dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7

General

Target

dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Size

1.1MB
MD5

63262d885b2d4bfd0418721df73dbb30
SHA1

55025d3677a63e50000e3ffbb98bfabf8c73b4ba
SHA256

dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7
SHA512

2d43c3bb56102ebd07563d14b6c41f9101585e7519b190fe5ef50e9c7571fc56f7e3e43d77958ad944eb976976976406f71df6abf4165a039117c4db0e0c9293
SSDEEP

24576:ujmzp9dKb9R3n9Owg+3P5WV3CVZ9glt6Uqk5Dyw+m4eFAUWss0l:ujmVTSy+3PcV3K9qt6NkWJeFA3sh

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

wwtask.exewwtask.exe

pid process

1428 wwtask.exe
3592 wwtask.exe

pid	process
1428	wwtask.exe
3592	wwtask.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetworkAgent\ImagePath = "C:\\Windows\\SysWOW64\\wwtask.exe -service"	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

wwtask.exe

description ioc process

File opened for modification \??\PhysicalDrive0 wwtask.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	wwtask.exe

Drops file in System32 directory 5 IoCs

Processes:

wwtask.exedd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe

description	ioc	process
File created	C:\Windows\SysWOW64\actt0.dep	wwtask.exe
File opened for modification	C:\Windows\SysWOW64\actt0.dep	wwtask.exe
File created	C:\Windows\SysWOW64\wwtask.exe	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
File opened for modification	C:\Windows\SysWOW64\wwtask.exe	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
File opened for modification	C:\Windows\SysWOW64\wwtask.exe	wwtask.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exewwtask.exewwtask.exe

pid process

1576 dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
1428 wwtask.exe
3592 wwtask.exe

Checks SCSI registry key(s) 3 TTPs 24 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

wwtask.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM	wwtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	wwtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	wwtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	wwtask.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK	wwtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wwtask.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wwtask.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	wwtask.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	wwtask.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK	wwtask.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	wwtask.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	wwtask.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	wwtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Control	wwtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Control	wwtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	wwtask.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wwtask.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM	wwtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Control	wwtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	wwtask.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	wwtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK	wwtask.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM	wwtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Control	wwtask.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exewwtask.exewwtask.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wwtask.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wwtask.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wwtask.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wwtask.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exewwtask.exewwtask.exe

pid	process
1576	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
1576	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
1576	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
1576	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
1428	wwtask.exe
1428	wwtask.exe
1428	wwtask.exe
1428	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

wwtask.exe

pid process

3592 wwtask.exe

pid	process
3592	wwtask.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exewwtask.exewwtask.exe

description	pid	process
Token: SeTcbPrivilege	1576	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeDebugPrivilege	1576	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeCreateTokenPrivilege	1576	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeAssignPrimaryTokenPrivilege	1576	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeLockMemoryPrivilege	1576	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeIncreaseQuotaPrivilege	1576	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeMachineAccountPrivilege	1576	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeSecurityPrivilege	1576	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeTakeOwnershipPrivilege	1576	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeLoadDriverPrivilege	1576	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeSystemProfilePrivilege	1576	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeSystemtimePrivilege	1576	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeProfSingleProcessPrivilege	1576	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeIncBasePriorityPrivilege	1576	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeCreatePagefilePrivilege	1576	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeCreatePermanentPrivilege	1576	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeBackupPrivilege	1576	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeRestorePrivilege	1576	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeShutdownPrivilege	1576	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeAuditPrivilege	1576	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeSystemEnvironmentPrivilege	1576	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeChangeNotifyPrivilege	1576	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeRemoteShutdownPrivilege	1576	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeUndockPrivilege	1576	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeSyncAgentPrivilege	1576	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeEnableDelegationPrivilege	1576	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: 33	1576	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeIncBasePriorityPrivilege	1576	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
Token: SeTcbPrivilege	1428	wwtask.exe
Token: SeDebugPrivilege	1428	wwtask.exe
Token: SeCreateTokenPrivilege	1428	wwtask.exe
Token: SeAssignPrimaryTokenPrivilege	1428	wwtask.exe
Token: SeLockMemoryPrivilege	1428	wwtask.exe
Token: SeIncreaseQuotaPrivilege	1428	wwtask.exe
Token: SeMachineAccountPrivilege	1428	wwtask.exe
Token: SeSecurityPrivilege	1428	wwtask.exe
Token: SeTakeOwnershipPrivilege	1428	wwtask.exe
Token: SeLoadDriverPrivilege	1428	wwtask.exe
Token: SeSystemProfilePrivilege	1428	wwtask.exe
Token: SeSystemtimePrivilege	1428	wwtask.exe
Token: SeProfSingleProcessPrivilege	1428	wwtask.exe
Token: SeIncBasePriorityPrivilege	1428	wwtask.exe
Token: SeCreatePagefilePrivilege	1428	wwtask.exe
Token: SeCreatePermanentPrivilege	1428	wwtask.exe
Token: SeBackupPrivilege	1428	wwtask.exe
Token: SeRestorePrivilege	1428	wwtask.exe
Token: SeShutdownPrivilege	1428	wwtask.exe
Token: SeAuditPrivilege	1428	wwtask.exe
Token: SeSystemEnvironmentPrivilege	1428	wwtask.exe
Token: SeChangeNotifyPrivilege	1428	wwtask.exe
Token: SeRemoteShutdownPrivilege	1428	wwtask.exe
Token: SeUndockPrivilege	1428	wwtask.exe
Token: SeSyncAgentPrivilege	1428	wwtask.exe
Token: SeEnableDelegationPrivilege	1428	wwtask.exe
Token: 33	1428	wwtask.exe
Token: SeIncBasePriorityPrivilege	1428	wwtask.exe
Token: SeDebugPrivilege	1428	wwtask.exe
Token: SeTcbPrivilege	3592	wwtask.exe
Token: SeDebugPrivilege	3592	wwtask.exe
Token: SeCreateTokenPrivilege	3592	wwtask.exe
Token: SeAssignPrimaryTokenPrivilege	3592	wwtask.exe
Token: SeLockMemoryPrivilege	3592	wwtask.exe
Token: SeIncreaseQuotaPrivilege	3592	wwtask.exe
Token: SeMachineAccountPrivilege	3592	wwtask.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exewwtask.exewwtask.exe

pid	process
1576	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
1576	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
1428	wwtask.exe
1428	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exewwtask.exe

pid	process
1576	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
1576	dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe
3592	wwtask.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

wwtask.exe

description	pid	process	target process
PID 1428 wrote to memory of 3592	1428	wwtask.exe	wwtask.exe
PID 1428 wrote to memory of 3592	1428	wwtask.exe	wwtask.exe
PID 1428 wrote to memory of 3592	1428	wwtask.exe	wwtask.exe

C:\Users\Admin\AppData\Local\Temp\dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe
"C:\Users\Admin\AppData\Local\Temp\dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7.exe"
1⤵
- Sets service image path in registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1576

C:\Windows\SysWOW64\wwtask.exe
C:\Windows\SysWOW64\wwtask.exe -service
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\SysWOW64\wwtask.exe
C:\Windows\SysWOW64\wwtask.exe nn
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wwtask.exe
Filesize
1.1MB

MD5
63262d885b2d4bfd0418721df73dbb30

SHA1
55025d3677a63e50000e3ffbb98bfabf8c73b4ba

SHA256
dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7

SHA512
2d43c3bb56102ebd07563d14b6c41f9101585e7519b190fe5ef50e9c7571fc56f7e3e43d77958ad944eb976976976406f71df6abf4165a039117c4db0e0c9293

Download Submit
C:\Windows\SysWOW64\wwtask.exe
Filesize
1.1MB

MD5
63262d885b2d4bfd0418721df73dbb30

SHA1
55025d3677a63e50000e3ffbb98bfabf8c73b4ba

SHA256
dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7

SHA512
2d43c3bb56102ebd07563d14b6c41f9101585e7519b190fe5ef50e9c7571fc56f7e3e43d77958ad944eb976976976406f71df6abf4165a039117c4db0e0c9293

Download Submit
C:\Windows\SysWOW64\wwtask.exe
Filesize
1.1MB

MD5
63262d885b2d4bfd0418721df73dbb30

SHA1
55025d3677a63e50000e3ffbb98bfabf8c73b4ba

SHA256
dd63745d035a31e8ff92c9879560cd131f5eb809ff8bcaf4d52342d5ad7168b7

SHA512
2d43c3bb56102ebd07563d14b6c41f9101585e7519b190fe5ef50e9c7571fc56f7e3e43d77958ad944eb976976976406f71df6abf4165a039117c4db0e0c9293

Download Submit
memory/1428-142-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/1428-137-0x0000000000820000-0x0000000000823000-memory.dmp

Filesize
12KB

Download
memory/1428-136-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/1576-139-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/1576-132-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/1576-133-0x0000000000860000-0x0000000000863000-memory.dmp

Filesize
12KB

Download
memory/3592-138-0x0000000000000000-mapping.dmp

Download
memory/3592-141-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/3592-143-0x0000000000930000-0x0000000000933000-memory.dmp

Filesize
12KB

Download
memory/3592-144-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/3592-145-0x0000000000930000-0x0000000000933000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads