759d3e20098353e73c0c417ecf755a3ab24cdf7ead10df8c5a4aab549d7423f2

General

Target

9dbcf183762872d8917b8a19535a0c65.exe
Size

2.1MB
MD5

9dbcf183762872d8917b8a19535a0c65
SHA1

94d27127f8ffbebec6ad803599ed3c0477a15e3c
SHA256

759d3e20098353e73c0c417ecf755a3ab24cdf7ead10df8c5a4aab549d7423f2
SHA512

cd3fb751c0360df6865633d72633403c0802153727fe75951e842227b4237970df999229c73d1e94d9e0f0b0442ec58ec59024836ebef3f7605254bc6a4f82b6

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2436-128-0x0000000000400000-0x0000000000A16000-memory.dmp	upx
behavioral2/memory/2436-129-0x0000000000400000-0x0000000000A16000-memory.dmp	upx

Drops startup file 1 IoCs

Processes:

wscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url	wscript.exe

Suspicious use of SetThreadContext 14 IoCs

Processes:

9dbcf183762872d8917b8a19535a0c65.exe9dbcf183762872d8917b8a19535a0c65.exe

description	pid	process	target process
PID 3008 set thread context of 3988	3008	9dbcf183762872d8917b8a19535a0c65.exe	9dbcf183762872d8917b8a19535a0c65.exe
PID 3988 set thread context of 2436	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 set thread context of 1124	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 set thread context of 3132	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 set thread context of 1524	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 set thread context of 1512	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 set thread context of 212	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 set thread context of 2260	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 set thread context of 3992	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 set thread context of 2428	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 set thread context of 3324	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 set thread context of 2436	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 set thread context of 1172	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 set thread context of 2164	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3560	2436	WerFault.exe	notepad.exe
2832	1124	WerFault.exe	notepad.exe
2096	3132	WerFault.exe	notepad.exe
1564	1524	WerFault.exe	notepad.exe
4084	1512	WerFault.exe	notepad.exe
2944	212	WerFault.exe	notepad.exe
1860	2260	WerFault.exe	notepad.exe
364	3992	WerFault.exe	notepad.exe
3456	2428	WerFault.exe	notepad.exe
3004	3324	WerFault.exe	notepad.exe
2832	2436	WerFault.exe	notepad.exe
2140	1172	WerFault.exe	notepad.exe
1044	2164	WerFault.exe	notepad.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9dbcf183762872d8917b8a19535a0c65.exe9dbcf183762872d8917b8a19535a0c65.exe

pid	process
3008	9dbcf183762872d8917b8a19535a0c65.exe
3008	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe
3988	9dbcf183762872d8917b8a19535a0c65.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

9dbcf183762872d8917b8a19535a0c65.exe9dbcf183762872d8917b8a19535a0c65.exe

description	pid	process
Token: SeDebugPrivilege	3008	9dbcf183762872d8917b8a19535a0c65.exe
Token: SeDebugPrivilege	3988	9dbcf183762872d8917b8a19535a0c65.exe
Token: SeDebugPrivilege	3988	9dbcf183762872d8917b8a19535a0c65.exe
Token: SeDebugPrivilege	3988	9dbcf183762872d8917b8a19535a0c65.exe
Token: SeDebugPrivilege	3988	9dbcf183762872d8917b8a19535a0c65.exe
Token: SeDebugPrivilege	3988	9dbcf183762872d8917b8a19535a0c65.exe
Token: SeDebugPrivilege	3988	9dbcf183762872d8917b8a19535a0c65.exe
Token: SeDebugPrivilege	3988	9dbcf183762872d8917b8a19535a0c65.exe
Token: SeDebugPrivilege	3988	9dbcf183762872d8917b8a19535a0c65.exe
Token: SeDebugPrivilege	3988	9dbcf183762872d8917b8a19535a0c65.exe
Token: SeDebugPrivilege	3988	9dbcf183762872d8917b8a19535a0c65.exe
Token: SeDebugPrivilege	3988	9dbcf183762872d8917b8a19535a0c65.exe
Token: SeDebugPrivilege	3988	9dbcf183762872d8917b8a19535a0c65.exe
Token: SeDebugPrivilege	3988	9dbcf183762872d8917b8a19535a0c65.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9dbcf183762872d8917b8a19535a0c65.exe9dbcf183762872d8917b8a19535a0c65.execmd.exe

description	pid	process	target process
PID 3008 wrote to memory of 3988	3008	9dbcf183762872d8917b8a19535a0c65.exe	9dbcf183762872d8917b8a19535a0c65.exe
PID 3008 wrote to memory of 3988	3008	9dbcf183762872d8917b8a19535a0c65.exe	9dbcf183762872d8917b8a19535a0c65.exe
PID 3008 wrote to memory of 3988	3008	9dbcf183762872d8917b8a19535a0c65.exe	9dbcf183762872d8917b8a19535a0c65.exe
PID 3008 wrote to memory of 3988	3008	9dbcf183762872d8917b8a19535a0c65.exe	9dbcf183762872d8917b8a19535a0c65.exe
PID 3008 wrote to memory of 3988	3008	9dbcf183762872d8917b8a19535a0c65.exe	9dbcf183762872d8917b8a19535a0c65.exe
PID 3008 wrote to memory of 3988	3008	9dbcf183762872d8917b8a19535a0c65.exe	9dbcf183762872d8917b8a19535a0c65.exe
PID 3008 wrote to memory of 3988	3008	9dbcf183762872d8917b8a19535a0c65.exe	9dbcf183762872d8917b8a19535a0c65.exe
PID 3008 wrote to memory of 3988	3008	9dbcf183762872d8917b8a19535a0c65.exe	9dbcf183762872d8917b8a19535a0c65.exe
PID 3008 wrote to memory of 3988	3008	9dbcf183762872d8917b8a19535a0c65.exe	9dbcf183762872d8917b8a19535a0c65.exe
PID 3988 wrote to memory of 3008	3988	9dbcf183762872d8917b8a19535a0c65.exe	9dbcf183762872d8917b8a19535a0c65.exe
PID 3988 wrote to memory of 3008	3988	9dbcf183762872d8917b8a19535a0c65.exe	9dbcf183762872d8917b8a19535a0c65.exe
PID 3988 wrote to memory of 2436	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 2436	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 2436	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 2436	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 2436	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 2436	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 2436	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 2436	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 1124	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 1124	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 1124	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 1124	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 1124	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 1124	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 1124	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 1124	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 2688	3988	9dbcf183762872d8917b8a19535a0c65.exe	cmd.exe
PID 3988 wrote to memory of 2688	3988	9dbcf183762872d8917b8a19535a0c65.exe	cmd.exe
PID 3988 wrote to memory of 2688	3988	9dbcf183762872d8917b8a19535a0c65.exe	cmd.exe
PID 2688 wrote to memory of 1324	2688	cmd.exe	wscript.exe
PID 2688 wrote to memory of 1324	2688	cmd.exe	wscript.exe
PID 2688 wrote to memory of 1324	2688	cmd.exe	wscript.exe
PID 3988 wrote to memory of 2688	3988	9dbcf183762872d8917b8a19535a0c65.exe	cmd.exe
PID 3988 wrote to memory of 2688	3988	9dbcf183762872d8917b8a19535a0c65.exe	cmd.exe
PID 3988 wrote to memory of 3132	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 3132	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 3132	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 3132	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 3132	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 3132	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 3132	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 3132	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 1524	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 1524	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 1524	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 1524	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 1524	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 1524	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 1524	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 1524	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 1512	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 1512	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 1512	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 1512	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 1512	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 1512	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 1512	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 1512	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 212	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 212	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 212	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 212	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe
PID 3988 wrote to memory of 212	3988	9dbcf183762872d8917b8a19535a0c65.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\9dbcf183762872d8917b8a19535a0c65.exe
"C:\Users\Admin\AppData\Local\Temp\9dbcf183762872d8917b8a19535a0c65.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008

C:\Users\Admin\AppData\Local\Temp\9dbcf183762872d8917b8a19535a0c65.exe
C:\Users\Admin\AppData\Local\Temp\9dbcf183762872d8917b8a19535a0c65.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3988

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
3⤵
PID:2436

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2436 -s 180
4⤵
- Program crash
PID:3560

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
3⤵
PID:1124

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1124 -s 180
4⤵
- Program crash
PID:2832

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C WScript "C:\ProgramData\LKBNMTFJgl\r.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\SysWOW64\wscript.exe
WScript "C:\ProgramData\LKBNMTFJgl\r.vbs"
4⤵
- Drops startup file
PID:1324

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
3⤵
PID:3132

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3132 -s 180
4⤵
- Program crash
PID:2096

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
3⤵
PID:1524

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1524 -s 180
4⤵
- Program crash
PID:1564

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
3⤵
PID:1512

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1512 -s 180
4⤵
- Program crash
PID:4084

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
3⤵
PID:212

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 212 -s 180
4⤵
- Program crash
PID:2944

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
3⤵
PID:2260

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2260 -s 180
4⤵
- Program crash
PID:1860

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
3⤵
PID:3992

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3992 -s 180
4⤵
- Program crash
PID:364

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
3⤵
PID:2428

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2428 -s 180
4⤵
- Program crash
PID:3456

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
3⤵
PID:3324

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3324 -s 180
4⤵
- Program crash
PID:3004

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
3⤵
PID:2436

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2436 -s 180
4⤵
- Program crash
PID:2832

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
3⤵
PID:1172

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1172 -s 180
4⤵
- Program crash
PID:2140

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
3⤵
PID:2164

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2164 -s 180
4⤵
- Program crash
PID:1044

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\LKBNMTFJgl\r.vbs
MD5
19b2d791962e01151e4b6a40a90e8cd8

SHA1
a1ee500267dd1d457b3f840f8a00ba808bb46eb3

SHA256
67824e30ec5d2b61ffb266e8a37e9b929e82d507d09d21961b8293c99816c664

SHA512
4d39fd8f11e86490041190f1419273c702ccd85dcc603e5d7acc9d55cc60031ef1f7cc901a2c09b46d6bdc560a4c81d464c8495e7f9e8707ec7cd999f49c49fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url
MD5
e03e6937ba1878ace3d849b233adecfe

SHA1
affbb4f8b53af6cf35660b775a0a8f70fb95f8b5

SHA256
9846a8975f8e2dbc96cd18d5015c03b4d8226fddf69bcb99a0610c855b0a9e6d

SHA512
99ea03b8635d89409c6e65dc1dd1e995eac8c02e373f3b01faa7d715f347722075cc0d5d629914399505a2ca8ffb80bfa8cafa9d99a2e702d1fcd94fb0baeca9

Download Submit
memory/212-160-0x0000000000A14AA0-mapping.dmp

Download
memory/1124-135-0x0000000000A14AA0-mapping.dmp

Download
memory/1172-190-0x0000000000A14AA0-mapping.dmp

Download
memory/1324-139-0x0000000000000000-mapping.dmp

Download
memory/1512-155-0x0000000000A14AA0-mapping.dmp

Download
memory/1524-150-0x0000000000A14AA0-mapping.dmp

Download
memory/2164-195-0x0000000000A14AA0-mapping.dmp

Download
memory/2260-165-0x0000000000A14AA0-mapping.dmp

Download
memory/2428-175-0x0000000000A14AA0-mapping.dmp

Download
memory/2436-185-0x0000000000A14AA0-mapping.dmp

Download
memory/2436-183-0x0000000000400000-0x0000000000400138-memory.dmp

Filesize
312B

Download
memory/2436-128-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2436-130-0x0000000000A14AA0-mapping.dmp

Download
memory/2436-129-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2688-141-0x0000000000D00000-0x0000000000ED4000-memory.dmp

Filesize
1.8MB

Download
memory/2688-138-0x0000000000000000-mapping.dmp

Download
memory/3008-119-0x00000000059F0000-0x00000000059F1000-memory.dmp

Filesize
4KB

Download
memory/3008-124-0x0000000008190000-0x0000000008191000-memory.dmp

Filesize
4KB

Download
memory/3008-120-0x0000000005970000-0x0000000005E6E000-memory.dmp

Filesize
5.0MB

Download
memory/3008-118-0x0000000005970000-0x0000000005E6E000-memory.dmp

Filesize
5.0MB

Download
memory/3008-122-0x0000000007740000-0x0000000007741000-memory.dmp

Filesize
4KB

Download
memory/3008-121-0x0000000007540000-0x000000000773E000-memory.dmp

Filesize
2.0MB

Download
memory/3008-114-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/3008-117-0x0000000005A10000-0x0000000005A11000-memory.dmp

Filesize
4KB

Download
memory/3008-123-0x0000000006470000-0x00000000064CC000-memory.dmp

Filesize
368KB

Download
memory/3008-116-0x0000000005E70000-0x0000000005E71000-memory.dmp

Filesize
4KB

Download
memory/3132-145-0x0000000000A14AA0-mapping.dmp

Download
memory/3324-180-0x0000000000A14AA0-mapping.dmp

Download
memory/3988-125-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3988-126-0x0000000000404470-mapping.dmp

Download
memory/3988-127-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3992-170-0x0000000000A14AA0-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads