vidar | 4de1f09c88032d3ec4421c72b04e07f43edf853e32808c4292929637c44534ef

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe
Size

18.3MB
MD5

90588afa689d1ecdedee6fb57bf5b635
SHA1

1f49217a42a8f75246c6953749441599d6d97007
SHA256

4de1f09c88032d3ec4421c72b04e07f43edf853e32808c4292929637c44534ef
SHA512

eb70df8a0134942f4e295a8ecc15845963ae89323c53f1966f3043d1c9536706729495b25ea81541cc062e6ad57e9753ca87d42555002b9477e40917232aacc6
SSDEEP

393216:9ml9mCKuyLVEvd9LpBXVujtA6UX5K0r+Xh1SgXrnKXzM6Fw:9mzmnuTBBQjtA3XDrCAIT2tFw

Score

10^/10

vidar persistence spyware stealer

Malware Config

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SetupHost.Exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\Geo\Nation	SetupHost.Exe

Executes dropped EXE 4 IoCs

Processes:

UvwtFdvCzZzzZKl.exeCTS.exeSetupHost.ExeDiagTrackRunner.exe

pid process

2044 UvwtFdvCzZzzZKl.exe
1448 CTS.exe
2676 SetupHost.Exe
1608 DiagTrackRunner.exe

pid	process
2044	UvwtFdvCzZzzZKl.exe
1448	CTS.exe
2676	SetupHost.Exe
1608	DiagTrackRunner.exe

Loads dropped DLL 38 IoCs

Processes:

2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exeUvwtFdvCzZzzZKl.exeSetupHost.ExeDiagTrackRunner.exe

pid	process
3048	2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe
2044	UvwtFdvCzZzzZKl.exe
2676	SetupHost.Exe
2676	SetupHost.Exe
2676	SetupHost.Exe
2676	SetupHost.Exe
2676	SetupHost.Exe
2676	SetupHost.Exe
2676	SetupHost.Exe
2676	SetupHost.Exe
2676	SetupHost.Exe
2676	SetupHost.Exe
2676	SetupHost.Exe
2676	SetupHost.Exe
2676	SetupHost.Exe
2676	SetupHost.Exe
2676	SetupHost.Exe
2676	SetupHost.Exe
2676	SetupHost.Exe
2676	SetupHost.Exe
2676	SetupHost.Exe
2676	SetupHost.Exe
2676	SetupHost.Exe
2676	SetupHost.Exe
2676	SetupHost.Exe
2676	SetupHost.Exe
2676	SetupHost.Exe
2676	SetupHost.Exe
2676	SetupHost.Exe
2676	SetupHost.Exe
2676	SetupHost.Exe
2676	SetupHost.Exe
2676	SetupHost.Exe
2676	SetupHost.Exe
2676	SetupHost.Exe
2676	SetupHost.Exe
2676	SetupHost.Exe
1608	DiagTrackRunner.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exeCTS.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SetupHost.Exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	SetupHost.Exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	SetupHost.Exe

Drops file in Windows directory 3 IoCs

Processes:

2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exeCTS.exeUvwtFdvCzZzzZKl.exe

description	ioc	process
File created	C:\Windows\CTS.exe	2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe
File created	C:\Windows\CTS.exe	CTS.exe
File opened for modification	C:\Windows\Logs\MoSetup\BlueBox.log	UvwtFdvCzZzzZKl.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SetupHost.ExeDiagTrackRunner.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SetupHost.Exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SetupHost.Exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DiagTrackRunner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	DiagTrackRunner.exe

NTFS ADS 1 IoCs

Processes:

SetupHost.Exe

description ioc process

File created C:\ProgramData\Microsoft\Diagnosis\ETLLogs\DlTel-Merge.etl:$ETLUNIQUECVDATA SetupHost.Exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

SetupHost.Exe

pid process

2676 SetupHost.Exe
2676 SetupHost.Exe

description	ioc	process
File created	C:\ProgramData\Microsoft\Diagnosis\ETLLogs\DlTel-Merge.etl:$ETLUNIQUECVDATA	SetupHost.Exe

pid	process
2676	SetupHost.Exe
2676	SetupHost.Exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exeCTS.exeUvwtFdvCzZzzZKl.exeSetupHost.ExeDiagTrackRunner.exe

description	pid	process
Token: SeDebugPrivilege	3048	2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe
Token: SeDebugPrivilege	1448	CTS.exe
Token: SeBackupPrivilege	2044	UvwtFdvCzZzzZKl.exe
Token: SeRestorePrivilege	2044	UvwtFdvCzZzzZKl.exe
Token: SeBackupPrivilege	2044	UvwtFdvCzZzzZKl.exe
Token: SeRestorePrivilege	2044	UvwtFdvCzZzzZKl.exe
Token: SeBackupPrivilege	2676	SetupHost.Exe
Token: SeRestorePrivilege	2676	SetupHost.Exe
Token: SeBackupPrivilege	2676	SetupHost.Exe
Token: SeRestorePrivilege	2676	SetupHost.Exe
Token: SeDebugPrivilege	1608	DiagTrackRunner.exe
Token: SeDebugPrivilege	1608	DiagTrackRunner.exe
Token: SeDebugPrivilege	1608	DiagTrackRunner.exe
Token: SeDebugPrivilege	1608	DiagTrackRunner.exe
Token: SeBackupPrivilege	2044	UvwtFdvCzZzzZKl.exe
Token: SeRestorePrivilege	2044	UvwtFdvCzZzzZKl.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

UvwtFdvCzZzzZKl.exeSetupHost.Exe

pid process

2044 UvwtFdvCzZzzZKl.exe
2676 SetupHost.Exe

pid	process
2044	UvwtFdvCzZzzZKl.exe
2676	SetupHost.Exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exeUvwtFdvCzZzzZKl.exeSetupHost.Exe

description	pid	process	target process
PID 3048 wrote to memory of 2044	3048	2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe	UvwtFdvCzZzzZKl.exe
PID 3048 wrote to memory of 2044	3048	2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe	UvwtFdvCzZzzZKl.exe
PID 3048 wrote to memory of 2044	3048	2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe	UvwtFdvCzZzzZKl.exe
PID 3048 wrote to memory of 2044	3048	2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe	UvwtFdvCzZzzZKl.exe
PID 3048 wrote to memory of 2044	3048	2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe	UvwtFdvCzZzzZKl.exe
PID 3048 wrote to memory of 2044	3048	2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe	UvwtFdvCzZzzZKl.exe
PID 3048 wrote to memory of 2044	3048	2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe	UvwtFdvCzZzzZKl.exe
PID 3048 wrote to memory of 1448	3048	2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe	CTS.exe
PID 3048 wrote to memory of 1448	3048	2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe	CTS.exe
PID 3048 wrote to memory of 1448	3048	2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe	CTS.exe
PID 3048 wrote to memory of 1448	3048	2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe	CTS.exe
PID 2044 wrote to memory of 2676	2044	UvwtFdvCzZzzZKl.exe	SetupHost.Exe
PID 2044 wrote to memory of 2676	2044	UvwtFdvCzZzzZKl.exe	SetupHost.Exe
PID 2044 wrote to memory of 2676	2044	UvwtFdvCzZzzZKl.exe	SetupHost.Exe
PID 2044 wrote to memory of 2676	2044	UvwtFdvCzZzzZKl.exe	SetupHost.Exe
PID 2044 wrote to memory of 2676	2044	UvwtFdvCzZzzZKl.exe	SetupHost.Exe
PID 2044 wrote to memory of 2676	2044	UvwtFdvCzZzzZKl.exe	SetupHost.Exe
PID 2044 wrote to memory of 2676	2044	UvwtFdvCzZzzZKl.exe	SetupHost.Exe
PID 2676 wrote to memory of 1608	2676	SetupHost.Exe	DiagTrackRunner.exe
PID 2676 wrote to memory of 1608	2676	SetupHost.Exe	DiagTrackRunner.exe
PID 2676 wrote to memory of 1608	2676	SetupHost.Exe	DiagTrackRunner.exe
PID 2676 wrote to memory of 1608	2676	SetupHost.Exe	DiagTrackRunner.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Local\Temp\UvwtFdvCzZzzZKl.exe
C:\Users\Admin\AppData\Local\Temp\UvwtFdvCzZzzZKl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2044

C:\$Windows.~WS\Sources\SetupHost.Exe
"C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Checks processor information in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2676

C:\$Windows.~WS\Sources\DiagTrackRunner.exe
C:\$Windows.~WS\Sources\DiagTrackRunner.exe /UploadEtlFilesOnly
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1596

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Windows.~WS\Sources\MediaSetupUIMgr.dll
Filesize
14.6MB

MD5
9921c2a0d68a011620bd5916cc11e54d

SHA1
e68c1c59600d28968dafadc300225b3ef8e4ebdc

SHA256
50551abb9775962ff83ee746ad1e399d26fcc1520710c059464ec029466f4696

SHA512
4ff9e0aa32700f4dff46212456cef4bb41dbe37141f4b9e87311013f51ce218080d7cc8b318d18ec633f3e6be73b60e56ba641a75520fbedbf23c9874b28cb9f

Download Submit
C:\$Windows.~WS\Sources\SetupCore.dll
Filesize
1.9MB

MD5
446969e79d71cb6075f26349ac9345bc

SHA1
6efefe6037458e495a07dd86dc68bf788c638ca9

SHA256
26c62d4675f7e35d4741f5277d5b9d40cdcd6fd1cce86ef42c1cc8209f9224c3

SHA512
8b1320207e92e9917addc0f25992dd6a589edea6aa102c51774ef22a387478e96d2903fa73163258668ee7cc2716588ea51f34fba040150b18cdd12f865e9f9d

Download Submit
C:\$Windows.~WS\Sources\SetupPlatform.dll
Filesize
6.1MB

MD5
10fe8f9a16755bf9ca3c5e94bfbf7178

SHA1
260c06924a55582d4f4dbdfe7d0bccdd00208f9b

SHA256
2f836af8e4e83992cd1c8aab7820520cac6a6f9796924ac83672b838286724cd

SHA512
c2aa007aaf009d5ad6081ed3fdea44964ed3a865aec9886dee1fa9bda424bf74135fd5c214a293897c561d8263c2528508bd01dda88c0c43cc3480146136d110

Download Submit
C:\$Windows.~WS\Sources\WINDLP.DLL
Filesize
1.1MB

MD5
6ca8df94e48799196c24b7274a48fdaa

SHA1
0cb34852203277829668db49afc5d25bd382f8ba

SHA256
0e516b94bd3014d82f20c680b205c915ad528e31522c1cd6d2c6c2c5b814d6a7

SHA512
e5b7c46b155713a21690cba3f1a4f4e4b3d4613fffeea335d57a97701d993cb846bbc51fbea0038f7c7cbc734b3764a270196a26adde77134571d0524a5e7038

Download Submit
C:\$Windows.~WS\Sources\api-ms-win-downlevel-kernel32-l1-1-0.dll
Filesize
45KB

MD5
cfd98d71d80f41c3f155e573b1ffdda1

SHA1
966336882e88ca6a311c5e9948b4bb22a815bd7f

SHA256
1b202df705c429d3d1be26f71274743f0859db81aedead53bf2624d35899294d

SHA512
16d266bd3dc858bbc37fa95ad7f0a60ce654fbcf1f5c9b3f3e0abc1f7b95e86f2a04a9b0e1d98cae3e616af2129985f92aea7595aeeef898eae399e4669f44ff

Download Submit
C:\$Windows.~WS\Sources\api-ms-win-downlevel-user32-l1-1-1.dll
Filesize
11KB

MD5
75285f0badb10b3291d8f921e76506c0

SHA1
d769aba460a768cb065346d9a9c3263af1372160

SHA256
a5af7a42ea3688d6fb5ce9388e11276bbeb3afb2e893b9f66b1bc7c9059d8f99

SHA512
f40c8f6ede3010f523ab28f41ad38e41d1fd541554b59104a7d7468ddb004efe6bd690a9467be6461ade71ce7b10b120b8cacf6c429f37fef3d3fc8318c0284b

Download Submit
C:\$Windows.~WS\Sources\diagtrack.dll
Filesize
901KB

MD5
6c3f6a6bc5ede978e9dfe1acce386339

SHA1
3b7b51d762c593e92123f9365a896ed64ee26a7a

SHA256
b55d66f2943f1c63ea9b39dae88aa2a4f91775cefffefd263bd302866a7bd91c

SHA512
3f87064354a0f55f36aa272c5918d208b8a77fffb7965e9b50727c06fd8d8db5e6695636a7db37926fe444c91e4a4a7dc892ef5ef57676ba9515216d5e5f94ff

Download Submit
C:\$Windows.~WS\Sources\setupplatform.cfg
Filesize
8KB

MD5
1405595a81a70c012ace6b3f618351b2

SHA1
9b398dbddef2a0c048790f6ca4be57899f0f71c0

SHA256
ac6d806551c43ec35edf3f4b3eb38040f40c3bf216bc635e2af45ee05e3a6d43

SHA512
a91e4c416a8c25e0462a5c5f71760b3fc81ad801f89af5bbedada02d52f8a77c67c9174d6583d54c4ce62ca655ef73f8b43104b22e2b1ed44f2c3ecc0f8ceb4d

Download Submit
C:\$Windows.~WS\Sources\unbcl.dll
Filesize
827KB

MD5
9aebdb604a0cec305568f2742cc6a3d2

SHA1
851ebeedcdb9a4d5ac7ec6f2bc9b84b1964681d9

SHA256
82dde9532b94bc51748660270048aa29d635da2ae84df001a3d6c31cd1995c93

SHA512
3dfbfe9e7b23f1f792c0cad1334ddbdd2bd54ae5f870652e95ef1fbd5a7451a8059af223c43429bf8fe992e8cd46997a9774b1c103ff49b962d7a371d679a9cb

Download Submit
C:\$Windows.~WS\Sources\wpx.dll
Filesize
1.0MB

MD5
c963819dd589b833b2fde3b9e08605f3

SHA1
72613ba4e8161fb8a6d0e0237e397285747a1e72

SHA256
b59fc5c1c9e366d0cb8debe53359de9d38d5caab7e3f9b3e90519b92ac4c98e6

SHA512
5181bc5d277216c383de6bbf6d7fac3975b063505b673db1d1e23400209cbffff96d5932020641ea5f14b0c3e303c49b0a2fbf199e2a0397ae7610be697d97d1

Download Submit
C:\Windows\CTS.exe
Filesize
71KB

MD5
f9d4ab0a726adc9b5e4b7d7b724912f1

SHA1
3d42ca2098475924f70ee4a831c4f003b4682328

SHA256
b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc

SHA512
22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

Download Submit
\$Windows.~WS\Sources\DiagTrackRunner.exe
Filesize
77KB

MD5
76f30a1e149792d2542a253b920cbef6

SHA1
9040e0873df5cc2a64b850d1b8159b77528ba62c

SHA256
488cbc8330952dd13b797bb40e4e30610ed03483c25919c39555f7b334a3c159

SHA512
ec39861a3f39f88aad52975974c988ae76376a09136d95f5d4fedd60ee7ec252736d882cef77298d82d786e0dad13c61148b29d7c5fb7ba7d7c74b05de9d7e84

Download Submit
\$Windows.~WS\Sources\SetupHost.exe
Filesize
681KB

MD5
a0b1786c1a59ddac1024956723f58a73

SHA1
828d9cdb9cc2b6c49843422da49a14ebbf44d3d5

SHA256
59a5573de59ae41e3781cd66a67281d5b30ff2e39f32d1caeb44ea20971c95c2

SHA512
a017fb73e2a0653a448b802bf049c47613e3beca0c83d3d81c247dc3b33577cabbfd1b78f86dbdc7dbbed143aac95a50924e6b82fd58d4f0a6626fc3c8494ffc

Download Submit
\$Windows.~WS\Sources\SetupMgr.dll
Filesize
678KB

MD5
5492a750f2c92ef126621fe0468b779a

SHA1
64e2d1fafbc008144df94cf3160319e0452d929e

SHA256
2dd7d16db9d71fe0358cd520057d466585802f1d921a791cbfb0e7e607b55b10

SHA512
a354ca3deafda57dfbaa7eb64409e663476a91a37d2e6cfcd06002e7790f40157719ba86b6a9bc4d159b9a9bde71c6a7c3e8f2852ed752d65826fdd8b4881a35

Download Submit
\$Windows.~WS\Sources\api-ms-win-downlevel-advapi32-l1-1-1.dll
Filesize
19KB

MD5
dbeac4d60d3985a086052d56fd84228e

SHA1
44a717d41388ce53d8e77fe1bb5e34ed4b72a851

SHA256
e5ce4dbda2c7bd078056cc17cc65714787cc50daa5e61de59fafa0d0223321b1

SHA512
44b7c321f1cdaa0145c7f4766f6b4f90c6d86a9a3eb842d2a007f44b27d9b25efe89421820514080e2a45d99da4bddcb877fd754c01a4801840ea7b7228c62ba

Download Submit
\$Windows.~WS\Sources\api-ms-win-downlevel-advapi32-l2-1-1.dll
Filesize
15KB

MD5
4e2acbaa772797a0f86e15572fa44f84

SHA1
7f1846f886a27716ca918c65fb87458bd49fcfee

SHA256
70b4b4c427f235b2c2c7d49b3aff7c5a799b7a9616e7a11d2de5d78156665ba7

SHA512
b8143b54cf966f42abf9e2b083cd85aa1f7411fa4ceb2b8460946d708322ba2b81b93be771d8d04b027d0e22b13e68fa71bb53b6c2f6c8b3c0f5941d423d38b4

Download Submit
\$Windows.~WS\Sources\api-ms-win-downlevel-advapi32-l4-1-0.dll
Filesize
10KB

MD5
96fe4353f44be47fb877366d5f33c172

SHA1
ddea638bd1694b2eda295a0f508e4a857f8450f2

SHA256
904371b86f56414ff70d3d7a4ad878b70f8b9fd278e2b97a82a26bb13b89a9f4

SHA512
2d0a0e97ef5eba8701446891dd669735540ef185e3f8fb14053243bf4b9163e9354e5f905bd26d1910a80d8780cfe2dcc68f6f2ad9bf3275bb7efb30eeafa464

Download Submit
\$Windows.~WS\Sources\api-ms-win-downlevel-kernel32-l2-1-0.dll
Filesize
16KB

MD5
daec93c3ac8dca1807147d304879acb0

SHA1
391cbc5e7cf40124f9640c1e7d6188e75af1b5f3

SHA256
107cf218d9af2523fb24da10b381436bb858ac0f8b1012bc56bf088983b2e9db

SHA512
ccc96c82b2cdcd36f56642cc6801de9d487ec593ccda9020efdc782cd3705e321367de7487080b5bdd10c89b9e6acf048a8f45a16c29caed5588bd6d1babe3d1

Download Submit
\$Windows.~WS\Sources\api-ms-win-downlevel-ole32-l1-1-1.dll
Filesize
14KB

MD5
8cd60551eec672a732db658555c051d9

SHA1
f675ee4b04a5a3afb758ff89e077dd401e192379

SHA256
5d0ba298919d78b726c625c7e6ad31f2632e095f7c79ac08f0ff25f8e15a4295

SHA512
d3950f90d50e90b2ba62fa1028ae6226c8fe2ee8c0517f769dafa3cc4ba81f38a50ce1676be3eb40669d7ea830752a331975867fb117937b7fffd21c2845b313

Download Submit
\$Windows.~WS\Sources\api-ms-win-downlevel-shlwapi-l1-1-1.dll
Filesize
18KB

MD5
40baccd1e7f60085248785bea899c61e

SHA1
d1e076fe8258ed5fb53707f639ceddaf7d5640fa

SHA256
d59814bb8bbcff15e192aa600ac09f344ac089e95034258c1ea3748363132a59

SHA512
4ad6b96b3aadfe5cccad0494e80258b709905349e82c858f27cbff4a871790bb7d0757a704f999cd86c9a788e44d286655940a81c8237e15aa2641e0ddf55930

Download Submit
\$Windows.~WS\Sources\wdscore.dll
Filesize
193KB

MD5
8929e1ce63abc413ab88f31f3a45aba2

SHA1
49f37061d17cbe0482255aacfdabf10e67839ecb

SHA256
80e3c3f207d0df8424711c133ad10082ca36ce2b5a6a19a179473aa994cc7161

SHA512
3e8212e63595e0f3b1e661f4c7e0c839e9535777eea86b85dc1aad5b3eaa767652d96ead2b8d7fffefaaffcc621e0a20ef0d75120700ee2715af0b8860161cb5

Download Submit
\$Windows.~WS\Sources\wdsutil.dll
Filesize
232KB

MD5
66190a933f32c6521a08c6ea76ac0fe3

SHA1
3b1a6786e900f4f4e9ca52fdbf50cc0b0cbfd9de

SHA256
d9599ce02d1096fe3bc9bbfa8e5cc9dd859aad04bc725522eb9c8c25ca408df9

SHA512
fc54735c1a1666176d23f8c8c2390b0cf4bfd0940dcb1fe7099e39ffbb80bcfbaca707b4cf95039fe42ae8eb5293b141ecfdfd0a47c035db9b51f077694c84fe

Download Submit
\Users\Admin\AppData\Local\Temp\UvwtFdvCzZzzZKl.exe
Filesize
18.2MB

MD5
db3fccad4aead91689d62822232d56bc

SHA1
c00ecaf95ed3b727aae581d41af99b5fbc762865

SHA256
aa8b68133931e76ca58944641084943c60e0954bd6c829bd9c670284da071ca4

SHA512
8960b2c95db3a09ae2d7abf820ea45e7100959f20ccd7edcca9ec5028d684b28de3ac6ecdae834150d40b91c1c264ad29bc2288d388b528b970c0f7531acf909

Download Submit
memory/2676-109-0x0000000002690000-0x00000000026D9000-memory.dmp

Filesize
292KB

Download
memory/2676-110-0x0000000002690000-0x00000000026D9000-memory.dmp

Filesize
292KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads