Analysis
-
max time kernel
211s -
max time network
215s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
16-10-2024 14:14
Errors
General
-
Target
https://idmcrack.co/
Malware Config
Extracted
vidar
11.1
3b2656dcd01356a64d8b2ad0b1c7ac79
http://168.119.104.177:80
https://steamcommunity.com/profiles/76561199786602107
https://t.me/lpnjoke
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Signatures
-
Detect Vidar Stealer 11 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 11 IoCs
-
Loads dropped DLL 2 IoCs
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 11 IoCs
-
Enumerates processes with tasklist 1 TTPs 12 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks processor information in registry 2 TTPs 16 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 2 IoCs
-
NTFS ADS 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 20 IoCs
-
Suspicious use of SetWindowsHookEx 16 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://idmcrack.co/"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://idmcrack.co/2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {503ee68e-fa4f-49b3-8c6b-a90f9ea131cf} 2712 "\\.\pipe\gecko-crash-server-pipe.2712" gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2488 -parentBuildID 20240401114208 -prefsHandle 2480 -prefMapHandle 2476 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20b7b6f3-6509-46db-a501-3739484da337} 2712 "\\.\pipe\gecko-crash-server-pipe.2712" socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1672 -childID 1 -isForBrowser -prefsHandle 1648 -prefMapHandle 3356 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9d6b5ec-4851-4e42-9b91-104223198482} 2712 "\\.\pipe\gecko-crash-server-pipe.2712" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3668 -childID 2 -isForBrowser -prefsHandle 3644 -prefMapHandle 3648 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ee0d345-ab33-4b6d-a510-4b29ea6cf616} 2712 "\\.\pipe\gecko-crash-server-pipe.2712" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4420 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4424 -prefMapHandle 4416 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3fdaef6f-32de-4ccb-bd77-f54a464227cd} 2712 "\\.\pipe\gecko-crash-server-pipe.2712" utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5396 -childID 3 -isForBrowser -prefsHandle 5388 -prefMapHandle 5368 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {09407e5f-ceb3-4632-8498-94c5be8641ea} 2712 "\\.\pipe\gecko-crash-server-pipe.2712" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5556 -childID 4 -isForBrowser -prefsHandle 5516 -prefMapHandle 5084 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05715131-1c19-4c26-be6a-f5f1de14117f} 2712 "\\.\pipe\gecko-crash-server-pipe.2712" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5732 -childID 5 -isForBrowser -prefsHandle 5740 -prefMapHandle 5744 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f3a1310-992d-46da-858c-841150d5d9a6} 2712 "\\.\pipe\gecko-crash-server-pipe.2712" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2960 -childID 6 -isForBrowser -prefsHandle 3628 -prefMapHandle 3624 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4c571f5-df01-41d1-bb03-42f4764d3913} 2712 "\\.\pipe\gecko-crash-server-pipe.2712" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5572 -childID 7 -isForBrowser -prefsHandle 5996 -prefMapHandle 5992 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df1e4140-8d59-4189-a129-8b7f84baa8b3} 2712 "\\.\pipe\gecko-crash-server-pipe.2712" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6320 -childID 8 -isForBrowser -prefsHandle 5328 -prefMapHandle 2716 -prefsLen 29604 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4158dbfe-f9f1-48ed-8b7d-d182653f0e3f} 2712 "\\.\pipe\gecko-crash-server-pipe.2712" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5504 -childID 9 -isForBrowser -prefsHandle 6632 -prefMapHandle 6648 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1332 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83c0e124-3332-4c06-95e4-b5716dcc2d46} 2712 "\\.\pipe\gecko-crash-server-pipe.2712" tab3⤵
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\#!!Se-tUp_2244_Pas$WordsS!\" -spe -an -ai#7zMap12377:114:7zEvent162901⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\#!!Se-tUp_2244_Pas$WordsS!\@!!Se-tUp_2244_PassW0rDSS!\" -spe -an -ai#7zMap29001:168:7zEvent238881⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\#!!Se-tUp_2244_Pas$WordsS!\@!!Se-tUp_2244_PassW0rDSS!\Setup.exe"C:\Users\Admin\Downloads\#!!Se-tUp_2244_Pas$WordsS!\@!!Se-tUp_2244_PassW0rDSS!\Setup.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\is-R5KGQ.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-R5KGQ.tmp\Setup.tmp" /SL5="$901C2,1809912,795136,C:\Users\Admin\Downloads\#!!Se-tUp_2244_Pas$WordsS!\@!!Se-tUp_2244_PassW0rDSS!\Setup.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Downloads\#!!Se-tUp_2244_Pas$WordsS!\@!!Se-tUp_2244_PassW0rDSS!\Setup.exe"C:\Users\Admin\Downloads\#!!Se-tUp_2244_Pas$WordsS!\@!!Se-tUp_2244_PassW0rDSS!\Setup.exe" /VERYSILENT3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\is-6L2OC.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-6L2OC.tmp\Setup.tmp" /SL5="$D02DC,1809912,795136,C:\Users\Admin\Downloads\#!!Se-tUp_2244_Pas$WordsS!\@!!Se-tUp_2244_PassW0rDSS!\Setup.exe" /VERYSILENT4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"5⤵
-
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\find.exefind /I "wrsa.exe"6⤵
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"5⤵
-
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\find.exefind /I "opssvc.exe"6⤵
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"5⤵
-
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\find.exefind /I "avastui.exe"6⤵
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"5⤵
-
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\find.exefind /I "avgui.exe"6⤵
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"5⤵
-
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\find.exefind /I "nswscsvc.exe"6⤵
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"5⤵
-
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\find.exefind /I "sophoshealth.exe"6⤵
-
-
-
C:\Users\Admin\AppData\Local\micropegmatite\file.exe"C:\Users\Admin\AppData\Local\micropegmatite\\file.exe" "C:\Users\Admin\AppData\Local\micropegmatite\\fatiscent1.a3x"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\#!!Se-tUp_2244_Pas$WordsS!\@!!Se-tUp_2244_PassW0rDSS!\PassCode.txt1⤵
-
C:\Users\Admin\Downloads\#!!Se-tUp_2244_Pas$WordsS!\@!!Se-tUp_2244_PassW0rDSS!\Setup.exe"C:\Users\Admin\Downloads\#!!Se-tUp_2244_Pas$WordsS!\@!!Se-tUp_2244_PassW0rDSS!\Setup.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\is-GIBH9.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-GIBH9.tmp\Setup.tmp" /SL5="$110206,1809912,795136,C:\Users\Admin\Downloads\#!!Se-tUp_2244_Pas$WordsS!\@!!Se-tUp_2244_PassW0rDSS!\Setup.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Downloads\#!!Se-tUp_2244_Pas$WordsS!\@!!Se-tUp_2244_PassW0rDSS!\Setup.exe"C:\Users\Admin\Downloads\#!!Se-tUp_2244_Pas$WordsS!\@!!Se-tUp_2244_PassW0rDSS!\Setup.exe" /VERYSILENT3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\is-TIVN0.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-TIVN0.tmp\Setup.tmp" /SL5="$120206,1809912,795136,C:\Users\Admin\Downloads\#!!Se-tUp_2244_Pas$WordsS!\@!!Se-tUp_2244_PassW0rDSS!\Setup.exe" /VERYSILENT4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"5⤵
-
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\find.exefind /I "wrsa.exe"6⤵
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"5⤵
-
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\find.exefind /I "opssvc.exe"6⤵
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"5⤵
-
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\find.exefind /I "avastui.exe"6⤵
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"5⤵
-
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\find.exefind /I "avgui.exe"6⤵
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"5⤵
-
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\find.exefind /I "nswscsvc.exe"6⤵
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"5⤵
-
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\find.exefind /I "sophoshealth.exe"6⤵
-
-
-
C:\Users\Admin\AppData\Local\micropegmatite\file.exe"C:\Users\Admin\AppData\Local\micropegmatite\\file.exe" "C:\Users\Admin\AppData\Local\micropegmatite\\fatiscent1.a3x"5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && file.exe C:\ProgramData\\1Z7DhPiJ.a3x && del C:\ProgramData\\1Z7DhPiJ.a3x6⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\SysWOW64\PING.EXEping -n 5 127.0.0.17⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\micropegmatite\file.exefile.exe C:\ProgramData\\1Z7DhPiJ.a3x7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe8⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe8⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\IIDHJDGCGDAA" & exit9⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\timeout.exetimeout /t 1010⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\#!!Se-tUp_2244_Pas$WordsS!\Key.png" /ForceBootstrapPaint3D1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc1⤵
- Drops file in System32 directory
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa38f0055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Discovery
Browser Information Discovery
1Process Discovery
1Query Registry
4Remote System Discovery
1System Information Discovery
3System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
19KB
MD50b62e4f38f7fe1b3a4606975dbea9665
SHA1b00389d552ea91f3df3f10dfbd5f0731a4a09700
SHA256ef2fd3b4990058199d6e71d32947ca3a573d51fadf5f2b35eeeb6ac224147a51
SHA5128e4f283fd854f3a14669eaf6199c11ce77bbe3014cee8577f7230bb21452f9693346b79682191f9f0ed67dc1a5e7dee318c207473facf9b81c5210fc5a84130f
-
Filesize
3.1MB
MD582455d588415b850159fb5a4bd60ae58
SHA14d54a9ba74c3f39037b95fe18d45a9a4994a1c56
SHA25629d8a9250a3ec59c08d84dbba027b472878148857affe949c5f879bfb1a0dbe7
SHA512059165a7299942b11f48f15dd7409d55d5d81d7accc2b9a2a0ebe78e585a22f7d1a04372ffb71e9db6148b0619a8dccf98cf3ffa12d8fab7e019aa3406d982ac
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
556KB
MD5b289eb4f7367fbf55036362bb9d041eb
SHA11e2db681eed75930c8e421f8dabf4199061db2d0
SHA256405e01f52e6cb445d2bc1df1191cf767ee5e4f7c5ecdce10ba8dd9d7ab89c157
SHA51204f44f8556986af331c308342621741240e3c12ba26dd1428efaba4aebd79ecc3fd1607f12855f704cf10881eeb90f2e99acbc570be53f5c9d58c81e072618b4
-
Filesize
61KB
MD5311305da8432836b0f533123f3e0d4fe
SHA1f262cb8059c0fb771ed58bac5fb76239e4da6919
SHA256b6ff2f94a90a7e8a6922f53ffed379a9a738e438e2b53718aefa860993843b67
SHA5122a639ee658ccea7d0015950586a2c2794b352d50c5bc6ee3b576ada08e883276a466e24ea6767c132a53f2eb25070305d8fff34bac4c8e3a4d8086ca6f65e710
-
Filesize
921KB
MD53f58a517f1f4796225137e7659ad2adb
SHA1e264ba0e9987b0ad0812e5dd4dd3075531cfe269
SHA2561da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48
SHA512acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634
-
Filesize
6KB
MD5762d3648a0a96e6c196ad8b2079bab69
SHA1cb66d0488efba1a2b4bccdd5b94cf334b7fc8238
SHA256f3645b40ba93a5ecc1ba05f66bb6267858929fd7b9107a9babeda538dca8e3a2
SHA512766e7ff3fe2f6e20311bbdd47dfcaeb20363096ff933ab01792aed1dd24fb86d8ff7d3a43b411b807e8f7367973c30cab57b9a500c85e95a23b5ee396fb36990
-
Filesize
3.2MB
MD54e4b097ca2e9788a40e87b56dd44808f
SHA15a3f7973f552295a78867c6a795c834812038962
SHA2561de025e10aecbac7bd9a38c18b8e7cbe62398cca09825773cf3a6588f30275e6
SHA5126ec80dd8635a9b1daa2d263f1bf0d55394382f307822a668cd5e08621683e5c3fbf5f8f2a55534844056af712deb0b279813ebd4eceddf871331b80d85834654
-
Filesize
8KB
MD5a5bad48736c00185fe8993d8f8e8c8ac
SHA13df497303b7de9f7b111de41e38b4c81b9449b93
SHA25603c0f2407c9923559a541cd02e69f422d83b184871d91a2fdc95637d5f4b8c40
SHA512842474ce2737724ea211341e4ce7223ded33e62cdd378373ae4361e87b90bc6711142a452f19d954be96c7b892e0423b0d51d888c9990a82881ff4b410666582
-
Filesize
18KB
MD5f6e4de562aa03dc26d92a86847e72a0d
SHA19ce3cc2b63d4b0b2ed1ab60184e4223951f272cb
SHA25677e45645ca9f072ad55755af1aed0581e4e9f7b95d51a704bd4e601ae8bc030e
SHA512f73ec06f515d5184dfe1abc48826dab936d8aeb06b1d8dca07ef90bf94c9ffe581664a76d5b3404b3c72c261e1c7fe6b60b4f125787543cc0f31366afce1db2e
-
Filesize
512KB
MD57e12d73d119bd4bf236e67cba1273598
SHA122862c9ee6b5a52294d9c2718124f366f7a4e200
SHA25696bd57c8123f2fa1aefa5156a3b8a10f23b4d06ceba6d33bba8ff978d27e7795
SHA512a87825658a6687990ac5c158dbff2a1b507e23e88503cb905fc483501688f38f26b918411dc6f9fbbbb125ae5df1e537b6bc56a33331a61f0e9d15439de75f66
-
Filesize
5KB
MD5f6a4467403457580e8c91c00dee8f4ea
SHA1af09a4b5142a6ff53e9d92b60774c5e9e0882a9a
SHA2569847f883eaa72bf4c58c59f75c8c62989a03408e9bbd07ab687500785762f5ad
SHA512a9c5ea8bb2e0ddc030a799a894f246564d9beb2c117dd3e61fdd64bce93a9f832dd23f20983ed5c4b72021b1f802157a931eda6f04dc768097df079871185d63
-
Filesize
6KB
MD582f71c5d98eb6120afd10f334b504198
SHA10b38f1c576a7669a2cbd130b111580b7392a4725
SHA25637b05700b968317854a5023ddc49d80a6e4991816ea3764707dca051749f579e
SHA512e3eadcc70b3268b2e4d331f2327941136130540d53d5bdf9527c0dca7f451851c6a1d6e56e581d4c3171f9607750e25e2415d18a69722a6d53edc4aae2282911
-
Filesize
6KB
MD5814ad1405c5a539139b6a17314efe413
SHA15d9bd1c3f6a5e1db56fa6ffc2280e293686eeabb
SHA256d4dcd3f45a234fc612f50033aff781b1b2566d7d771b144f7261a712784bcd63
SHA512b37faf46c44641f80cfa8e8b98bff25da5b329da1ebdabe15e737bd5b04dad22a8beba927a4e2971af793fbcc1af777e930cc8c3c96a50a8438623b862911364
-
Filesize
21KB
MD50fe995ee7ba5e3fb508206a04462fb45
SHA113ede464a5e4aae2d1f1d00d2c2132cc9d97afa7
SHA256a8f794effe2d7a3855bdd0a3359004ddb656918f855c664927b863509257b7e7
SHA512ef3a496025e34fc6c4777f69307346536fafe22ce58ad2b52178f0839583d250ed2a607f0bb73d98c351c8ee999de8c397a7c7f28448ccf66d1df6c688e37085
-
Filesize
26KB
MD570fbd613c879c5778f27d18b433b6446
SHA19e390ec723e6a34588c9d87eccf73b43234775fd
SHA256519c91f1eba91952ddfc6e878aa7a7c31114712808724862066bb9ea279d5fe1
SHA51260097e6af07fe7cde6c6019ab3584dd0844c6df59877902723cba78629502fa594c15c08244d77ef5d1db081af33d1ff6a1ec6a2b0001e93e7f3e120c3ee8a5f
-
Filesize
671B
MD5eb3c4628147ddf96ab0af27cb9926a47
SHA12285db76bb1ef8d331b282d056cdec5d603ddc4d
SHA25636c559c2d1b391f8f1a39a3d82b6663e1e3415589ce45e4c0a7e7cf5aeaada42
SHA5128a270b31d22509dc0484b2b7675297bbe18e1a66203294100eebec336adb5d5dae29f278081110cccb4ce29feba11aa381f68c2ae67e206eb4b0e959b2292cca
-
Filesize
982B
MD545d1dc46bba4d568f0d1bdd9e4eedd30
SHA190c6286eef1c01e15e22b6df0ddd351fda1753a6
SHA2569e20dad4574c61acc417592d9a345c14af79e1b6b989f889609d1f0ca347125e
SHA5125fafd0006b325b477749c22adb6e1ded282c39e57e13ff03d8ca8ad955958219ec583be58e3f24b8986d7f57e4e589599394d47da5fb9153596f4f1b3be220b4
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
11KB
MD58d1ba36357090ec391f0bf81f9dfb889
SHA14ba90c72a3a0e836a963bb62397b6d425ad3759f
SHA2567e390e838c6464925cc2884d919e93adfec1a28288b56aefaeaadb35abdfff7d
SHA512de2de3727578ced4d008fe677c78955f9cc937be605715b6d5748c516d319ea8d37aca173b85324df9dd506440f7487f5af1ddc22fe7679869e316c7bc5f7d4e
-
Filesize
12KB
MD54ed9f3733450a5589ffca9558594f4c1
SHA129e84dd0aacb1d17885a006b7a3f314b8072d2d0
SHA2563cb9127b4c7bd02da4056611e6fbe6168c46b65c32be2f6144382d31a65334c2
SHA512d094759669e13251be8e6428bac169450c38fc6c26c5ac38dde7bc0d6aec66470b64b32eed06e4169a69df96d0e58d15d8306e86e48e80b5372b66e5e1007c89
-
Filesize
11KB
MD5b9e4c4be6ed9e3c83ea426033ce65068
SHA1d339e92e028977dd005569cbbb5f72aeaa1d641a
SHA2567aa4df04b5f55a7e81c0de0b3c2c66fe4bef9465ab297bbf4dd45fbcdeb8e7b4
SHA51203d0404ca16c070efa180b52a0e75e04c6cf819a7314da87c583594958c9c35ac51eb91b57ac42cfcad2c005eb60a4cc87894b72f909e7dfde48a9e7d312ba07
-
Filesize
11KB
MD5c6cd261f18c2f766b42811e1b11c5262
SHA11396757e6f125a30ece82b841e32ef84322a83c8
SHA256e4dc795543d55c785ecf6b3579822ecdfcf21ebb18f9cac365f120e814f93095
SHA512ce15e6b70ba2caec7275cf038d63bb224266936217735b153d58a863d920a1ebae8f2d6bebbc048c2d84153915caa55784b2f9b039ba2b6b2d645a580eb6feab
-
Filesize
288B
MD56b77a9f779399e95d1cee931a2c8f8ff
SHA1826efd4feb0d50fcce5696111af7c811b81adcd9
SHA2563a0285c8233ef0324b269f7291094e19fd9b77259f9419861ad796f7e9c979f3
SHA512ef537c75fab8e86483ac03cc0d2feaf41575e35f54b95669a26bf6dfbf58021dc9a5bbe54d9537b55da3fbb0e0262adf6c5efd4394faaec81a31604533afec4f
-
Filesize
5KB
MD52d3315ea1c550f3edd406b184f2bfbff
SHA12bcc7ace8a4231401482f35610680196481a40a5
SHA256c848d7357fcde88ea1b7bfbfcac39d0641d72855f00b637456b59aac5671ad32
SHA512f178ef28c719607cb8856fbc58c133ffcf0034a7926c996734a26577fe335095ee0e5ea46bc946054454f03d1309084054868adb7245fb9b5763321a9ae108ac
-
Filesize
11KB
MD50cadd98e1d8145c504e8046321a3c245
SHA1f69567a27fdc0c910b31fecb0a344362b7df276d
SHA2568950f43162e916636bc92599d1006a7a66fe8b51ea2d5da43429c1f976a0a5f9
SHA51274fcd93dd1d301f9b73c36d4714537cf937a8cc86d053dc11a4f45e6859fded0aa085b37ceb1cb33d040b48acf5ff2a786428148f7941975ba2858b7483a6a77
-
Filesize
7KB
MD590e4a0fc5d9ec60158b2040c1887e7d9
SHA1f76f848c10c70d2b3f3b91d49aca5a5b146e2171
SHA256ca812c57375272194dbafa81e36fc94eed4a58d88e10113b507745701d211715
SHA5127948bbbffd06dfb5fb2e8b44b08f0722ac8bec3408951ca445d1ae899fc531938d4194ebf4c6bfaa0c551d79766c9038077ff6760f974667772368d11e7788ed
-
Filesize
31.6MB
MD5f4f88594945ea7ddf91f5f8c0990e646
SHA1336af3820b2a3e546b7af0b324ca66f5ee4d0788
SHA2567443da9e16f6f12c19e93df8b91e1e37466d4e5dd84c41631959b53270223f61
SHA512cf2ea4b0dc85c9a76c43816443c2d099126f099ecd7c1e5bc0521fab6f8a8cc45047b2ce3112aaf95d3030ef4c8daaa8fc14976bf3e1ee751c29ad9d3e8b04be
-
Filesize
31.4MB
MD5d9afb0714311248038f00eb64900676d
SHA18981de8b709e762fb573c976af00b35bbb028742
SHA256dc4568b50e3674febf57a13b67ace20bffeaee4e7a0dd1e3e95a272c6eb1c32b
SHA5129585bbe3f0159449d04146363249846f06c428e178a4b34a3967c71256107c7b45f34e8774055f2d31812300b96382b9b73aa6447807d003ce5ec35d59aff202
-
Filesize
2.6MB
MD5b58b905323ee060cf353276b89e94955
SHA146742736ff7ef1fb35e59a3d283cde5ba531bf65
SHA256eadfa17e9ad005f8c54c490f0a13e2fd43cb4ccac8763ef5548375869e9a6049
SHA512ae987bea9c0bfc8f04c0905acbfc56973e5e3a497920842f2fdc55006ad5ab160dd74e40f792057aa5d48d7d87b04be88c5cd5cf8a91ddef085cd3a04d0b65d2
-
Filesize
7KB
MD5e7b140b81385dcfe2f10bc3a7ab27797
SHA177627d3761b225091924070c0ee0ba6d9a9e97fa
SHA2566991524fb4f77f0b62566d05ab00c08632de14a70c73bc78911485390cf6325a
SHA5126c0eea7d93e065b26a9f5ab58298af9c24c1e1fbafab445ceeedaec681fd99496d797cf75d9165e724afd9ce6c341618585842c9cd687874a417ad1c272cb7b8
-
Filesize
832KB
-
Filesize
832KB
-
Filesize
832KB
-
Filesize
832KB
-
Filesize
832KB
-
Filesize
832KB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.4MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
832KB
-
Filesize
832KB
-
Filesize
3.2MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
3.2MB
