vidar | 438d6c2d58ecf3acd3ad86b69b17519824a5b51a51698fa48507494c27570859

Analysis

max time kernel
114s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2025 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

S0FTWARE.rar
Size

17.1MB
MD5

bf2021fb9b6d85e50f4f506e7c65222c
SHA1

f2ef73d4baaef3d3081e92efd7c748595dedad55
SHA256

438d6c2d58ecf3acd3ad86b69b17519824a5b51a51698fa48507494c27570859
SHA512

c880cbc1633b2eafb2235b0d8ec6322c10f5a66867e1b2018499614acfb9c170e9f2d35e76d9c7b637d26be10c3543ed3e62c71cf526758784d592c00edfae31
SSDEEP

393216:oedpFDl0qmjH67roK/2FCvdTjS5Do2Qx79VXzh3QQ00U64:xpFDCqmjHe2FCvdnsDMZVhCXx

Score

10^/10

vidar xmrig defense_evasion discovery execution miner persistence stealer upx

Malware Config

Extracted

Family

vidar

https://t.me/sok33tn

https://steamcommunity.com/profiles/76561199824159981

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Signatures

Detect Vidar Stealer 7 IoCs

stealer

resource	yara_rule
behavioral2/files/0x000c000000023d41-410.dat	family_vidar_v7
behavioral2/memory/5076-413-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3296-444-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/5076-473-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3296-505-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/2428-514-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/2428-536-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral2/memory/2520-601-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2520-600-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2520-606-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2520-604-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2520-605-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2520-603-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2520-607-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2520-623-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2520-624-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1680	powershell.exe
4508	powershell.exe
5008	powershell.exe
2908	powershell.exe
1396	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 6 IoCs

flow	pid	Process
59	3140	S0FTWARE.exe
59	3140	S0FTWARE.exe
35	1876	S0FTWARE.exe
35	1876	S0FTWARE.exe
45	3588	S0FTWARE.exe
45	3588	S0FTWARE.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	jhyfvn.exe
File created	C:\Windows\system32\drivers\etc\hosts	Updater.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	pkvuebr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	S0FTWARE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	iexxcm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	S0FTWARE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	stvzisd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	S0FTWARE.exe

Executes dropped EXE 14 IoCs

pid	Process
1876	S0FTWARE.exe
3588	S0FTWARE.exe
3140	S0FTWARE.exe
5076	jhdtumfty.exe
4704	iexxcm.exe
4500	jhyfvn.exe
3296	qrzpemo.exe
4844	stvzisd.exe
5084	fhvep.exe
2428	uepdar.exe
4788	pkvuebr.exe
652	ldtfpv.exe
968	Updater.exe
4596	service.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
72	pastebin.com
34	raw.githubusercontent.com
35	raw.githubusercontent.com
45	raw.githubusercontent.com
59	raw.githubusercontent.com
71	pastebin.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
3808	powercfg.exe
2104	powercfg.exe
2740	powercfg.exe
4468	powercfg.exe
2020	powercfg.exe
3536	powercfg.exe
624	powercfg.exe
2304	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	jhyfvn.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Updater.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 968 set thread context of 5116	968	Updater.exe	176
PID 968 set thread context of 2520	968	Updater.exe	179

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2520-597-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2520-601-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2520-600-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2520-606-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2520-604-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2520-605-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2520-603-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2520-598-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2520-599-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2520-595-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2520-596-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2520-607-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2520-623-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2520-624-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2736	sc.exe
2408	sc.exe
2504	sc.exe
2380	sc.exe
4572	sc.exe
400	sc.exe
2444	sc.exe
2640	sc.exe
3816	sc.exe
4584	sc.exe
1068	sc.exe
5036	sc.exe
2448	sc.exe
4544	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S0FTWARE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stvzisd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pkvuebr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S0FTWARE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexxcm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jhdtumfty.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uepdar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S0FTWARE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qrzpemo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Modifies data under HKEY_USERS 50 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2260	schtasks.exe
1120	schtasks.exe
1448	schtasks.exe
4240	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1396	powershell.exe
1396	powershell.exe
1680	powershell.exe
1680	powershell.exe
4508	powershell.exe
4508	powershell.exe
4508	powershell.exe
4500	jhyfvn.exe
5008	powershell.exe
5008	powershell.exe
4500	jhyfvn.exe
4500	jhyfvn.exe
4500	jhyfvn.exe
4500	jhyfvn.exe
4500	jhyfvn.exe
4500	jhyfvn.exe
4500	jhyfvn.exe
4500	jhyfvn.exe
4500	jhyfvn.exe
4500	jhyfvn.exe
4500	jhyfvn.exe
4500	jhyfvn.exe
4500	jhyfvn.exe
4500	jhyfvn.exe
968	Updater.exe
2908	powershell.exe
2908	powershell.exe
968	Updater.exe
968	Updater.exe
968	Updater.exe
968	Updater.exe
968	Updater.exe
968	Updater.exe
968	Updater.exe
968	Updater.exe
968	Updater.exe
968	Updater.exe
968	Updater.exe
968	Updater.exe
2520	explorer.exe
2520	explorer.exe
2520	explorer.exe
2520	explorer.exe
2520	explorer.exe
2520	explorer.exe
2520	explorer.exe
2520	explorer.exe
2520	explorer.exe
2520	explorer.exe
2520	explorer.exe
2520	explorer.exe
2520	explorer.exe
2520	explorer.exe
2520	explorer.exe
2520	explorer.exe
2520	explorer.exe
2520	explorer.exe
2520	explorer.exe
2520	explorer.exe
2520	explorer.exe
2520	explorer.exe
2520	explorer.exe
2520	explorer.exe
2520	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3760	7zFM.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeRestorePrivilege	3760	7zFM.exe
Token: 35	3760	7zFM.exe
Token: SeSecurityPrivilege	3760	7zFM.exe
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	1876	S0FTWARE.exe
Token: SeDebugPrivilege	3588	S0FTWARE.exe
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeDebugPrivilege	3140	S0FTWARE.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeShutdownPrivilege	2104	powercfg.exe
Token: SeCreatePagefilePrivilege	2104	powercfg.exe
Token: SeShutdownPrivilege	2740	powercfg.exe
Token: SeCreatePagefilePrivilege	2740	powercfg.exe
Token: SeShutdownPrivilege	3808	powercfg.exe
Token: SeCreatePagefilePrivilege	3808	powercfg.exe
Token: SeShutdownPrivilege	2304	powercfg.exe
Token: SeCreatePagefilePrivilege	2304	powercfg.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeLockMemoryPrivilege	2520	explorer.exe
Token: SeShutdownPrivilege	4468	powercfg.exe
Token: SeCreatePagefilePrivilege	4468	powercfg.exe
Token: SeShutdownPrivilege	2020	powercfg.exe
Token: SeCreatePagefilePrivilege	2020	powercfg.exe
Token: SeShutdownPrivilege	624	powercfg.exe
Token: SeCreatePagefilePrivilege	624	powercfg.exe
Token: SeShutdownPrivilege	3536	powercfg.exe
Token: SeCreatePagefilePrivilege	3536	powercfg.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3760	7zFM.exe
3760	7zFM.exe
3760	7zFM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 1396	1876	S0FTWARE.exe	99
PID 1876 wrote to memory of 1396	1876	S0FTWARE.exe	99
PID 1876 wrote to memory of 1396	1876	S0FTWARE.exe	99
PID 3588 wrote to memory of 1680	3588	S0FTWARE.exe	103
PID 3588 wrote to memory of 1680	3588	S0FTWARE.exe	103
PID 3588 wrote to memory of 1680	3588	S0FTWARE.exe	103
PID 1876 wrote to memory of 5076	1876	S0FTWARE.exe	105
PID 1876 wrote to memory of 5076	1876	S0FTWARE.exe	105
PID 1876 wrote to memory of 5076	1876	S0FTWARE.exe	105
PID 1876 wrote to memory of 4704	1876	S0FTWARE.exe	106
PID 1876 wrote to memory of 4704	1876	S0FTWARE.exe	106
PID 1876 wrote to memory of 4704	1876	S0FTWARE.exe	106
PID 4704 wrote to memory of 1428	4704	iexxcm.exe	107
PID 4704 wrote to memory of 1428	4704	iexxcm.exe	107
PID 4704 wrote to memory of 1428	4704	iexxcm.exe	107
PID 1428 wrote to memory of 2260	1428	cmd.exe	109
PID 1428 wrote to memory of 2260	1428	cmd.exe	109
PID 1428 wrote to memory of 2260	1428	cmd.exe	109
PID 1876 wrote to memory of 4500	1876	S0FTWARE.exe	110
PID 1876 wrote to memory of 4500	1876	S0FTWARE.exe	110
PID 3588 wrote to memory of 3296	3588	S0FTWARE.exe	111
PID 3588 wrote to memory of 3296	3588	S0FTWARE.exe	111
PID 3588 wrote to memory of 3296	3588	S0FTWARE.exe	111
PID 3140 wrote to memory of 4508	3140	S0FTWARE.exe	112
PID 3140 wrote to memory of 4508	3140	S0FTWARE.exe	112
PID 3140 wrote to memory of 4508	3140	S0FTWARE.exe	112
PID 3588 wrote to memory of 4844	3588	S0FTWARE.exe	114
PID 3588 wrote to memory of 4844	3588	S0FTWARE.exe	114
PID 3588 wrote to memory of 4844	3588	S0FTWARE.exe	114
PID 4844 wrote to memory of 4164	4844	stvzisd.exe	115
PID 4844 wrote to memory of 4164	4844	stvzisd.exe	115
PID 4844 wrote to memory of 4164	4844	stvzisd.exe	115
PID 4164 wrote to memory of 1120	4164	cmd.exe	117
PID 4164 wrote to memory of 1120	4164	cmd.exe	117
PID 4164 wrote to memory of 1120	4164	cmd.exe	117
PID 3588 wrote to memory of 5084	3588	S0FTWARE.exe	118
PID 3588 wrote to memory of 5084	3588	S0FTWARE.exe	118
PID 3140 wrote to memory of 2428	3140	S0FTWARE.exe	119
PID 3140 wrote to memory of 2428	3140	S0FTWARE.exe	119
PID 3140 wrote to memory of 2428	3140	S0FTWARE.exe	119
PID 3140 wrote to memory of 4788	3140	S0FTWARE.exe	120
PID 3140 wrote to memory of 4788	3140	S0FTWARE.exe	120
PID 3140 wrote to memory of 4788	3140	S0FTWARE.exe	120
PID 4788 wrote to memory of 3608	4788	pkvuebr.exe	121
PID 4788 wrote to memory of 3608	4788	pkvuebr.exe	121
PID 4788 wrote to memory of 3608	4788	pkvuebr.exe	121
PID 3608 wrote to memory of 1448	3608	cmd.exe	123
PID 3608 wrote to memory of 1448	3608	cmd.exe	123
PID 3608 wrote to memory of 1448	3608	cmd.exe	123
PID 3140 wrote to memory of 652	3140	S0FTWARE.exe	124
PID 3140 wrote to memory of 652	3140	S0FTWARE.exe	124
PID 424 wrote to memory of 1948	424	cmd.exe	131
PID 424 wrote to memory of 1948	424	cmd.exe	131
PID 2500 wrote to memory of 4800	2500	cmd.exe	165
PID 2500 wrote to memory of 4800	2500	cmd.exe	165
PID 968 wrote to memory of 5116	968	Updater.exe	176
PID 968 wrote to memory of 5116	968	Updater.exe	176
PID 968 wrote to memory of 5116	968	Updater.exe	176
PID 968 wrote to memory of 5116	968	Updater.exe	176
PID 968 wrote to memory of 5116	968	Updater.exe	176
PID 968 wrote to memory of 5116	968	Updater.exe	176
PID 968 wrote to memory of 5116	968	Updater.exe	176
PID 968 wrote to memory of 5116	968	Updater.exe	176
PID 968 wrote to memory of 5116	968	Updater.exe	176

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S0FTWARE.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3760

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4640

C:\Users\Admin\Desktop\e\S0FTWARE.exe
"C:\Users\Admin\Desktop\e\S0FTWARE.exe"
1⤵
- Downloads MZ/PE file
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\tqdnftruqd'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1396
- C:\tqdnftruqd\jhdtumfty.exe
  "C:\tqdnftruqd\jhdtumfty.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5076
- C:\tqdnftruqd\iexxcm.exe
  "C:\tqdnftruqd\iexxcm.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4704
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1428
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2260
- C:\tqdnftruqd\jhyfvn.exe
  "C:\tqdnftruqd\jhyfvn.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4500
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:424
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:1948
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4572
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2736
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:5036
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:2640
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2408
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2304
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2740
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2104
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3808
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineK"
    3⤵
    - Launches sc.exe
    PID:2504
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineK" binpath= "C:\ProgramData\GoogleUP\Chrome\Updater.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:3816
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:4544
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"
    3⤵
    - Launches sc.exe
    PID:4584

C:\Users\Admin\Desktop\e\S0FTWARE.exe
"C:\Users\Admin\Desktop\e\S0FTWARE.exe"
1⤵
- Downloads MZ/PE file
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\gjtti'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\gjtti\qrzpemo.exe
  "C:\gjtti\qrzpemo.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3296
- C:\gjtti\stvzisd.exe
  "C:\gjtti\stvzisd.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4164
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1120
- C:\gjtti\fhvep.exe
  "C:\gjtti\fhvep.exe"
  2⤵
  - Executes dropped EXE
  PID:5084

C:\Users\Admin\Desktop\e\S0FTWARE.exe
"C:\Users\Admin\Desktop\e\S0FTWARE.exe"
1⤵
- Downloads MZ/PE file
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\bzdsaitcnl'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4508
- C:\bzdsaitcnl\uepdar.exe
  "C:\bzdsaitcnl\uepdar.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2428
- C:\bzdsaitcnl\pkvuebr.exe
  "C:\bzdsaitcnl\pkvuebr.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3608
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1448
- C:\bzdsaitcnl\ldtfpv.exe
  "C:\bzdsaitcnl\ldtfpv.exe"
  2⤵
  - Executes dropped EXE
  PID:652

C:\ProgramData\GoogleUP\Chrome\Updater.exe
C:\ProgramData\GoogleUP\Chrome\Updater.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:968
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4800
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2380
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2444
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1068
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:400
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2448
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4468
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2020
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:624
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3536
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:5116
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2520

C:\Users\Admin\AppData\Roaming\service.exe
C:\Users\Admin\AppData\Roaming\service.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4596
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2792
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
734B

MD5
e192462f281446b5d1500d474fbacc4b

SHA1
5ed0044ac937193b78f9878ad7bac5c9ff7534ff

SHA256
f1ba9f1b63c447682ebf9de956d0da2a027b1b779abef9522d347d3479139a60

SHA512
cc69a761a4e8e1d4bf6585aa8e3e5a7dfed610f540a6d43a288ebb35b16e669874ed5d2b06756ee4f30854f6465c84ee423502fc5b67ee9e7758a2dab41b31d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\592E97329BBEF08E4019E5B43B19C9A4

Filesize
345B

MD5
ff47a2edc4b8c9e3d9fb79be68c90995

SHA1
dc1f5f3f5a1fccc5806ab5c190fb74e3f2a1fa60

SHA256
83df353c7c982191ff98d7a8d99de3a57b100d7ed15dbed8cb3e11799bc960e4

SHA512
ec76d054ebd488a1b724696b9c4a923042513f8ab728156f9a26c4b60093339321e5d54b115a4a5c20b4abd0a9b5b6424689781268ed4f0b4b976b68e12222c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
01963adc179d1e13b6a7bc0192c1e9f8

SHA1
66399d974a771e0a4af16849cbe4d8d58f9565cd

SHA256
2339b5bc37ad17385266f866379d0250ad4d338a7ebb5fb5a64601dda9a30db8

SHA512
d6ac2941a036c66d1238a4c411cdb8471e7d18ba4310d58cbab745f1332e48bc4b0bed9bd121fc852e0fa31ff3af4e152def7b0cceafb8207223a9f97d548d0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\592E97329BBEF08E4019E5B43B19C9A4

Filesize
544B

MD5
8aaddfaebc206676163d8b16081030df

SHA1
f852ce082c2bc6328867b2e2d7d22ce2f1ad93a7

SHA256
bd461a47b23d36f77856a790bceeca9fb56cdc3221e1ec5c7a7e069c1e0a4b02

SHA512
adf4d3adab53959eae574e14a4b7a1cfe5c6e19225ae4f698da53e8dad7f81533ea98ca1e848c78f8b04ff9bfe856c0abfcb546a0ca94abbc1aa954f023ef0a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\S0FTWARE.exe.log

Filesize
847B

MD5
f8ec7f563d06ccddddf6c96b8957e5c8

SHA1
73bdc49dcead32f8c29168645a0f080084132252

SHA256
38ef57aec780edd2c8dab614a85ce87351188fce5896ffebc9f69328df2056ed

SHA512
8830821ac9edb4cdf4d8a3d7bc30433987ae4c158cf81b705654f54aaeba366c5fa3509981aceae21e193dd4483f03b9d449bc0a32545927d3ca94b0f9367684

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6fb4f0022518b5f3fc2524f024bb04de

SHA1
437c3d6105f48bca2b833dabe0634ce46996e49a

SHA256
e590cb6fe7a5e30780e83788f0210fa792746cb9ba1e21b7a41ef3f1d54e0102

SHA512
577009318ca153f1feb6ddd0cdbf2175819a4ba54df28646a6e180b896e650939bd4b801c7e294442ec037ff75b0ba1eb555686ea730c5e65bf5e109ee06eb3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
32afb84eec5a05325b70b199f0339560

SHA1
ca2ed0c1e4840a252662381c84ab921c795a6254

SHA256
c0e7fb3ba76abcefcea8ad26abe05fec836ae75ef5a1376f2f0398386c83e37c

SHA512
2d77cfa5e16d7b1e2289c8b33335fd9315d0f3f5dd19a0a87b42b81f691f1762a3e919484e2807f1b25a7ab2db8e39c377400457bada103e07959cbe5c638b00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
185b4c0f8ccaebb2317fb61002e8e303

SHA1
3e30578340992a98f3e1883529426271b4166680

SHA256
a01b08c532394bf3300849b78d7b955f37cafa16b163633512b82146db761a36

SHA512
d5166eed8972111191f3aa2457fe9617786c424405f6abebc01208f9b07914c41da05ea995fd2634fad61819e0e2e88e3514473491c68d5d83903e5353ebf59b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE0BE2D6D7\KeyFile\1049\sharedmanagementobjects_keyfile.dll

Filesize
23KB

MD5
5e54cb9759d1a9416f51ac1e759bbccf

SHA1
1a033a7aae7c294967b1baba0b1e6673d4eeefc6

SHA256
f7e5cae32e2ec2c35346954bfb0b7352f9a697c08586e52494a71ef00e40d948

SHA512
32dcca4432ec0d2a8ad35fe555f201fef828b2f467a2b95417b42ff5b5149aee39d626d244bc295dca8a00cd81ef33a20f9e681dd47eb6ee47932d5d8dd2c664

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ojmojmgf.ark.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\e\S0FTWARE.exe

Filesize
14KB

MD5
4cf9999270fa0c3a1340cdd86898d590

SHA1
e05089621853360145f3e0b54cd6e24187be8781

SHA256
ac0acfc8841602def0afba3aa60b1abf0d18664370c0f046e11e6c6f03aedd6f

SHA512
b306bb00d31062adf484fda2622759e5d4a837155f14a70b92f77386fac07bd5e35a81cbff7fb539601b817dde5fe328585781a998e6331f7842fed917c5bffa

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
C:\tqdnftruqd\iexxcm.exe

Filesize
28KB

MD5
753175a2a378c1448b5e6946d2421599

SHA1
1a856255b7868a050cebc02845e4af6acb3912ef

SHA256
2a216550fb6ef956beb4029c2c18049a1c66cc271470a09c3b0b6103440e7280

SHA512
07e2c0c976c288d3ed0ffe370f6b5538df2c89edc52a21f6025996135d8e4143341e8a0322f7acbb83b9a6c7bae7c88a492aa39c73c88b21bcce19404f133fb3

Download Submit
C:\tqdnftruqd\jhdtumfty.exe

Filesize
120KB

MD5
807dadd8710a7b570ed237fd7cd1aa4b

SHA1
d0e3a3a2b73bb2f3374a58914c8e35034ed5744d

SHA256
7e18ae103ce6fd596459cf0d5fc49832cdbd19a5780b0f2db934c2b649bc2080

SHA512
2270262a8bfe23ce2fac23e7208113be2fec093c3edd7aec456df6738cb19c02d5955c33d64df766154967d28a32947368bb2efaa6ec742031db07bce470d7f6

Download Submit
C:\tqdnftruqd\jhyfvn.exe

Filesize
5.2MB

MD5
6f163d9cd94d4a58ad722301cf9847d0

SHA1
ffcf6d1a5956dfb60a0fd7267039e30fbe2fd981

SHA256
827642649f28e190ac328f026c6c1a332d45b2be4af76bd8f6c8e85838c90b11

SHA512
5503fefd77a87f8030dbd468168abeb3b778857bd770720942f3f1b41cf498f79a3f9138bb1cb7b24b52f55d67724de31aeb42225ee21c8712719323d45e7d67

Download Submit
memory/1396-368-0x00000000081C0000-0x000000000883A000-memory.dmp

Filesize
6.5MB

Download
memory/1396-350-0x0000000006200000-0x0000000006554000-memory.dmp

Filesize
3.3MB

Download
memory/1396-366-0x0000000006DA0000-0x0000000006DBE000-memory.dmp

Filesize
120KB

Download
memory/1396-369-0x0000000007B70000-0x0000000007B8A000-memory.dmp

Filesize
104KB

Download
memory/1396-370-0x0000000007BE0000-0x0000000007BEA000-memory.dmp

Filesize
40KB

Download
memory/1396-371-0x0000000007DF0000-0x0000000007E86000-memory.dmp

Filesize
600KB

Download
memory/1396-372-0x0000000007D70000-0x0000000007D81000-memory.dmp

Filesize
68KB

Download
memory/1396-373-0x0000000007DA0000-0x0000000007DAE000-memory.dmp

Filesize
56KB

Download
memory/1396-374-0x0000000007DB0000-0x0000000007DC4000-memory.dmp

Filesize
80KB

Download
memory/1396-375-0x0000000007EB0000-0x0000000007ECA000-memory.dmp

Filesize
104KB

Download
memory/1396-376-0x0000000007E90000-0x0000000007E98000-memory.dmp

Filesize
32KB

Download
memory/1396-356-0x00000000706C0000-0x000000007070C000-memory.dmp

Filesize
304KB

Download
memory/1396-338-0x0000000003260000-0x0000000003296000-memory.dmp

Filesize
216KB

Download
memory/1396-355-0x0000000007850000-0x0000000007882000-memory.dmp

Filesize
200KB

Download
memory/1396-339-0x00000000059B0000-0x0000000005FD8000-memory.dmp

Filesize
6.2MB

Download
memory/1396-340-0x0000000005870000-0x0000000005892000-memory.dmp

Filesize
136KB

Download
memory/1396-367-0x0000000007890000-0x0000000007933000-memory.dmp

Filesize
652KB

Download
memory/1396-341-0x0000000006060000-0x00000000060C6000-memory.dmp

Filesize
408KB

Download
memory/1396-354-0x0000000006DE0000-0x0000000006E2C000-memory.dmp

Filesize
304KB

Download
memory/1396-342-0x00000000060D0000-0x0000000006136000-memory.dmp

Filesize
408KB

Download
memory/1396-353-0x0000000006850000-0x000000000686E000-memory.dmp

Filesize
120KB

Download
memory/1680-403-0x0000000007A20000-0x0000000007A34000-memory.dmp

Filesize
80KB

Download
memory/1680-393-0x00000000706C0000-0x000000007070C000-memory.dmp

Filesize
304KB

Download
memory/1680-390-0x0000000006060000-0x00000000063B4000-memory.dmp

Filesize
3.3MB

Download
memory/1876-392-0x00000000748CE000-0x00000000748CF000-memory.dmp

Filesize
4KB

Download
memory/1876-445-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/1876-334-0x00000000748CE000-0x00000000748CF000-memory.dmp

Filesize
4KB

Download
memory/1876-335-0x00000000004F0000-0x00000000004FA000-memory.dmp

Filesize
40KB

Download
memory/1876-336-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/1876-405-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/2428-536-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2428-514-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2520-603-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2520-624-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2520-599-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2520-595-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2520-596-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2520-597-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2520-607-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2520-606-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2520-602-0x0000000000CA0000-0x0000000000CC0000-memory.dmp

Filesize
128KB

Download
memory/2520-605-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2520-623-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2520-604-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2520-601-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2520-598-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2520-600-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2908-575-0x0000024275230000-0x00000242752E5000-memory.dmp

Filesize
724KB

Download
memory/2908-578-0x0000024275440000-0x000002427544A000-memory.dmp

Filesize
40KB

Download
memory/2908-579-0x00000242754A0000-0x00000242754BA000-memory.dmp

Filesize
104KB

Download
memory/2908-580-0x0000024275450000-0x0000024275458000-memory.dmp

Filesize
32KB

Download
memory/2908-581-0x0000024275480000-0x0000024275486000-memory.dmp

Filesize
24KB

Download
memory/2908-582-0x0000024275490000-0x000002427549A000-memory.dmp

Filesize
40KB

Download
memory/2908-577-0x0000024275460000-0x000002427547C000-memory.dmp

Filesize
112KB

Download
memory/2908-576-0x00000242752F0000-0x00000242752FA000-memory.dmp

Filesize
40KB

Download
memory/2908-574-0x0000024275210000-0x000002427522C000-memory.dmp

Filesize
112KB

Download
memory/3296-444-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3296-505-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4508-496-0x0000000006EB0000-0x0000000006F53000-memory.dmp

Filesize
652KB

Download
memory/4508-486-0x00000000708E0000-0x000000007092C000-memory.dmp

Filesize
304KB

Download
memory/4508-450-0x0000000005830000-0x0000000005B84000-memory.dmp

Filesize
3.3MB

Download
memory/4508-474-0x0000000005F40000-0x0000000005F8C000-memory.dmp

Filesize
304KB

Download
memory/4508-499-0x0000000007470000-0x0000000007484000-memory.dmp

Filesize
80KB

Download
memory/4508-498-0x0000000007420000-0x0000000007431000-memory.dmp

Filesize
68KB

Download
memory/4596-616-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4704-537-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4788-608-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4844-555-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/5008-538-0x000001E531F80000-0x000001E531FA2000-memory.dmp

Filesize
136KB

Download
memory/5076-473-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/5076-413-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/5116-591-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5116-587-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5116-594-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5116-590-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5116-589-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5116-588-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download