adwind | hxxps://gofile[.]io/d/Kgm891

Analysis

max time kernel
83s
max time network
75s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2024 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/Kgm891

Score

10^/10

adwind discovery persistence trojan

Malware Config

Signatures

AdWind
A Java-based RAT family operated as malware-as-a-service.
trojan adwind
Adwind family
adwind

Class file contains resources related to AdWind 1 IoCs

resource	yara_rule
sample	family_adwind4

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LqgqEAfScHLiPPRhEQFBaawoWuLEo\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\LqgqEAfScHLiPPRhEQFBaawoWuLEo"	kdmapper_Release.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Miro_External.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Miro_External.exe

Executes dropped EXE 5 IoCs

pid	Process
3988	kdmapper_Release.exe
4680	Miro_External.exe
4208	Miro_External.exe
1756	Exaro Free.exe
3136	Exaro Free.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1735223140307.tmp"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1735223155667.tmp"	reg.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	Miro_External.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	Miro_External.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
632	msedge.exe
632	msedge.exe
728	msedge.exe
728	msedge.exe
2156	identity_helper.exe
2156	identity_helper.exe
2300	msedge.exe
2300	msedge.exe
3988	kdmapper_Release.exe
3988	kdmapper_Release.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe
1756	Exaro Free.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
3988	kdmapper_Release.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	232	7zG.exe
Token: 35	232	7zG.exe
Token: SeSecurityPrivilege	232	7zG.exe
Token: SeSecurityPrivilege	232	7zG.exe
Token: SeDebugPrivilege	3988	kdmapper_Release.exe
Token: SeLoadDriverPrivilege	3988	kdmapper_Release.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
232	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2992	OpenWith.exe
3988	kdmapper_Release.exe
3456	javaw.exe
1872	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 728 wrote to memory of 2844	728	msedge.exe	83
PID 728 wrote to memory of 2844	728	msedge.exe	83
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 3168	728	msedge.exe	84
PID 728 wrote to memory of 632	728	msedge.exe	85
PID 728 wrote to memory of 632	728	msedge.exe	85
PID 728 wrote to memory of 2020	728	msedge.exe	86
PID 728 wrote to memory of 2020	728	msedge.exe	86
PID 728 wrote to memory of 2020	728	msedge.exe	86
PID 728 wrote to memory of 2020	728	msedge.exe	86
PID 728 wrote to memory of 2020	728	msedge.exe	86
PID 728 wrote to memory of 2020	728	msedge.exe	86
PID 728 wrote to memory of 2020	728	msedge.exe	86
PID 728 wrote to memory of 2020	728	msedge.exe	86
PID 728 wrote to memory of 2020	728	msedge.exe	86
PID 728 wrote to memory of 2020	728	msedge.exe	86
PID 728 wrote to memory of 2020	728	msedge.exe	86
PID 728 wrote to memory of 2020	728	msedge.exe	86
PID 728 wrote to memory of 2020	728	msedge.exe	86
PID 728 wrote to memory of 2020	728	msedge.exe	86
PID 728 wrote to memory of 2020	728	msedge.exe	86
PID 728 wrote to memory of 2020	728	msedge.exe	86
PID 728 wrote to memory of 2020	728	msedge.exe	86
PID 728 wrote to memory of 2020	728	msedge.exe	86
PID 728 wrote to memory of 2020	728	msedge.exe	86
PID 728 wrote to memory of 2020	728	msedge.exe	86

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1884	attrib.exe
2208	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/Kgm891
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f2dd46f8,0x7ff9f2dd4708,0x7ff9f2dd4718
  2⤵
  PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,12199001769828127950,16674978288744649319,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,12199001769828127950,16674978288744649319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,12199001769828127950,16674978288744649319,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
  2⤵
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12199001769828127950,16674978288744649319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12199001769828127950,16674978288744649319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12199001769828127950,16674978288744649319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
  2⤵
  PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,12199001769828127950,16674978288744649319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 /prefetch:8
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,12199001769828127950,16674978288744649319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12199001769828127950,16674978288744649319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12199001769828127950,16674978288744649319,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12199001769828127950,16674978288744649319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12199001769828127950,16674978288744649319,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12199001769828127950,16674978288744649319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12199001769828127950,16674978288744649319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,12199001769828127950,16674978288744649319,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12199001769828127950,16674978288744649319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
  2⤵
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,12199001769828127950,16674978288744649319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2300

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3352

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4020

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2992

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4136

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap27217:86:7zEvent8592
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:232

C:\Users\Admin\Desktop\Miro Private\kdmapper_Release.exe
"C:\Users\Admin\Desktop\Miro Private\kdmapper_Release.exe" "C:\Users\Admin\Desktop\Miro Private\driver.sys"
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3988

C:\Users\Admin\Desktop\Miro Private\Miro_External.exe
"C:\Users\Admin\Desktop\Miro Private\Miro_External.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:4680
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Miro_Private.jar"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3456
- - C:\Windows\SYSTEM32\attrib.exe
    attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1735223140307.tmp
    3⤵
    - Views/modifies file attributes
    PID:2208
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1735223140307.tmp" /f"
    3⤵
    PID:4796
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1735223140307.tmp" /f
      4⤵
      Adds Run key to start application
      PID:2880
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Exaro Free.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Exaro Free.exe"
  2⤵
  - Executes dropped EXE
  PID:3136

C:\Users\Admin\Desktop\Miro Private\Miro_External.exe
"C:\Users\Admin\Desktop\Miro Private\Miro_External.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:4208
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Miro_Private.jar"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1872
- - C:\Windows\SYSTEM32\attrib.exe
    attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1735223155667.tmp
    3⤵
    - Views/modifies file attributes
    PID:1884
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1735223155667.tmp" /f"
    3⤵
    PID:424
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1735223155667.tmp" /f
      4⤵
      Adds Run key to start application
      PID:4112
- C:\Users\Admin\AppData\Local\Temp\RarSFX1\Exaro Free.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Exaro Free.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
03a3e281c6f8e73e9ca72926857ee423

SHA1
6c7d847b9be75d92ce39fa0a76a2abcb96448f45

SHA256
6b9a2a993b6cf253d878161c11568269ad8e7719a9b21568d40083ddb7dcb19e

SHA512
f6c2d7334f7d3e800e7dd4c26fed207da75e7104fb7e1ed5114efe5d5922706bc2c7f76b186c1a839d30fac22f48c4f667f958b9a38d0de81517356ba302f3f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2a12c477-d246-40ac-93ce-6dbc4a266039.tmp

Filesize
6KB

MD5
d71a3663084dc8ce07a8ce87e5603a8b

SHA1
3df1e270ec9518128e1cf44a070804a938fd2e57

SHA256
3b35022efb2fd8ce38d06f0cf837f60ca5ada61c0d20cf85586d7e14a96257d7

SHA512
94c4c583e9b4727b4596f0efe4207de06584c1e51e63da991bdf6f8d0f961fdc87dad414cd77bff36340217b23c0afffaa61f7707c1d21233c26bf8dbfd93618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
6d680e4e2becd537faf466c6847153c5

SHA1
f8278da938939ef1cf4712b0751aa9463cbdec8c

SHA256
07aa41c23030c3799d241a93a1349a81a30bdde2e4016bf7a8762892eeaed9fc

SHA512
4976dd71c532e451e939b05109b06248a922b36f2a2a182e4a229dc5065a8aac7147ffe7d98cf6642a939a3eb9d2d0e23eb2f7dc6e356035a6a9ea69b914963f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
b15ca352a2f208a7f0fcce0996404cb7

SHA1
c4bbe66ab7d727e190e511b276b25a52d7d41df5

SHA256
21f7392ea9180d4bfaa71f853089c07c2d2023604274f4ad8790ec7308343959

SHA512
d00a1135f39eb765f53c55ec2e99683863c610404617e6c0fd41a1f4f7fffacb22ce22cc887ca4a70989491a643d764c2306c8a77302f5f98402278e3e466f85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
23e7dfdb5e40096b1b34389ca8f402f0

SHA1
b9939c79a0c518a867d0fd2c1d374358a14df19b

SHA256
84cab5822fc2267670ba4b346987a82e88b556553f26f10e9d831c9a125f0aad

SHA512
67ae616fa6bdb6f364d34a66df474d2ff14e1f0298eee879d6e04104490d4de0cad398c4bfd9268bc7dee11a50efe7bd59e0882ccbb336ce0ac2547c379678b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
725fd1cef2b67767bc84ea03bc338717

SHA1
cd0017204d9ad15ef8597ff60d8723aec7b1c1ca

SHA256
70f6a87b848cf2b145e7274aa7eb7d522321303a97b71ce079aba98f755dbdb4

SHA512
5dd10c60ecfea26cce99b6dfc8b7133f73d152962b10e3ef10a83999a807ef99734ee68dc6c4662fc35f05a5ad14c29b69da11210dda674596c93b85d03c7c15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6d5c261a20ce807b48579ec721c3b058

SHA1
d09d458051dea17de27bfe78ca12d764e82822fb

SHA256
5da6136001812067fa6fe4cc22b99196b4efb7496e952e2c722cbab83954535b

SHA512
18f9306128d49fcb2d131c502ce2bad2189b9f1c85d406800b47dd6513fb155aada9d1a66de43817bdd4959a3bff357333f781c289e47648c1a672b789bfb35e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bb3f9f9d814a1b0d611583a8d6eeb146

SHA1
8d8516edf9fdb0e31624699055ea85016df80804

SHA256
fa5c9bea820bdc4a6049fb195deb4f19ee5e0430221157912e716d95b6fce27e

SHA512
a04d386a683ea85c28c50fefe671e9cb669b1f197dd2802e80bb2e6183769bd986464442768023ef3d3f0b5cdef1eb76141de31e4f289e77f6a7075f485f4391

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Miro_Private.jar

Filesize
639KB

MD5
44d09f1a88724eca1cccb74123884fe5

SHA1
d34b8ed89755ff38ea2072c8867ab70128da8552

SHA256
d17d2079a17fbfcd78b0777e4cc42e74e8975bd8b1797a64cf2701b06ac0a4e7

SHA512
13fc984c5cf2140d01f1b51d3e977c448737567742aa55fb513695db2be3f5467f465a03c0fab1b56c54c7c686bce189a1ce6715e675927abbf66de6eaf9a0f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Exaro Free.exe

Filesize
303KB

MD5
b492c996cd21a55a6e2669b780c27331

SHA1
a69cce52e6d74482f5af36de0545bc8165cca3bd

SHA256
9c30c51076da59f19d8b2cbbbbf7059c701e549f00169586a5913032b31a0427

SHA512
3a04afbdc3ec66b16bbba49ab900bfcbb90698a8c2c6d7e29716ecd5c70ea6cc1739e56e4658d7b91032b300b27b7e447a835c3a22b4e318876db39e57d8c68c

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio4380655116885694433.tmp

Filesize
28KB

MD5
e156c63647f598ca81684053a0afd6c1

SHA1
beee9dfb65d26236a11396db75ba0cdf15811abd

SHA256
8cfb8bf41c561813d075aa5fa529d27173541660aaf54572099448fe341f9346

SHA512
308f27b5f978c08263a55c36857b584e117985c901a49479e7cbbd9dc8fbc7d00eadb1b38202143fa18110b5a09bf0e08a0a5605805c74263de3cc27839dcd22

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio4972315313869746823.tmp

Filesize
44KB

MD5
41a8efe024f94057249c70a89aa6f98d

SHA1
19786b1c710388d744431958aad412a50b50d1c2

SHA256
602b48e91a1b888ff654a4df9508a0c8e984de8a69e5c5e6264ea5e50adae894

SHA512
1865a87f922875fe36995e878de194d5235d7e39a89aaa53cffe3755f23c0d2b4d602955d9393854639192f34e9a7653a48fda9d5ab62de6edb11c7f01ce1348

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio5058865469293782967.tmp

Filesize
45KB

MD5
1eb5900cf9d66e87509294cba36e947d

SHA1
af4eaaa667860a2fd4f797312195a9b74d5d1288

SHA256
b118129dec6a198c718784ac98eb9d85cd581bf8c2d847275b163a80d557ec4e

SHA512
57b57bd6365db852976859bb1ea6efff4b658ec60ebaf7e15cd9b0ce17808009b5b0f9e94577ffcc33098b1fd1fd9ae9bfaf92cb729ee04511e1e2c5e18acfb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio6192977843237730116.tmp

Filesize
45KB

MD5
a5863c72cfbb34ef5a68040090db903b

SHA1
bb8fa5ece2666d7435656770d230c52bfae1bac3

SHA256
5dedfca04fdbe7643815bb9cc6625095ee951ed2bc2a3ad64226ecb56d4968e9

SHA512
4f064b80629f2a1686fa8697b8704e93f4c50aa18b55ac26a27c930120ed278c58f3841778788fffb2c23f091214a0b845f487e45c3b3cfbda6d2cd53cc71dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio6548075907097723388.tmp

Filesize
28KB

MD5
38a0aa824a997ef54859cf41771a139c

SHA1
632eae23236feef00384b39a0fe589918dd23315

SHA256
6b4aef94b928b3033ccf610b13a2bf6ec2fbfe92132b709e60ad96694388c286

SHA512
b8728f9978c689db6b479c3b488df3368c27b2709788dcba257b8ab7e377547a48b2ac39afbdec8004229bb97a8127286ea5f9b62f0a64a7da09d974ee8462ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio7319030500220814834.tmp

Filesize
26KB

MD5
41cefe2c588e09ff5d4c0eb7c273bf6c

SHA1
93faca16f8577903471d78dc175bb30cb6d2284e

SHA256
172ff62e9e38f2e00881a8be4fb767b47da91dc5a90f2adc40d9ab70edaa4cb1

SHA512
1d426daf2a559cc713b4f496ed42e56f385a3bf55bf8ea2ee77cca0803435b378a71f8e4e2f5c9ee4170670ff0e274e39a09159de613cdad8dabb3106dce58a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio8283098323201771112.tmp

Filesize
26KB

MD5
57513b3a644b34f5e7398ab01eca61e0

SHA1
5c9d004ab6db900bba00d74dc8d37184abbabe6f

SHA256
18b78098e0e3f597be1e13e3ae07d129c2ffc948877b61692289129b8f5905a2

SHA512
17d1b428d83d1deb0151f93d24678101a1b537822ae5f5b6696311c207871de3f9868fe71de55d56487476c0d22f2edb7adc87d206c8cf19dc325ad3bf01f2c0

Download Submit
C:\Users\Admin\Desktop\Miro Private\Miro_External.exe

Filesize
1.2MB

MD5
b157d9d217ae948efe0952beb617e853

SHA1
f489cd7f72ae2ca48702f323b7e5cc4f60101323

SHA256
55927b426c6a264dbfa198ab6aa6fabdb90d0fea7f39d3fdb953cc33e90d7e1c

SHA512
6684b39b557910ccca6e9d31783ece5d524ee66930319c685c381a680c053673e102da05a793c8ce7197b7bba6506013b71f723c60560f84725926b79022f613

Download Submit
C:\Users\Admin\Desktop\Miro Private\kdmapper_Release.exe

Filesize
136KB

MD5
33b35f9efa880293fd8c0c7b2fc84aa2

SHA1
fddfe1fc9a06be652c2bd4ffaedb3ea2e8ed50bc

SHA256
9f0ee16c4bff6ec6f5a8df1ddce6a4d5b0d2c2b1d0beefc9c6da79093f264659

SHA512
2f9d19830ada8500842a4dd3a7875fa71e740b417e7925bacf9776c6cd9f5338534d9cd22c9f781609fc7f17fcb45035dbb7c3586b5a372d719076f32b05c668

Download Submit
C:\Users\Admin\Downloads\Miro Private.rar

Filesize
1.8MB

MD5
1fccc4142827e79e76603ef1b8cb9837

SHA1
9145a342ed7a9b5b86d546fb641db2ab7f0b19b1

SHA256
1931ebffdd8bd6f5677580dfb75e78b8d0554cf6c261c98aeacf3c5f3313c925

SHA512
d1bc249d54292192d95684275599682c63ba061511f2195ed944758326537f773612d4c08e2baf42ceaaeab723b08617ecbfc103faadc7a2a38dd6ce09a31b21

Download Submit
memory/1872-502-0x00000262A1E00000-0x00000262A1E01000-memory.dmp

Filesize
4KB

Download
memory/1872-474-0x00000262A1E00000-0x00000262A1E01000-memory.dmp

Filesize
4KB

Download
memory/3456-343-0x0000027ACD8A0000-0x0000027ACD8A1000-memory.dmp

Filesize
4KB

Download
memory/3456-276-0x0000027ACD8A0000-0x0000027ACD8A1000-memory.dmp

Filesize
4KB

Download
memory/3456-268-0x0000027ACD8A0000-0x0000027ACD8A1000-memory.dmp

Filesize
4KB

Download
memory/3456-264-0x0000027ACD8A0000-0x0000027ACD8A1000-memory.dmp

Filesize
4KB

Download
memory/3456-261-0x0000027ACD8A0000-0x0000027ACD8A1000-memory.dmp

Filesize
4KB

Download
memory/3456-248-0x0000027ACD8A0000-0x0000027ACD8A1000-memory.dmp

Filesize
4KB

Download
memory/3456-746-0x0000027ACD8A0000-0x0000027ACD8A1000-memory.dmp

Filesize
4KB

Download
memory/3456-756-0x0000027ACD8A0000-0x0000027ACD8A1000-memory.dmp

Filesize
4KB

Download
memory/3456-758-0x0000027ACD8A0000-0x0000027ACD8A1000-memory.dmp

Filesize
4KB

Download