Overview

overview

10

Static

static

3

S0FTWARE.rar

windows7-x64

1

S0FTWARE.rar

windows10-2004-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-02-2025 16:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    S0FTWARE.rar

  • Size

    17.1MB

  • MD5

    4f4d6b8038f0161743a0417cf4075e3a

  • SHA1

    5af34fbd37ebd0ff8061a0f8d7cb513ab56cebf2

  • SHA256

    b6fc49b8355a266c4914ebdb0ed7f00820c393bd5c1f136049480e08e8af4309

  • SHA512

    6b3a9c8c567a6fb445bfdb13e51537aea77fedbe5b471b0889815eb782791f15e6b1e4a0d4e7a850d29e86f078b65e8e7ecd0e4e4de8cd1ce8b8b2fcba5647a8

  • SSDEEP

    393216:bvw+bRdjNzBnHt+XhuNADR2zZHtE12RFeWkXn9fD+dIKVBtcbNlfHX0W7v:bvwuRPzBnHt+0SF2dHtEgv2n9fydIKVA

Score
10/10
vidarxmrigdefense_evasiondiscoveryexecutionminerpersistencestealerupx

Malware Config

Extracted

Family

vidar

C2

https://t.me/sok33tn

https://steamcommunity.com/profiles/76561199824159981
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Signatures

  • Detect Vidar Stealer 6 IoCs
    stealer
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar family
    vidar
  • Xmrig family
    xmrig
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 8 IoCs
    miner
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Downloads MZ/PE file 6 IoCs
  • Drops file in Drivers directory 2 IoCs
  • Stops running service(s) 4 TTPs
    defense_evasionexecution
  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 18 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
  • Power Settings 1 TTPs 8 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Launches sc.exe 14 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 50 IoCs
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S0FTWARE.rar"
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4704
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4040
    • C:\Users\Admin\Downloads\S0FTWARE.exe
      "C:\Users\Admin\Downloads\S0FTWARE.exe"
      1⤵
      • Downloads MZ/PE file
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4744
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\LSDI'"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4304
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4012
      • C:\LSDI\bothkklasda.exe
        "C:\LSDI\bothkklasda.exe"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4536
      • C:\LSDI\botyhkskfkr.exe
        "C:\LSDI\botyhkskfkr.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3308
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4484
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
            4⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:1992
      • C:\LSDI\bptyhkakda.exe
        "C:\LSDI\bptyhkakda.exe"
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        PID:3012
        • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1756
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2276
          • C:\Windows\system32\wusa.exe
            wusa /uninstall /kb:890830 /quiet /norestart
            4⤵
              PID:4492
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop UsoSvc
            3⤵
            • Launches sc.exe
            PID:916
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop WaaSMedicSvc
            3⤵
            • Launches sc.exe
            PID:1432
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop wuauserv
            3⤵
            • Launches sc.exe
            PID:3572
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop bits
            3⤵
            • Launches sc.exe
            PID:3992
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop dosvc
            3⤵
            • Launches sc.exe
            PID:2880
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
            3⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:2828
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
            3⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:4860
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
            3⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:4836
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
            3⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:1808
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineK"
            3⤵
            • Launches sc.exe
            PID:4556
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineK" binpath= "C:\ProgramData\GoogleUP\Chrome\Updater.exe" start= "auto"
            3⤵
            • Launches sc.exe
            PID:1020
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop eventlog
            3⤵
            • Launches sc.exe
            PID:4276
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"
            3⤵
            • Launches sc.exe
            PID:768
      • C:\Users\Admin\Downloads\S0FTWARE.exe
        "C:\Users\Admin\Downloads\S0FTWARE.exe"
        1⤵
        • Downloads MZ/PE file
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2952
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\NFVJIKA'"
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4436
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:228
        • C:\NFVJIKA\bothkklasda.exe
          "C:\NFVJIKA\bothkklasda.exe"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4996
        • C:\NFVJIKA\botyhkskfkr.exe
          "C:\NFVJIKA\botyhkskfkr.exe"
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:756
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2576
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
              4⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:3856
        • C:\NFVJIKA\bptyhkakda.exe
          "C:\NFVJIKA\bptyhkakda.exe"
          2⤵
          • Executes dropped EXE
          PID:2324
      • C:\Users\Admin\Downloads\S0FTWARE.exe
        "C:\Users\Admin\Downloads\S0FTWARE.exe"
        1⤵
        • Downloads MZ/PE file
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2196
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\QWGUK'"
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4564
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1032
        • C:\QWGUK\bothkklasda.exe
          "C:\QWGUK\bothkklasda.exe"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4036
        • C:\QWGUK\botyhkskfkr.exe
          "C:\QWGUK\botyhkskfkr.exe"
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4384
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:768
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
              4⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:3464
        • C:\QWGUK\bptyhkakda.exe
          "C:\QWGUK\bptyhkakda.exe"
          2⤵
          • Executes dropped EXE
          PID:1204
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
        • Checks SCSI registry key(s)
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4760
      • C:\ProgramData\GoogleUP\Chrome\Updater.exe
        C:\ProgramData\GoogleUP\Chrome\Updater.exe
        1⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        PID:4304
        • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious use of AdjustPrivilegeToken
          PID:456
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3500
          • C:\Windows\system32\wusa.exe
            wusa /uninstall /kb:890830 /quiet /norestart
            3⤵
              PID:1372
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop UsoSvc
            2⤵
            • Launches sc.exe
            PID:3324
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop WaaSMedicSvc
            2⤵
            • Launches sc.exe
            PID:4388
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop wuauserv
            2⤵
            • Launches sc.exe
            PID:1156
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop bits
            2⤵
            • Launches sc.exe
            PID:3560
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop dosvc
            2⤵
            • Launches sc.exe
            PID:3756
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
            2⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:4348
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
            2⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:3224
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
            2⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:3936
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
            2⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:1812
          • C:\Windows\system32\conhost.exe
            C:\Windows\system32\conhost.exe
            2⤵
              PID:2180
            • C:\Windows\explorer.exe
              explorer.exe
              2⤵
              • Modifies data under HKEY_USERS
              • Suspicious use of AdjustPrivilegeToken
              PID:3740
          • C:\Users\Admin\AppData\Roaming\service.exe
            C:\Users\Admin\AppData\Roaming\service.exe
            1⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:984
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
              2⤵
              • System Location Discovery: System Language Discovery
              PID:1216
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
                3⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:2140
          • C:\Users\Admin\Downloads\S0FTWARE.exe
            "C:\Users\Admin\Downloads\S0FTWARE.exe"
            1⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:3012
          • C:\Users\Admin\Downloads\S0FTWARE.exe
            "C:\Users\Admin\Downloads\S0FTWARE.exe"
            1⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:4684
          • C:\Users\Admin\Downloads\S0FTWARE.exe
            "C:\Users\Admin\Downloads\S0FTWARE.exe"
            1⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:3188
          • C:\Users\Admin\Downloads\S0FTWARE.exe
            "C:\Users\Admin\Downloads\S0FTWARE.exe"
            1⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1752

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Command and Scripting Interpreter

          1
          T1059

          PowerShell

          1
          T1059.001

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          System Services

          2
          T1569

          Service Execution

          2
          T1569.002

          Persistence

          Create or Modify System Process

          2
          T1543

          Windows Service

          2
          T1543.003

          Power Settings

          1
          T1653

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Privilege Escalation

          Create or Modify System Process

          2
          T1543

          Windows Service

          2
          T1543.003

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Defense Evasion

          Impair Defenses

          1
          T1562

          Credential Access

          Discovery

          Peripheral Device Discovery

          1
          T1120

          Query Registry

          3
          T1012

          System Information Discovery

          4
          T1082

          System Location Discovery

          1
          T1614

          System Language Discovery

          1
          T1614.001

          Lateral Movement

          Collection

          Command and Control

          Web Service

          1
          T1102

          Exfiltration

          Impact

          Service Stop

          1
          T1489

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\LSDI\bothkklasda.exe
            Filesize

            120KB

            MD5

            807dadd8710a7b570ed237fd7cd1aa4b

            SHA1

            d0e3a3a2b73bb2f3374a58914c8e35034ed5744d

            SHA256

            7e18ae103ce6fd596459cf0d5fc49832cdbd19a5780b0f2db934c2b649bc2080

            SHA512

            2270262a8bfe23ce2fac23e7208113be2fec093c3edd7aec456df6738cb19c02d5955c33d64df766154967d28a32947368bb2efaa6ec742031db07bce470d7f6

            Download Submit

          • C:\LSDI\botyhkskfkr.exe
            Filesize

            28KB

            MD5

            753175a2a378c1448b5e6946d2421599

            SHA1

            1a856255b7868a050cebc02845e4af6acb3912ef

            SHA256

            2a216550fb6ef956beb4029c2c18049a1c66cc271470a09c3b0b6103440e7280

            SHA512

            07e2c0c976c288d3ed0ffe370f6b5538df2c89edc52a21f6025996135d8e4143341e8a0322f7acbb83b9a6c7bae7c88a492aa39c73c88b21bcce19404f133fb3

            Download Submit

          • C:\LSDI\bptyhkakda.exe
            Filesize

            5.2MB

            MD5

            6f163d9cd94d4a58ad722301cf9847d0

            SHA1

            ffcf6d1a5956dfb60a0fd7267039e30fbe2fd981

            SHA256

            827642649f28e190ac328f026c6c1a332d45b2be4af76bd8f6c8e85838c90b11

            SHA512

            5503fefd77a87f8030dbd468168abeb3b778857bd770720942f3f1b41cf498f79a3f9138bb1cb7b24b52f55d67724de31aeb42225ee21c8712719323d45e7d67

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
            Filesize

            734B

            MD5

            e192462f281446b5d1500d474fbacc4b

            SHA1

            5ed0044ac937193b78f9878ad7bac5c9ff7534ff

            SHA256

            f1ba9f1b63c447682ebf9de956d0da2a027b1b779abef9522d347d3479139a60

            SHA512

            cc69a761a4e8e1d4bf6585aa8e3e5a7dfed610f540a6d43a288ebb35b16e669874ed5d2b06756ee4f30854f6465c84ee423502fc5b67ee9e7758a2dab41b31d3

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7249D5C122DD3AE36149A02859D0912D
            Filesize

            346B

            MD5

            b8ddc4c6f3e3b261b1b08994966b9bd0

            SHA1

            ec9f7b8fd0b8d87b652327be21c2769169a01d67

            SHA256

            46ac94ece976eb6fe0a47ca74aa73e12b9a82ef1f3ada70a4bc90e9cdf81ce82

            SHA512

            f4f4d73123c7c97282af5fb1e70d23841413cb1a170a4ad10b12e062f269a34bad4fc21624300ab4b16820417b373437a8f578fc504d06e00b6e76d39c1ce5ab

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
            Filesize

            192B

            MD5

            238979a25efb339be0872c099d2fe6f2

            SHA1

            fbebc0bb82a3fcefd2d454de9a7f40fd13b6aeca

            SHA256

            a889201aaf046517eb6d20dd2afaa55029d2e8fb759dc6717d74ad49b722d959

            SHA512

            57bdf3fec86646ee5f8443220cb8a813730d40522e6958d3572aabeb5624163e0c180f6c20abbb03d46206074271f303fb7c4978aca465418c62ddac1be036e9

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7249D5C122DD3AE36149A02859D0912D
            Filesize

            544B

            MD5

            3474b912c1bdbcb831bcb92400b685ad

            SHA1

            2eb679be750431a372aa559b0649bc85105afb88

            SHA256

            d4dc6bf97ff44d6ecac0179d3267257633a81bc8ae5cfb35c72cce6239006ee4

            SHA512

            246d1b8a6a5d44ed38eeb1ce93018a51d9d161a83d5cc37d362f0f46857db61cba9910d400bacd04e9262336812487e7f3a377e4e0f33d0d28c24dea3e020b7e

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\S0FTWARE.exe.log
            Filesize

            1KB

            MD5

            480c164e1147059479578928631605fa

            SHA1

            bafc2e08ba198af11d2b9c7f377150f9be21367b

            SHA256

            2d4b853c113f9478a8320cf0b1f676a89b858f35e8e8a2e706da66b25f4e2971

            SHA512

            3c0a0ee27f086a17cbee8b4f7f58d733eda8de66023f6766b573d7bfcca91fcc02baeef5ce2d7be7ae7d1d7fca9abe7d096c46e71e7826d85370827903dbff89

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
            Filesize

            2KB

            MD5

            968cb9309758126772781b83adb8a28f

            SHA1

            8da30e71accf186b2ba11da1797cf67f8f78b47c

            SHA256

            92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

            SHA512

            4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            18KB

            MD5

            6bf073fb27345110e3c88aeee73a611f

            SHA1

            f31c17695aa62269af0237f4056f81de19fe9164

            SHA256

            816d1967326010df680090e19f96c47abb0866aabd8196931da1410356b82d5c

            SHA512

            999c5eefd702d9c53facd64882ccb164e6faf6921b98aba72b9bf7a88a4b29c22966a9ce4e5e2cca93cda48e53247950230386b1b96d78591a7294b27ab63657

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            18KB

            MD5

            8d90a9aa712089e59ee2aadf3407fd75

            SHA1

            e4d34ae7213ed3e0d0e438a81899ccfbe221eed4

            SHA256

            29a29a8951562746f1da97db5b412c262b6190bc8edd44fa31e49e96e90b43a9

            SHA512

            a2b4c2f56aea660d77df5c0911e7e7f442b69d4b923db303e6d650d8e9ec3542c72922e7e84946da12d6a45a6b2933ee4948702d9373c1aff52843c2b7ae0e8a

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            18KB

            MD5

            a9d00ba5957ead4f43040d5d1701c047

            SHA1

            f33619f2a76c21fb379fd2405ef1aac22d047c96

            SHA256

            cda9a33658c8582d2821e0ab4285da1400950eb8689cf58abf7bc914026a0d6b

            SHA512

            20dea8d68d71163cce60812f6fa9a32367c9e0570e84e1a567fd46e1d606bddc7b40b7ef02e801f4ad31ebc682fa3e871a3b6315b7fdc4b6d24d60c9e2a884e5

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            18KB

            MD5

            fe1b7d5ab28972ec844154322662491a

            SHA1

            f8875789e881ab78c61101accaa4dcc3aa46904b

            SHA256

            2051e940ea5f356a34fe0f5606b274e665097e90df379af5edad02efeb396117

            SHA512

            db136584922b99f8718a8be6f5698c674917b48bd65fb70707db83e368a8435a454f6e508ba9a8db8887d7d42da375484ae66988f0ac0a850c2f5d3ba6c4e2c9

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            18KB

            MD5

            7d0c565ed1534332138849499e7fc69e

            SHA1

            0af2e02928943fc56208f6551db9d0e1de55df48

            SHA256

            016b2b14f976394b2ce476e2ebe473663c4d53cb1a7c5efc6649082b916e59b6

            SHA512

            3cf4acd5dc3f3aea850a4b12f97bb0f6378094a1728979eba85e9d73454243db364249618ff81ebd08c71a84447484c86abbd71c25ad72af037b28cadeffb795

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zmbnp0fu.qm3.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Users\Admin\Downloads\KeyFile\1049\sharedmanagementobjects_keyfile.dll
            Filesize

            23KB

            MD5

            5e54cb9759d1a9416f51ac1e759bbccf

            SHA1

            1a033a7aae7c294967b1baba0b1e6673d4eeefc6

            SHA256

            f7e5cae32e2ec2c35346954bfb0b7352f9a697c08586e52494a71ef00e40d948

            SHA512

            32dcca4432ec0d2a8ad35fe555f201fef828b2f467a2b95417b42ff5b5149aee39d626d244bc295dca8a00cd81ef33a20f9e681dd47eb6ee47932d5d8dd2c664

            Download Submit

          • C:\Users\Admin\Downloads\S0FTWARE.exe
            Filesize

            16KB

            MD5

            aab1f7428582ab8fd7e1875b1c76f5d5

            SHA1

            052afd80cfa9061b462eac018b51ae9d1a4a9cd0

            SHA256

            93b81fca5f62c8511d4901efea8b7c17db8d3cb46c26727c0713c74608af749c

            SHA512

            d3d4a51b5358390af5f84b58de0310bc942ae8aa01b3ec262aec5be3c6f0940b6900c56ba1589c252b7825e74ef67b6bcc80f2c927f32fa75316f73c46cdf5c2

            Download Submit

          • C:\Windows\system32\drivers\etc\hosts
            Filesize

            3KB

            MD5

            00930b40cba79465b7a38ed0449d1449

            SHA1

            4b25a89ee28b20ba162f23772ddaf017669092a5

            SHA256

            eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

            SHA512

            cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

            Download Submit

          • memory/228-492-0x000000006F980000-0x000000006F9CC000-memory.dmp

            Filesize

            304KB

            Download

          • memory/228-502-0x0000000007080000-0x0000000007123000-memory.dmp

            Filesize

            652KB

            Download

          • memory/228-516-0x0000000007350000-0x0000000007361000-memory.dmp

            Filesize

            68KB

            Download

          • memory/228-520-0x00000000073B0000-0x00000000073C4000-memory.dmp

            Filesize

            80KB

            Download

          • memory/456-653-0x00000206CB1C0000-0x00000206CB1CA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/456-651-0x00000206CB070000-0x00000206CB07A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/456-656-0x00000206CB200000-0x00000206CB206000-memory.dmp

            Filesize

            24KB

            Download

          • memory/456-655-0x00000206CB1D0000-0x00000206CB1D8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/456-654-0x00000206CB220000-0x00000206CB23A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/456-658-0x00000206CB210000-0x00000206CB21A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/456-652-0x00000206CB1E0000-0x00000206CB1FC000-memory.dmp

            Filesize

            112KB

            Download

          • memory/456-649-0x00000206CAF90000-0x00000206CAFAC000-memory.dmp

            Filesize

            112KB

            Download

          • memory/456-650-0x00000206CAFB0000-0x00000206CB065000-memory.dmp

            Filesize

            724KB

            Download

          • memory/756-657-0x0000000000400000-0x000000000040E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/984-709-0x0000000000400000-0x000000000040E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1032-534-0x00000000063D0000-0x0000000006724000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/1032-545-0x000000006F980000-0x000000006F9CC000-memory.dmp

            Filesize

            304KB

            Download

          • memory/1756-624-0x0000024C5D8E0000-0x0000024C5D902000-memory.dmp

            Filesize

            136KB

            Download

          • memory/2180-667-0x0000000140000000-0x000000014000E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2180-664-0x0000000140000000-0x000000014000E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2180-663-0x0000000140000000-0x000000014000E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2180-665-0x0000000140000000-0x000000014000E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2180-666-0x0000000140000000-0x000000014000E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2180-670-0x0000000140000000-0x000000014000E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/3308-613-0x0000000000400000-0x000000000040E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/3740-671-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/3740-679-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/3740-694-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/3740-683-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/3740-682-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/3740-672-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/3740-673-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/3740-675-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/3740-674-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/3740-680-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/3740-677-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/3740-676-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/3740-678-0x0000000001170000-0x0000000001190000-memory.dmp

            Filesize

            128KB

            Download

          • memory/3740-681-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/4012-405-0x000000006FF40000-0x000000006FF8C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/4012-403-0x0000000005550000-0x00000000058A4000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/4036-612-0x0000000000400000-0x0000000000422000-memory.dmp

            Filesize

            136KB

            Download

          • memory/4304-352-0x0000000002A90000-0x0000000002AC6000-memory.dmp

            Filesize

            216KB

            Download

          • memory/4304-388-0x00000000075C0000-0x00000000075D4000-memory.dmp

            Filesize

            80KB

            Download

          • memory/4304-355-0x00000000059A0000-0x0000000005A06000-memory.dmp

            Filesize

            408KB

            Download

          • memory/4304-353-0x0000000005240000-0x0000000005868000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/4304-366-0x0000000005B80000-0x0000000005ED4000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/4304-354-0x00000000051A0000-0x00000000051C2000-memory.dmp

            Filesize

            136KB

            Download

          • memory/4304-368-0x00000000060F0000-0x000000000613C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/4304-367-0x0000000006050000-0x000000000606E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/4304-390-0x00000000076A0000-0x00000000076A8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/4304-389-0x00000000076C0000-0x00000000076DA000-memory.dmp

            Filesize

            104KB

            Download

          • memory/4304-369-0x0000000006630000-0x0000000006662000-memory.dmp

            Filesize

            200KB

            Download

          • memory/4304-356-0x0000000005A10000-0x0000000005A76000-memory.dmp

            Filesize

            408KB

            Download

          • memory/4304-387-0x00000000075B0000-0x00000000075BE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/4304-386-0x0000000007580000-0x0000000007591000-memory.dmp

            Filesize

            68KB

            Download

          • memory/4304-385-0x0000000007600000-0x0000000007696000-memory.dmp

            Filesize

            600KB

            Download

          • memory/4304-384-0x0000000007400000-0x000000000740A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/4304-383-0x0000000007380000-0x000000000739A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/4304-382-0x00000000079D0000-0x000000000804A000-memory.dmp

            Filesize

            6.5MB

            Download

          • memory/4304-381-0x0000000007260000-0x0000000007303000-memory.dmp

            Filesize

            652KB

            Download

          • memory/4304-380-0x0000000006670000-0x000000000668E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/4304-370-0x000000006FF40000-0x000000006FF8C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/4384-684-0x0000000000400000-0x000000000040E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/4436-428-0x00000000063E0000-0x000000000642C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/4436-416-0x0000000005780000-0x0000000005AD4000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/4436-437-0x000000006F980000-0x000000006F9CC000-memory.dmp

            Filesize

            304KB

            Download

          • memory/4436-447-0x00000000070B0000-0x0000000007153000-memory.dmp

            Filesize

            652KB

            Download

          • memory/4436-456-0x0000000007390000-0x00000000073A1000-memory.dmp

            Filesize

            68KB

            Download

          • memory/4436-458-0x00000000073D0000-0x00000000073E4000-memory.dmp

            Filesize

            80KB

            Download

          • memory/4536-521-0x0000000000400000-0x0000000000422000-memory.dmp

            Filesize

            136KB

            Download

          • memory/4536-435-0x0000000000400000-0x0000000000422000-memory.dmp

            Filesize

            136KB

            Download

          • memory/4564-469-0x0000000005690000-0x00000000059E4000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/4564-506-0x000000006F980000-0x000000006F9CC000-memory.dmp

            Filesize

            304KB

            Download

          • memory/4744-334-0x000000007499E000-0x000000007499F000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4744-335-0x0000000000770000-0x000000000077A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/4744-338-0x000000007499E000-0x000000007499F000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4760-345-0x0000018137770000-0x0000018137771000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4760-348-0x0000018137770000-0x0000018137771000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4760-351-0x0000018137770000-0x0000018137771000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4760-347-0x0000018137770000-0x0000018137771000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4760-350-0x0000018137770000-0x0000018137771000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4760-346-0x0000018137770000-0x0000018137771000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4760-349-0x0000018137770000-0x0000018137771000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4760-339-0x0000018137770000-0x0000018137771000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4760-340-0x0000018137770000-0x0000018137771000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4760-341-0x0000018137770000-0x0000018137771000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4996-600-0x0000000000400000-0x0000000000422000-memory.dmp

            Filesize

            136KB

            Download

          • memory/4996-544-0x0000000000400000-0x0000000000422000-memory.dmp

            Filesize

            136KB

            Download