Analysis
max time kernel: 411s
max time network: 336s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-06-2024 08:44
Static task: static1
General
Target: Setup.exe
Size: 675.4MB
MD5: 14cf56e3094e94a6bcd9f1b18c2e9726
SHA1: b4d6a5f8f6cc0429c02d5b9d0be1e29172010d3c
SHA256: e42c58c29931bee78061436503afbbef40e74c43da2c6291e0e09213add1c5e6
SHA512: 122f873501c376615139f7387c33cc533b83af4555f92fe0c09fcca837fdc1f3af2a3659f44c037748b06c613d014160304cf487eb68c154086f0d3749292e65
SSDEEP: 196608:L0bq45mmYPrOLaxhyEjILWjDLGfCYZmJu9JgU04IcW7fIxOntw93/sDF1kIQyXjX:obq4o3jOLaXILWfSbg

Note: a 675.4MB "Setup.exe" is far larger than the code a stealer dropper needs. Inflated installers are commonly padded with junk or null bytes to stay above the upload limits of scanners and sandboxes, so the file hashes above are likely unique to this build; pivot on the dropped JRWeb.exe / VIDA.au3 artefacts and the dead-drop URLs in the config rather than on the dropper hash.
Malware Config
Extracted
Family: vidar
C2 (dead-drop resolver URLs):
https://t.me/g067n
https://steamcommunity.com/profiles/76561199707802586
user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:129.0) Gecko/20100101 Firefox/129.0

Note: the configured user agent claims Firefox on macOS while the sample runs on Windows 10 x64. A request to t.me or steamcommunity.com/profiles/ carrying that user agent from a Windows host is a usable network detection on its own.
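The two URLs in the extracted config are not the C2 servers themselves. Vidar uses public profile pages (here a Telegram channel and a Steam Community profile) as dead-drop resolvers: the sample fetches the page with the configured user agent and reads the real C2 address out of the profile's visible display name or description, which lets the operator rotate C2 without rebuilding the payload. The block below is an added example, not the sample's own code and not something shown in this report: it parses HTML constructed to resemble those pages and pulls a URL out of the name/description element. The HTML, the CSS class names it looks for (`tgme_page_description`, `actual_persona_name`) and the 203.0.113.7 address are assumptions made for illustration, since the real drop content at analysis time is not part of the report; the empty Telegram description shows the fall-through to the next resolver.

```python
"""Added example: resolve a Vidar-style dead drop offline.

The sample's config lists a Telegram channel and a Steam profile; the real C2
is carried in the page's visible text. Everything below runs against HTML
constructed for this example (no network access)."""
import re
from html.parser import HTMLParser

# URLs taken from the extracted config; the CSS class for each site's
# name/description element is an assumption made for this example.
DEAD_DROPS = {
    "https://t.me/g067n": "tgme_page_description",
    "https://steamcommunity.com/profiles/76561199707802586": "actual_persona_name",
}

# User agent from the extracted config: Firefox on macOS, sent from a Windows host.
USER_AGENT = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:129.0) "
              "Gecko/20100101 Firefox/129.0")

# Constructed pages. 203.0.113.7 is a documentation-range address, not a real C2.
SAMPLE_PAGES = {
    "https://t.me/g067n":
        '<html><body><div class="tgme_page_title">g067n</div>'
        '<div class="tgme_page_description">Channel has no description</div>'
        '</body></html>',
    "https://steamcommunity.com/profiles/76561199707802586":
        '<html><body><div class="profile_header">'
        '<span class="actual_persona_name">ledger_helper http://203.0.113.7:80/</span>'
        '<br><span class="persona_level">Level 0</span></div></body></html>',
}

VOID_TAGS = {"br", "img", "meta", "link", "input", "hr"}
# Plain http(s) URL with an IPv4 or hostname and optional port.
C2_RE = re.compile(
    r"https?://(?:\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9.-]+\.[a-z]{2,})(?::\d+)?", re.I)


class _ClassText(HTMLParser):
    """Collect the text inside elements carrying a given CSS class."""

    def __init__(self, wanted_class):
        super().__init__()
        self.wanted = wanted_class
        self.depth = 0          # >0 while inside a wanted element
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        if self.depth:
            self.depth += 1
        elif self.wanted in (dict(attrs).get("class") or "").split():
            self.depth = 1

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.depth:
            self.depth -= 1

    def handle_data(self, data):
        if self.depth:
            self.chunks.append(data)

    def text(self):
        return " ".join("".join(self.chunks).split())


def extract_c2(html, css_class):
    """Return the first URL found in the named element, or None."""
    parser = _ClassText(css_class)
    parser.feed(html)
    match = C2_RE.search(parser.text())
    return match.group(0) if match else None


def resolve(pages, drops=DEAD_DROPS):
    """Try each drop in config order; (drop_url, c2), or (None, None) if none carries a URL.

    `pages` maps drop URL -> fetched HTML, so a real fetcher (sending USER_AGENT
    to reproduce the sample on the wire) can be swapped in for SAMPLE_PAGES."""
    for url, css_class in drops.items():
        html = pages.get(url)
        if html is None:
            continue
        c2 = extract_c2(html, css_class)
        if c2:
            return url, c2
    return None, None


if __name__ == "__main__":
    print(resolve(SAMPLE_PAGES))
```

Run stand-alone it prints the Steam profile URL together with the address found in the persona name; the Telegram page is skipped because its description carries no URL. Swapping `SAMPLE_PAGES` for live fetches turns this into a resolver you can run on a schedule to track the operator's C2 rotation without executing the sample again.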
Signatures

Detect Vidar Stealer (11 IoCs)
Processes: VIDA.au3 (PID 4188 and PID 536)
resource                                                                         yara_rule
behavioral1/memory/4188-61-0x0000000001800000-0x0000000001A49000-memory.dmp      family_vidar_v7
behavioral1/memory/4188-66-0x0000000001800000-0x0000000001A49000-memory.dmp      family_vidar_v7
behavioral1/memory/4188-107-0x0000000001800000-0x0000000001A49000-memory.dmp     family_vidar_v7
behavioral1/memory/4188-108-0x0000000001800000-0x0000000001A49000-memory.dmp     family_vidar_v7
behavioral1/memory/4188-113-0x0000000001800000-0x0000000001A49000-memory.dmp     family_vidar_v7
behavioral1/memory/4188-114-0x0000000001800000-0x0000000001A49000-memory.dmp     family_vidar_v7
behavioral1/memory/4188-115-0x0000000001800000-0x0000000001A49000-memory.dmp     family_vidar_v7
behavioral1/memory/4188-117-0x0000000001800000-0x0000000001A49000-memory.dmp     family_vidar_v7
behavioral1/memory/536-757-0x0000000000C00000-0x0000000000E49000-memory.dmp      family_vidar_v7
behavioral1/memory/536-769-0x0000000000C00000-0x0000000000E49000-memory.dmp      family_vidar_v7
behavioral1/memory/536-778-0x0000000000C00000-0x0000000000E49000-memory.dmp      family_vidar_v7

The dump name encodes pid-dumpindex-start-end. Every hit for PID 4188 is the same 0x249000-byte region at 0x1800000, and the three hits for PID 536 are a region of the same size at 0xC00000: one unpacked Vidar image, mapped in two VIDA.au3 instances. Any of these dumps is the right artefact to carve the payload (and its config) from, rather than the padded Setup.exe.
Downloads MZ/PE file
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Process: VIDA.au3
description         ioc                                                                                         process
Key value queried   \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation   VIDA.au3
Executes dropped EXE (4 IoCs)
pid    process
2992   JRWeb.exe
3484   JRWeb.exe
5880   JRWeb.exe
5044   JRWeb.exe

Loads dropped DLL (6 IoCs)
pid    process
2992   JRWeb.exe
3484   JRWeb.exe
4188   VIDA.au3
5880   JRWeb.exe
5044   JRWeb.exe
536    VIDA.au3

Note: PIDs 5880 and 5044 (JRWeb.exe), 4364 (more.com, in the SetThreadContext and MapViewOfSection tables) and 536 (VIDA.au3) belong to a second run of the same JRWeb.exe -> more.com -> VIDA.au3 chain. That second chain appears only in the signature tables, not in the process tree at the end of the report.
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
(No per-process IoC table is shown for this signature.)

Checks whether UAC is enabled (2 IoCs)
Process: Setup.exe
description         ioc                                                                                     process
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   Setup.exe
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   Setup.exe

Note: the EnableLUA reads belong to the "Checks whether UAC is enabled" signature that the process tree attributes to Setup.exe; they are not Uninstall-key lookups.
Suspicious use of SetThreadContext (2 IoCs)
description                          pid    process     target process
PID 3484 set thread context of 1608  3484   JRWeb.exe   more.com
PID 5044 set thread context of 4364  5044   JRWeb.exe   more.com

JRWeb.exe (the copy running from AppData\Roaming\nodealt) sets the thread context of a SysWOW64\more.com it started itself. Together with the MapViewOfSection hits on the same PID pairs below, this is the process-hollowing hand-off: the signed more.com image is replaced in memory and its resumed thread is what launches VIDA.au3. Look for a non-Microsoft parent calling SetThreadContext on a freshly created, suspended Windows binary in telemetry; more.com has no legitimate reason to be a child of an AppData executable.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Process: taskmgr.exe
description         ioc                                                                                                                             process
Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000                                 taskmgr.exe
Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A   taskmgr.exe
Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                    taskmgr.exe

Note: the reader here is taskmgr.exe (PID 4696), the Task Manager session started during the run, not the sample. Task Manager reads disk friendly names for its Performance tab, so this signature carries no weight against Setup.exe or its children.
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: VIDA.au3 (both instances)
description         ioc                                                                               process
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   VIDA.au3
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                       VIDA.au3
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   VIDA.au3
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                       VIDA.au3
Delays execution with timeout.exe (1 IoC)
pid    process
2428   timeout.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Process: chrome.exe
description         ioc                                                                 process
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                  chrome.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   chrome.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   chrome.exe

Modifies data under HKEY_USERS (2 IoCs)
Process: chrome.exe
description        ioc                                                                                     process
Key created        \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                   chrome.exe
Set value (int)    \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133641246190209411"   chrome.exe

Note: both signatures fired on chrome.exe (PID 2388), a separate top-level Chrome session in the process tree, not on the sample or its children; the BIOS reads and TPM telemetry timestamp are Chrome's own behaviour.
Modifies registry class (6 IoCs)
description    ioc                                                                                  process
Key created    \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings   taskmgr.exe
Key created    \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings   7zFM.exe
Key created    \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings   OpenWith.exe
Key created    \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings   OpenWith.exe
Key created    \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings   OpenWith.exe
Key created    \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings   OpenWith.exe
Opens file in notepad (likely ransom note) (1 IoC)
pid    process
3604   NOTEPAD.EXE

Note: generic heuristic. In this run Notepad was launched through OpenWith.exe on files sitting in 7-Zip temp folders (7zO...) after 7zFM.exe opened VIDA.au3 (see the process tree), so this is not evidence of ransomware behaviour by the sample.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid    process        entries
4812   Setup.exe      2
2992   JRWeb.exe      1
3484   JRWeb.exe      2
1608   more.com       2
4188   VIDA.au3       4
4696   taskmgr.exe    all remaining entries
Suspicious behavior: GetForegroundWindowSpam (6 IoCs)
pid    process
4188   VIDA.au3
4696   taskmgr.exe
4952   7zFM.exe
4504   OpenWith.exe
4232   OpenWith.exe
4912   OpenWith.exe
Suspicious behavior: MapViewOfSection (4 IoCs)
pid    process
3484   JRWeb.exe
1608   more.com
5044   JRWeb.exe
4364   more.com

The same injector/host pairs as in the SetThreadContext table: the payload section is mapped into more.com with NtMapViewOfSection before the thread context is rewritten, which is why both signatures fire on each pair.
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (20 IoCs)
pid    process      entries
2388   chrome.exe   20
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description                        pid    process
Token: SeDebugPrivilege            4696   taskmgr.exe
Token: SeSystemProfilePrivilege    4696   taskmgr.exe
Token: SeCreateGlobalPrivilege     4696   taskmgr.exe
Token: SeRestorePrivilege          4952   7zFM.exe
Token: 35                          4952   7zFM.exe
Token: SeSecurityPrivilege         4952   7zFM.exe   (3 entries)
Token: SeShutdownPrivilege         2388   chrome.exe (alternating with the next row for all remaining entries)
Token: SeCreatePagefilePrivilege   2388   chrome.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
pid    process       entries
4696   taskmgr.exe   64

Suspicious use of SendNotifyMessage (64 IoCs)
pid    process       entries
4696   taskmgr.exe   64
Suspicious use of SetWindowsHookEx (64 IoCs)
pid    process        entries
4188   VIDA.au3       2
4504   OpenWith.exe   repeated
3816   OpenWith.exe   repeated
4232   OpenWith.exe   repeated
4912   OpenWith.exe   repeated
Suspicious use of WriteProcessMemory (64 IoCs; repeated entries collapsed)
description                         pid    process        target process
PID 4812 wrote to memory of 2992    4812   Setup.exe      JRWeb.exe
PID 2992 wrote to memory of 3484    2992   JRWeb.exe      JRWeb.exe
PID 3484 wrote to memory of 1608    3484   JRWeb.exe      more.com
PID 1608 wrote to memory of 4188    1608   more.com       VIDA.au3
PID 4188 wrote to memory of 2976    4188   VIDA.au3       cmd.exe
PID 2976 wrote to memory of 2428    2976   cmd.exe        timeout.exe
PID 4504 wrote to memory of 2720    4504   OpenWith.exe   NOTEPAD.EXE
PID 3816 wrote to memory of 3640    3816   OpenWith.exe   NOTEPAD.EXE
PID 4232 wrote to memory of 2728    4232   OpenWith.exe   NOTEPAD.EXE
PID 2388 wrote to memory of 4832    2388   chrome.exe     chrome.exe
PID 2388 wrote to memory of 3580    2388   chrome.exe     chrome.exe
PID 2388 wrote to memory of 4772    2388   chrome.exe     chrome.exe
PID 2388 wrote to memory of 1988    2388   chrome.exe     chrome.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  PID 4812
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\nodealt\JRWeb.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\nodealt\JRWeb.exe
    PID 2992
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\nodealt\JRWeb.exe
      cmdline: C:\Users\Admin\AppData\Roaming\nodealt\JRWeb.exe
      PID 3484
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\more.com
        cmdline: C:\Windows\SysWOW64\more.com
        PID 1608
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\VIDA.au3
          cmdline: C:\Users\Admin\AppData\Local\Temp\VIDA.au3
          PID 4188
          - Checks computer location settings
          - Loads dropped DLL
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\cmd.exe
            cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FIIEHJDBKJKE" & exit
            PID 2976
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\timeout.exe
              cmdline: timeout /t 10
              PID 2428
              - Delays execution with timeout.exe

Reading the chain: Setup.exe drops JRWeb.exe to Temp\nodealt, which re-launches a copy of itself from AppData\Roaming\nodealt (a persistence location). That copy starts SysWOW64\more.com and hollows it (SetThreadContext + MapViewOfSection), and the hollowed more.com executes VIDA.au3, the process whose memory matches the Vidar YARA rule. Despite the .au3 extension VIDA.au3 runs as a PE: it is executed directly, loads a dropped DLL, and 7-Zip later lists PE sections such as ".text" when opening it. The final cmd.exe line is the stealer's self-cleanup: it waits ten seconds and recursively deletes its working directory C:\ProgramData\FIIEHJDBKJKE (the random-looking uppercase folder name is where the harvested data was staged), so that folder must be captured before the timeout expires if the run is being inspected live.
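The hand-off chain above (dropped JRWeb.exe -> SetThreadContext/MapViewOfSection into SysWOW64\more.com -> VIDA.au3 -> cmd.exe timeout/rd cleanup) can be reconstructed mechanically from the signature tables, which is useful when the tree view is unavailable or, as here, when a second chain (PIDs 5044 -> 4364) shows up only in the tables. The following Python is an added example, not part of the sandbox report or of any vendor tooling: it parses event lines written in the report's own phrasing (constructed here from the PIDs above, repeats collapsed), rebuilds parent/child relations, flags thread-context writes into Windows system binaries, and recognises the self-cleanup command line. The SYSTEM_HOSTS set and the "first writer is the parent" heuristic are assumptions made for this example.

```python
"""Added example: rebuild the injection chain from the report's signature tables.

Lines in EVENTS are constructed from the 'Suspicious use of SetThreadContext'
and 'Suspicious use of WriteProcessMemory' tables, in the sandbox's own
phrasing, with repeated entries collapsed."""
import re

EVENTS = """
PID 4812 wrote to memory of 2992 4812 Setup.exe JRWeb.exe
PID 2992 wrote to memory of 3484 2992 JRWeb.exe JRWeb.exe
PID 3484 set thread context of 1608 3484 JRWeb.exe more.com
PID 3484 wrote to memory of 1608 3484 JRWeb.exe more.com
PID 1608 wrote to memory of 4188 1608 more.com VIDA.au3
PID 4188 wrote to memory of 2976 4188 VIDA.au3 cmd.exe
PID 2976 wrote to memory of 2428 2976 cmd.exe timeout.exe
PID 5044 set thread context of 4364 5044 JRWeb.exe more.com
PID 4504 wrote to memory of 2720 4504 OpenWith.exe NOTEPAD.EXE
"""

# "PID <src> <verb> <dst> <src> <src image> <dst image>"; \1 re-matches the source PID.
EVENT_RE = re.compile(
    r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \1 (\S+) (\S+)$")

# Signed Windows binaries commonly started suspended and overwritten by loaders.
# An assumption for this example; extend it from your own telemetry.
SYSTEM_HOSTS = {"more.com", "explorer.exe", "svchost.exe", "regasm.exe",
                "regsvcs.exe", "msbuild.exe"}

# Vidar-style tear-down: wait, then recursively delete the ProgramData working dir.
CLEANUP_RE = re.compile(
    r'timeout\s+/t\s+\d+.*\brd\s+/s\s+/q\s+"?(C:\\ProgramData\\[A-Z0-9]{8,})', re.I)


def parse_events(text):
    """Turn report lines into dicts; lines that do not match are ignored."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            src, verb, dst, src_img, dst_img = m.groups()
            events.append({"src": int(src), "dst": int(dst), "verb": verb,
                           "src_img": src_img, "dst_img": dst_img})
    return events


def build_tree(events):
    """The first process that writes into a PID is taken as its parent: the
    sandbox records the parent's CreateProcess-time writes under this signature."""
    parent, image = {}, {}
    for e in events:
        image.setdefault(e["src"], e["src_img"])
        image.setdefault(e["dst"], e["dst_img"])
        if e["verb"] == "wrote to memory of" and e["src"] != e["dst"]:
            parent.setdefault(e["dst"], e["src"])
    return parent, image


def chain_to(pid, parent, image):
    """Ancestry of pid rendered root-first, e.g. 'Setup.exe(4812) -> ...'."""
    path, seen = [], set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        path.append(f"{image.get(pid, '?')}({pid})")
        pid = parent.get(pid)
    return " -> ".join(reversed(path))


def find_hollowing(events):
    """Thread-context writes into a system host are the hollowing hand-off.
    Each hit carries the host's ancestry and what the host went on to start
    (the real payload); hosts without a recorded parent still get reported."""
    parent, image = build_tree(events)
    hits = []
    for e in events:
        if e["verb"] != "set thread context of":
            continue
        if e["dst_img"].lower() not in SYSTEM_HOSTS:
            continue
        spawned = [f"{image[c]}({c})" for c, p in parent.items() if p == e["dst"]]
        hits.append({"injector": e["src"], "host": e["dst"],
                     "chain": chain_to(e["dst"], parent, image),
                     "spawned": spawned})
    return hits


def self_cleanup_dir(cmdline):
    """Return the directory a 'timeout ... & rd /s /q' line deletes, else None."""
    m = CLEANUP_RE.search(cmdline)
    return m.group(1) if m else None


if __name__ == "__main__":
    for hit in find_hollowing(parse_events(EVENTS)):
        print(hit)
    print(self_cleanup_dir(r'"C:\Windows\system32\cmd.exe" /c timeout /t 10'
                           r' & rd /s /q "C:\ProgramData\FIIEHJDBKJKE" & exit'))
```

Run as-is it reports two hits: the full Setup.exe -> JRWeb.exe -> JRWeb.exe -> more.com chain with VIDA.au3 as the process the hollowed host started, and the second injector/host pair (5044 -> 4364) whose ancestry the tables do not record. The same two checks map directly onto EDR telemetry: a SetThreadContext (or NtSetContextThread) from a non-Microsoft image into a child in System32/SysWOW64, and a cmd.exe line that pairs timeout with rd /s /q on a ProgramData directory.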
The processes below are separate top-level trees started during the run (Task Manager, a shell COM server, 7-Zip File Manager opening VIDA.au3, Notepad via Open With on files extracted by 7-Zip, and the Chrome session that follows). None of them is a child of Setup.exe; the signatures they trigger (SCSI key reads, registry class changes, AdjustPrivilegeToken, SetWindowsHookEx, the "ransom note" heuristic) should not be attributed to the sample.

C:\Windows\system32\taskmgr.exe
  cmdline: "C:\Windows\system32\taskmgr.exe" /4
  PID 4696
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\System32\rundll32.exe
  cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID 1560

C:\Program Files\7-Zip\7zFM.exe
  cmdline: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\VIDA.au3"
  PID 4952
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\OpenWith.exe
  cmdline: C:\Windows\system32\OpenWith.exe -Embedding
  PID 4504
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\NOTEPAD.EXE
    cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO853C9C29\1000
    PID 2720

C:\Windows\system32\OpenWith.exe
  cmdline: C:\Windows\system32\OpenWith.exe -Embedding
  PID 3816
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\NOTEPAD.EXE
    cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO85363799\166
    PID 3640

C:\Windows\system32\OpenWith.exe
  cmdline: C:\Windows\system32\OpenWith.exe -Embedding
  PID 4232
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\NOTEPAD.EXE
    cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO853C3A4A\.text
    PID 2728
C:\Program Files\Google\Chrome\Application\chrome.exe
  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  PID 2388
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  chrome.exe (crashpad-handler), PID 4832
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffd4c4ab58,0x7fffd4c4ab68,0x7fffd4c4ab78

  chrome.exe (gpu-process), PID 3580
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1932,i,17058151714064643761,1318385114835449948,131072 /prefetch:2

  chrome.exe (utility: network.mojom.NetworkService), PID 4772
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1932,i,17058151714064643761,1318385114835449948,131072 /prefetch:8

  chrome.exe (utility: storage.mojom.StorageService), PID 1988
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2304 --field-trial-handle=1932,i,17058151714064643761,1318385114835449948,131072 /prefetch:8

  chrome.exe (renderer, first renderer process, client id 6), PID 988
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2884 --field-trial-handle=1932,i,17058151714064643761,1318385114835449948,131072 /prefetch:1

  chrome.exe (renderer, client id 5), PID 2152
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2908 --field-trial-handle=1932,i,17058151714064643761,1318385114835449948,131072 /prefetch:1

  chrome.exe (renderer, client id 7), PID 2936
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4392 --field-trial-handle=1932,i,17058151714064643761,1318385114835449948,131072 /prefetch:1

  chrome.exe (utility: data_decoder.mojom.DataDecoderService), PID 4916
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4528 --field-trial-handle=1932,i,17058151714064643761,1318385114835449948,131072 /prefetch:8

  chrome.exe (utility: data_decoder.mojom.DataDecoderService), PID 3396
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4672 --field-trial-handle=1932,i,17058151714064643761,1318385114835449948,131072 /prefetch:8

  chrome.exe (utility: chrome.mojom.ProcessorMetrics), PID 3792
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 --field-trial-handle=1932,i,17058151714064643761,1318385114835449948,131072 /prefetch:8

  chrome.exe (utility: data_decoder.mojom.DataDecoderService), PID 3920
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4844 --field-trial-handle=1932,i,17058151714064643761,1318385114835449948,131072 /prefetch:8

  chrome.exe (utility: chrome.mojom.UtilWin), PID 3964
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 --field-trial-handle=1932,i,17058151714064643761,1318385114835449948,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe, PID 3180
    cmdline: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level

    setup.exe (crashpad-handler), PID 1756
      cmdline: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff68513ae48,0x7ff68513ae58,0x7ff68513ae68

  chrome.exe (renderer, client id 13), PID 4516
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4516 --field-trial-handle=1932,i,17058151714064643761,1318385114835449948,131072 /prefetch:1

  chrome.exe (renderer, client id 14), PID 1528
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4844 --field-trial-handle=1932,i,17058151714064643761,1318385114835449948,131072 /prefetch:1

  chrome.exe (renderer, client id 15), PID 4928
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3600 --field-trial-handle=1932,i,17058151714064643761,1318385114835449948,131072 /prefetch:1

  chrome.exe (renderer, client id 16), PID 5032
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3588 --field-trial-handle=1932,i,17058151714064643761,1318385114835449948,131072 /prefetch:1

  chrome.exe (renderer, client id 17), PID 1896
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5148 --field-trial-handle=1932,i,17058151714064643761,1318385114835449948,131072 /prefetch:1

  chrome.exe (renderer, client id 18), PID 1684
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5260 --field-trial-handle=1932,i,17058151714064643761,1318385114835449948,131072 /prefetch:1

  chrome.exe (renderer, client id 19), PID 788
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5308 --field-trial-handle=1932,i,17058151714064643761,1318385114835449948,131072 /prefetch:1

  chrome.exe (renderer, client id 20), PID 2488
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5444 --field-trial-handle=1932,i,17058151714064643761,1318385114835449948,131072 /prefetch:1

  chrome.exe (renderer, client id 21), PID 4476
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5496 --field-trial-handle=1932,i,17058151714064643761,1318385114835449948,131072 /prefetch:1

  chrome.exe (renderer, client id 22), PID 4596
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5504 --field-trial-handle=1932,i,17058151714064643761,1318385114835449948,131072 /prefetch:1

  chrome.exe (renderer, client id 23), PID 1136
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5520 --field-trial-handle=1932,i,17058151714064643761,1318385114835449948,131072 /prefetch:1

  chrome.exe (renderer, client id 24), PID 4708
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=6060 --field-trial-handle=1932,i,17058151714064643761,1318385114835449948,131072 /prefetch:1

  chrome.exe (renderer, client id 25), PID 1160
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=5796 --field-trial-handle=1932,i,17058151714064643761,1318385114835449948,131072 /prefetch:1

  chrome.exe (utility: chrome.mojom.UtilWin), PID 1020
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6596 --field-trial-handle=1932,i,17058151714064643761,1318385114835449948,131072 /prefetch:8

  chrome.exe (renderer, client id 27), PID 5568
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5576 --field-trial-handle=1932,i,17058151714064643761,1318385114835449948,131072 /prefetch:1
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=6032 --field-trial-handle=1932,i,17058151714064643761,1318385114835449948,131072 /prefetch:12⤵PID:5808
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=5312 --field-trial-handle=1932,i,17058151714064643761,1318385114835449948,131072 /prefetch:12⤵PID:6092
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=4680 --field-trial-handle=1932,i,17058151714064643761,1318385114835449948,131072 /prefetch:12⤵PID:6128
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3620 --field-trial-handle=1932,i,17058151714064643761,1318385114835449948,131072 /prefetch:82⤵PID:5196
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5388 --field-trial-handle=1932,i,17058151714064643761,1318385114835449948,131072 /prefetch:82⤵PID:5200
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵PID:3820
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"1⤵
- Checks whether UAC is enabled
PID:2300 -
C:\Users\Admin\AppData\Local\Temp\nodealt\JRWeb.exeC:\Users\Admin\AppData\Local\Temp\nodealt\JRWeb.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5880 -
C:\Users\Admin\AppData\Roaming\nodealt\JRWeb.exeC:\Users\Admin\AppData\Roaming\nodealt\JRWeb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:5044 -
C:\Windows\SysWOW64\more.comC:\Windows\SysWOW64\more.com4⤵
- Suspicious behavior: MapViewOfSection
PID:4364 -
C:\Users\Admin\AppData\Local\Temp\VIDA.au3C:\Users\Admin\AppData\Local\Temp\VIDA.au35⤵
- Loads dropped DLL
- Checks processor information in registry
PID:536
-
-
-
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4912 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\3777294602\payload.dat2⤵
- Opens file in notepad (likely ransom note)
PID:3604
-
Network
MITRE ATT&CK Enterprise v15
Downloads