04dc453eef135fdf917b2cfd671246cc9d4273f7c9c770fad407ef714bed02dc

General

Target

zloader_1.15.0.0.vir.exe
Size

224KB
MD5

126dc987935804de8ceb101ae29c4922
SHA1

3a43fcba90ce677ddcf5d134e810d1954671b29d
SHA256

04dc453eef135fdf917b2cfd671246cc9d4273f7c9c770fad407ef714bed02dc
SHA512

4ee2e69aed98892717d36240255fc4dfb6cd6326f82fda9124b59251ab963d7384cdc48ffce8a51ac81e578f34e7d49133b243aac4fa35ee7e50ad447b4a3af3

Score

8^/10

upx

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1084 1020 WerFault.exe iexplore.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1084 WerFault.exe
Drops startup file 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs cmd.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

zloader_1.15.0.0.vir.exe

pid process

2068 zloader_1.15.0.0.vir.exe
2068 zloader_1.15.0.0.vir.exe

pid	pid_target	process	target process
1084	1020	WerFault.exe	iexplore.exe

description	pid	process
Token: SeDebugPrivilege	1084	WerFault.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

pid	process
2068	zloader_1.15.0.0.vir.exe
2068	zloader_1.15.0.0.vir.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1020-1-0x0000000000400000-0x00000000009DC000-memory.dmp	upx
behavioral1/memory/1020-3-0x0000000000400000-0x00000000009DC000-memory.dmp	upx

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

zloader_1.15.0.0.vir.exe

pid process

1512 zloader_1.15.0.0.vir.exe
1512 zloader_1.15.0.0.vir.exe

pid	process
1512	zloader_1.15.0.0.vir.exe
1512	zloader_1.15.0.0.vir.exe

Suspicious use of WriteProcessMemory 361 IoCs

Processes:

zloader_1.15.0.0.vir.exeiexplore.exe

description	pid	process	target process
PID 1512 wrote to memory of 476	1512	zloader_1.15.0.0.vir.exe	cmd.exe
PID 1512 wrote to memory of 476	1512	zloader_1.15.0.0.vir.exe	cmd.exe
PID 1512 wrote to memory of 476	1512	zloader_1.15.0.0.vir.exe	cmd.exe
PID 1512 wrote to memory of 476	1512	zloader_1.15.0.0.vir.exe	cmd.exe
PID 1512 wrote to memory of 528	1512	zloader_1.15.0.0.vir.exe	iexplore.exe
PID 1512 wrote to memory of 528	1512	zloader_1.15.0.0.vir.exe	iexplore.exe
PID 1512 wrote to memory of 528	1512	zloader_1.15.0.0.vir.exe	iexplore.exe
PID 1512 wrote to memory of 528	1512	zloader_1.15.0.0.vir.exe	iexplore.exe
PID 1512 wrote to memory of 784	1512	zloader_1.15.0.0.vir.exe	iexplore.exe
PID 1512 wrote to memory of 784	1512	zloader_1.15.0.0.vir.exe	iexplore.exe
PID 1512 wrote to memory of 784	1512	zloader_1.15.0.0.vir.exe	iexplore.exe
PID 1512 wrote to memory of 784	1512	zloader_1.15.0.0.vir.exe	iexplore.exe
PID 1512 wrote to memory of 1020	1512	zloader_1.15.0.0.vir.exe	iexplore.exe
PID 1512 wrote to memory of 1020	1512	zloader_1.15.0.0.vir.exe	iexplore.exe
PID 1512 wrote to memory of 1020	1512	zloader_1.15.0.0.vir.exe	iexplore.exe
PID 1512 wrote to memory of 1020	1512	zloader_1.15.0.0.vir.exe	iexplore.exe
PID 1512 wrote to memory of 1020	1512	zloader_1.15.0.0.vir.exe	iexplore.exe
PID 1512 wrote to memory of 1020	1512	zloader_1.15.0.0.vir.exe	iexplore.exe
PID 1512 wrote to memory of 1020	1512	zloader_1.15.0.0.vir.exe	iexplore.exe
PID 1512 wrote to memory of 1020	1512	zloader_1.15.0.0.vir.exe	iexplore.exe
PID 1512 wrote to memory of 1020	1512	zloader_1.15.0.0.vir.exe	iexplore.exe
PID 1512 wrote to memory of 1020	1512	zloader_1.15.0.0.vir.exe	iexplore.exe
PID 1512 wrote to memory of 1020	1512	zloader_1.15.0.0.vir.exe	iexplore.exe
PID 1512 wrote to memory of 1100	1512	zloader_1.15.0.0.vir.exe	zloader_1.15.0.0.vir.exe
PID 1512 wrote to memory of 1100	1512	zloader_1.15.0.0.vir.exe	zloader_1.15.0.0.vir.exe
PID 1512 wrote to memory of 1100	1512	zloader_1.15.0.0.vir.exe	zloader_1.15.0.0.vir.exe
PID 1512 wrote to memory of 1100	1512	zloader_1.15.0.0.vir.exe	zloader_1.15.0.0.vir.exe
PID 1512 wrote to memory of 1644	1512	zloader_1.15.0.0.vir.exe	zloader_1.15.0.0.vir.exe
PID 1512 wrote to memory of 1644	1512	zloader_1.15.0.0.vir.exe	zloader_1.15.0.0.vir.exe
PID 1512 wrote to memory of 1644	1512	zloader_1.15.0.0.vir.exe	zloader_1.15.0.0.vir.exe
PID 1512 wrote to memory of 1644	1512	zloader_1.15.0.0.vir.exe	zloader_1.15.0.0.vir.exe
PID 1512 wrote to memory of 1068	1512	zloader_1.15.0.0.vir.exe	zloader_1.15.0.0.vir.exe
PID 1512 wrote to memory of 1068	1512	zloader_1.15.0.0.vir.exe	zloader_1.15.0.0.vir.exe
PID 1512 wrote to memory of 1068	1512	zloader_1.15.0.0.vir.exe	zloader_1.15.0.0.vir.exe
PID 1512 wrote to memory of 1068	1512	zloader_1.15.0.0.vir.exe	zloader_1.15.0.0.vir.exe
PID 1020 wrote to memory of 1084	1020	iexplore.exe	WerFault.exe
PID 1020 wrote to memory of 1084	1020	iexplore.exe	WerFault.exe
PID 1020 wrote to memory of 1084	1020	iexplore.exe	WerFault.exe
PID 1020 wrote to memory of 1084	1020	iexplore.exe	WerFault.exe
PID 1512 wrote to memory of 1568	1512	zloader_1.15.0.0.vir.exe	zloader_1.15.0.0.vir.exe
PID 1512 wrote to memory of 1568	1512	zloader_1.15.0.0.vir.exe	zloader_1.15.0.0.vir.exe
PID 1512 wrote to memory of 1568	1512	zloader_1.15.0.0.vir.exe	zloader_1.15.0.0.vir.exe
PID 1512 wrote to memory of 1568	1512	zloader_1.15.0.0.vir.exe	zloader_1.15.0.0.vir.exe
PID 1512 wrote to memory of 1536	1512	zloader_1.15.0.0.vir.exe	zloader_1.15.0.0.vir.exe
PID 1512 wrote to memory of 1536	1512	zloader_1.15.0.0.vir.exe	zloader_1.15.0.0.vir.exe
PID 1512 wrote to memory of 1536	1512	zloader_1.15.0.0.vir.exe	zloader_1.15.0.0.vir.exe
PID 1512 wrote to memory of 1536	1512	zloader_1.15.0.0.vir.exe	zloader_1.15.0.0.vir.exe
PID 1512 wrote to memory of 1672	1512	zloader_1.15.0.0.vir.exe	zloader_1.15.0.0.vir.exe
PID 1512 wrote to memory of 1672	1512	zloader_1.15.0.0.vir.exe	zloader_1.15.0.0.vir.exe
PID 1512 wrote to memory of 1672	1512	zloader_1.15.0.0.vir.exe	zloader_1.15.0.0.vir.exe
PID 1512 wrote to memory of 1672	1512	zloader_1.15.0.0.vir.exe	zloader_1.15.0.0.vir.exe
PID 1512 wrote to memory of 1696	1512	zloader_1.15.0.0.vir.exe	zloader_1.15.0.0.vir.exe
PID 1512 wrote to memory of 1696	1512	zloader_1.15.0.0.vir.exe	zloader_1.15.0.0.vir.exe
PID 1512 wrote to memory of 1696	1512	zloader_1.15.0.0.vir.exe	zloader_1.15.0.0.vir.exe
PID 1512 wrote to memory of 1696	1512	zloader_1.15.0.0.vir.exe	zloader_1.15.0.0.vir.exe
PID 1512 wrote to memory of 1352	1512	zloader_1.15.0.0.vir.exe	zloader_1.15.0.0.vir.exe
PID 1512 wrote to memory of 1352	1512	zloader_1.15.0.0.vir.exe	zloader_1.15.0.0.vir.exe
PID 1512 wrote to memory of 1352	1512	zloader_1.15.0.0.vir.exe	zloader_1.15.0.0.vir.exe
PID 1512 wrote to memory of 1352	1512	zloader_1.15.0.0.vir.exe	zloader_1.15.0.0.vir.exe
PID 1512 wrote to memory of 1360	1512	zloader_1.15.0.0.vir.exe	zloader_1.15.0.0.vir.exe
PID 1512 wrote to memory of 1360	1512	zloader_1.15.0.0.vir.exe	zloader_1.15.0.0.vir.exe
PID 1512 wrote to memory of 1360	1512	zloader_1.15.0.0.vir.exe	zloader_1.15.0.0.vir.exe
PID 1512 wrote to memory of 1360	1512	zloader_1.15.0.0.vir.exe	zloader_1.15.0.0.vir.exe
PID 1512 wrote to memory of 1216	1512	zloader_1.15.0.0.vir.exe	zloader_1.15.0.0.vir.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

zloader_1.15.0.0.vir.exeWerFault.exe

pid process

1512 zloader_1.15.0.0.vir.exe
1084 WerFault.exe
1084 WerFault.exe
1084 WerFault.exe
1084 WerFault.exe

pid	process
1512	zloader_1.15.0.0.vir.exe
1084	WerFault.exe
1084	WerFault.exe
1084	WerFault.exe
1084	WerFault.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

zloader_1.15.0.0.vir.exe

description	pid	process	target process
PID 1512 set thread context of 1020	1512	zloader_1.15.0.0.vir.exe	iexplore.exe
PID 1512 set thread context of 2068	1512	zloader_1.15.0.0.vir.exe	zloader_1.15.0.0.vir.exe

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
2⤵
- Drops startup file
PID:476

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
PID:528

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
PID:784

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 176
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1084

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1100

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1672

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1804

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1816

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1840

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1864

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1876

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1868

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1764

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1800

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1756

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:656

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:756

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:848

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:564

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:888

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1548

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1624

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1596

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1628

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1668

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1556

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1544

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1924

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1928

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1920

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:2012

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:2000

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1976

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:2024

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1680

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:612

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1396

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1404

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:600

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1388

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1076

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1032

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1480

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1016

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:900

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:644

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1552

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1792

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:740

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:1036

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:2052

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
PID:2060

C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\zloader_1.15.0.0.vir.exe"
2⤵
- Suspicious behavior: MapViewOfSection
PID:2068

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:2088

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/476-0-0x0000000000000000-mapping.dmp

Download
memory/1020-1-0x0000000000400000-0x00000000009DC000-memory.dmp

Filesize
5.9MB

Download
memory/1020-2-0x000000000040D770-mapping.dmp

Download
memory/1020-3-0x0000000000400000-0x00000000009DC000-memory.dmp

Filesize
5.9MB

Download
memory/1020-9-0x000000000040D770-mapping.dmp

Download
memory/1084-7-0x0000000001DC0000-0x0000000001DD1000-memory.dmp

Filesize
68KB

Download
memory/1084-6-0x0000000001DC0000-0x0000000001DD1000-memory.dmp

Filesize
68KB

Download
memory/1084-5-0x0000000000000000-mapping.dmp

Download
memory/1084-10-0x0000000002480000-0x0000000002491000-memory.dmp

Filesize
68KB

Download
memory/2068-12-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2068-13-0x0000000000402193-mapping.dmp

Download
memory/2068-14-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2088-15-0x0000000000000000-mapping.dmp

Download
memory/2088-16-0x0000000000CC0000-0x0000000000F41000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads