656163e1eabd0767db037826dc48d36982dab7274816c71371b

Download Submit
C:\Users\Admin\AppData\Roaming\Payload.exe

Filesize
710KB

MD5
e607bc7ad017792f5274632d1d37009d

SHA1
dbb8783e0b33c1e1ec5df7d2d0b0e41e23bfe2e2

SHA256
623b38a9cc6cb976b3efff0bc2b803b64efa5fa6009014e282d80b6928c07dad

SHA512
47523705b74fedf247422f728d57ae4abedc0f395ed7667fb1635e0e7c96b03fd2a06774633df3153d9867fb9f75ca8ffb269e9586b47ed1ae3f81908d0ec0d5

Download Submit
C:\Users\Admin\AppData\Roaming\Payload.exe

Filesize
2.1MB

MD5
ec01ab4419fe8657892e73cef1585c91

SHA1
cb4931ca9114a40b9f8543544ffd5839a96347f9

SHA256
607aac36e5a4ca517b704e37bc7c30ef8baa29d594b2858b1f955c3a39718f9b

SHA512
9b782181d78378d77e4df93f7818b75848fafdd43654c696ec638219dbff0ee2be7e322183a9ea97e3b3eaa92d38e3ed5970087401f7f05f21b3f50def15e1ff

Download Submit
C:\Users\Admin\AppData\Roaming\Payload.exe

Filesize
850KB

MD5
5c38e1ce6a4afbf43eb2415e94dab539

SHA1
402a9cc00f2972f8aeac37733d6bd79f7e921f72

SHA256
ff113665d81aa68fc3c0d5ad83d9c63cb102ed2e0b13fd118446095e9c975755

SHA512
f87fafbed8b803381335e28bad52d8acbf6e7a118bf9318a480effbcbe58c2c4683b7bb4ede130f762af5283ca06e80e3bb2bd553d46c149981ef931071a0585

Download Submit
C:\Users\Admin\AppData\Roaming\Shortcutter.exe

Filesize
50KB

MD5
4ce8fc5016e97f84dadaf983cca845f2

SHA1
0d6fb5a16442cf393d5658a9f40d2501d8fd725c

SHA256
f4da7f22e8eb28cfd8ecb0c3fdc8923b2ba5c5e96b917cbcf53b6bbed1c22551

SHA512
4adeb4774ca136a085bc92cf6f02aa340f927ae12e1db90e8a2be69ef045611d333904ef5714c876ab03f8bcc52ee0140e724bd1659b9cf9eacf0a7d6a7bdd46

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
19KB

MD5
f5e780ab5a3e0532996e9359a8b63125

SHA1
1f438b9e1a0e7c2900561dd5da6c875195fdf9bd

SHA256
0152dd4a1f0d925ff8451c27bcef41456f312fa6588058610f1aeaa6ea90e2e1

SHA512
c1dd4fcf779576c4c5fae96dc1020817b9c3b9a93b14c8c8900a56ca423a8798d87f725400eca098e536ae5714983cf8eca421d4f6319871ca73bb3696b517ce

Download Submit
C:\Windows\build.exe

Filesize
188KB

MD5
ffe5ff4a06e3a7696484bbce8f3ade91

SHA1
af919d9b6b7abef80fb5c85498ffc5ec0c0ae394

SHA256
b256448e3219b2b7033b4c214c78b02db0d4e000f943fc98dffede3d8a6a7cf3

SHA512
bfeb89c2b5e7420d48879d010cfe2f4d587f1d43612fd3ab489988092d11dfd4796a306c5a4b8a6be8b78ebde2e0561bae3ee5e1d4a827aa43db8e13d55cc9a4

Download Submit
memory/112-41-0x000001C113600000-0x000001C113612000-memory.dmp

Filesize
72KB

Download
memory/112-147-0x00007FFC3C160000-0x00007FFC3CC21000-memory.dmp

Filesize
10.8MB

Download
memory/112-43-0x00007FFC3C160000-0x00007FFC3CC21000-memory.dmp

Filesize
10.8MB

Download
memory/376-154-0x00007FFC1D170000-0x00007FFC1D180000-memory.dmp

Filesize
64KB

Download
memory/376-150-0x000002AF29320000-0x000002AF2934B000-memory.dmp

Filesize
172KB

Download
memory/376-171-0x000002AF29320000-0x000002AF2934B000-memory.dmp

Filesize
172KB

Download
memory/396-160-0x000002BC59B10000-0x000002BC59B3B000-memory.dmp

Filesize
172KB

Download
memory/396-162-0x00007FFC1D170000-0x00007FFC1D180000-memory.dmp

Filesize
64KB

Download
memory/396-173-0x000002BC59B10000-0x000002BC59B3B000-memory.dmp

Filesize
172KB

Download
memory/408-124-0x0000000007340000-0x000000000734A000-memory.dmp

Filesize
40KB

Download
memory/408-116-0x00000000071A0000-0x0000000007243000-memory.dmp

Filesize
652KB

Download
memory/408-72-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/408-34-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/408-68-0x0000000004D10000-0x0000000004D2E000-memory.dmp

Filesize
120KB

Download
memory/408-66-0x0000000005AA0000-0x0000000005DF4000-memory.dmp

Filesize
3.3MB

Download
memory/408-35-0x0000000002990000-0x00000000029C6000-memory.dmp

Filesize
216KB

Download
memory/408-46-0x00000000058C0000-0x0000000005926000-memory.dmp

Filesize
408KB

Download
memory/408-69-0x0000000005FE0000-0x000000000602C000-memory.dmp

Filesize
304KB

Download
memory/408-88-0x0000000073E40000-0x00000000745F0000-memory.dmp

Filesize
7.7MB

Download
memory/408-40-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/408-90-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/408-92-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/408-26-0x0000000073E40000-0x00000000745F0000-memory.dmp

Filesize
7.7MB

Download
memory/408-152-0x0000000007550000-0x00000000075E6000-memory.dmp

Filesize
600KB

Download
memory/408-220-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/408-95-0x00000000703A0000-0x00000000703EC000-memory.dmp

Filesize
304KB

Download
memory/408-105-0x0000000006550000-0x000000000656E000-memory.dmp

Filesize
120KB

Download
memory/408-122-0x00000000072C0000-0x00000000072DA000-memory.dmp

Filesize
104KB

Download
memory/632-159-0x000001CC64890000-0x000001CC648BB000-memory.dmp

Filesize
172KB

Download
memory/632-142-0x000001CC64890000-0x000001CC648BB000-memory.dmp

Filesize
172KB

Download
memory/632-140-0x000001CC64860000-0x000001CC64884000-memory.dmp

Filesize
144KB

Download
memory/632-161-0x00007FFC5D18D000-0x00007FFC5D18E000-memory.dmp

Filesize
4KB

Download
memory/632-164-0x00007FFC5D18F000-0x00007FFC5D190000-memory.dmp

Filesize
4KB

Download
memory/692-167-0x0000020271B90000-0x0000020271BBB000-memory.dmp

Filesize
172KB

Download
memory/692-169-0x00007FFC5D18D000-0x00007FFC5D18E000-memory.dmp

Filesize
4KB

Download
memory/692-144-0x0000020271B90000-0x0000020271BBB000-memory.dmp

Filesize
172KB

Download
memory/692-145-0x00007FFC1D170000-0x00007FFC1D180000-memory.dmp

Filesize
64KB

Download
memory/764-163-0x0000024527170000-0x000002452719B000-memory.dmp

Filesize
172KB

Download
memory/764-166-0x00007FFC1D170000-0x00007FFC1D180000-memory.dmp

Filesize
64KB

Download
memory/764-194-0x0000024527170000-0x000002452719B000-memory.dmp

Filesize
172KB

Download
memory/964-172-0x00007FFC5D18C000-0x00007FFC5D18D000-memory.dmp

Filesize
4KB

Download
memory/964-149-0x0000019400380000-0x00000194003AB000-memory.dmp

Filesize
172KB

Download
memory/964-153-0x00007FFC1D170000-0x00007FFC1D180000-memory.dmp

Filesize
64KB

Download
memory/964-170-0x0000019400380000-0x00000194003AB000-memory.dmp

Filesize
172KB

Download
memory/1040-197-0x000001343C8D0000-0x000001343C8FB000-memory.dmp

Filesize
172KB

Download
memory/1040-177-0x000001343C8D0000-0x000001343C8FB000-memory.dmp

Filesize
172KB

Download
memory/1040-179-0x00007FFC1D170000-0x00007FFC1D180000-memory.dmp

Filesize
64KB

Download
memory/1052-183-0x00007FFC1D170000-0x00007FFC1D180000-memory.dmp

Filesize
64KB

Download
memory/1052-200-0x00000246A44D0000-0x00000246A44FB000-memory.dmp

Filesize
172KB

Download
memory/1052-180-0x00000246A44D0000-0x00000246A44FB000-memory.dmp

Filesize
172KB

Download
memory/1060-185-0x0000023A310C0000-0x0000023A310EB000-memory.dmp

Filesize
172KB

Download
memory/1060-201-0x0000023A310C0000-0x0000023A310EB000-memory.dmp

Filesize
172KB

Download
memory/1060-189-0x00007FFC1D170000-0x00007FFC1D180000-memory.dmp

Filesize
64KB

Download
memory/1180-192-0x0000027817A90000-0x0000027817ABB000-memory.dmp

Filesize
172KB

Download
memory/1180-195-0x00007FFC1D170000-0x00007FFC1D180000-memory.dmp

Filesize
64KB

Download
memory/1180-211-0x0000027817A90000-0x0000027817ABB000-memory.dmp

Filesize
172KB

Download
memory/1216-196-0x00007FFC1D170000-0x00007FFC1D180000-memory.dmp

Filesize
64KB

Download
memory/1216-213-0x000001EB37600000-0x000001EB3762B000-memory.dmp

Filesize
172KB

Download
memory/1216-193-0x000001EB37600000-0x000001EB3762B000-memory.dmp

Filesize
172KB

Download
memory/1288-215-0x0000029F24BB0000-0x0000029F24BDB000-memory.dmp

Filesize
172KB

Download
memory/1288-216-0x00007FFC1D170000-0x00007FFC1D180000-memory.dmp

Filesize
64KB

Download
memory/1372-219-0x00007FFC1D170000-0x00007FFC1D180000-memory.dmp

Filesize
64KB

Download
memory/1372-217-0x000001AFC1090000-0x000001AFC10BB000-memory.dmp

Filesize
172KB

Download
memory/1408-228-0x0000024452600000-0x000002445262B000-memory.dmp

Filesize
172KB

Download
memory/1416-233-0x000001EA3BBC0000-0x000001EA3BBEB000-memory.dmp

Filesize
172KB

Download
memory/2700-45-0x0000000006230000-0x0000000006252000-memory.dmp

Filesize
136KB

Download
memory/2700-73-0x00000000033D0000-0x00000000033E0000-memory.dmp

Filesize
64KB

Download
memory/2700-19-0x0000000073E40000-0x00000000745F0000-memory.dmp

Filesize
7.7MB

Download
memory/2700-175-0x0000000006DC0000-0x0000000006DD1000-memory.dmp

Filesize
68KB

Download
memory/2700-47-0x00000000063B0000-0x0000000006416000-memory.dmp

Filesize
408KB

Download
memory/2700-87-0x0000000073E40000-0x00000000745F0000-memory.dmp

Filesize
7.7MB

Download
memory/2700-39-0x00000000033D0000-0x00000000033E0000-memory.dmp

Filesize
64KB

Download
memory/2700-91-0x00000000033D0000-0x00000000033E0000-memory.dmp

Filesize
64KB

Download
memory/2700-155-0x00000000033D0000-0x00000000033E0000-memory.dmp

Filesize
64KB

Download
memory/2700-93-0x000000007F050000-0x000000007F060000-memory.dmp

Filesize
64KB

Download
memory/2700-42-0x0000000005AD0000-0x00000000060F8000-memory.dmp

Filesize
6.2MB

Download
memory/2700-44-0x00000000033D0000-0x00000000033E0000-memory.dmp

Filesize
64KB

Download
memory/2700-222-0x00000000033D0000-0x00000000033E0000-memory.dmp

Filesize
64KB

Download
memory/2700-94-0x0000000006FB0000-0x0000000006FE2000-memory.dmp

Filesize
200KB

Download
memory/2700-106-0x00000000703A0000-0x00000000703EC000-memory.dmp

Filesize
304KB

Download
memory/2700-121-0x0000000008340000-0x00000000089BA000-memory.dmp

Filesize
6.5MB

Download
memory/3168-75-0x0000027C19D80000-0x0000027C19DA2000-memory.dmp

Filesize
136KB

Download
memory/3168-123-0x00007FFC3C160000-0x00007FFC3CC21000-memory.dmp

Filesize
10.8MB

Download
memory/3168-74-0x00007FFC3C160000-0x00007FFC3CC21000-memory.dmp

Filesize
10.8MB

Download
memory/3168-76-0x0000027C19B40000-0x0000027C19B50000-memory.dmp

Filesize
64KB

Download
memory/3168-77-0x0000027C19B40000-0x0000027C19B50000-memory.dmp

Filesize
64KB

Download
memory/3168-89-0x0000027C19B40000-0x0000027C19B50000-memory.dmp

Filesize
64KB

Download
memory/3168-120-0x0000027C32450000-0x0000027C3259E000-memory.dmp

Filesize
1.3MB

Download
memory/3508-186-0x00000210E7CB0000-0x00000210E7CC0000-memory.dmp

Filesize
64KB

Download
memory/3508-181-0x00007FFC3C160000-0x00007FFC3CC21000-memory.dmp

Filesize
10.8MB

Download
memory/3508-190-0x00000210E7CB0000-0x00000210E7CC0000-memory.dmp

Filesize
64KB

Download
memory/4876-126-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4876-127-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4876-132-0x00007FFC5D0F0000-0x00007FFC5D2E5000-memory.dmp

Filesize
2.0MB

Download
memory/4876-131-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4876-133-0x00007FFC5CE70000-0x00007FFC5CF2E000-memory.dmp

Filesize
760KB

Download
memory/4876-129-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4876-128-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4876-135-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads