vidar | d213b75523db2e3678178d0cb992aa0a1a6e0b7378578e638160b9bf30d23815

Analysis

max time kernel
95s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

S0FTWARE.zip
Size

152.1MB
MD5

c4e6c468339dec6f0a3129bb418de4e8
SHA1

da45658d7c47c66e825436896cb157294d9c0419
SHA256

d213b75523db2e3678178d0cb992aa0a1a6e0b7378578e638160b9bf30d23815
SHA512

d4a0e2361b879095033d5345b167b134da868ad6cffc7c447cad2844e9d42f7c212d0f1a79dcb523870ef24c20f4c5c39873203319ac7f02d8d498bdbb36653d
SSDEEP

3145728:m1cZZPJb63kzIvNI9Wt2ij4Hv8j9oe2APzKqMbplU0weB/FoEIEQOjYDLxJJ:kAZPJbIkzIVIjij4HeorAPzdMvUd6h3k

Score

10^/10

vidar xmrig 467d1313a0fbcd97b65a6f1d261c288f credential_access discovery evasion execution miner persistence spyware stealer upx

Malware Config

Extracted

Family

vidar

Version

11.1

Botnet

467d1313a0fbcd97b65a6f1d261c288f

https://steamcommunity.com/profiles/76561199786602107

https://t.me/lpnjoke

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Signatures

Detect Vidar Stealer 13 IoCs

stealer

resource	yara_rule
behavioral2/memory/4480-19-0x0000000000400000-0x0000000000D78000-memory.dmp	family_vidar_v7
behavioral2/memory/4480-21-0x0000000000400000-0x0000000000D78000-memory.dmp	family_vidar_v7
behavioral2/memory/4480-28-0x0000000000400000-0x0000000000D78000-memory.dmp	family_vidar_v7
behavioral2/memory/4480-44-0x0000000000400000-0x0000000000D78000-memory.dmp	family_vidar_v7
behavioral2/memory/4480-67-0x0000000000400000-0x0000000000D78000-memory.dmp	family_vidar_v7
behavioral2/memory/4480-91-0x0000000000400000-0x0000000000D78000-memory.dmp	family_vidar_v7
behavioral2/memory/2012-125-0x0000000000400000-0x0000000000D78000-memory.dmp	family_vidar_v7
behavioral2/memory/4480-128-0x0000000000400000-0x0000000000D78000-memory.dmp	family_vidar_v7
behavioral2/memory/2012-136-0x0000000000400000-0x0000000000D78000-memory.dmp	family_vidar_v7
behavioral2/memory/4480-155-0x0000000000400000-0x0000000000D78000-memory.dmp	family_vidar_v7
behavioral2/memory/4480-161-0x0000000000400000-0x0000000000D78000-memory.dmp	family_vidar_v7
behavioral2/memory/2012-165-0x0000000000400000-0x0000000000D78000-memory.dmp	family_vidar_v7
behavioral2/memory/2012-280-0x0000000000400000-0x0000000000D78000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral2/memory/3420-229-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3420-235-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3420-232-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3420-231-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3420-234-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3420-233-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3420-228-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
676	powershell.exe
3124	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 2 IoCs

pid	Process
4480	S0FTWARE.exe
2012	S0FTWARE.exe

Loads dropped DLL 2 IoCs

pid	Process
4480	S0FTWARE.exe
4480	S0FTWARE.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
84	bitbucket.org
85	bitbucket.org
132	pastebin.com
133	pastebin.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
4296	powercfg.exe
4728	powercfg.exe
5096	powercfg.exe
4296	powercfg.exe
2164	powercfg.exe
2156	powercfg.exe
3292	powercfg.exe
3452	powercfg.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3420-223-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3420-229-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3420-235-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3420-232-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3420-231-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3420-234-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3420-233-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3420-226-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3420-227-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3420-225-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3420-228-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3420-222-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1204	sc.exe
1020	sc.exe
3012	sc.exe
972	sc.exe
1352	sc.exe
4444	sc.exe
2956	sc.exe
4408	sc.exe
3364	sc.exe
2848	sc.exe
3924	sc.exe
1932	sc.exe
3884	sc.exe
4828	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1304	2012	WerFault.exe	109

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S0FTWARE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S0FTWARE.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	S0FTWARE.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	S0FTWARE.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4664	timeout.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2348	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1620	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4480	S0FTWARE.exe
4480	S0FTWARE.exe
4480	S0FTWARE.exe
4480	S0FTWARE.exe
4480	S0FTWARE.exe
4480	S0FTWARE.exe
4480	S0FTWARE.exe
4480	S0FTWARE.exe
4480	S0FTWARE.exe
4480	S0FTWARE.exe
2012	S0FTWARE.exe
2012	S0FTWARE.exe
2012	S0FTWARE.exe
2012	S0FTWARE.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1860	7zFM.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	1860	7zFM.exe
Token: 35	1860	7zFM.exe
Token: SeSecurityPrivilege	1860	7zFM.exe
Token: SeSecurityPrivilege	1860	7zFM.exe
Token: SeSecurityPrivilege	1860	7zFM.exe
Token: SeSecurityPrivilege	1860	7zFM.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
1860	7zFM.exe
1860	7zFM.exe
1860	7zFM.exe
1860	7zFM.exe
1860	7zFM.exe
1860	7zFM.exe
1860	7zFM.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 4480	1860	7zFM.exe	104
PID 1860 wrote to memory of 4480	1860	7zFM.exe	104
PID 1860 wrote to memory of 4480	1860	7zFM.exe	104
PID 1860 wrote to memory of 2012	1860	7zFM.exe	109
PID 1860 wrote to memory of 2012	1860	7zFM.exe	109
PID 1860 wrote to memory of 2012	1860	7zFM.exe	109

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S0FTWARE.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Users\Admin\AppData\Local\Temp\7zO4472AB88\S0FTWARE.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4472AB88\S0FTWARE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4480
- - C:\ProgramData\JKJDHDBKEB.exe
    "C:\ProgramData\JKJDHDBKEB.exe"
    3⤵
    PID:1220
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:676
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:3684
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:1304
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:2956
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:4408
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:3924
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:1020
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:1932
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:4296
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:2164
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:2156
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:3292
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineK"
      4⤵
      Launches sc.exe
      PID:3012
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineK" binpath= "C:\ProgramData\GoogleUP\Chrome\Updater.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:3884
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:972
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"
      4⤵
      Launches sc.exe
      PID:4828
- - C:\ProgramData\CAKKKJEHDB.exe
    "C:\ProgramData\CAKKKJEHDB.exe"
    3⤵
    PID:2684
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
      4⤵
      PID:1876
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\JEBFIIIEHCFH" & exit
    3⤵
    PID:4792
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:4664
- C:\Users\Admin\AppData\Local\Temp\7zO447C1839\S0FTWARE.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO447C1839\S0FTWARE.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2012
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 2100
    3⤵
    - Program crash
    PID:1304
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO44763589\License_msodbcsql_ENU.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2348

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2716

C:\ProgramData\GoogleUP\Chrome\Updater.exe
C:\ProgramData\GoogleUP\Chrome\Updater.exe
1⤵
PID:3636
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:3596
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2600
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:3364
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1352
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4444
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1204
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2848
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:3452
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:4296
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:4728
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:5096
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2384
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2012 -ip 2012
1⤵
PID:2992

C:\Users\Admin\AppData\Roaming\service.exe
C:\Users\Admin\AppData\Roaming\service.exe
1⤵
PID:4600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\CAKKKJEHDB.exe

Filesize
5.6MB

MD5
cd7727ab8db0c0968981a19fab763e32

SHA1
66242a286175e43f2d1299bd2594b30ac3d7cf00

SHA256
c658854ae75c8f001ab83644793d6c692f50aeddc29d2c593d6c02c5361add51

SHA512
b6d1d2d21e5210cabd741385aa52eb328afe79d948f232c12ff8a876a8652fb1667c28d2c73fe0ab2011c69f0d946de0e56ce890ceb81150b30b64d168a80b3a

Download Submit
C:\ProgramData\IECAFHDBGHJK\IEGCAA

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\ProgramData\IECAFHDBGHJK\IEGCAA

Filesize
114KB

MD5
9a3be5cb8635e4df5189c9aaa9c1b3c0

SHA1
9a7ce80c8b4362b7c10294bb1551a6172e656f47

SHA256
958f70959a70caf02c0063fe80f12c4d4d3f822a9fd640a6685c345d98708c26

SHA512
5c538513eba7ebaf7028b924d992b4c32ca323ad44f7a31e21970ed6852ea8b54cf71b2f811e8bf97f2744ee151e001ea52ba43b61cd032cc5a4c886292aac65

Download Submit
C:\ProgramData\IECAFHDBGHJK\JJEGIJ

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\ProgramData\IECAFHDBGHJK\KJEHCG

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\JKJDHDBKEB.exe

Filesize
5.8MB

MD5
c441be4f7fd0f07fdcf94657c624c3da

SHA1
bedd1f5d2feb959599b370590f62f02cbb3d2d3f

SHA256
47c6484dde4d9ca23a7667b1b71c5ed88d7cdd3dccf57485333ceda0153e5684

SHA512
c753bfa2b84ea5dfc47dbe25b807af6dd7d79e53a780ef693052f0c5c774767ef5b277671b07c539132af11a56546de3dd18790ce3fb3c4f66ca63c6c17fd8ad

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
9f9540c515847e8b6f4f5f050460520b

SHA1
20d7c57e798339d1d542246d94a260c01fd3c7b0

SHA256
81ddd5f92a40c4655ad0db45f603fb5732fd53ce9e1a996c4e3b5a33e3ef29d0

SHA512
424afe3f2a56f72731917b580ed4f4ec8e5ac46d0ca408ece19e5de06a65529f05e05900da60e635ce34c988b2060173a15c67f2a1e81ce285b9d0bd9f00b7ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
b895b7eefaa0599d704a08e150cefe25

SHA1
1a6603aca57db18f713fee6f3dfc9df0109f72e8

SHA256
efbf70ecb0d76f8dabc4d3ec4a8e0cb1948b4e926ae8728c48a6f186ac05d308

SHA512
8c4ffaa3e5c8aa0f7395c6085cc8474073bda2306625be1f129ad1314230610767f0e768d6167786ef58929e301f7cc35783247d659af17b1651ba70f0c5ed60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6IJLDY7V\76561199786602107[1].htm

Filesize
35KB

MD5
95e85da7fe8157b83e2ee5a449f9f99f

SHA1
9008b8a348aa3d6674d74ca6fb46e26d84cf6742

SHA256
7930a206127c3ddc248878d68f3672f5d9d78e857b6a12589f0b2bd5d69b67cc

SHA512
f270d05d73f913460d0e4ba91183283f760fd4ed608cb4b2c7f92977afcac885c500a9e85f8344b5ae0a579c43c35cd4189ba6758e28784192c970da49499d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y5yodzi1.it1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\service.exe

Filesize
3.8MB

MD5
457d059669f6a9d27767c85e70d12db3

SHA1
b383b22347accd60338ad333662df5258e0b423c

SHA256
16455bce562527decb08c0c19f6cc24930a44efc4a18dd9ddbb8cac8c61a3500

SHA512
23d2742b80a7ab85684e77bd7ffd320497627a75ec6e801b320645a3fe29861ce967f030cbe856407a24f81b05ca9addd7c2f9321b53ac61e2128ec10c9da315

Download Submit
C:\Users\Admin\AppData\Roaming\service.exe

Filesize
3.5MB

MD5
373efce2d150a79737ba301d7aae1ef8

SHA1
7d03ba23290eed5314fad68de5903f1de34c0ff2

SHA256
a12c84fc1793f79d7b2f57ea57ab469c84c606a21fa6c812b8791aa9167bce80

SHA512
261c05bcd73362cb3cbe976bfb5e5f2f5c77173839164150ecd920bd617703f3e9872f46fa7d1cf5ab73898ba3aac24f08c5d38e5df850e62f5fb036d0773c8d

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
memory/676-166-0x00000279CFF30000-0x00000279CFF52000-memory.dmp

Filesize
136KB

Download
memory/1220-140-0x00007FF783A80000-0x00007FF7845F9000-memory.dmp

Filesize
11.5MB

Download
memory/2012-118-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/2012-136-0x0000000000400000-0x0000000000D78000-memory.dmp

Filesize
9.5MB

Download
memory/2012-116-0x0000000000400000-0x0000000000D78000-memory.dmp

Filesize
9.5MB

Download
memory/2012-280-0x0000000000400000-0x0000000000D78000-memory.dmp

Filesize
9.5MB

Download
memory/2012-119-0x0000000003330000-0x0000000003331000-memory.dmp

Filesize
4KB

Download
memory/2012-120-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/2012-121-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/2012-123-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/2012-122-0x0000000003380000-0x0000000003381000-memory.dmp

Filesize
4KB

Download
memory/2012-125-0x0000000000400000-0x0000000000D78000-memory.dmp

Filesize
9.5MB

Download
memory/2012-236-0x000000002FF60000-0x00000000301BF000-memory.dmp

Filesize
2.4MB

Download
memory/2012-165-0x0000000000400000-0x0000000000D78000-memory.dmp

Filesize
9.5MB

Download
memory/2384-216-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2384-215-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2384-217-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2384-218-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2384-219-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2384-224-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2684-157-0x0000000000400000-0x0000000000C4C000-memory.dmp

Filesize
8.3MB

Download
memory/3124-210-0x000001F8B1B50000-0x000001F8B1B5A000-memory.dmp

Filesize
40KB

Download
memory/3124-209-0x000001F8B1B40000-0x000001F8B1B46000-memory.dmp

Filesize
24KB

Download
memory/3124-205-0x000001F8B1B20000-0x000001F8B1B3C000-memory.dmp

Filesize
112KB

Download
memory/3124-208-0x000001F8B1B10000-0x000001F8B1B18000-memory.dmp

Filesize
32KB

Download
memory/3124-207-0x000001F8B1B60000-0x000001F8B1B7A000-memory.dmp

Filesize
104KB

Download
memory/3124-206-0x000001F8B1B00000-0x000001F8B1B0A000-memory.dmp

Filesize
40KB

Download
memory/3124-202-0x000001F8B18D0000-0x000001F8B18EC000-memory.dmp

Filesize
112KB

Download
memory/3124-203-0x000001F8B18F0000-0x000001F8B19A5000-memory.dmp

Filesize
724KB

Download
memory/3124-204-0x000001F8B19B0000-0x000001F8B19BA000-memory.dmp

Filesize
40KB

Download
memory/3420-225-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3420-227-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3420-222-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3420-228-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3420-226-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3420-233-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3420-234-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3420-223-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3420-231-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3420-230-0x0000000001360000-0x0000000001380000-memory.dmp

Filesize
128KB

Download
memory/3420-229-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3420-235-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3420-232-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3636-183-0x00007FF7ACA20000-0x00007FF7AD599000-memory.dmp

Filesize
11.5MB

Download
memory/4480-44-0x0000000000400000-0x0000000000D78000-memory.dmp

Filesize
9.5MB

Download
memory/4480-9-0x0000000000400000-0x0000000000D78000-memory.dmp

Filesize
9.5MB

Download
memory/4480-13-0x000000000C860000-0x000000000C861000-memory.dmp

Filesize
4KB

Download
memory/4480-17-0x000000000C8D0000-0x000000000C8D1000-memory.dmp

Filesize
4KB

Download
memory/4480-91-0x0000000000400000-0x0000000000D78000-memory.dmp

Filesize
9.5MB

Download
memory/4480-15-0x000000000C8A0000-0x000000000C8A1000-memory.dmp

Filesize
4KB

Download
memory/4480-16-0x000000000C8B0000-0x000000000C8B1000-memory.dmp

Filesize
4KB

Download
memory/4480-66-0x0000000000D3C000-0x0000000000D3D000-memory.dmp

Filesize
4KB

Download
memory/4480-10-0x0000000000D3C000-0x0000000000D3D000-memory.dmp

Filesize
4KB

Download
memory/4480-28-0x0000000000400000-0x0000000000D78000-memory.dmp

Filesize
9.5MB

Download
memory/4480-30-0x0000000027B00000-0x0000000027D5F000-memory.dmp

Filesize
2.4MB

Download
memory/4480-67-0x0000000000400000-0x0000000000D78000-memory.dmp

Filesize
9.5MB

Download
memory/4480-128-0x0000000000400000-0x0000000000D78000-memory.dmp

Filesize
9.5MB

Download
memory/4480-21-0x0000000000400000-0x0000000000D78000-memory.dmp

Filesize
9.5MB

Download
memory/4480-19-0x0000000000400000-0x0000000000D78000-memory.dmp

Filesize
9.5MB

Download
memory/4480-18-0x000000000C8E0000-0x000000000C8E1000-memory.dmp

Filesize
4KB

Download
memory/4480-14-0x000000000C870000-0x000000000C871000-memory.dmp

Filesize
4KB

Download
memory/4480-161-0x0000000000400000-0x0000000000D78000-memory.dmp

Filesize
9.5MB

Download
memory/4480-11-0x0000000000400000-0x0000000000D78000-memory.dmp

Filesize
9.5MB

Download
memory/4480-155-0x0000000000400000-0x0000000000D78000-memory.dmp

Filesize
9.5MB

Download