vidar | 8b34e6283a4e30009a0ad792723817cfb0d5cdbbbe119948aa6e887bd59e1620

max time kernel
196s
max time network
194s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-01-2025 17:51

Sharing

Copy URL

Twitter E-mail

Reason

Task went missing from backend

Report Analysis Logs

General

Target

66bddfcb52736_vidar.exe
Size

190KB
MD5

fedb687ed23f77925b35623027f799bb
SHA1

7f27d0290ecc2c81bf2b2d0fa1026f54fd687c81
SHA256

325396d5ffca8546730b9a56c2d0ed99238d48b5e1c3c49e7d027505ea13b8d1
SHA512

6d1fa39560f4d7ca57905bc57d615acf96b1ef69ca2a4d7c0353278e8d4466298ed87f514463c49d671cb0e3b6a269a78636a10a1e463dba5c83fe067dc5df18
SSDEEP

3072:XqsEJybpRHuJKKBardRei4UGvI96/ZO6RAkeOCeP9sZy28se:XqsMyNRHuKikUi42KZO6PffmZy2d

Score

10^/10

vidar 877956da9963e0825aa43a159a358f24 credential_access defense_evasion discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

10.7

Botnet

877956da9963e0825aa43a159a358f24

https://steamcommunity.com/profiles/76561199751190313

https://t.me/pech0nk

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36

Signatures

Detect Vidar Stealer 5 IoCs

stealer

resource	yara_rule
behavioral2/memory/728-4-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/728-7-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/728-9-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/728-415-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/728-416-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Executes dropped EXE 4 IoCs

pid	Process
4728	monero-gui-install-win-x64-v0.18.3.4.exe
5168	monero-gui-install-win-x64-v0.18.3.4.tmp
3008	_setup64.tmp
5264	monero-wallet-gui.exe

Loads dropped DLL 1 IoCs

pid	Process
5264	monero-wallet-gui.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 868 set thread context of 728	868	66bddfcb52736_vidar.exe	83

Drops file in Program Files directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Monero GUI Wallet\opengl32sw.dll	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-62BN5.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-1N84L.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-1LLNN.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File opened for modification	C:\Program Files\Monero GUI Wallet\monero-daemon.bat	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-S8PHN.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File opened for modification	C:\Program Files\Monero GUI Wallet\unins000.dat	monero-gui-install-win-x64-v0.18.3.4.tmp
File opened for modification	C:\Program Files\Monero GUI Wallet\monero-blockchain-export.exe	monero-gui-install-win-x64-v0.18.3.4.tmp
File opened for modification	C:\Program Files\Monero GUI Wallet\monero-blockchain-ancestry.exe	monero-gui-install-win-x64-v0.18.3.4.tmp
File opened for modification	C:\Program Files\Monero GUI Wallet\monero-blockchain-depth.exe	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\unins000.dat	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-TFAF0.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-NO2B7.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File opened for modification	C:\Program Files\Monero GUI Wallet\monerod.exe	monero-gui-install-win-x64-v0.18.3.4.tmp
File opened for modification	C:\Program Files\Monero GUI Wallet\monero-wallet-cli.exe	monero-gui-install-win-x64-v0.18.3.4.tmp
File opened for modification	C:\Program Files\Monero GUI Wallet\monero-gen-trusted-multisig.exe	monero-gui-install-win-x64-v0.18.3.4.tmp
File opened for modification	C:\Program Files\Monero GUI Wallet\monero-blockchain-usage.exe	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-51PCJ.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File opened for modification	C:\Program Files\Monero GUI Wallet\monero-gen-ssl-cert.exe	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-SC0JU.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-NB4Q7.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-CFLT4.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File opened for modification	C:\Program Files\Monero GUI Wallet\monero-wallet-gui.exe	monero-gui-install-win-x64-v0.18.3.4.tmp
File opened for modification	C:\Program Files\Monero GUI Wallet\monero-blockchain-import.exe	monero-gui-install-win-x64-v0.18.3.4.tmp
File opened for modification	C:\Program Files\Monero GUI Wallet\monero-blockchain-prune-known-spent-data.exe	monero-gui-install-win-x64-v0.18.3.4.tmp
File opened for modification	C:\Program Files\Monero GUI Wallet\monero-blockchain-prune.exe	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-OEAHT.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-6DNOF.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-1IU4M.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-N15MG.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-SDH4D.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-2VSK8.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File opened for modification	C:\Program Files\Monero GUI Wallet\monero-wallet-rpc.exe	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-PA2CA.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-QT3FN.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-TEIK5.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-TAB9F.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File opened for modification	C:\Program Files\Monero GUI Wallet\monero-blockchain-mark-spent-outputs.exe	monero-gui-install-win-x64-v0.18.3.4.tmp
File opened for modification	C:\Program Files\Monero GUI Wallet\monero-blockchain-stats.exe	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-CKRRM.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-31JI2.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-S4219.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\monero-gui-install-win-x64-v0.18.3.4.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66bddfcb52736_vidar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	monero-gui-install-win-x64-v0.18.3.4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	monero-gui-install-win-x64-v0.18.3.4.tmp

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5820	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\moneroseed\DefaultIcon	monero-gui-install-win-x64-v0.18.3.4.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\moneroseed\DefaultIcon\ = "C:\\Program Files\\Monero GUI Wallet\\monero-wallet-gui.exe,0"	monero-gui-install-win-x64-v0.18.3.4.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\monero	monero-gui-install-win-x64-v0.18.3.4.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\moneroseed\URL Protocol	monero-gui-install-win-x64-v0.18.3.4.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\monero\DefaultIcon\ = "C:\\Program Files\\Monero GUI Wallet\\monero-wallet-gui.exe,0"	monero-gui-install-win-x64-v0.18.3.4.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\monero\shell\open\command	monero-gui-install-win-x64-v0.18.3.4.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\monero\shell	monero-gui-install-win-x64-v0.18.3.4.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\monero\shell\open\command\ = "\"C:\\Program Files\\Monero GUI Wallet\\monero-wallet-gui.exe\" \"%1\""	monero-gui-install-win-x64-v0.18.3.4.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\monero\ = "URL:Monero Payment Protocol"	monero-gui-install-win-x64-v0.18.3.4.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\monero\URL Protocol	monero-gui-install-win-x64-v0.18.3.4.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\moneroseed\ = "URL:Monero Seed Node Protocol"	monero-gui-install-win-x64-v0.18.3.4.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\moneroseed\shell\open\command	monero-gui-install-win-x64-v0.18.3.4.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\moneroseed\shell	monero-gui-install-win-x64-v0.18.3.4.tmp
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\monero\DefaultIcon	monero-gui-install-win-x64-v0.18.3.4.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\moneroseed\shell\open	monero-gui-install-win-x64-v0.18.3.4.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\moneroseed\shell\open\command\ = "\"C:\\Program Files\\Monero GUI Wallet\\monero-wallet-gui.exe\" \"%1\""	monero-gui-install-win-x64-v0.18.3.4.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\monero\shell\open	monero-gui-install-win-x64-v0.18.3.4.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\moneroseed	monero-gui-install-win-x64-v0.18.3.4.tmp

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\monero-gui-install-win-x64-v0.18.3.4.exe:Zone.Identifier	firefox.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5264	monero-wallet-gui.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
728	RegAsm.exe
728	RegAsm.exe
2820	chrome.exe
2820	chrome.exe
728	RegAsm.exe
728	RegAsm.exe
728	RegAsm.exe
728	RegAsm.exe
5168	monero-gui-install-win-x64-v0.18.3.4.tmp
5168	monero-gui-install-win-x64-v0.18.3.4.tmp
4964	msedge.exe
4964	msedge.exe
4244	msedge.exe
4244	msedge.exe
4056	identity_helper.exe
4056	identity_helper.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5264	monero-wallet-gui.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeCreatePagefilePrivilege	2820	chrome.exe
Token: SeShutdownPrivilege	2820	chrome.exe
Token: SeCreatePagefilePrivilege	2820	chrome.exe
Token: SeDebugPrivilege	4012	firefox.exe
Token: SeDebugPrivilege	4012	firefox.exe
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	5168	monero-gui-install-win-x64-v0.18.3.4.tmp

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
2820	chrome.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
5168	monero-gui-install-win-x64-v0.18.3.4.tmp
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe
4244	msedge.exe

Suspicious use of SetWindowsHookEx 62 IoCs

pid	Process
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
4012	firefox.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe
5264	monero-wallet-gui.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 1476	868	66bddfcb52736_vidar.exe	82
PID 868 wrote to memory of 1476	868	66bddfcb52736_vidar.exe	82
PID 868 wrote to memory of 1476	868	66bddfcb52736_vidar.exe	82
PID 868 wrote to memory of 728	868	66bddfcb52736_vidar.exe	83
PID 868 wrote to memory of 728	868	66bddfcb52736_vidar.exe	83
PID 868 wrote to memory of 728	868	66bddfcb52736_vidar.exe	83
PID 868 wrote to memory of 728	868	66bddfcb52736_vidar.exe	83
PID 868 wrote to memory of 728	868	66bddfcb52736_vidar.exe	83
PID 868 wrote to memory of 728	868	66bddfcb52736_vidar.exe	83
PID 868 wrote to memory of 728	868	66bddfcb52736_vidar.exe	83
PID 868 wrote to memory of 728	868	66bddfcb52736_vidar.exe	83
PID 868 wrote to memory of 728	868	66bddfcb52736_vidar.exe	83
PID 868 wrote to memory of 728	868	66bddfcb52736_vidar.exe	83
PID 2820 wrote to memory of 3716	2820	chrome.exe	86
PID 2820 wrote to memory of 3716	2820	chrome.exe	86
PID 2820 wrote to memory of 4608	2820	chrome.exe	87
PID 2820 wrote to memory of 4608	2820	chrome.exe	87
PID 2820 wrote to memory of 4608	2820	chrome.exe	87
PID 2820 wrote to memory of 4608	2820	chrome.exe	87
PID 2820 wrote to memory of 4608	2820	chrome.exe	87
PID 2820 wrote to memory of 4608	2820	chrome.exe	87
PID 2820 wrote to memory of 4608	2820	chrome.exe	87
PID 2820 wrote to memory of 4608	2820	chrome.exe	87
PID 2820 wrote to memory of 4608	2820	chrome.exe	87
PID 2820 wrote to memory of 4608	2820	chrome.exe	87
PID 2820 wrote to memory of 4608	2820	chrome.exe	87
PID 2820 wrote to memory of 4608	2820	chrome.exe	87
PID 2820 wrote to memory of 4608	2820	chrome.exe	87
PID 2820 wrote to memory of 4608	2820	chrome.exe	87
PID 2820 wrote to memory of 4608	2820	chrome.exe	87
PID 2820 wrote to memory of 4608	2820	chrome.exe	87
PID 2820 wrote to memory of 4608	2820	chrome.exe	87
PID 2820 wrote to memory of 4608	2820	chrome.exe	87
PID 2820 wrote to memory of 4608	2820	chrome.exe	87
PID 2820 wrote to memory of 4608	2820	chrome.exe	87
PID 2820 wrote to memory of 4608	2820	chrome.exe	87
PID 2820 wrote to memory of 4608	2820	chrome.exe	87
PID 2820 wrote to memory of 4608	2820	chrome.exe	87
PID 2820 wrote to memory of 4608	2820	chrome.exe	87
PID 2820 wrote to memory of 4608	2820	chrome.exe	87
PID 2820 wrote to memory of 4608	2820	chrome.exe	87
PID 2820 wrote to memory of 4608	2820	chrome.exe	87
PID 2820 wrote to memory of 4608	2820	chrome.exe	87
PID 2820 wrote to memory of 4608	2820	chrome.exe	87
PID 2820 wrote to memory of 4608	2820	chrome.exe	87
PID 2820 wrote to memory of 2388	2820	chrome.exe	88
PID 2820 wrote to memory of 2388	2820	chrome.exe	88
PID 2820 wrote to memory of 2980	2820	chrome.exe	89
PID 2820 wrote to memory of 2980	2820	chrome.exe	89
PID 2820 wrote to memory of 2980	2820	chrome.exe	89
PID 2820 wrote to memory of 2980	2820	chrome.exe	89
PID 2820 wrote to memory of 2980	2820	chrome.exe	89
PID 2820 wrote to memory of 2980	2820	chrome.exe	89
PID 2820 wrote to memory of 2980	2820	chrome.exe	89
PID 2820 wrote to memory of 2980	2820	chrome.exe	89
PID 2820 wrote to memory of 2980	2820	chrome.exe	89
PID 2820 wrote to memory of 2980	2820	chrome.exe	89
PID 2820 wrote to memory of 2980	2820	chrome.exe	89
PID 2820 wrote to memory of 2980	2820	chrome.exe	89
PID 2820 wrote to memory of 2980	2820	chrome.exe	89
PID 2820 wrote to memory of 2980	2820	chrome.exe	89
PID 2820 wrote to memory of 2980	2820	chrome.exe	89
PID 2820 wrote to memory of 2980	2820	chrome.exe	89
PID 2820 wrote to memory of 2980	2820	chrome.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\66bddfcb52736_vidar.exe
"C:\Users\Admin\AppData\Local\Temp\66bddfcb52736_vidar.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:1476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:728
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\AAEGHJKJKKJD" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5776
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:5820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff91705cc40,0x7ff91705cc4c,0x7ff91705cc58
  2⤵
  PID:3716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1900,i,16103674387256005935,271579672443768069,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:4608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2088,i,16103674387256005935,271579672443768069,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2056 /prefetch:3
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,16103674387256005935,271579672443768069,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2288 /prefetch:8
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,16103674387256005935,271579672443768069,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,16103674387256005935,271579672443768069,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:4232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4588,i,16103674387256005935,271579672443768069,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4608 /prefetch:1
  2⤵
  PID:4300

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:628

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2364
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4012
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2008 -parentBuildID 20240401114208 -prefsHandle 1936 -prefMapHandle 1928 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2812d360-81bc-4fbc-a93c-1c48d589fdd0} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" gpu
    3⤵
    PID:4292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2408 -parentBuildID 20240401114208 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e94fe7d-0db4-486e-9427-eb328d3bf862} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" socket
    3⤵
    PID:3732
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3096 -childID 1 -isForBrowser -prefsHandle 2988 -prefMapHandle 2960 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f615e40f-f2d1-44a1-9424-6ea3d3a1884d} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" tab
    3⤵
    PID:3444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4244 -childID 2 -isForBrowser -prefsHandle 4224 -prefMapHandle 4220 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b2b0b63-4dea-4837-bc1a-332cfb688024} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" tab
    3⤵
    PID:1336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4844 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4832 -prefMapHandle 4828 -prefsLen 32493 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a287714-623c-4250-8580-2cea5db92e3c} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" utility
    3⤵
    - Checks processor information in registry
    PID:3112
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5100 -childID 3 -isForBrowser -prefsHandle 4820 -prefMapHandle 5096 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07e58393-a5c8-4717-ae2f-96ad1a3b54af} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" tab
    3⤵
    PID:5392
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5336 -childID 4 -isForBrowser -prefsHandle 5256 -prefMapHandle 5264 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6762cac8-5be8-40e8-a713-ccb016ebef67} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" tab
    3⤵
    PID:5404
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5476 -childID 5 -isForBrowser -prefsHandle 5240 -prefMapHandle 5244 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f94e297-5fc9-4708-8fdb-1adb0721fb85} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" tab
    3⤵
    PID:5420
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6104 -childID 6 -isForBrowser -prefsHandle 6096 -prefMapHandle 6088 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6c426d1-0989-484a-adc8-8fea5b036431} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" tab
    3⤵
    PID:1352
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5536 -childID 7 -isForBrowser -prefsHandle 1100 -prefMapHandle 5216 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b521aff-46ad-460e-9535-cdf31b29ad90} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" tab
    3⤵
    PID:5180
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3408 -parentBuildID 20240401114208 -prefsHandle 3392 -prefMapHandle 4132 -prefsLen 32653 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee9e13ce-3d30-497f-90ea-5d92355f1308} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" rdd
    3⤵
    PID:3984
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4444 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 4184 -prefMapHandle 2692 -prefsLen 32653 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b63a048-2456-4c52-a523-fe2fcca944d7} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" utility
    3⤵
    - Checks processor information in registry
    PID:6028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3428 -childID 8 -isForBrowser -prefsHandle 6452 -prefMapHandle 3392 -prefsLen 27344 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f3ac7fa-c17d-431f-ab52-5720fca759bd} 4012 "\\.\pipe\gecko-crash-server-pipe.4012" tab
    3⤵
    PID:2732
- - C:\Users\Admin\Downloads\monero-gui-install-win-x64-v0.18.3.4.exe
    "C:\Users\Admin\Downloads\monero-gui-install-win-x64-v0.18.3.4.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4728
  - - C:\Users\Admin\AppData\Local\Temp\is-CH6T0.tmp\monero-gui-install-win-x64-v0.18.3.4.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-CH6T0.tmp\monero-gui-install-win-x64-v0.18.3.4.tmp" /SL5="$D0032,99679275,832512,C:\Users\Admin\Downloads\monero-gui-install-win-x64-v0.18.3.4.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:5168
    - - C:\Users\Admin\AppData\Local\Temp\is-JQOVD.tmp\_isetup\_setup64.tmp
        
        helper 105 0x4A0
        5⤵
        Executes dropped EXE
        
        PID:3008
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Program Files\Monero GUI Wallet\ReadMe.htm
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4244
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9147e46f8,0x7ff9147e4708,0x7ff9147e4718
        6⤵
        
        PID:4572
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,8688630556505136493,6549548837801980224,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
        6⤵
        
        PID:5516
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,8688630556505136493,6549548837801980224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4964
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,8688630556505136493,6549548837801980224,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
        6⤵
        
        PID:5284
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8688630556505136493,6549548837801980224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
        6⤵
        
        PID:1644
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8688630556505136493,6549548837801980224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
        6⤵
        
        PID:3676
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,8688630556505136493,6549548837801980224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 /prefetch:8
        6⤵
        
        PID:640
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,8688630556505136493,6549548837801980224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4056
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8688630556505136493,6549548837801980224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1
        6⤵
        
        PID:8992
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8688630556505136493,6549548837801980224,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
        6⤵
        
        PID:8988
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8688630556505136493,6549548837801980224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3016 /prefetch:1
        6⤵
        
        PID:8816
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8688630556505136493,6549548837801980224,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
        6⤵
        
        PID:8808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1720

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1820

C:\Program Files\Monero GUI Wallet\monero-wallet-gui.exe
"C:\Program Files\Monero GUI Wallet\monero-wallet-gui.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Monero GUI Wallet\ReadMe.htm

Filesize
8KB

MD5
960b1d19967d1c006e57392c722a8da3

SHA1
4acb31152ff6ff71f8ccb3972e68e29a17610432

SHA256
e95846594909d9d8e78ba3b5cf2fa8554320f74e4a6682d677a7df0f666d964e

SHA512
5fbac8ee3b742ced8230ec7095237eba55d94fa9f07d83c168189c8ba1c50f7babe64cb2038a70cd3a70346f8f1806db2c272b450a6cb9be23515195a5f3f9a8

Download Submit
C:\Program Files\Monero GUI Wallet\monero-blockchain-import.exe

Filesize
17.2MB

MD5
750c295eb2881774764866dcad9f203d

SHA1
5a074716eec433ff9279b20f306de84c1fc71870

SHA256
6cad362c47ad393a142d36972f96e15b504e0684a85f900f388bd16dd19c48e6

SHA512
9377ac9999f37dd6f939b851cb41346a6954526b2fcc3271dd47592a819acd0f25dfb326b2d951fa5b5e3b44f175d51f2e6b72df1539d88e31d5d5bcc6bdd98b

Download Submit
C:\Program Files\Monero GUI Wallet\opengl32sw.DLL

Filesize
20.0MB

MD5
7dbc97bfee0c7ac89da8d0c770c977b6

SHA1
a064c8d8967aaa4ada29bd9fefbe40405360412c

SHA256
963641a718f9cae2705d5299eae9b7444e84e72ab3bef96a691510dd05fa1da4

SHA512
286997501e1f5ce236c041dcb1a225b4e01c0f7c523c18e9835507a15c0ac53c4d50f74f94822125a7851fe2cb2fb72f84311a2259a5a50dce6f56ba05d1d7e8

Download Submit
C:\ProgramData\.shared-ringdb\data.mdb

Filesize
12KB

MD5
9dce56833647e292ef9d8ef200d0ec79

SHA1
27f67b46291d9fe5d4980987745249c19aa09dff

SHA256
cc136d66038535f9c9ca2c0c050eaae960adb4b93108798b325b8fa011d8569d

SHA512
bb6b225715d0f138b62b33aa7282d9fa45dc76843710f74af1e61757fadda3983860980c38be27861f9db0fe6aa65a496f47ccab3f7aeec99332051ef9209c8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
5cbb0a65de9b9a2f2ffc38eae62ab7b5

SHA1
401270a2af8614d2f9c8df9da3af2f9c18f73f28

SHA256
52b58538c21125d6b6be320e86d093f2dc59edf539b32d678e7ec5790ea83f07

SHA512
8d242833d840fb3b4e4559805ede3c7e13a680a1510a009f8343abd2839e0f885468d1ba35638824ac7ce2dc750187cfd4d07e932b0685562f79d57891a30796

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
2e6b57db0204fb34db5253b89beb9f77

SHA1
2ad7f1f1093653a844de7965ec4292ae3da98abb

SHA256
bb7037603f131c2192ed9d30d687254b235a34a1662df0e6ab42f84032f9fd8e

SHA512
7c1712bdcd70574ba9b59d10dc6f1ac3c501c05fc3b6e1bd14192a95cc19ceb858cf395687f45208ad368cfc5a2151269ce732e0be2c95ef3aef28cfd8023001

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
025edb7483281494c7831fb4bdfdf6a8

SHA1
50cdbfd7dcc2c6aa3bdeb948c4d6cb0bfa20629f

SHA256
3aafed3a19ea6191fee151c00d240cb8528efd92a748cb9d0c7982d5754c09e4

SHA512
896cf3f79f94cc1d8a92515fde8d173f8ad565c7521efb63b4dd5715cbb01a286e46d2ff157a7ccab4753c65611ecc650de52f0cccbfeee0abda23d8bb20eaef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
67c63817f28d27c8f7621f6a93fc0c40

SHA1
5483f8244ca11bf14267c3acb6821626b0855b45

SHA256
bfe6621478e63c63a23eddb44025b1ee30aaced5463f15971abc90d311524b38

SHA512
7022cc5d1f639bb540c6d816e462f4d7e7021a9505821563fefe845dbac46c992b2aeb79c773bf20b6f45412892eb9e5b0b0d03e67669e8ffb2dfaad3b5513e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\5a785855-c652-4d9c-b112-66093addbe6b.tmp

Filesize
10KB

MD5
0782bd308bf0d7caaa2ce57c00153278

SHA1
730931f0d5bad36f06a3d7de8307914a94af96bd

SHA256
67ecda6c83714c0f4c9abfa641a144fb1bd93a482b26c2714166160dbc19025e

SHA512
1fc8f2d4f24c90bce334df29dfaec8b60c8f2f12be32233ce4c268f76c7ce9d7d2e4840387e40a14d38c3646c74c37311484a6310d83a1dcdd12e9a92f30adb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a794a8c2ec1070db364841eeced7824d

SHA1
a77b0dabc21103df2b0d288720055a93f7ec76f1

SHA256
2dac4138cea14a4e9ce1423d3fcb1671de0cb61491f50494e0685e44be34ca0e

SHA512
b5645f6e2c5b0e9fe054da5dfe34586232d323efa022e784f731e6b3eb3ab10ef990770341aad8c2633b00deb0eea4f97a96e7a684a2ee25184470b008fc9cd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
978ad27630c0c3b4de32d23bc44f8fcb

SHA1
fd40ce86cdfecb2cbe05c548fb56a1758068b753

SHA256
7ac0d5d7db57ef4bf38ce47d1ff463573712e7dc9af49935d63325f82f22b2cc

SHA512
58f1a197b71e530514379e4c614a9c02d51bf67c39f08ae20ca9746fe8f07a295387a5bfc9a0f4da5106000947572c6b5d5f645bedc26b5895d66cbe02d3c7bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\activity-stream.discovery_stream.json

Filesize
24KB

MD5
01f02c2ce9458425931a8a27c14a7d45

SHA1
16df8f8eca8b8f2756b2faa66bdd1de70524c94b

SHA256
3f6489f47cda139910377981ffa6c3a8a53d009320791009b5af2d987604c253

SHA512
00f2620bae7fdd6559a88435c097a0fbc26f8ebe747816764a05a758a808f23686c9ee1fdc36c66700d3f0c7483d17c80a1bd18140c3014b6dd9bebc9a6bccff

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CH6T0.tmp\monero-gui-install-win-x64-v0.18.3.4.tmp

Filesize
3.0MB

MD5
6a2d673b6efdc19d2d2b729ad0753616

SHA1
460bd03135b6260c6e21f72cd580eb4135de4915

SHA256
312c0bc9aca766675b3703286b5290f4f16ade6bf82f2840cb13d1288a8ea17b

SHA512
6bf76907ab93e1cf166331b6bb8d0779d05b0b68be2b93ab14572f219381b9253a4e61cd0b6b1cce685ab5606b0bc7715204fb5ecf4976c9a603dc1c7eee1f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JQOVD.tmp\_isetup\_setup64.tmp

Filesize
6KB

MD5
e4211d6d009757c078a9fac7ff4f03d4

SHA1
019cd56ba687d39d12d4b13991c9a42ea6ba03da

SHA256
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

SHA512
17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin

Filesize
6KB

MD5
ae5a40d6eb08d5cefd9331cfee53c4d7

SHA1
3e79f89e7eb20c0ecf438211b0430a2a0de9422f

SHA256
35b7069affe9518af89bbaf6d5f5e39c8f07bd18363172fe19fa82b1ad0aa49d

SHA512
511f0cfe8f234ece939093d3db9fc0668768762d8f0a103303c56ae89db6440f1c3cb954f385807d9fabb5de9d811bcff40fe52c3780bfb108d2f971516eced9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin

Filesize
13KB

MD5
31c3a1e911309aa71ee148cecc92d6bd

SHA1
ab8c4e70019ef77aaaacdd54ad6dc856687b2cec

SHA256
7ebcb3f9a7795f8dca8556ccf057fb72f7654501bf3fa2a66ac0fb0c5378cd1a

SHA512
cde125fac0ccf0cf1dcb2f352148036fd9d91d9b4465f3ed7ecb2fceafb278ce2860b95fb410afe73423ce45b8142c6706f979120b8028cdb5804225702c02a0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
fc98b689e9ced0180929a09f06f44fde

SHA1
4cd174a512ab39a904f27af61b011cdbae310064

SHA256
e81e44e40899049fa8e39c9c944140f8d490271183abf7621cc75a697c4c2693

SHA512
0b0f8f835a3c9df8a93fffeb4d8ec68cca85ca00b4f786072fb8fd91e1c460f2c4725e7de2b9f85d9a5d374d8a53665ee10368c6f072c7f084e51ebabaa389df

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
7564e83cf5a401368d09bcb0b05ad16f

SHA1
5a3795b4e8bd8b19b5b6fe702f0b3115bcab7df3

SHA256
a8e27e16ecb411a5e0554b768d26c59f848506b0954ef4c335d7b7b537a76feb

SHA512
ef6b85490001b1922813731f14b7baf70e1665ca69e22265b6d5f04b8f011dc96ac86200df51c18565ff0fa0e0a6946d158ea9edebd2ad1573fa7e92beeb83c7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
03e501d762c1f78c6664179dfc83bb22

SHA1
13443c9f1108a767f7abde1d3ffa5553975c83b0

SHA256
58ac2a81f196067a9934dfe6f47b45bd1ae1f066bc6b0586674352b97b1e413d

SHA512
9bc3d8c3ccecb4d67bc2f2c3b3a75d0276db40c0b262440845e94d8bce24c53f38baa0c3a1af25ef8902f9e8b250b08bed8976587f53cdb9562b26346b313007

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\0695a5f8-6e0e-4c80-bd89-50239c57f38e

Filesize
671B

MD5
92181f6769f4ef78a17f7999b223e6ba

SHA1
3b4a78abe0fdc4ec28c2592f362e641e11b84746

SHA256
2ece8236d6cb6ff26b7e396fd9fc3849a466bc7a938229b9b5f1a6e88d35138f

SHA512
540cae06feb1f986d8dbd7387d260fff5c710012d016a18bbc3f926469a6ac698aafbbb7dddb5376c05a78f1cf8ac3ba0831e2e703648b890dc8b22f1907a2c9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\d272edd2-2869-42b1-9317-1436d773a871

Filesize
28KB

MD5
d24278483f3ba48cee56a529ba5b4c8b

SHA1
12d61110b87220b7327d14a5d28b5dc5c5280418

SHA256
2c9e4688427667ca8aeae48b18c79058dca5d278c697e6939146c0304a14e16e

SHA512
ca153c80e759320f6493e167381d81066ec2e049f8d93f22eb46b9e0176ff2806fa593233a89095ca01476fccccf895d176db2547665d93a7e2d13463a3c808f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\d504e7dd-b138-4082-8aaa-d5f60800ad72

Filesize
982B

MD5
f9cc91f75aedee26ab59c651728dd2c9

SHA1
e0c409fb8911405cb0bdf9cb390a0b5bee0da476

SHA256
7782aad9b0929901a3c38f225d924662f12382b2545a6d897488bf257586b040

SHA512
2e7365fe4e347492b1d8901af66cf81e2cdd00a61aa672176fd87fd897643d5bca65d82961a538e6b4482fb51027ec14939e04af63dcbf247da1132a62429163

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs-1.js

Filesize
10KB

MD5
00a712befe319d80d0d78d1c8e4613bb

SHA1
378beec77681360326cafcd337c809fac0a7c199

SHA256
dff2778e1c6e904367e5c1c7e834abadc994f6a00edbb4decfe3d138cf10b2d2

SHA512
744cdbad7fd2df33ac85a73f7a3995e9ee5288105d043b1775c77c5df179408633dfe1441c56fea11b2018d3b814c4e648adecd6ac4b58d3e842736b55c979f6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs-1.js

Filesize
9KB

MD5
a19cada5995573b1d5567d5b8978279b

SHA1
855ea33d573f77561367e5cb9f12f22156329773

SHA256
b32c49c3696f4fe8e7010f0c3504cc1c6dc4a2ceaf8f480a4e46a9e861d94d1e

SHA512
372992f2cde5de10b86eacce6f7c198263231069b7e288a5f41a29e1a40a41a1e92b22407b70fac31db2275c177d7eac5d209fa1d8d471c3ce56a6cf95231130

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
5fee014c2605570cb885eb567d8d574f

SHA1
1baa3fb771b50ee77f4583db5595aafa7ade445c

SHA256
169c82f6b078aca9c9c82056e5ddb9f1cffd3266f0c60f4679071f4202f02970

SHA512
1f3eab4b7e62d4d4546caa69d3992d214b051593bfa50aef3c399f23f0ef744c970e55b739644408cc38df655e0f97f88f733fd4a9f6a43343f2150a53615344

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
0f2dedeb16633b982d460a44153b7624

SHA1
3d3e8fd9d0fc2b83ed63b8f4b264073629b81c8e

SHA256
cfb9401622df5655ab7d9a03bb2f6ad9ffa1e17b1aedeb84c16e850fa817bd7e

SHA512
33b16236ad9a03695da7de85de960566722393ecdd6e3ed68f74ef2da6d31709bfe2d78dab279d206e9283fa8e5dd4cfd1877f16356e5d220f75c4a9c130f8e1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
d5fc75048927750f799e00f9656a42df

SHA1
a7b6d2a93faa1aacad5fdc4ad0efef0f03c6ae91

SHA256
b0c82b1619a00c386049e8dedd77168d61ce87184d2c10886947354db61f9ca0

SHA512
c551c6bc3f0c044b17d002edafc9b6914630cb8646b0b30c90a9be48bb748b202c5126493dd0e0e1012eea0b51ff0cbf3fda2f8209cfec079d6cf949e11bd920

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
368KB

MD5
7aa16d4ca07a987b9d3d7643f699f31f

SHA1
cb27eb1c90e94565d835ead380476cdb9631bde4

SHA256
f960390742d2f35627722ed7c03ee308de9bcc74f19e05a1520230e5798a398b

SHA512
54685a5282fa8fec9ba08bfac71e445d9c66dcf1688ce09d6344905d66ee840f0d4ef94fc4991f4d45cbc249fb543432bf5fc6f8f7dbec6c2a9726c10b12d4e6

Download Submit
C:\Users\Admin\Documents\Monero\wallets\Admin\Admin.keys

Filesize
1KB

MD5
4686b12884965e7dd798ca47447fb4f3

SHA1
2bd91abc68045118024526dadcd578cfb5ed9a50

SHA256
1e3ded07499a6769c5ea80f81121622683b9c8458a63fbe0c47415a745a68e57

SHA512
e4541d3f6a8101a4e22891b03bec94da83f5e337321c3406fccb9d5152597a7517f0c6f75164cf967e65348ee7c8e67e02ec77e312586cbcaa4795a9df0f13e9

Download Submit
memory/728-416-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/728-415-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/728-9-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/728-7-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/728-4-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/868-0-0x000000007518E000-0x000000007518F000-memory.dmp

Filesize
4KB

Download
memory/868-428-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/868-11-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/868-1-0x0000000000690000-0x00000000006C6000-memory.dmp

Filesize
216KB

Download
memory/4728-964-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4728-824-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4728-844-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/5168-847-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/5168-963-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/5168-845-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/5168-877-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/5264-998-0x000000000A8B0000-0x000000000A8B1000-memory.dmp

Filesize
4KB

Download
memory/5264-1002-0x000000000ACB0000-0x000000000ACB1000-memory.dmp

Filesize
4KB

Download
memory/5264-994-0x000000000ACB0000-0x000000000ACB1000-memory.dmp

Filesize
4KB

Download
memory/5264-996-0x000000000ACB0000-0x000000000ACB1000-memory.dmp

Filesize
4KB

Download
memory/5264-988-0x000000000A5F0000-0x000000000A5F1000-memory.dmp

Filesize
4KB

Download
memory/5264-997-0x000000000ACB0000-0x000000000ACB1000-memory.dmp

Filesize
4KB

Download
memory/5264-987-0x000000000A5F0000-0x000000000A5F1000-memory.dmp

Filesize
4KB

Download
memory/5264-986-0x000000000A5F0000-0x000000000A5F1000-memory.dmp

Filesize
4KB

Download
memory/5264-985-0x000000000A5F0000-0x000000000A5F1000-memory.dmp

Filesize
4KB

Download
memory/5264-984-0x000000000A5F0000-0x000000000A5F1000-memory.dmp

Filesize
4KB

Download
memory/5264-983-0x000000000A5F0000-0x000000000A5F1000-memory.dmp

Filesize
4KB

Download
memory/5264-989-0x000000000A5F0000-0x000000000A5F1000-memory.dmp

Filesize
4KB

Download
memory/5264-1000-0x000000000C3F0000-0x000000000C3F1000-memory.dmp

Filesize
4KB

Download
memory/5264-1001-0x000000000C3F0000-0x000000000C3F1000-memory.dmp

Filesize
4KB

Download
memory/5264-1006-0x000000000ACB0000-0x000000000ACB1000-memory.dmp

Filesize
4KB

Download
memory/5264-1008-0x000000000D610000-0x000000000D611000-memory.dmp

Filesize
4KB

Download
memory/5264-1005-0x000000000ACB0000-0x000000000ACB1000-memory.dmp

Filesize
4KB

Download
memory/5264-1004-0x000000000ACB0000-0x000000000ACB1000-memory.dmp

Filesize
4KB

Download
memory/5264-1003-0x000000000ACB0000-0x000000000ACB1000-memory.dmp

Filesize
4KB

Download
memory/5264-995-0x000000000ACB0000-0x000000000ACB1000-memory.dmp

Filesize
4KB

Download
memory/5264-1016-0x000000000D8A0000-0x000000000D8A3000-memory.dmp

Filesize
12KB

Download
memory/5264-1018-0x000000000D870000-0x000000000D871000-memory.dmp

Filesize
4KB

Download
memory/5264-1017-0x000000000D870000-0x000000000D871000-memory.dmp

Filesize
4KB

Download
memory/5264-1015-0x000000000D8A0000-0x000000000D8A3000-memory.dmp

Filesize
12KB

Download
memory/5264-1014-0x000000000D890000-0x000000000D891000-memory.dmp

Filesize
4KB

Download
memory/5264-1020-0x000000000D610000-0x000000000D611000-memory.dmp

Filesize
4KB

Download
memory/5264-1019-0x000000000D610000-0x000000000D611000-memory.dmp

Filesize
4KB

Download
memory/5264-1012-0x000000000D870000-0x000000000D871000-memory.dmp

Filesize
4KB

Download
memory/5264-1011-0x000000000D870000-0x000000000D871000-memory.dmp

Filesize
4KB

Download
memory/5264-1009-0x000000000C3F0000-0x000000000C3F1000-memory.dmp

Filesize
4KB

Download
memory/5264-1021-0x000000000ACB0000-0x000000000ACB1000-memory.dmp

Filesize
4KB

Download
memory/5264-1024-0x000000000EF20000-0x000000000EF21000-memory.dmp

Filesize
4KB

Download
memory/5264-1022-0x000000000D610000-0x000000000D611000-memory.dmp

Filesize
4KB

Download
memory/5264-990-0x000000000A5F0000-0x000000000A5F1000-memory.dmp

Filesize
4KB

Download
memory/5264-992-0x000000000A8B0000-0x000000000A8B1000-memory.dmp

Filesize
4KB

Download
memory/5264-980-0x0000000008F90000-0x00000000093D2000-memory.dmp

Filesize
4.3MB

Download
memory/5264-981-0x00000000093E0000-0x00000000095E2000-memory.dmp

Filesize
2.0MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads