vkeylogger | 1d4bf0958c9382e0ab0ee9dc4240fd01aa6c17b045f60a5fbe0a92663ccb875c

General

Target

c40967960f1817c1458a587cdab9e3a2.exe
Size

189KB
MD5

c40967960f1817c1458a587cdab9e3a2
SHA1

0f7fd80ae64aa53afae14571c7ee47a159a33bbc
SHA256

1d4bf0958c9382e0ab0ee9dc4240fd01aa6c17b045f60a5fbe0a92663ccb875c
SHA512

8ec11c41deccaa9ba05eee5ed3b3fc017035310347b47fae9ec44534ce83cca5df74d00c520d30b4357066284982753b11ecb527a5ce163896e4c78b6d706562

Score

10^/10

vkeylogger keylogger stealer

Malware Config

Signatures

VKeylogger
A keylogger first seen in Nov 2020.
stealer keylogger vkeylogger

VKeylogger Payload 16 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1616-61-0x0000000000400000-0x000000000040F000-memory.dmp	family_vkeylogger
behavioral1/memory/1616-63-0x0000000000400000-0x000000000040F000-memory.dmp	family_vkeylogger
behavioral1/memory/1616-65-0x0000000000400000-0x000000000040F000-memory.dmp	family_vkeylogger
behavioral1/memory/1616-67-0x0000000000400000-0x000000000040F000-memory.dmp	family_vkeylogger
behavioral1/memory/1548-68-0x0000000000A20000-0x0000000000A4F000-memory.dmp	family_vkeylogger
behavioral1/memory/1012-84-0x0000000000A20000-0x0000000000A4F000-memory.dmp	family_vkeylogger
behavioral1/memory/360-100-0x0000000000A20000-0x0000000000A4F000-memory.dmp	family_vkeylogger
behavioral1/memory/1000-115-0x0000000000A20000-0x0000000000A4F000-memory.dmp	family_vkeylogger
behavioral1/memory/1664-130-0x0000000000A20000-0x0000000000A4F000-memory.dmp	family_vkeylogger
behavioral1/memory/1684-145-0x0000000000A20000-0x0000000000A4F000-memory.dmp	family_vkeylogger
behavioral1/memory/1476-161-0x0000000000A20000-0x0000000000A4F000-memory.dmp	family_vkeylogger
behavioral1/memory/2028-177-0x0000000000A20000-0x0000000000A4F000-memory.dmp	family_vkeylogger
behavioral1/memory/632-192-0x0000000000A20000-0x0000000000A4F000-memory.dmp	family_vkeylogger
behavioral1/memory/1844-195-0x0000000000A20000-0x0000000000A4F000-memory.dmp	family_vkeylogger
behavioral1/memory/556-211-0x0000000000A20000-0x0000000000A4F000-memory.dmp	family_vkeylogger
behavioral1/memory/1684-227-0x0000000000A20000-0x0000000000A4F000-memory.dmp	family_vkeylogger

Suspicious use of SetThreadContext 11 IoCs

Processes:

c40967960f1817c1458a587cdab9e3a2.exec40967960f1817c1458a587cdab9e3a2.exec40967960f1817c1458a587cdab9e3a2.exec40967960f1817c1458a587cdab9e3a2.exec40967960f1817c1458a587cdab9e3a2.exec40967960f1817c1458a587cdab9e3a2.exec40967960f1817c1458a587cdab9e3a2.exec40967960f1817c1458a587cdab9e3a2.exec40967960f1817c1458a587cdab9e3a2.exec40967960f1817c1458a587cdab9e3a2.exec40967960f1817c1458a587cdab9e3a2.exe

description	pid	process	target process
PID 1548 set thread context of 1616	1548	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1012 set thread context of 1740	1012	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 360 set thread context of 540	360	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1000 set thread context of 1600	1000	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1664 set thread context of 1256	1664	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1684 set thread context of 1072	1684	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1476 set thread context of 108	1476	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 2028 set thread context of 968	2028	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 632 set thread context of 1260	632	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 556 set thread context of 1628	556	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1684 set thread context of 1168	1684	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe

Program crash 11 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1572	1616	WerFault.exe	c40967960f1817c1458a587cdab9e3a2.exe
1988	1740	WerFault.exe	c40967960f1817c1458a587cdab9e3a2.exe
1228	540	WerFault.exe	c40967960f1817c1458a587cdab9e3a2.exe
868	1600	WerFault.exe	c40967960f1817c1458a587cdab9e3a2.exe
1512	1256	WerFault.exe	c40967960f1817c1458a587cdab9e3a2.exe
576	1072	WerFault.exe	c40967960f1817c1458a587cdab9e3a2.exe
848	108	WerFault.exe	c40967960f1817c1458a587cdab9e3a2.exe
1736	968	WerFault.exe	c40967960f1817c1458a587cdab9e3a2.exe
328	1260	WerFault.exe	c40967960f1817c1458a587cdab9e3a2.exe
1456	1628	WerFault.exe	c40967960f1817c1458a587cdab9e3a2.exe
2044	1168	WerFault.exe	c40967960f1817c1458a587cdab9e3a2.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

c40967960f1817c1458a587cdab9e3a2.exec40967960f1817c1458a587cdab9e3a2.exec40967960f1817c1458a587cdab9e3a2.exec40967960f1817c1458a587cdab9e3a2.exec40967960f1817c1458a587cdab9e3a2.exec40967960f1817c1458a587cdab9e3a2.exec40967960f1817c1458a587cdab9e3a2.exec40967960f1817c1458a587cdab9e3a2.exec40967960f1817c1458a587cdab9e3a2.exec40967960f1817c1458a587cdab9e3a2.exe

pid	process
1548	c40967960f1817c1458a587cdab9e3a2.exe
1012	c40967960f1817c1458a587cdab9e3a2.exe
1012	c40967960f1817c1458a587cdab9e3a2.exe
360	c40967960f1817c1458a587cdab9e3a2.exe
360	c40967960f1817c1458a587cdab9e3a2.exe
1000	c40967960f1817c1458a587cdab9e3a2.exe
1000	c40967960f1817c1458a587cdab9e3a2.exe
1664	c40967960f1817c1458a587cdab9e3a2.exe
1664	c40967960f1817c1458a587cdab9e3a2.exe
1684	c40967960f1817c1458a587cdab9e3a2.exe
1684	c40967960f1817c1458a587cdab9e3a2.exe
1476	c40967960f1817c1458a587cdab9e3a2.exe
1476	c40967960f1817c1458a587cdab9e3a2.exe
2028	c40967960f1817c1458a587cdab9e3a2.exe
2028	c40967960f1817c1458a587cdab9e3a2.exe
632	c40967960f1817c1458a587cdab9e3a2.exe
632	c40967960f1817c1458a587cdab9e3a2.exe
556	c40967960f1817c1458a587cdab9e3a2.exe
556	c40967960f1817c1458a587cdab9e3a2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c40967960f1817c1458a587cdab9e3a2.exec40967960f1817c1458a587cdab9e3a2.exec40967960f1817c1458a587cdab9e3a2.exec40967960f1817c1458a587cdab9e3a2.exec40967960f1817c1458a587cdab9e3a2.exec40967960f1817c1458a587cdab9e3a2.exec40967960f1817c1458a587cdab9e3a2.exe

C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe
"C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1548

C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe
"C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 36
3⤵
- Program crash
PID:1572

C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe
"C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1012

C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe
"C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 36
4⤵
- Program crash
PID:1988

C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe
"C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:360

C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe
"C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 36
5⤵
- Program crash
PID:1228

C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe
"C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1000

C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe
"C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe"
5⤵
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 36
6⤵
- Program crash
PID:868

C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe
"C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1664

C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe
"C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe"
6⤵
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 36
7⤵
- Program crash
PID:1512

C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe
"C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1684

C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe
"C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe"
7⤵
PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 36
8⤵
- Program crash
PID:576

C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe
"C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe"
7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1476

C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe
"C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe"
8⤵
PID:108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 108 -s 36
9⤵
- Program crash
PID:848

C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe
"C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe"
8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2028

C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe
"C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe"
9⤵
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 36
10⤵
- Program crash
PID:1736

C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe
"C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe"
9⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:632

C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe
"C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe"
10⤵
PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 36
11⤵
- Program crash
PID:328

C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe
"C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe"
10⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe
"C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe"
11⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:556

C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe
"C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe"
12⤵
PID:1628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 36
13⤵
- Program crash
PID:1456

C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe
"C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe"
12⤵
- Suspicious use of SetThreadContext
PID:1684

C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe
"C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe"
13⤵
PID:1168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 36
14⤵
- Program crash
PID:2044

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/360-100-0x0000000000A20000-0x0000000000A4F000-memory.dmp

Filesize
188KB

Download
memory/556-212-0x0000000077210000-0x0000000077390000-memory.dmp

Filesize
1.5MB

Download
memory/556-211-0x0000000000A20000-0x0000000000A4F000-memory.dmp

Filesize
188KB

Download
memory/632-193-0x0000000077210000-0x0000000077390000-memory.dmp

Filesize
1.5MB

Download
memory/632-192-0x0000000000A20000-0x0000000000A4F000-memory.dmp

Filesize
188KB

Download
memory/1000-115-0x0000000000A20000-0x0000000000A4F000-memory.dmp

Filesize
188KB

Download
memory/1012-84-0x0000000000A20000-0x0000000000A4F000-memory.dmp

Filesize
188KB

Download
memory/1012-85-0x0000000077210000-0x0000000077390000-memory.dmp

Filesize
1.5MB

Download
memory/1476-162-0x0000000077210000-0x0000000077390000-memory.dmp

Filesize
1.5MB

Download
memory/1476-161-0x0000000000A20000-0x0000000000A4F000-memory.dmp

Filesize
188KB

Download
memory/1548-68-0x0000000000A20000-0x0000000000A4F000-memory.dmp

Filesize
188KB

Download
memory/1548-69-0x0000000077210000-0x0000000077390000-memory.dmp

Filesize
1.5MB

Download
memory/1616-67-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1616-63-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1616-57-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1616-59-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1616-55-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1616-65-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1616-61-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1664-130-0x0000000000A20000-0x0000000000A4F000-memory.dmp

Filesize
188KB

Download
memory/1684-146-0x0000000077210000-0x0000000077390000-memory.dmp

Filesize
1.5MB

Download
memory/1684-145-0x0000000000A20000-0x0000000000A4F000-memory.dmp

Filesize
188KB

Download
memory/1684-227-0x0000000000A20000-0x0000000000A4F000-memory.dmp

Filesize
188KB

Download
memory/1684-228-0x0000000077210000-0x0000000077390000-memory.dmp

Filesize
1.5MB

Download
memory/1844-195-0x0000000000A20000-0x0000000000A4F000-memory.dmp

Filesize
188KB

Download
memory/1844-196-0x0000000077210000-0x0000000077390000-memory.dmp

Filesize
1.5MB

Download
memory/2028-177-0x0000000000A20000-0x0000000000A4F000-memory.dmp

Filesize
188KB

Download

description	pid	process	target process
PID 1548 wrote to memory of 1616	1548	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1548 wrote to memory of 1616	1548	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1548 wrote to memory of 1616	1548	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1548 wrote to memory of 1616	1548	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1548 wrote to memory of 1616	1548	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1548 wrote to memory of 1616	1548	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1548 wrote to memory of 1616	1548	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1548 wrote to memory of 1616	1548	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1548 wrote to memory of 1616	1548	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1548 wrote to memory of 1616	1548	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1548 wrote to memory of 1616	1548	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1616 wrote to memory of 1572	1616	c40967960f1817c1458a587cdab9e3a2.exe	WerFault.exe
PID 1616 wrote to memory of 1572	1616	c40967960f1817c1458a587cdab9e3a2.exe	WerFault.exe
PID 1616 wrote to memory of 1572	1616	c40967960f1817c1458a587cdab9e3a2.exe	WerFault.exe
PID 1616 wrote to memory of 1572	1616	c40967960f1817c1458a587cdab9e3a2.exe	WerFault.exe
PID 1548 wrote to memory of 1012	1548	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1548 wrote to memory of 1012	1548	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1548 wrote to memory of 1012	1548	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1548 wrote to memory of 1012	1548	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1012 wrote to memory of 1740	1012	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1012 wrote to memory of 1740	1012	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1012 wrote to memory of 1740	1012	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1012 wrote to memory of 1740	1012	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1012 wrote to memory of 1740	1012	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1012 wrote to memory of 1740	1012	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1012 wrote to memory of 1740	1012	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1012 wrote to memory of 1740	1012	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1012 wrote to memory of 1740	1012	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1012 wrote to memory of 1740	1012	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1012 wrote to memory of 1740	1012	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1740 wrote to memory of 1988	1740	c40967960f1817c1458a587cdab9e3a2.exe	WerFault.exe
PID 1740 wrote to memory of 1988	1740	c40967960f1817c1458a587cdab9e3a2.exe	WerFault.exe
PID 1740 wrote to memory of 1988	1740	c40967960f1817c1458a587cdab9e3a2.exe	WerFault.exe
PID 1740 wrote to memory of 1988	1740	c40967960f1817c1458a587cdab9e3a2.exe	WerFault.exe
PID 1012 wrote to memory of 360	1012	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1012 wrote to memory of 360	1012	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1012 wrote to memory of 360	1012	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1012 wrote to memory of 360	1012	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 360 wrote to memory of 540	360	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 360 wrote to memory of 540	360	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 360 wrote to memory of 540	360	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 360 wrote to memory of 540	360	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 360 wrote to memory of 540	360	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 360 wrote to memory of 540	360	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 360 wrote to memory of 540	360	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 360 wrote to memory of 540	360	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 360 wrote to memory of 540	360	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 360 wrote to memory of 540	360	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 360 wrote to memory of 540	360	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 540 wrote to memory of 1228	540	c40967960f1817c1458a587cdab9e3a2.exe	WerFault.exe
PID 540 wrote to memory of 1228	540	c40967960f1817c1458a587cdab9e3a2.exe	WerFault.exe
PID 540 wrote to memory of 1228	540	c40967960f1817c1458a587cdab9e3a2.exe	WerFault.exe
PID 540 wrote to memory of 1228	540	c40967960f1817c1458a587cdab9e3a2.exe	WerFault.exe
PID 360 wrote to memory of 1000	360	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 360 wrote to memory of 1000	360	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 360 wrote to memory of 1000	360	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 360 wrote to memory of 1000	360	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1000 wrote to memory of 1600	1000	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1000 wrote to memory of 1600	1000	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1000 wrote to memory of 1600	1000	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1000 wrote to memory of 1600	1000	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1000 wrote to memory of 1600	1000	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1000 wrote to memory of 1600	1000	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1000 wrote to memory of 1600	1000	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads