b0352074c6f0556acf2215aa41e485085b1c7561f645f1d314a570acd31ccc1b

Analysis

max time kernel
73s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2014-12-22 #32/439dce6b40c39157a046563bcb5e3a6a.exe
Size

664KB
MD5

439dce6b40c39157a046563bcb5e3a6a
SHA1

bd05604e465336df74df40bef6b6fbc3b360573a
SHA256

d72393d84be2be8fd53c5172a88327f47dee3c5276ca2a193b403ccc90308236
SHA512

f37e5e5c535284537b1f819da586c3166bd0e2e85c962b361f8e8c96f05958092cd1c093899683ad8d18121727e30d60ddbfab302e281f8cf90e1d068bfceb3a
SSDEEP

12288:ZK2mhAMJ/cPl+zyeuW/xcznRZ6Ko1JL7ffM2HRmQmxx/w:Y2O/Gl+GVW5clMJL7ffdH0Q0/w

Score

8^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

Processes:

Whatsapp spy tool.exewhatsapp.exewhatsapp.exewinlog.exewinlog.exe

pid process

1176 Whatsapp spy tool.exe
1376 whatsapp.exe
572 whatsapp.exe
1628 winlog.exe
1012 winlog.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

928 netsh.exe

pid	process
1176	Whatsapp spy tool.exe
1376	whatsapp.exe
572	whatsapp.exe
1628	winlog.exe
1012	winlog.exe

pid	process
928	netsh.exe

Drops startup file 2 IoCs

Processes:

winlog.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b3d7ad373951cd040fb05f6d6f5bf314.exe	winlog.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b3d7ad373951cd040fb05f6d6f5bf314.exe	winlog.exe

Loads dropped DLL 13 IoCs

Processes:

439dce6b40c39157a046563bcb5e3a6a.exewhatsapp.exewhatsapp.exewinlog.exe

pid	process
1180	439dce6b40c39157a046563bcb5e3a6a.exe
1180	439dce6b40c39157a046563bcb5e3a6a.exe
1180	439dce6b40c39157a046563bcb5e3a6a.exe
1180	439dce6b40c39157a046563bcb5e3a6a.exe
1180	439dce6b40c39157a046563bcb5e3a6a.exe
1180	439dce6b40c39157a046563bcb5e3a6a.exe
1180	439dce6b40c39157a046563bcb5e3a6a.exe
1180	439dce6b40c39157a046563bcb5e3a6a.exe
1180	439dce6b40c39157a046563bcb5e3a6a.exe
1376	whatsapp.exe
572	whatsapp.exe
572	whatsapp.exe
1628	winlog.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winlog.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\b3d7ad373951cd040fb05f6d6f5bf314 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\winlog.exe\" .."	winlog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\b3d7ad373951cd040fb05f6d6f5bf314 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\winlog.exe\" .."	winlog.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

whatsapp.exewinlog.exe

description	pid	process	target process
PID 1376 set thread context of 572	1376	whatsapp.exe	whatsapp.exe
PID 1628 set thread context of 1012	1628	winlog.exe	winlog.exe

Drops file in Program Files directory 5 IoCs

Processes:

439dce6b40c39157a046563bcb5e3a6a.exe

description	ioc	process
File created	C:\Program Files\__tmp_rar_sfx_access_check_7119776	439dce6b40c39157a046563bcb5e3a6a.exe
File created	C:\Program Files\whatsapp.exe	439dce6b40c39157a046563bcb5e3a6a.exe
File opened for modification	C:\Program Files\whatsapp.exe	439dce6b40c39157a046563bcb5e3a6a.exe
File created	C:\Program Files\Whatsapp spy tool.exe	439dce6b40c39157a046563bcb5e3a6a.exe
File opened for modification	C:\Program Files\Whatsapp spy tool.exe	439dce6b40c39157a046563bcb5e3a6a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

winlog.exe

pid process

1012 winlog.exe
1012 winlog.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

whatsapp.exewinlog.exewinlog.exe

description pid process

Token: SeDebugPrivilege 1376 whatsapp.exe
Token: SeDebugPrivilege 1628 winlog.exe
Token: SeDebugPrivilege 1012 winlog.exe

pid	process
1012	winlog.exe
1012	winlog.exe

description	pid	process
Token: SeDebugPrivilege	1376	whatsapp.exe
Token: SeDebugPrivilege	1628	winlog.exe
Token: SeDebugPrivilege	1012	winlog.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

439dce6b40c39157a046563bcb5e3a6a.exewhatsapp.exewhatsapp.exewinlog.exewinlog.exe

description	pid	process	target process
PID 1180 wrote to memory of 1176	1180	439dce6b40c39157a046563bcb5e3a6a.exe	Whatsapp spy tool.exe
PID 1180 wrote to memory of 1176	1180	439dce6b40c39157a046563bcb5e3a6a.exe	Whatsapp spy tool.exe
PID 1180 wrote to memory of 1176	1180	439dce6b40c39157a046563bcb5e3a6a.exe	Whatsapp spy tool.exe
PID 1180 wrote to memory of 1176	1180	439dce6b40c39157a046563bcb5e3a6a.exe	Whatsapp spy tool.exe
PID 1180 wrote to memory of 1176	1180	439dce6b40c39157a046563bcb5e3a6a.exe	Whatsapp spy tool.exe
PID 1180 wrote to memory of 1176	1180	439dce6b40c39157a046563bcb5e3a6a.exe	Whatsapp spy tool.exe
PID 1180 wrote to memory of 1176	1180	439dce6b40c39157a046563bcb5e3a6a.exe	Whatsapp spy tool.exe
PID 1180 wrote to memory of 1376	1180	439dce6b40c39157a046563bcb5e3a6a.exe	whatsapp.exe
PID 1180 wrote to memory of 1376	1180	439dce6b40c39157a046563bcb5e3a6a.exe	whatsapp.exe
PID 1180 wrote to memory of 1376	1180	439dce6b40c39157a046563bcb5e3a6a.exe	whatsapp.exe
PID 1180 wrote to memory of 1376	1180	439dce6b40c39157a046563bcb5e3a6a.exe	whatsapp.exe
PID 1180 wrote to memory of 1376	1180	439dce6b40c39157a046563bcb5e3a6a.exe	whatsapp.exe
PID 1180 wrote to memory of 1376	1180	439dce6b40c39157a046563bcb5e3a6a.exe	whatsapp.exe
PID 1180 wrote to memory of 1376	1180	439dce6b40c39157a046563bcb5e3a6a.exe	whatsapp.exe
PID 1376 wrote to memory of 572	1376	whatsapp.exe	whatsapp.exe
PID 1376 wrote to memory of 572	1376	whatsapp.exe	whatsapp.exe
PID 1376 wrote to memory of 572	1376	whatsapp.exe	whatsapp.exe
PID 1376 wrote to memory of 572	1376	whatsapp.exe	whatsapp.exe
PID 1376 wrote to memory of 572	1376	whatsapp.exe	whatsapp.exe
PID 1376 wrote to memory of 572	1376	whatsapp.exe	whatsapp.exe
PID 1376 wrote to memory of 572	1376	whatsapp.exe	whatsapp.exe
PID 1376 wrote to memory of 572	1376	whatsapp.exe	whatsapp.exe
PID 1376 wrote to memory of 572	1376	whatsapp.exe	whatsapp.exe
PID 1376 wrote to memory of 572	1376	whatsapp.exe	whatsapp.exe
PID 1376 wrote to memory of 572	1376	whatsapp.exe	whatsapp.exe
PID 1376 wrote to memory of 572	1376	whatsapp.exe	whatsapp.exe
PID 1376 wrote to memory of 572	1376	whatsapp.exe	whatsapp.exe
PID 572 wrote to memory of 1628	572	whatsapp.exe	winlog.exe
PID 572 wrote to memory of 1628	572	whatsapp.exe	winlog.exe
PID 572 wrote to memory of 1628	572	whatsapp.exe	winlog.exe
PID 572 wrote to memory of 1628	572	whatsapp.exe	winlog.exe
PID 572 wrote to memory of 1628	572	whatsapp.exe	winlog.exe
PID 572 wrote to memory of 1628	572	whatsapp.exe	winlog.exe
PID 572 wrote to memory of 1628	572	whatsapp.exe	winlog.exe
PID 1628 wrote to memory of 1012	1628	winlog.exe	winlog.exe
PID 1628 wrote to memory of 1012	1628	winlog.exe	winlog.exe
PID 1628 wrote to memory of 1012	1628	winlog.exe	winlog.exe
PID 1628 wrote to memory of 1012	1628	winlog.exe	winlog.exe
PID 1628 wrote to memory of 1012	1628	winlog.exe	winlog.exe
PID 1628 wrote to memory of 1012	1628	winlog.exe	winlog.exe
PID 1628 wrote to memory of 1012	1628	winlog.exe	winlog.exe
PID 1628 wrote to memory of 1012	1628	winlog.exe	winlog.exe
PID 1628 wrote to memory of 1012	1628	winlog.exe	winlog.exe
PID 1628 wrote to memory of 1012	1628	winlog.exe	winlog.exe
PID 1628 wrote to memory of 1012	1628	winlog.exe	winlog.exe
PID 1628 wrote to memory of 1012	1628	winlog.exe	winlog.exe
PID 1628 wrote to memory of 1012	1628	winlog.exe	winlog.exe
PID 1012 wrote to memory of 928	1012	winlog.exe	netsh.exe
PID 1012 wrote to memory of 928	1012	winlog.exe	netsh.exe
PID 1012 wrote to memory of 928	1012	winlog.exe	netsh.exe
PID 1012 wrote to memory of 928	1012	winlog.exe	netsh.exe
PID 1012 wrote to memory of 928	1012	winlog.exe	netsh.exe
PID 1012 wrote to memory of 928	1012	winlog.exe	netsh.exe
PID 1012 wrote to memory of 928	1012	winlog.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\2014-12-22 #32\439dce6b40c39157a046563bcb5e3a6a.exe
"C:\Users\Admin\AppData\Local\Temp\2014-12-22 #32\439dce6b40c39157a046563bcb5e3a6a.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1180

C:\Program Files\Whatsapp spy tool.exe
"C:\Program Files\Whatsapp spy tool.exe"
2⤵
- Executes dropped EXE
PID:1176

C:\Program Files\whatsapp.exe
"C:\Program Files\whatsapp.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1376

C:\Program Files\whatsapp.exe
"C:\Program Files\whatsapp.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:572

C:\Users\Admin\AppData\Local\Temp\winlog.exe
"C:\Users\Admin\AppData\Local\Temp\winlog.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\AppData\Local\Temp\winlog.exe
"C:\Users\Admin\AppData\Local\Temp\winlog.exe"
5⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\winlog.exe" "winlog.exe" ENABLE
6⤵
- Modifies Windows Firewall
PID:928

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Whatsapp spy tool.exe
Filesize
398KB

MD5
84a8780b1647ca009326ebdfe99d464d

SHA1
1d1ecafd29e82d917967e910acca2e59c9a06e91

SHA256
84d248a74552ee81d5895b4de05ac6801b46eca6eaedbb46d3c41f2484cd2741

SHA512
4a7bf6ad1ab3ae9bcc1ecc6594c003e34f29c3e499d425c7ccd9ec531b5c8ffb87127d5d193d0a339fd62fff9903e40f3eea06f5bbc6368655620adfdc4dff1e

Download Submit
C:\Program Files\Whatsapp spy tool.exe
Filesize
398KB

MD5
84a8780b1647ca009326ebdfe99d464d

SHA1
1d1ecafd29e82d917967e910acca2e59c9a06e91

SHA256
84d248a74552ee81d5895b4de05ac6801b46eca6eaedbb46d3c41f2484cd2741

SHA512
4a7bf6ad1ab3ae9bcc1ecc6594c003e34f29c3e499d425c7ccd9ec531b5c8ffb87127d5d193d0a339fd62fff9903e40f3eea06f5bbc6368655620adfdc4dff1e

Download Submit
C:\Program Files\whatsapp.exe
Filesize
1.1MB

MD5
4872b17a552e2a010f61d67655f789e6

SHA1
7ca0247a1ad4d0916c98ecd83bd6c8ab7d900651

SHA256
7bcad7494ffef5dcc2d5ee786e25dbda8fb386c5cf812ddfe4fc02c1eb170929

SHA512
a44cc6e5865b2cc8f3bf39e5b9bf57b4f0d8476f408512c874c52967e5862c40bc08f1296ea70be23837cb3ca07a12e8f69027521fd80f8a29d7d69baedc5d64

Download Submit
C:\Program Files\whatsapp.exe
Filesize
1.1MB

MD5
4872b17a552e2a010f61d67655f789e6

SHA1
7ca0247a1ad4d0916c98ecd83bd6c8ab7d900651

SHA256
7bcad7494ffef5dcc2d5ee786e25dbda8fb386c5cf812ddfe4fc02c1eb170929

SHA512
a44cc6e5865b2cc8f3bf39e5b9bf57b4f0d8476f408512c874c52967e5862c40bc08f1296ea70be23837cb3ca07a12e8f69027521fd80f8a29d7d69baedc5d64

Download Submit
C:\Program Files\whatsapp.exe
Filesize
1.1MB

MD5
4872b17a552e2a010f61d67655f789e6

SHA1
7ca0247a1ad4d0916c98ecd83bd6c8ab7d900651

SHA256
7bcad7494ffef5dcc2d5ee786e25dbda8fb386c5cf812ddfe4fc02c1eb170929

SHA512
a44cc6e5865b2cc8f3bf39e5b9bf57b4f0d8476f408512c874c52967e5862c40bc08f1296ea70be23837cb3ca07a12e8f69027521fd80f8a29d7d69baedc5d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\winlog.exe
Filesize
1.1MB

MD5
4872b17a552e2a010f61d67655f789e6

SHA1
7ca0247a1ad4d0916c98ecd83bd6c8ab7d900651

SHA256
7bcad7494ffef5dcc2d5ee786e25dbda8fb386c5cf812ddfe4fc02c1eb170929

SHA512
a44cc6e5865b2cc8f3bf39e5b9bf57b4f0d8476f408512c874c52967e5862c40bc08f1296ea70be23837cb3ca07a12e8f69027521fd80f8a29d7d69baedc5d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\winlog.exe
Filesize
1.1MB

MD5
4872b17a552e2a010f61d67655f789e6

SHA1
7ca0247a1ad4d0916c98ecd83bd6c8ab7d900651

SHA256
7bcad7494ffef5dcc2d5ee786e25dbda8fb386c5cf812ddfe4fc02c1eb170929

SHA512
a44cc6e5865b2cc8f3bf39e5b9bf57b4f0d8476f408512c874c52967e5862c40bc08f1296ea70be23837cb3ca07a12e8f69027521fd80f8a29d7d69baedc5d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\winlog.exe
Filesize
1.1MB

MD5
4872b17a552e2a010f61d67655f789e6

SHA1
7ca0247a1ad4d0916c98ecd83bd6c8ab7d900651

SHA256
7bcad7494ffef5dcc2d5ee786e25dbda8fb386c5cf812ddfe4fc02c1eb170929

SHA512
a44cc6e5865b2cc8f3bf39e5b9bf57b4f0d8476f408512c874c52967e5862c40bc08f1296ea70be23837cb3ca07a12e8f69027521fd80f8a29d7d69baedc5d64

Download Submit
\Program Files\Whatsapp spy tool.exe
Filesize
398KB

MD5
84a8780b1647ca009326ebdfe99d464d

SHA1
1d1ecafd29e82d917967e910acca2e59c9a06e91

SHA256
84d248a74552ee81d5895b4de05ac6801b46eca6eaedbb46d3c41f2484cd2741

SHA512
4a7bf6ad1ab3ae9bcc1ecc6594c003e34f29c3e499d425c7ccd9ec531b5c8ffb87127d5d193d0a339fd62fff9903e40f3eea06f5bbc6368655620adfdc4dff1e

Download Submit
\Program Files\Whatsapp spy tool.exe
Filesize
398KB

MD5
84a8780b1647ca009326ebdfe99d464d

SHA1
1d1ecafd29e82d917967e910acca2e59c9a06e91

SHA256
84d248a74552ee81d5895b4de05ac6801b46eca6eaedbb46d3c41f2484cd2741

SHA512
4a7bf6ad1ab3ae9bcc1ecc6594c003e34f29c3e499d425c7ccd9ec531b5c8ffb87127d5d193d0a339fd62fff9903e40f3eea06f5bbc6368655620adfdc4dff1e

Download Submit
\Program Files\Whatsapp spy tool.exe
Filesize
398KB

MD5
84a8780b1647ca009326ebdfe99d464d

SHA1
1d1ecafd29e82d917967e910acca2e59c9a06e91

SHA256
84d248a74552ee81d5895b4de05ac6801b46eca6eaedbb46d3c41f2484cd2741

SHA512
4a7bf6ad1ab3ae9bcc1ecc6594c003e34f29c3e499d425c7ccd9ec531b5c8ffb87127d5d193d0a339fd62fff9903e40f3eea06f5bbc6368655620adfdc4dff1e

Download Submit
\Program Files\Whatsapp spy tool.exe
Filesize
398KB

MD5
84a8780b1647ca009326ebdfe99d464d

SHA1
1d1ecafd29e82d917967e910acca2e59c9a06e91

SHA256
84d248a74552ee81d5895b4de05ac6801b46eca6eaedbb46d3c41f2484cd2741

SHA512
4a7bf6ad1ab3ae9bcc1ecc6594c003e34f29c3e499d425c7ccd9ec531b5c8ffb87127d5d193d0a339fd62fff9903e40f3eea06f5bbc6368655620adfdc4dff1e

Download Submit
\Program Files\whatsapp.exe
Filesize
1.1MB

MD5
4872b17a552e2a010f61d67655f789e6

SHA1
7ca0247a1ad4d0916c98ecd83bd6c8ab7d900651

SHA256
7bcad7494ffef5dcc2d5ee786e25dbda8fb386c5cf812ddfe4fc02c1eb170929

SHA512
a44cc6e5865b2cc8f3bf39e5b9bf57b4f0d8476f408512c874c52967e5862c40bc08f1296ea70be23837cb3ca07a12e8f69027521fd80f8a29d7d69baedc5d64

Download Submit
\Program Files\whatsapp.exe
Filesize
1.1MB

MD5
4872b17a552e2a010f61d67655f789e6

SHA1
7ca0247a1ad4d0916c98ecd83bd6c8ab7d900651

SHA256
7bcad7494ffef5dcc2d5ee786e25dbda8fb386c5cf812ddfe4fc02c1eb170929

SHA512
a44cc6e5865b2cc8f3bf39e5b9bf57b4f0d8476f408512c874c52967e5862c40bc08f1296ea70be23837cb3ca07a12e8f69027521fd80f8a29d7d69baedc5d64

Download Submit
\Program Files\whatsapp.exe
Filesize
1.1MB

MD5
4872b17a552e2a010f61d67655f789e6

SHA1
7ca0247a1ad4d0916c98ecd83bd6c8ab7d900651

SHA256
7bcad7494ffef5dcc2d5ee786e25dbda8fb386c5cf812ddfe4fc02c1eb170929

SHA512
a44cc6e5865b2cc8f3bf39e5b9bf57b4f0d8476f408512c874c52967e5862c40bc08f1296ea70be23837cb3ca07a12e8f69027521fd80f8a29d7d69baedc5d64

Download Submit
\Program Files\whatsapp.exe
Filesize
1.1MB

MD5
4872b17a552e2a010f61d67655f789e6

SHA1
7ca0247a1ad4d0916c98ecd83bd6c8ab7d900651

SHA256
7bcad7494ffef5dcc2d5ee786e25dbda8fb386c5cf812ddfe4fc02c1eb170929

SHA512
a44cc6e5865b2cc8f3bf39e5b9bf57b4f0d8476f408512c874c52967e5862c40bc08f1296ea70be23837cb3ca07a12e8f69027521fd80f8a29d7d69baedc5d64

Download Submit
\Program Files\whatsapp.exe
Filesize
1.1MB

MD5
4872b17a552e2a010f61d67655f789e6

SHA1
7ca0247a1ad4d0916c98ecd83bd6c8ab7d900651

SHA256
7bcad7494ffef5dcc2d5ee786e25dbda8fb386c5cf812ddfe4fc02c1eb170929

SHA512
a44cc6e5865b2cc8f3bf39e5b9bf57b4f0d8476f408512c874c52967e5862c40bc08f1296ea70be23837cb3ca07a12e8f69027521fd80f8a29d7d69baedc5d64

Download Submit
\Program Files\whatsapp.exe
Filesize
1.1MB

MD5
4872b17a552e2a010f61d67655f789e6

SHA1
7ca0247a1ad4d0916c98ecd83bd6c8ab7d900651

SHA256
7bcad7494ffef5dcc2d5ee786e25dbda8fb386c5cf812ddfe4fc02c1eb170929

SHA512
a44cc6e5865b2cc8f3bf39e5b9bf57b4f0d8476f408512c874c52967e5862c40bc08f1296ea70be23837cb3ca07a12e8f69027521fd80f8a29d7d69baedc5d64

Download Submit
\Users\Admin\AppData\Local\Temp\winlog.exe
Filesize
1.1MB

MD5
4872b17a552e2a010f61d67655f789e6

SHA1
7ca0247a1ad4d0916c98ecd83bd6c8ab7d900651

SHA256
7bcad7494ffef5dcc2d5ee786e25dbda8fb386c5cf812ddfe4fc02c1eb170929

SHA512
a44cc6e5865b2cc8f3bf39e5b9bf57b4f0d8476f408512c874c52967e5862c40bc08f1296ea70be23837cb3ca07a12e8f69027521fd80f8a29d7d69baedc5d64

Download Submit
\Users\Admin\AppData\Local\Temp\winlog.exe
Filesize
1.1MB

MD5
4872b17a552e2a010f61d67655f789e6

SHA1
7ca0247a1ad4d0916c98ecd83bd6c8ab7d900651

SHA256
7bcad7494ffef5dcc2d5ee786e25dbda8fb386c5cf812ddfe4fc02c1eb170929

SHA512
a44cc6e5865b2cc8f3bf39e5b9bf57b4f0d8476f408512c874c52967e5862c40bc08f1296ea70be23837cb3ca07a12e8f69027521fd80f8a29d7d69baedc5d64

Download Submit
\Users\Admin\AppData\Local\Temp\winlog.exe
Filesize
1.1MB

MD5
4872b17a552e2a010f61d67655f789e6

SHA1
7ca0247a1ad4d0916c98ecd83bd6c8ab7d900651

SHA256
7bcad7494ffef5dcc2d5ee786e25dbda8fb386c5cf812ddfe4fc02c1eb170929

SHA512
a44cc6e5865b2cc8f3bf39e5b9bf57b4f0d8476f408512c874c52967e5862c40bc08f1296ea70be23837cb3ca07a12e8f69027521fd80f8a29d7d69baedc5d64

Download Submit
memory/572-77-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/572-75-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/572-80-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/572-81-0x000000000042470E-mapping.dmp

Download
memory/572-78-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/572-74-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/572-85-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/572-87-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/572-95-0x0000000072F80000-0x000000007352B000-memory.dmp

Filesize
5.7MB

Download
memory/572-79-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/928-112-0x0000000000000000-mapping.dmp

Download
memory/1012-104-0x000000000042470E-mapping.dmp

Download
memory/1012-114-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/1012-115-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/1176-73-0x0000000000EB0000-0x0000000000F1A000-memory.dmp

Filesize
424KB

Download
memory/1176-59-0x0000000000000000-mapping.dmp

Download
memory/1176-116-0x0000000004D25000-0x0000000004D36000-memory.dmp

Filesize
68KB

Download
memory/1180-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1376-84-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/1376-67-0x0000000000000000-mapping.dmp

Download
memory/1628-91-0x0000000000000000-mapping.dmp

Download
memory/1628-107-0x0000000072F80000-0x000000007352B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads