vjw0rm | 59bff7052850674f87fa90ad7a7547b563c5be7c2997e99bb53a8c98665568e1

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
20/01/2024, 08:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

69fadecc5f413f178f6aa0a64a644184.exe
Size

21.0MB
MD5

69fadecc5f413f178f6aa0a64a644184
SHA1

a80b9e9673377b201a521e2cdb3381f6abf16805
SHA256

59bff7052850674f87fa90ad7a7547b563c5be7c2997e99bb53a8c98665568e1
SHA512

4341b404426d88732068e031576ed011db876d96072f2fbd957112053261564d573215a3b70c838beaa9d9d316a0fa280686292aa5b1d4b777a96b2d90961848
SSDEEP

393216:7T9NoEuU0tK0u9zTqEZmKrqv37mes9cjeDsezDoPPASurdxgaOw/AtZ5WGc:1Ku9zTJZmKr0W9oeDsIoHZurROUE5W

Score

10^/10

vjw0rm trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	69fadecc5f413f178f6aa0a64a644184.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	Archive.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\setupm.js	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.js.lnk	Archive.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\setupm.js	WScript.exe

Executes dropped EXE 3 IoCs

pid	Process
1592	Setup.exe
4184	TeamViewer_.exe
692	Archive.exe

Loads dropped DLL 19 IoCs

pid	Process
1592	Setup.exe
4184	TeamViewer_.exe
4184	TeamViewer_.exe
4184	TeamViewer_.exe
4184	TeamViewer_.exe
4184	TeamViewer_.exe
4184	TeamViewer_.exe
4184	TeamViewer_.exe
4184	TeamViewer_.exe
4184	TeamViewer_.exe
4184	TeamViewer_.exe
4184	TeamViewer_.exe
4184	TeamViewer_.exe
4184	TeamViewer_.exe
4184	TeamViewer_.exe
4184	TeamViewer_.exe
4184	TeamViewer_.exe
4184	TeamViewer_.exe
4184	TeamViewer_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral2/files/0x00080000000231fd-4.dat	nsis_installer_1
behavioral2/files/0x00080000000231fd-4.dat	nsis_installer_2
behavioral2/files/0x0006000000023206-21.dat	nsis_installer_1
behavioral2/files/0x0006000000023206-21.dat	nsis_installer_2
behavioral2/files/0x0006000000023206-20.dat	nsis_installer_1
behavioral2/files/0x0006000000023206-20.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2616	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings	Archive.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe
3220	69fadecc5f413f178f6aa0a64a644184.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3220 wrote to memory of 1592	3220	69fadecc5f413f178f6aa0a64a644184.exe	93
PID 3220 wrote to memory of 1592	3220	69fadecc5f413f178f6aa0a64a644184.exe	93
PID 3220 wrote to memory of 1592	3220	69fadecc5f413f178f6aa0a64a644184.exe	93
PID 1592 wrote to memory of 4184	1592	Setup.exe	99
PID 1592 wrote to memory of 4184	1592	Setup.exe	99
PID 1592 wrote to memory of 4184	1592	Setup.exe	99
PID 3220 wrote to memory of 692	3220	69fadecc5f413f178f6aa0a64a644184.exe	108
PID 3220 wrote to memory of 692	3220	69fadecc5f413f178f6aa0a64a644184.exe	108
PID 3220 wrote to memory of 692	3220	69fadecc5f413f178f6aa0a64a644184.exe	108
PID 692 wrote to memory of 1900	692	Archive.exe	110
PID 692 wrote to memory of 1900	692	Archive.exe	110
PID 692 wrote to memory of 1900	692	Archive.exe	110
PID 692 wrote to memory of 1028	692	Archive.exe	109
PID 692 wrote to memory of 1028	692	Archive.exe	109
PID 692 wrote to memory of 1028	692	Archive.exe	109
PID 1900 wrote to memory of 2616	1900	WScript.exe	111
PID 1900 wrote to memory of 2616	1900	WScript.exe	111
PID 1900 wrote to memory of 2616	1900	WScript.exe	111

C:\Users\Admin\AppData\Local\Temp\69fadecc5f413f178f6aa0a64a644184.exe
"C:\Users\Admin\AppData\Local\Temp\69fadecc5f413f178f6aa0a64a644184.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3220
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe
    "C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4184
- C:\Users\Admin\AppData\Local\Temp\Archive.exe
  "C:\Users\Admin\AppData\Local\Temp\Archive.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:692
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Update.js"
    3⤵
    PID:1028
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\setupm.js"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn anydesk /tr "C:\Users\Admin\AppData\Local\Temp\setupm.js
      4⤵
      Creates scheduled task(s)
      PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Archive.exe

Filesize
297KB

MD5
cad14be1e4a62a48562c9fa4b88f2b85

SHA1
90ca01a27af1bd86d6eb10b927255cd17cba180e

SHA256
c5ebffddcf33b7ba639cd6429ade542504665bbd2ab54ed2e53d63236a2c0f14

SHA512
93d59b0acd1b36a3e7b1cb6177de1952a341050058cf5020ea38dd73981bca5ee4d8938c24eb1247986459ded7478115ba7b4f76ea54368ca70ce70f298b1ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
1.2MB

MD5
309ca6264cd43918cae077fd3b706dd4

SHA1
e226f2fddf21b3a192dc59db50b99651a8797657

SHA256
4994b255ba195bf5c93f6e2ad289858a1a72eba9a29b052ba2befe7069188896

SHA512
e10f0944c972c13dc2fe82ff64764b2a76bee79ea8e8318aa78d9ffd1757ca5b9f3ea83ad86acb3750a7f89530ca0cc0345d4397a37e1f4988a50ad21953418f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
1.1MB

MD5
8106ee43b7638865a40e29ba5dc1d250

SHA1
15348a91e6899fae668f85ff72fad9399816b0dc

SHA256
4a1748aa063e9abb10fbf11f91162d26315585888e88d3c91b6a7e51c438fcf1

SHA512
7aa7723f7094d31ae1d65eb7ab024eeff789792d8c96e3959d6ff1f2ceb70efb69c0eb782b40033123d117ca5efb636c9e3702dc2ef8fe31922d930bdb91908a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

Filesize
402KB

MD5
cbd2f7fcafe3f1513fbe9d7b881410f9

SHA1
a002e2dbb8a3608ef3a2157e9079366b8c72cb59

SHA256
44ae0b26f7f52d62129810cc030bd590c36f1e0d222ea5553b4745372472eb93

SHA512
491c6b8db2475e316165226827c51e69ac2b81c71930d0ab490f48528066bbc73ddc61ac8eaeeb114bdf43775500c849e6b762877836307237b61be36660ef7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

Filesize
400KB

MD5
4499abb82e7fff0235cfb9cedef35b38

SHA1
0080fe923f0526981c81482c3777306b906bf162

SHA256
7547e37199c5fed9513fae213f719047b075586f8b6ef0e62ca730524284c755

SHA512
ff25fb1bc98e9bbd67e9a79b928aeb0196a19daf3df7667ef0841595ae08362fee4197fc9a0b94b2b30a768c491b2e3522e7c9badf096b7250fc3c5faabcf0d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\tvinfo.ini

Filesize
35B

MD5
5183ad04fa855146dedfc2da3e2e0c1d

SHA1
6aafeeba574403f5a0473304e9a1b2e08827d771

SHA256
e4a7c461065ba593420c328a8b9e3ee02800c7d5c89de4c01ed88e3c90792579

SHA512
aa95a8a7f39d582ea91a5e1f1278b63da35ae4f2c698f94532ff59c5de6f565694498a87a701b52e3bd12c2c82aaa6431db6954d53ab5e6f188ae0617a8893c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.js

Filesize
22KB

MD5
ed831cd9ad274c33fdc51f90e526a672

SHA1
c6506b063070e16c2ab8c577417b9b42940af4fa

SHA256
0d22b6c2dd78a3eb76198b65aa75f7ea8e2a248a6600146397fcc49a055af2de

SHA512
b147b34b34215c549e6a47bfb6d9549f4f3e6bfa70fe9191fa58118c7e884625f56dd25cbc249177034a726f7d084f933832c4c18d682975a9c1d76e1b05d7b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut5525.tmp

Filesize
4.3MB

MD5
3a1cda520901d13e41b3338747cd4f32

SHA1
32f0067eaf37fb1a7fd88dbcd191f9070ac62246

SHA256
adf63120385a0d65ede225db03d8986a5df924da38387ca060ff34bcf46a1d67

SHA512
3800b035f3b3974d3953442151a4bdcd83b3f567775ee264bb4efa43551fdac3f773d5be91d32975d96c18349904736e1052c09c4f10d5d22a84c289d03cfbd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk60EE.tmp\InstallOptions.dll

Filesize
15KB

MD5
033ee34c40e8fa85bf2739bcb2f3e186

SHA1
2ca942f35f77f37df3fc6097acac34f2e77341b7

SHA256
c91c1796338a265b49039c0b2c7a312d764b99e5174fb2dae455ca54f8f41ec7

SHA512
2204e0b8721b8d85c51bd068b1695b16ee096bfc1d1cd5843f48fd04032aeee2b6a91ce82978a4b3414f3d966ec5b36fb337a4149dae3a1d0445935d964d247f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk60EE.tmp\System.dll

Filesize
11KB

MD5
0ff2d70cfdc8095ea99ca2dabbec3cd7

SHA1
10c51496d37cecd0e8a503a5a9bb2329d9b38116

SHA256
982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b

SHA512
cb5fc0b3194f469b833c2c9abf493fcec5251e8609881b7f5e095b9bd09ed468168e95dda0ba415a7d8d6b7f0dee735467c0ed8e52b223eb5359986891ba6e2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk60EE.tmp\TvGetVersion.dll

Filesize
172KB

MD5
412348383583b14a6ce4dbb4b1697924

SHA1
75fd77d417ed9f23ff849856415d0ad6a55d6f6e

SHA256
27ba5be684ce8be575de9b35c30f383034320c3c5488f9e9a946e47f5059987c

SHA512
a403cae1ef2a1faf22d25d224b0e5d57f1eed282ebf1a22149278f271a7abab000793a3622ea747d7ebd2bd7a3d4aa46881e1ed8e728367cd331d9d723d215ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk60EE.tmp\TvGetVersion.dll

Filesize
177KB

MD5
efa24731c55b5c2c263302b750f3ce5a

SHA1
87f76c2a50661f4d50a2c815b407657e38c9db55

SHA256
4d80cd59668b04553dcf5966c911d56f9ec750e9433cd2e58b82c455b7593cd0

SHA512
d96eea2799c777f223e714f6f3b579430d694a1c91e96deb5b3cff5eb98f4ee47793b95be103ca931296b2b13b453dc2e503be3a0118dc45dec7be8d96a55387

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk60EE.tmp\TvGetVersion.dll

Filesize
176KB

MD5
bdebd543c16d3562f586d3ed6c208328

SHA1
7def05a6ce9e9a9412580514b4e1e17bd50c4f5b

SHA256
6ca2f9f35df6df8d8ac39d9eefffcfbadfc7343d72672007ac35de45d5da4242

SHA512
e7f1d2a29d030855148cc698a430d87894101d8e232240d736567b608f731ac695ab6653d4ca82ef82b148249a14f8fe75ffe7ebe51905442a74f8283bf162ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk60EE.tmp\TvGetVersion.dll

Filesize
210KB

MD5
05f51bc8ffb2c8f5a2825bf5680301cf

SHA1
30f7f77dce1fb3526142780e9f5bd5c11622d6b6

SHA256
c67cbd5e35e1ce0c7ba17c55d8e2bc33afd5e0a68774554a1fe7216d330c709e

SHA512
1e041aaa37dd00414ad955ebc8c0f708589014d2085a5a0b95a31f4d694bb1cc4994bb1324d4b983cbad0449fb0a05560d82c60fdbfc78be67ff61275e451233

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk60EE.tmp\TvGetVersion.dll

Filesize
209KB

MD5
02a4882a510b6b164a9405fcefefc19f

SHA1
4cd278db145dccc49f3947ce467ea6cfb38d1cf0

SHA256
4fcc2a3275d391cb6c8b54a3e2d34f07bf2cf0c2fc538fca8f20f3aa701f911b

SHA512
8f3a58e0a10dedc0a88dc5f72156c2efacfb1db1da948a53e1d17a7b14939f862d3c203cc90fcd4f7c8637eb5b50af3c3ef4fdc6275f7e6cca79f56a94771d7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk60EE.tmp\TvGetVersion.dll

Filesize
138KB

MD5
84db0aec16fe9be1b0179c00f7b17276

SHA1
920dc4ba30ace9ad1954e0a198859b440a3fba1f

SHA256
63e76ac8126d875a7d4b97b515061251158404ca40a6708003a8ee89beb0cd90

SHA512
6c6e2391a63d76a3456442b8c8179d8501678fea30d5a45fc8c46044df8a7b9244fd62343d38674a638734f174e712b5a4779d4fa0c82a354dd82026f4e70f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk60EE.tmp\UserInfo.dll

Filesize
4KB

MD5
9b0db6a6056e8e51ac35e602aeab769f

SHA1
b541c6d2635141cdc3a74f59d55db8df4a92e7ac

SHA256
925d80c31702a95d58ede91ee97fd842de78ca6dde69156a6c1a755fba93cd5c

SHA512
83fe9d346835940a37e0e0a18d041c9d13fc95a0e9ece3bc18e555cf0e8e7ddf7b42dba422b1e55ace31db3c9fc807e0b44e93b8f07f5acb943eaaf77b4f0ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk60EE.tmp\advanced_unicode.ini

Filesize
1KB

MD5
8b3e104f11c5d046bd93df4e9fb40f4e

SHA1
0362bb65744a07563dc05cd612dd54a865233d79

SHA256
cc18c611578d796a879cac46746406dbaa96eddd544d7a12d4fa56856cb2cbc1

SHA512
edc08be542234c3ed6a94c46c610eb5398782c580859eda11f35df6112b3dfee10cf4be068c7a87f39a339f10a9176350cae9f657857375d641a35d5d151ced8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk60EE.tmp\linker.dll

Filesize
45KB

MD5
4ac3f0ab2e423515ed9c575333342054

SHA1
a3e4f2b2135157f964d471564044b023a64f2532

SHA256
f223d6c72f86544b358a6301daf60ccdd86198f32e3447a1860acf3f59f2dae9

SHA512
8fbd5b4989be51c27fa15af155d2921bea9aa5d0557a22d4224256e678dfe7dcaa5f80917a748c31dc9c9a91573e4618e2497ccfd47eefd7a0fa08c12366a1e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk60EE.tmp\start_unicode.ini

Filesize
2KB

MD5
2a8a139cdab38b5f4264ae82850cbd22

SHA1
816e8acb2adc36c7f138f963a9802622dfc9536a

SHA256
94bde605292510f8ae6df19083130770ae8c754906007ea93150cab63962190b

SHA512
d6f99e88e72cfb28afc4af0780d2ac380f00f9fe9265cbbb4b8e6390e9b6ee5870a723e1971288783fd919158659ff214bab383242fa22470d9f6f1a170e2cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk60EE.tmp\start_unicode.ini

Filesize
2KB

MD5
842e0619d9e08154e01ee9a622a41ab4

SHA1
bdf8db0db0f5a261743867d77585c5ea9c240d77

SHA256
e45809ed8a2935ba7c3c4432af33509ace03144157262ac1c6595c5333be11a7

SHA512
df1b29d20f3acc0e6231bab4a90241b014e3495cc6f532a526318f90950f5602ecfccdfe476a783e326830873691e6c21c49a8477f3c8b4401cb85812595de7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx5A46.tmp\TvGetVersion.dll

Filesize
193KB

MD5
d2ac4ca57f4b624c444c17e8a353deaa

SHA1
d713b2b4ff0cec01b5c89bd26127012eed460a32

SHA256
a4db659c6265ba7efbbd4906257ef6cdb8f9b1fefba78f01425390729ab3d1f2

SHA512
db991671548d9f239acf7b77b47ccbf438c626e803026a68d7c67ec5b3923195c8745f6adbe730fe4c049237217849f8f9f47fc335cf94b1413a7debc9b8d9b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\setupm.js

Filesize
42KB

MD5
b3fc5e308e2b71e264c09f882f5a7093

SHA1
d8e5433ff1141b9d1757e4fe774dc58b7906339c

SHA256
1d960010a1f154542456123073df663f81c7f6e7a872233a5fe6ad55d4822385

SHA512
e5b64f4b3ecc27a58dad51e3de446d03817323f8dc337c452fd4e53429d329a1668a67d2268dcfb6ec9afa46db6c56d9693da1efc9dbf02a17162d545ac4c593

Download Submit
memory/4184-276-0x0000000006E10000-0x0000000006E1E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads