c13203272b03669a69689fe3e5e1432d2734da3b277f17af20d59bd9ca7d01b8

Analysis

max time kernel
648s
max time network
681s
platform
windows7_x64
resource
win7v20210410
submitted
07-07-2021 21:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mrugqy.exe
Size

3.3MB
MD5

92a11f0dcb973d1a58d45c995993d854
SHA1

872fc1d91e078f0a274ca604785117beb261b870
SHA256

c13203272b03669a69689fe3e5e1432d2734da3b277f17af20d59bd9ca7d01b8
SHA512

5e609e4a129407daf2e5ba10d56563633d1d6eb0cb4c8b8dbf337af35474fa83410878e8ed1cf8a02bcf993748acf5c74cf1c876bcdbde436ea64ea2af4ee8dc

Score

9^/10

pyinstaller upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 32 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI12082\python27.dll	acprotect
\Users\Admin\AppData\Local\Temp\_MEI12082\python27.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI12082\MSVCR90.dll	acprotect
\Users\Admin\AppData\Local\Temp\_MEI12082\msvcr90.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI12~1\_ctypes.pyd	acprotect
\Users\Admin\AppData\Local\Temp\_MEI12~1\_ctypes.pyd	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI12~1\_hashlib.pyd	acprotect
\Users\Admin\AppData\Local\Temp\_MEI12~1\_hashlib.pyd	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI12~1\_socket.pyd	acprotect
\Users\Admin\AppData\Local\Temp\_MEI12~1\_socket.pyd	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI12~1\_ssl.pyd	acprotect
\Users\Admin\AppData\Local\Temp\_MEI12~1\_ssl.pyd	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI12~1\win32api.pyd	acprotect
\Users\Admin\AppData\Local\Temp\_MEI12~1\win32api.pyd	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI12~1\pywintypes27.dll	acprotect
\Users\Admin\AppData\Local\Temp\_MEI12~1\pywintypes27.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI10162\python27.dll	acprotect
\Users\Admin\AppData\Local\Temp\_MEI10162\python27.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI10162\MSVCR90.dll	acprotect
\Users\Admin\AppData\Local\Temp\_MEI10162\msvcr90.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI10~1\_ctypes.pyd	acprotect
\Users\Admin\AppData\Local\Temp\_MEI10~1\_ctypes.pyd	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI10~1\_hashlib.pyd	acprotect
\Users\Admin\AppData\Local\Temp\_MEI10~1\_hashlib.pyd	acprotect
\Users\Admin\AppData\Local\Temp\_MEI10~1\_socket.pyd	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI10~1\_socket.pyd	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI10~1\_ssl.pyd	acprotect
\Users\Admin\AppData\Local\Temp\_MEI10~1\_ssl.pyd	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI10~1\win32api.pyd	acprotect
\Users\Admin\AppData\Local\Temp\_MEI10~1\pywintypes27.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI10~1\pywintypes27.dll	acprotect
\Users\Admin\AppData\Local\Temp\_MEI10~1\win32api.pyd	acprotect

Executes dropped EXE 2 IoCs

Processes:

mrugqy.exemrugqy.exe

pid process

1016 mrugqy.exe
1896 mrugqy.exe

pid	process
1016	mrugqy.exe
1896	mrugqy.exe

UPX packed file 32 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI12082\python27.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI12082\python27.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI12082\MSVCR90.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI12082\msvcr90.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI12~1\_ctypes.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI12~1\_ctypes.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI12~1\_hashlib.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI12~1\_hashlib.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI12~1\_socket.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI12~1\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI12~1\_ssl.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI12~1\_ssl.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI12~1\win32api.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI12~1\win32api.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI12~1\pywintypes27.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI12~1\pywintypes27.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI10162\python27.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI10162\python27.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI10162\MSVCR90.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI10162\msvcr90.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI10~1\_ctypes.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI10~1\_ctypes.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI10~1\_hashlib.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI10~1\_hashlib.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI10~1\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI10~1\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI10~1\_ssl.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI10~1\_ssl.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI10~1\win32api.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI10~1\pywintypes27.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI10~1\pywintypes27.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI10~1\win32api.pyd	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1852 cmd.exe

pid	process
1852	cmd.exe

Loads dropped DLL 18 IoCs

Processes:

mrugqy.execmd.exemrugqy.exe

pid	process
1184	mrugqy.exe
1184	mrugqy.exe
1184	mrugqy.exe
1184	mrugqy.exe
1184	mrugqy.exe
1184	mrugqy.exe
1184	mrugqy.exe
1184	mrugqy.exe
1852	cmd.exe
1852	cmd.exe
1896	mrugqy.exe
1896	mrugqy.exe
1896	mrugqy.exe
1896	mrugqy.exe
1896	mrugqy.exe
1896	mrugqy.exe
1896	mrugqy.exe
1896	mrugqy.exe

Detects Pyinstaller 5 IoCs

pyinstaller

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\mrugqy.exe	pyinstaller
C:\Users\Admin\AppData\Roaming\mrugqy.exe	pyinstaller
\Users\Admin\AppData\Roaming\mrugqy.exe	pyinstaller
C:\Users\Admin\AppData\Roaming\mrugqy.exe	pyinstaller
C:\Users\Admin\AppData\Roaming\mrugqy.exe	pyinstaller

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1720 timeout.exe

pid	process
1720	timeout.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

mrugqy.exemrugqy.execmd.exemrugqy.exe

description	pid	process	target process
PID 1208 wrote to memory of 1184	1208	mrugqy.exe	mrugqy.exe
PID 1208 wrote to memory of 1184	1208	mrugqy.exe	mrugqy.exe
PID 1208 wrote to memory of 1184	1208	mrugqy.exe	mrugqy.exe
PID 1208 wrote to memory of 1184	1208	mrugqy.exe	mrugqy.exe
PID 1184 wrote to memory of 1852	1184	mrugqy.exe	cmd.exe
PID 1184 wrote to memory of 1852	1184	mrugqy.exe	cmd.exe
PID 1184 wrote to memory of 1852	1184	mrugqy.exe	cmd.exe
PID 1184 wrote to memory of 1852	1184	mrugqy.exe	cmd.exe
PID 1852 wrote to memory of 1720	1852	cmd.exe	timeout.exe
PID 1852 wrote to memory of 1720	1852	cmd.exe	timeout.exe
PID 1852 wrote to memory of 1720	1852	cmd.exe	timeout.exe
PID 1852 wrote to memory of 1720	1852	cmd.exe	timeout.exe
PID 1852 wrote to memory of 1016	1852	cmd.exe	mrugqy.exe
PID 1852 wrote to memory of 1016	1852	cmd.exe	mrugqy.exe
PID 1852 wrote to memory of 1016	1852	cmd.exe	mrugqy.exe
PID 1852 wrote to memory of 1016	1852	cmd.exe	mrugqy.exe
PID 1016 wrote to memory of 1896	1016	mrugqy.exe	mrugqy.exe
PID 1016 wrote to memory of 1896	1016	mrugqy.exe	mrugqy.exe
PID 1016 wrote to memory of 1896	1016	mrugqy.exe	mrugqy.exe
PID 1016 wrote to memory of 1896	1016	mrugqy.exe	mrugqy.exe

C:\Users\Admin\AppData\Local\Temp\mrugqy.exe
"C:\Users\Admin\AppData\Local\Temp\mrugqy.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\mrugqy.exe
"C:\Users\Admin\AppData\Local\Temp\mrugqy.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\SysWOW64\cmd.exe
cmd /c FOR /l %i in (1,1,10) DO IF NOT EXIST "C:\Users\Admin\AppData\Local\Temp\mrugqy.exe" (start "" "C:\Users\Admin\AppData\Roaming\mrugqy.exe" & exit ) ELSE ((DEL /F /Q "C:\Users\Admin\AppData\Local\Temp\mrugqy.exe") & timeout /t 1)
3⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\SysWOW64\timeout.exe
timeout /t 1
4⤵
- Delays execution with timeout.exe
PID:1720

C:\Users\Admin\AppData\Roaming\mrugqy.exe
"C:\Users\Admin\AppData\Roaming\mrugqy.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016

C:\Users\Admin\AppData\Roaming\mrugqy.exe
"C:\Users\Admin\AppData\Roaming\mrugqy.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1896

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI10162\Guard.exe.manifest
MD5
891d9e50cb2407c1f62dafc08b0c9586

SHA1
91b1f8225f35f03f7d7e245dff09ae3151c48e14

SHA256
0ba6fc4a87bf8a62aed95a1f91a5065a8d33b13d201751c1c84406085c38c121

SHA512
a7aa49e05196a662a853f501e0e8fa0547426469afe8a21f77a7f14861437f9f10f487414974e13f0f53795e0eb96a5302ba1b69942cf70c92bf5c4d820237a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10162\MSVCR90.dll
MD5
f1fca7377e61cf72db84052b400852fc

SHA1
cef08cb1f21cf4d1a7fd25a505320601906c6a7a

SHA256
f6087e65017515d7b2e18b686345457bec5810c2c6ca76e524384b452b2d24f6

SHA512
8d6c6fff95114e504f2b6196ccaacb88bc6d3a35ef1c90372330681f230d3135e8e61ee52fbf9cf83d84c4ae4b0fd9ed7571d25c5731de908998a332b14020d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10162\python27.dll
MD5
4cb17df4695ad697fb36c4e7304b964b

SHA1
c4c535da39a28d5024bfa84c839b95e1517c34e9

SHA256
5dcb26a6521a5c51e95601d6ec93871574d433bcd4b1722ad80ebed4bf8274bb

SHA512
50e8bc5ff2d4f01c8fd1fc21b7e7a18a63031d211036bd8df6c0f26c1e9740f8430af2676ddb9c88a5e516055bcf6875b3352b0bbd82c89a7a92fccb61a8f51e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10~1\_ctypes.pyd
MD5
211584a83dd96c646a9b90ab182664dd

SHA1
44fc7eba4ce5297f2323648e6b661dff53477f13

SHA256
2756303b43d7058abfe2d8a467076d88bf1fa99de9f06a37e7dd71332aecc369

SHA512
b979772edb0b91f044ecdceeb97d9e265e0f6ddd63ad0af6bad4c6b2b359fe65bac03226d398ce59765c5f19b96cb69881ce4b60f73847d7f12d83ee0a0d6e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10~1\_hashlib.pyd
MD5
63d85c30e564ee47a8147b491fd2756e

SHA1
4ee42cd17d2d3ef6a79fc022445b138ac98905f9

SHA256
e21bee783970781ed8445abfe55c83e5641c5c747b5d28d02c674766d5f91dc6

SHA512
ff4f4d9e18383343d16ff5ca395d24f989cb5fd971578dd204a62fb43c3533046e570294b0a0ff325da7d603712aa508836b9e0293efb69c788b691a68b3057b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10~1\_socket.pyd
MD5
48131c2940dde2525512adad49d539f7

SHA1
b2dd0cc7dfad14ac6efdce099f619f37441f7d83

SHA256
c5f0fb022de30ffc23e6cf6736d9d45033a7c88c4a22ab4beb19774ad3843e9a

SHA512
dab6ac5c909e03ba6e6b2c32ade41df8f5f2c699e4b28726698575a1d6057fae62aa71532298aa123fab28d0174188ea656aba269cfd027433935600d72e6777

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10~1\_ssl.pyd
MD5
49173b78b87f699196b22205f227d5e1

SHA1
023be864bf73ce521cf03afae19204d8d2ffe4b0

SHA256
80cd76672ddcbe1e6c0a2904fb052fa1467dede52876645b9f29ef73430ea5d3

SHA512
2425b026fe63f21332718d4c30a9b327391dc0b171e6e74faabe0208f27454826b463c87aad66a420bc89fed1ea8e06d318e428b3e704fee216bf4d9d0d659f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10~1\pywintypes27.dll
MD5
0a47fddaa87356e01720d5dde70d3e38

SHA1
54ee668e7271bd5f82ec6f0dda0382961e408d07

SHA256
6dc7f9ba6ddcab4f37b661cb8a8be5bd775cf90f963538bcc7e085046216b505

SHA512
b62d2fc2b89d48cb5f991af18d6fb0531188a20c6797e45abf00da6957e653e767cc1aacda41cb15f07592ced9e403d94cfcfeb232648d634bbdf962c2a19b0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10~1\win32api.pyd
MD5
aa4c7bb822a4bf80e876b2a9a0195ee5

SHA1
df2f2e6b29d75572caa0c60d15cb98db6fb51ee6

SHA256
7221ef6322c120c117c407f9891686fef5e28eb3f1bc55ebc5de3ccc593c6139

SHA512
153c204f878a76354ed5d24da6a6251efef10b23972a45d26b3c5295c9ec0b1df730c8cc5a19a453676a55c439d3fef295c86613800189c69c0e28a3cfbad203

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12082\Guard.exe.manifest
MD5
891d9e50cb2407c1f62dafc08b0c9586

SHA1
91b1f8225f35f03f7d7e245dff09ae3151c48e14

SHA256
0ba6fc4a87bf8a62aed95a1f91a5065a8d33b13d201751c1c84406085c38c121

SHA512
a7aa49e05196a662a853f501e0e8fa0547426469afe8a21f77a7f14861437f9f10f487414974e13f0f53795e0eb96a5302ba1b69942cf70c92bf5c4d820237a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12082\MSVCR90.dll
MD5
f1fca7377e61cf72db84052b400852fc

SHA1
cef08cb1f21cf4d1a7fd25a505320601906c6a7a

SHA256
f6087e65017515d7b2e18b686345457bec5810c2c6ca76e524384b452b2d24f6

SHA512
8d6c6fff95114e504f2b6196ccaacb88bc6d3a35ef1c90372330681f230d3135e8e61ee52fbf9cf83d84c4ae4b0fd9ed7571d25c5731de908998a332b14020d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12082\python27.dll
MD5
4cb17df4695ad697fb36c4e7304b964b

SHA1
c4c535da39a28d5024bfa84c839b95e1517c34e9

SHA256
5dcb26a6521a5c51e95601d6ec93871574d433bcd4b1722ad80ebed4bf8274bb

SHA512
50e8bc5ff2d4f01c8fd1fc21b7e7a18a63031d211036bd8df6c0f26c1e9740f8430af2676ddb9c88a5e516055bcf6875b3352b0bbd82c89a7a92fccb61a8f51e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12~1\_ctypes.pyd
MD5
211584a83dd96c646a9b90ab182664dd

SHA1
44fc7eba4ce5297f2323648e6b661dff53477f13

SHA256
2756303b43d7058abfe2d8a467076d88bf1fa99de9f06a37e7dd71332aecc369

SHA512
b979772edb0b91f044ecdceeb97d9e265e0f6ddd63ad0af6bad4c6b2b359fe65bac03226d398ce59765c5f19b96cb69881ce4b60f73847d7f12d83ee0a0d6e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12~1\_hashlib.pyd
MD5
63d85c30e564ee47a8147b491fd2756e

SHA1
4ee42cd17d2d3ef6a79fc022445b138ac98905f9

SHA256
e21bee783970781ed8445abfe55c83e5641c5c747b5d28d02c674766d5f91dc6

SHA512
ff4f4d9e18383343d16ff5ca395d24f989cb5fd971578dd204a62fb43c3533046e570294b0a0ff325da7d603712aa508836b9e0293efb69c788b691a68b3057b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12~1\_socket.pyd
MD5
48131c2940dde2525512adad49d539f7

SHA1
b2dd0cc7dfad14ac6efdce099f619f37441f7d83

SHA256
c5f0fb022de30ffc23e6cf6736d9d45033a7c88c4a22ab4beb19774ad3843e9a

SHA512
dab6ac5c909e03ba6e6b2c32ade41df8f5f2c699e4b28726698575a1d6057fae62aa71532298aa123fab28d0174188ea656aba269cfd027433935600d72e6777

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12~1\_ssl.pyd
MD5
49173b78b87f699196b22205f227d5e1

SHA1
023be864bf73ce521cf03afae19204d8d2ffe4b0

SHA256
80cd76672ddcbe1e6c0a2904fb052fa1467dede52876645b9f29ef73430ea5d3

SHA512
2425b026fe63f21332718d4c30a9b327391dc0b171e6e74faabe0208f27454826b463c87aad66a420bc89fed1ea8e06d318e428b3e704fee216bf4d9d0d659f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12~1\pywintypes27.dll
MD5
0a47fddaa87356e01720d5dde70d3e38

SHA1
54ee668e7271bd5f82ec6f0dda0382961e408d07

SHA256
6dc7f9ba6ddcab4f37b661cb8a8be5bd775cf90f963538bcc7e085046216b505

SHA512
b62d2fc2b89d48cb5f991af18d6fb0531188a20c6797e45abf00da6957e653e767cc1aacda41cb15f07592ced9e403d94cfcfeb232648d634bbdf962c2a19b0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12~1\win32api.pyd
MD5
aa4c7bb822a4bf80e876b2a9a0195ee5

SHA1
df2f2e6b29d75572caa0c60d15cb98db6fb51ee6

SHA256
7221ef6322c120c117c407f9891686fef5e28eb3f1bc55ebc5de3ccc593c6139

SHA512
153c204f878a76354ed5d24da6a6251efef10b23972a45d26b3c5295c9ec0b1df730c8cc5a19a453676a55c439d3fef295c86613800189c69c0e28a3cfbad203

Download Submit
C:\Users\Admin\AppData\Local\Temp\glocked.tmp
MD5
66b78ba50b216e45bc2a4fbcc8e4fc35

SHA1
1a3a8c3c97de75ac10b04110ef97c8baffbab962

SHA256
ccc4b3477732d862dfd4bb032ad56f964fb6f000bdd02c0976bffa95f31c141a

SHA512
b931412bd33cda0efeaf2343d22a8a43c4c33853a5d21c053b1060a65e0619c39cd7a4630178c6e2d4d38ee89fc924626271c29f2d40171612df5cbc2712256a

Download Submit
C:\Users\Admin\AppData\Roaming\mrugqy.exe
MD5
92a11f0dcb973d1a58d45c995993d854

SHA1
872fc1d91e078f0a274ca604785117beb261b870

SHA256
c13203272b03669a69689fe3e5e1432d2734da3b277f17af20d59bd9ca7d01b8

SHA512
5e609e4a129407daf2e5ba10d56563633d1d6eb0cb4c8b8dbf337af35474fa83410878e8ed1cf8a02bcf993748acf5c74cf1c876bcdbde436ea64ea2af4ee8dc

Download Submit
C:\Users\Admin\AppData\Roaming\mrugqy.exe
MD5
92a11f0dcb973d1a58d45c995993d854

SHA1
872fc1d91e078f0a274ca604785117beb261b870

SHA256
c13203272b03669a69689fe3e5e1432d2734da3b277f17af20d59bd9ca7d01b8

SHA512
5e609e4a129407daf2e5ba10d56563633d1d6eb0cb4c8b8dbf337af35474fa83410878e8ed1cf8a02bcf993748acf5c74cf1c876bcdbde436ea64ea2af4ee8dc

Download Submit
C:\Users\Admin\AppData\Roaming\mrugqy.exe
MD5
92a11f0dcb973d1a58d45c995993d854

SHA1
872fc1d91e078f0a274ca604785117beb261b870

SHA256
c13203272b03669a69689fe3e5e1432d2734da3b277f17af20d59bd9ca7d01b8

SHA512
5e609e4a129407daf2e5ba10d56563633d1d6eb0cb4c8b8dbf337af35474fa83410878e8ed1cf8a02bcf993748acf5c74cf1c876bcdbde436ea64ea2af4ee8dc

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI10162\msvcr90.dll
MD5
f1fca7377e61cf72db84052b400852fc

SHA1
cef08cb1f21cf4d1a7fd25a505320601906c6a7a

SHA256
f6087e65017515d7b2e18b686345457bec5810c2c6ca76e524384b452b2d24f6

SHA512
8d6c6fff95114e504f2b6196ccaacb88bc6d3a35ef1c90372330681f230d3135e8e61ee52fbf9cf83d84c4ae4b0fd9ed7571d25c5731de908998a332b14020d5

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI10162\python27.dll
MD5
4cb17df4695ad697fb36c4e7304b964b

SHA1
c4c535da39a28d5024bfa84c839b95e1517c34e9

SHA256
5dcb26a6521a5c51e95601d6ec93871574d433bcd4b1722ad80ebed4bf8274bb

SHA512
50e8bc5ff2d4f01c8fd1fc21b7e7a18a63031d211036bd8df6c0f26c1e9740f8430af2676ddb9c88a5e516055bcf6875b3352b0bbd82c89a7a92fccb61a8f51e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI10~1\_ctypes.pyd
MD5
211584a83dd96c646a9b90ab182664dd

SHA1
44fc7eba4ce5297f2323648e6b661dff53477f13

SHA256
2756303b43d7058abfe2d8a467076d88bf1fa99de9f06a37e7dd71332aecc369

SHA512
b979772edb0b91f044ecdceeb97d9e265e0f6ddd63ad0af6bad4c6b2b359fe65bac03226d398ce59765c5f19b96cb69881ce4b60f73847d7f12d83ee0a0d6e37

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI10~1\_hashlib.pyd
MD5
63d85c30e564ee47a8147b491fd2756e

SHA1
4ee42cd17d2d3ef6a79fc022445b138ac98905f9

SHA256
e21bee783970781ed8445abfe55c83e5641c5c747b5d28d02c674766d5f91dc6

SHA512
ff4f4d9e18383343d16ff5ca395d24f989cb5fd971578dd204a62fb43c3533046e570294b0a0ff325da7d603712aa508836b9e0293efb69c788b691a68b3057b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI10~1\_socket.pyd
MD5
48131c2940dde2525512adad49d539f7

SHA1
b2dd0cc7dfad14ac6efdce099f619f37441f7d83

SHA256
c5f0fb022de30ffc23e6cf6736d9d45033a7c88c4a22ab4beb19774ad3843e9a

SHA512
dab6ac5c909e03ba6e6b2c32ade41df8f5f2c699e4b28726698575a1d6057fae62aa71532298aa123fab28d0174188ea656aba269cfd027433935600d72e6777

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI10~1\_ssl.pyd
MD5
49173b78b87f699196b22205f227d5e1

SHA1
023be864bf73ce521cf03afae19204d8d2ffe4b0

SHA256
80cd76672ddcbe1e6c0a2904fb052fa1467dede52876645b9f29ef73430ea5d3

SHA512
2425b026fe63f21332718d4c30a9b327391dc0b171e6e74faabe0208f27454826b463c87aad66a420bc89fed1ea8e06d318e428b3e704fee216bf4d9d0d659f7

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI10~1\pywintypes27.dll
MD5
0a47fddaa87356e01720d5dde70d3e38

SHA1
54ee668e7271bd5f82ec6f0dda0382961e408d07

SHA256
6dc7f9ba6ddcab4f37b661cb8a8be5bd775cf90f963538bcc7e085046216b505

SHA512
b62d2fc2b89d48cb5f991af18d6fb0531188a20c6797e45abf00da6957e653e767cc1aacda41cb15f07592ced9e403d94cfcfeb232648d634bbdf962c2a19b0f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI10~1\win32api.pyd
MD5
aa4c7bb822a4bf80e876b2a9a0195ee5

SHA1
df2f2e6b29d75572caa0c60d15cb98db6fb51ee6

SHA256
7221ef6322c120c117c407f9891686fef5e28eb3f1bc55ebc5de3ccc593c6139

SHA512
153c204f878a76354ed5d24da6a6251efef10b23972a45d26b3c5295c9ec0b1df730c8cc5a19a453676a55c439d3fef295c86613800189c69c0e28a3cfbad203

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI12082\msvcr90.dll
MD5
f1fca7377e61cf72db84052b400852fc

SHA1
cef08cb1f21cf4d1a7fd25a505320601906c6a7a

SHA256
f6087e65017515d7b2e18b686345457bec5810c2c6ca76e524384b452b2d24f6

SHA512
8d6c6fff95114e504f2b6196ccaacb88bc6d3a35ef1c90372330681f230d3135e8e61ee52fbf9cf83d84c4ae4b0fd9ed7571d25c5731de908998a332b14020d5

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI12082\python27.dll
MD5
4cb17df4695ad697fb36c4e7304b964b

SHA1
c4c535da39a28d5024bfa84c839b95e1517c34e9

SHA256
5dcb26a6521a5c51e95601d6ec93871574d433bcd4b1722ad80ebed4bf8274bb

SHA512
50e8bc5ff2d4f01c8fd1fc21b7e7a18a63031d211036bd8df6c0f26c1e9740f8430af2676ddb9c88a5e516055bcf6875b3352b0bbd82c89a7a92fccb61a8f51e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI12~1\_ctypes.pyd
MD5
211584a83dd96c646a9b90ab182664dd

SHA1
44fc7eba4ce5297f2323648e6b661dff53477f13

SHA256
2756303b43d7058abfe2d8a467076d88bf1fa99de9f06a37e7dd71332aecc369

SHA512
b979772edb0b91f044ecdceeb97d9e265e0f6ddd63ad0af6bad4c6b2b359fe65bac03226d398ce59765c5f19b96cb69881ce4b60f73847d7f12d83ee0a0d6e37

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI12~1\_hashlib.pyd
MD5
63d85c30e564ee47a8147b491fd2756e

SHA1
4ee42cd17d2d3ef6a79fc022445b138ac98905f9

SHA256
e21bee783970781ed8445abfe55c83e5641c5c747b5d28d02c674766d5f91dc6

SHA512
ff4f4d9e18383343d16ff5ca395d24f989cb5fd971578dd204a62fb43c3533046e570294b0a0ff325da7d603712aa508836b9e0293efb69c788b691a68b3057b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI12~1\_socket.pyd
MD5
48131c2940dde2525512adad49d539f7

SHA1
b2dd0cc7dfad14ac6efdce099f619f37441f7d83

SHA256
c5f0fb022de30ffc23e6cf6736d9d45033a7c88c4a22ab4beb19774ad3843e9a

SHA512
dab6ac5c909e03ba6e6b2c32ade41df8f5f2c699e4b28726698575a1d6057fae62aa71532298aa123fab28d0174188ea656aba269cfd027433935600d72e6777

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI12~1\_ssl.pyd
MD5
49173b78b87f699196b22205f227d5e1

SHA1
023be864bf73ce521cf03afae19204d8d2ffe4b0

SHA256
80cd76672ddcbe1e6c0a2904fb052fa1467dede52876645b9f29ef73430ea5d3

SHA512
2425b026fe63f21332718d4c30a9b327391dc0b171e6e74faabe0208f27454826b463c87aad66a420bc89fed1ea8e06d318e428b3e704fee216bf4d9d0d659f7

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI12~1\pywintypes27.dll
MD5
0a47fddaa87356e01720d5dde70d3e38

SHA1
54ee668e7271bd5f82ec6f0dda0382961e408d07

SHA256
6dc7f9ba6ddcab4f37b661cb8a8be5bd775cf90f963538bcc7e085046216b505

SHA512
b62d2fc2b89d48cb5f991af18d6fb0531188a20c6797e45abf00da6957e653e767cc1aacda41cb15f07592ced9e403d94cfcfeb232648d634bbdf962c2a19b0f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI12~1\win32api.pyd
MD5
aa4c7bb822a4bf80e876b2a9a0195ee5

SHA1
df2f2e6b29d75572caa0c60d15cb98db6fb51ee6

SHA256
7221ef6322c120c117c407f9891686fef5e28eb3f1bc55ebc5de3ccc593c6139

SHA512
153c204f878a76354ed5d24da6a6251efef10b23972a45d26b3c5295c9ec0b1df730c8cc5a19a453676a55c439d3fef295c86613800189c69c0e28a3cfbad203

Download Submit
\Users\Admin\AppData\Roaming\mrugqy.exe
MD5
92a11f0dcb973d1a58d45c995993d854

SHA1
872fc1d91e078f0a274ca604785117beb261b870

SHA256
c13203272b03669a69689fe3e5e1432d2734da3b277f17af20d59bd9ca7d01b8

SHA512
5e609e4a129407daf2e5ba10d56563633d1d6eb0cb4c8b8dbf337af35474fa83410878e8ed1cf8a02bcf993748acf5c74cf1c876bcdbde436ea64ea2af4ee8dc

Download Submit
\Users\Admin\AppData\Roaming\mrugqy.exe
MD5
92a11f0dcb973d1a58d45c995993d854

SHA1
872fc1d91e078f0a274ca604785117beb261b870

SHA256
c13203272b03669a69689fe3e5e1432d2734da3b277f17af20d59bd9ca7d01b8

SHA512
5e609e4a129407daf2e5ba10d56563633d1d6eb0cb4c8b8dbf337af35474fa83410878e8ed1cf8a02bcf993748acf5c74cf1c876bcdbde436ea64ea2af4ee8dc

Download Submit
memory/1016-83-0x0000000000000000-mapping.dmp

Download
memory/1184-59-0x0000000000000000-mapping.dmp

Download
memory/1184-65-0x0000000076281000-0x0000000076283000-memory.dmp

Filesize
8KB

Download
memory/1720-79-0x0000000000000000-mapping.dmp

Download
memory/1852-78-0x0000000000000000-mapping.dmp

Download
memory/1896-85-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads