220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318

General

Target

220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
Size

663KB
MD5

63ac37f23344ad69ab9afbf47b2aa5c0
SHA1

ae22db3f182f5a83e10a51d53818c793eac5321f
SHA256

220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318
SHA512

07a52a91b7a64445135bafe3233ad19134f9682acd0394b7ce0397e3bd8cd035b04e8e4a759604282aca04f73996627d0cce854fab222e48183ee2a50911cb64
SSDEEP

12288:3dceDjsrqQW9kh9Kq1mfuN/eMldtAd1D9A3uqse4wLESEoZBI:3dce+9KqYfm/eqd6D9MuqmIEXo4

Score

9^/10

adware discovery exploit persistence stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\wwuqfh6y.dll	acprotect

Drops file in Drivers directory 1 IoCs

Processes:

220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

description ioc process

File created C:\Windows\SysWOW64\drivers\0fc55e2e.sys 220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

824 takeown.exe
728 icacls.exe
956 takeown.exe
1936 icacls.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\0fc55e2e.sys	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

pid	process
824	takeown.exe
728	icacls.exe
956	takeown.exe
1936	icacls.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\0fc55e2e\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\0fc55e2e.sys"	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\wwuqfh6y.dll	upx
behavioral1/memory/1348-70-0x0000000010000000-0x00000000105EB000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1652 cmd.exe

pid	process
1652	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

pid	process
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

1936 icacls.exe
824 takeown.exe
728 icacls.exe
956 takeown.exe

pid	process
1936	icacls.exe
824	takeown.exe
728	icacls.exe
956	takeown.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

Maps connected drives based on registry 3 TTPs 3 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

Drops file in System32 directory 5 IoCs

Processes:

220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

description	ioc	process
File created	C:\Windows\SysWOW64\fAefiHU9.dll	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
File created	C:\Windows\SysWOW64\wshtcpip.dll	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
File opened for modification	C:\Windows\SysWOW64\wshtcpip.dll	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
File created	C:\Windows\SysWOW64\midimap.dll	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
File created	C:\Windows\SysWOW64\wwuqfh6y.dll	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

Modifies registry class 4 IoCs

Processes:

220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID\name = "220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe"	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL\name = "sy8.dll"	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

pid	process
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

pid process

460
1348 220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

pid	process
460
1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

takeown.exetakeown.exe220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	824	takeown.exe
Token: SeTakeOwnershipPrivilege	956	takeown.exe
Token: SeDebugPrivilege	1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.execmd.execmd.exe

description	pid	process	target process
PID 1348 wrote to memory of 1560	1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe	cmd.exe
PID 1348 wrote to memory of 1560	1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe	cmd.exe
PID 1348 wrote to memory of 1560	1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe	cmd.exe
PID 1348 wrote to memory of 1560	1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe	cmd.exe
PID 1560 wrote to memory of 824	1560	cmd.exe	takeown.exe
PID 1560 wrote to memory of 824	1560	cmd.exe	takeown.exe
PID 1560 wrote to memory of 824	1560	cmd.exe	takeown.exe
PID 1560 wrote to memory of 824	1560	cmd.exe	takeown.exe
PID 1560 wrote to memory of 728	1560	cmd.exe	icacls.exe
PID 1560 wrote to memory of 728	1560	cmd.exe	icacls.exe
PID 1560 wrote to memory of 728	1560	cmd.exe	icacls.exe
PID 1560 wrote to memory of 728	1560	cmd.exe	icacls.exe
PID 1348 wrote to memory of 1944	1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe	cmd.exe
PID 1348 wrote to memory of 1944	1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe	cmd.exe
PID 1348 wrote to memory of 1944	1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe	cmd.exe
PID 1348 wrote to memory of 1944	1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe	cmd.exe
PID 1944 wrote to memory of 956	1944	cmd.exe	takeown.exe
PID 1944 wrote to memory of 956	1944	cmd.exe	takeown.exe
PID 1944 wrote to memory of 956	1944	cmd.exe	takeown.exe
PID 1944 wrote to memory of 956	1944	cmd.exe	takeown.exe
PID 1944 wrote to memory of 1936	1944	cmd.exe	icacls.exe
PID 1944 wrote to memory of 1936	1944	cmd.exe	icacls.exe
PID 1944 wrote to memory of 1936	1944	cmd.exe	icacls.exe
PID 1944 wrote to memory of 1936	1944	cmd.exe	icacls.exe
PID 1348 wrote to memory of 1652	1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe	cmd.exe
PID 1348 wrote to memory of 1652	1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe	cmd.exe
PID 1348 wrote to memory of 1652	1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe	cmd.exe
PID 1348 wrote to memory of 1652	1348	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
"C:\Users\Admin\AppData\Local\Temp\220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\wshtcpip.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:728

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\midimap.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1936

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
2⤵
- Deletes itself
PID:1652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Filesize
181B

MD5
bc980698d2b295eda9ea0e99e05f4603

SHA1
f95514ec59d7fa1c1319f208c98d8c59ad834acd

SHA256
e6f3a5bf2ed9139d959f6f522c1abce56011b2fc6117b1a52cc498316e412821

SHA512
8ab18ba612fb655c388186cace3d6468d74b12cf4693154f4966512d823bc8a478a74bae8eaf26b00ba9c3ceb511cb59292bb279e305794abac26ba4e76b0e70

Download Submit
\Users\Admin\AppData\Local\Temp\wwuqfh6y.dll
Filesize
5.9MB

MD5
e0adcf998e2256732cdcde04535917dc

SHA1
da8ac88a680daff54fc24d29412a66a7a824b18b

SHA256
4f4d803ae66d122765bf84d166803aeb01dc278a8557684e7ae1558764bb2a82

SHA512
86862f1795f947419f7db6b98a053bfebeebea07a4a187e3d4f702015d69361156d0be4ee973d50945e403e58be644fd44e904faab9d0277b68030f9e033c89a

Download Submit
\Windows\SysWOW64\wshtcpip.dll
Filesize
19KB

MD5
1e636ce86ec19dfb557544828dfcf83b

SHA1
5a19166ffc2443d38e37b9852da5bbc7f61704e0

SHA256
2d07bf9a5420e726d44206f5c9b4e138fb2f0442a81d449cee98e890c01db5d6

SHA512
a6d4c298803674fd479200a40b18ee45144bc11344dea2a94d83e3b8fbdbe694158e283a959136cca56889a40ef1fef27967eb5f17602da4c937fb7a5bd3be8d

Download Submit
memory/728-59-0x0000000000000000-mapping.dmp

Download
memory/824-58-0x0000000000000000-mapping.dmp

Download
memory/956-61-0x0000000000000000-mapping.dmp

Download
memory/1348-70-0x0000000010000000-0x00000000105EB000-memory.dmp

Filesize
5.9MB

Download
memory/1348-57-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/1348-69-0x0000000001000000-0x0000000001779000-memory.dmp

Filesize
7.5MB

Download
memory/1348-64-0x00000000719C1000-0x00000000719C5000-memory.dmp

Filesize
16KB

Download
memory/1348-56-0x0000000001000000-0x0000000001779000-memory.dmp

Filesize
7.5MB

Download
memory/1348-65-0x0000000001000000-0x0000000001779000-memory.dmp

Filesize
7.5MB

Download
memory/1348-54-0x0000000074F41000-0x0000000074F43000-memory.dmp

Filesize
8KB

Download
memory/1560-55-0x0000000000000000-mapping.dmp

Download
memory/1652-66-0x0000000000000000-mapping.dmp

Download
memory/1936-62-0x0000000000000000-mapping.dmp

Download
memory/1944-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads