da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a

Analysis

max time kernel
150s
max time network
105s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 06:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a.exe
Size

104KB
MD5

79f302aa124239e2e3b91952a199d0a2
SHA1

6eac448a6f91937f22455ca5aef1eb4a1bf254cd
SHA256

da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a
SHA512

f48cb8275a7f73699ea7ea9f26cf7f4fb080de6c0370fb68c0effe35214448da672ed2a0c378bb2aa2a8a78f4f80ce27c3caa7c6dbc8f1df5cefe989dea9cf0f
SSDEEP

1536:xTYd5QJc/vaSybs4eBReHbaxjg46o6qBH:V1c/2b5keuNg4HDH

Score

9^/10

spyware stealer

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Executes dropped EXE 1 IoCs

pid	Process
952	wmimgmt.exe

Loads dropped DLL 2 IoCs

pid	Process
1104	da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a.exe
1104	da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Discovers systems in the same network 1 TTPs 4 IoCs

discovery

Remote System Discovery

T1018

pid	Process
280	net.exe
756	net.exe
468	net.exe
1508	net.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
280	tasklist.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
1596	ipconfig.exe
1680	NETSTAT.EXE
560	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1308	systeminfo.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1096	PING.EXE

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeBackupPrivilege	1104	da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a.exe
Token: SeBackupPrivilege	1104	da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a.exe
Token: SeRestorePrivilege	1104	da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a.exe
Token: SeBackupPrivilege	1104	da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a.exe
Token: SeRestorePrivilege	1104	da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a.exe
Token: SeBackupPrivilege	1104	da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a.exe
Token: SeRestorePrivilege	1104	da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a.exe
Token: SeBackupPrivilege	1104	da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a.exe
Token: SeRestorePrivilege	1104	da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a.exe
Token: SeBackupPrivilege	1104	da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a.exe
Token: SeRestorePrivilege	1104	da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a.exe
Token: SeDebugPrivilege	280	tasklist.exe
Token: SeBackupPrivilege	952	wmimgmt.exe
Token: SeBackupPrivilege	952	wmimgmt.exe
Token: SeBackupPrivilege	952	wmimgmt.exe
Token: SeBackupPrivilege	952	wmimgmt.exe
Token: SeBackupPrivilege	952	wmimgmt.exe
Token: SeBackupPrivilege	952	wmimgmt.exe
Token: SeRestorePrivilege	952	wmimgmt.exe
Token: SeDebugPrivilege	1680	NETSTAT.EXE
Token: SeBackupPrivilege	952	wmimgmt.exe
Token: SeBackupPrivilege	952	wmimgmt.exe
Token: SeBackupPrivilege	952	wmimgmt.exe
Token: SeBackupPrivilege	952	wmimgmt.exe
Token: SeBackupPrivilege	952	wmimgmt.exe
Token: SeBackupPrivilege	952	wmimgmt.exe
Token: SeBackupPrivilege	952	wmimgmt.exe
Token: SeBackupPrivilege	952	wmimgmt.exe
Token: SeBackupPrivilege	952	wmimgmt.exe
Token: SeBackupPrivilege	952	wmimgmt.exe
Token: SeBackupPrivilege	952	wmimgmt.exe
Token: SeBackupPrivilege	952	wmimgmt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 952	1104	da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a.exe	28
PID 1104 wrote to memory of 952	1104	da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a.exe	28
PID 1104 wrote to memory of 952	1104	da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a.exe	28
PID 1104 wrote to memory of 952	1104	da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a.exe	28
PID 952 wrote to memory of 556	952	wmimgmt.exe	29
PID 952 wrote to memory of 556	952	wmimgmt.exe	29
PID 952 wrote to memory of 556	952	wmimgmt.exe	29
PID 952 wrote to memory of 556	952	wmimgmt.exe	29
PID 556 wrote to memory of 468	556	cmd.exe	31
PID 556 wrote to memory of 468	556	cmd.exe	31
PID 556 wrote to memory of 468	556	cmd.exe	31
PID 556 wrote to memory of 468	556	cmd.exe	31
PID 556 wrote to memory of 576	556	cmd.exe	32
PID 556 wrote to memory of 576	556	cmd.exe	32
PID 556 wrote to memory of 576	556	cmd.exe	32
PID 556 wrote to memory of 576	556	cmd.exe	32
PID 556 wrote to memory of 1920	556	cmd.exe	33
PID 556 wrote to memory of 1920	556	cmd.exe	33
PID 556 wrote to memory of 1920	556	cmd.exe	33
PID 556 wrote to memory of 1920	556	cmd.exe	33
PID 1920 wrote to memory of 1924	1920	net.exe	34
PID 1920 wrote to memory of 1924	1920	net.exe	34
PID 1920 wrote to memory of 1924	1920	net.exe	34
PID 1920 wrote to memory of 1924	1920	net.exe	34
PID 556 wrote to memory of 1028	556	cmd.exe	35
PID 556 wrote to memory of 1028	556	cmd.exe	35
PID 556 wrote to memory of 1028	556	cmd.exe	35
PID 556 wrote to memory of 1028	556	cmd.exe	35
PID 1028 wrote to memory of 824	1028	net.exe	36
PID 1028 wrote to memory of 824	1028	net.exe	36
PID 1028 wrote to memory of 824	1028	net.exe	36
PID 1028 wrote to memory of 824	1028	net.exe	36
PID 556 wrote to memory of 280	556	cmd.exe	37
PID 556 wrote to memory of 280	556	cmd.exe	37
PID 556 wrote to memory of 280	556	cmd.exe	37
PID 556 wrote to memory of 280	556	cmd.exe	37
PID 556 wrote to memory of 1308	556	cmd.exe	39
PID 556 wrote to memory of 1308	556	cmd.exe	39
PID 556 wrote to memory of 1308	556	cmd.exe	39
PID 556 wrote to memory of 1308	556	cmd.exe	39
PID 556 wrote to memory of 1712	556	cmd.exe	41
PID 556 wrote to memory of 1712	556	cmd.exe	41
PID 556 wrote to memory of 1712	556	cmd.exe	41
PID 556 wrote to memory of 1712	556	cmd.exe	41
PID 556 wrote to memory of 1872	556	cmd.exe	42
PID 556 wrote to memory of 1872	556	cmd.exe	42
PID 556 wrote to memory of 1872	556	cmd.exe	42
PID 556 wrote to memory of 1872	556	cmd.exe	42
PID 556 wrote to memory of 1664	556	cmd.exe	43
PID 556 wrote to memory of 1664	556	cmd.exe	43
PID 556 wrote to memory of 1664	556	cmd.exe	43
PID 556 wrote to memory of 1664	556	cmd.exe	43
PID 556 wrote to memory of 696	556	cmd.exe	44
PID 556 wrote to memory of 696	556	cmd.exe	44
PID 556 wrote to memory of 696	556	cmd.exe	44
PID 556 wrote to memory of 696	556	cmd.exe	44
PID 556 wrote to memory of 1960	556	cmd.exe	45
PID 556 wrote to memory of 1960	556	cmd.exe	45
PID 556 wrote to memory of 1960	556	cmd.exe	45
PID 556 wrote to memory of 1960	556	cmd.exe	45
PID 556 wrote to memory of 1996	556	cmd.exe	46
PID 556 wrote to memory of 1996	556	cmd.exe	46
PID 556 wrote to memory of 1996	556	cmd.exe	46
PID 556 wrote to memory of 1996	556	cmd.exe	46

C:\Users\Admin\AppData\Local\Temp\da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a.exe
"C:\Users\Admin\AppData\Local\Temp\da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104
- C:\ProgramData\Application Data\wmimgmt.exe
  "C:\ProgramData\Application Data\wmimgmt.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /v:on /c C:\Users\Admin\AppData\Local\Temp\ghi.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:556
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt
      4⤵
      PID:468
  - - C:\Windows\SysWOW64\chcp.com
      chcp
      4⤵
      PID:576
  - - C:\Windows\SysWOW64\net.exe
      net user
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1920
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:1924
  - - C:\Windows\SysWOW64\net.exe
      net localgroup administrators
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1028
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:824
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:280
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1308
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
      4⤵
      PID:1712
  - - C:\Windows\SysWOW64\find.exe
      find "REG_"
      4⤵
      PID:1872
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office
      4⤵
      PID:1664
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Common\UserInfo
      4⤵
      PID:696
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\UserInfo
      4⤵
      PID:1960
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\UserInfo
      4⤵
      PID:1996
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\UserInfo
      4⤵
      PID:1704
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\UserInfo
      4⤵
      PID:1504
  - - C:\Windows\SysWOW64\reg.exe
      reg query HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Common\UserInfo
      4⤵
      PID:1736
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:1596
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -ano
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:1680
  - - C:\Windows\SysWOW64\ARP.EXE
      arp -a
      4⤵
      PID:1168
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -r
      4⤵
      Gathers network information
      PID:560
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
        5⤵
        
        PID:1508
      - C:\Windows\SysWOW64\ROUTE.EXE
        
        C:\Windows\system32\route.exe print
        6⤵
        
        PID:764
  - - C:\Windows\SysWOW64\net.exe
      net start
      4⤵
      PID:1096
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start
        5⤵
        
        PID:1172
  - - C:\Windows\SysWOW64\net.exe
      net use
      4⤵
      PID:1332
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo n"
      4⤵
      PID:1864
  - - C:\Windows\SysWOW64\net.exe
      net share
      4⤵
      PID:1028
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 share
        5⤵
        
        PID:1328
  - - C:\Windows\SysWOW64\net.exe
      net view /domain
      4⤵
      Discovers systems in the same network
      PID:280
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
      4⤵
      PID:1708
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "------"
      4⤵
      PID:1716
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
      4⤵
      PID:1392
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "domain"
      4⤵
      PID:1944
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
      4⤵
      PID:1872
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "¬A╛╣"
      4⤵
      PID:1664
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
      4⤵
      PID:1648
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "░⌡ªµª¿"
      4⤵
      PID:1420
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
      4⤵
      PID:1756
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "├ⁿ┴ε"
      4⤵
      PID:1776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
      4⤵
      PID:1736
  - - C:\Windows\SysWOW64\find.exe
      find /i /v "completed successfully"
      4⤵
      PID:900
  - - C:\Windows\SysWOW64\net.exe
      net view /domain:"WORKGROUP"
      4⤵
      Discovers systems in the same network
      PID:756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\workgrp.tmp "
      4⤵
      PID:960
  - - C:\Windows\SysWOW64\find.exe
      find "\\"
      4⤵
      PID:520
  - - C:\Windows\SysWOW64\net.exe
      net view \\SABDUHNY
      4⤵
      Discovers systems in the same network
      PID:468
  - - C:\Windows\SysWOW64\net.exe
      net view \\SABDUHNY
      4⤵
      Discovers systems in the same network
      PID:1508
  - - C:\Windows\SysWOW64\find.exe
      find "Disk"
      4⤵
      PID:1236
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 SABDUHNY
      4⤵
      Runs ping.exe
      PID:1096
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "Pinging Reply Request Unknown"
      4⤵
      PID:1768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Account Manipulation

T1098

Privilege Escalation

Defense Evasion

Credential Access

Account Manipulation

T1098

Credentials in Files

T1081

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\wmimgmt.exe

Filesize
104KB

MD5
79f302aa124239e2e3b91952a199d0a2

SHA1
6eac448a6f91937f22455ca5aef1eb4a1bf254cd

SHA256
da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a

SHA512
f48cb8275a7f73699ea7ea9f26cf7f4fb080de6c0370fb68c0effe35214448da672ed2a0c378bb2aa2a8a78f4f80ce27c3caa7c6dbc8f1df5cefe989dea9cf0f

Download Submit
C:\ProgramData\wmimgmt.exe

Filesize
104KB

MD5
79f302aa124239e2e3b91952a199d0a2

SHA1
6eac448a6f91937f22455ca5aef1eb4a1bf254cd

SHA256
da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a

SHA512
f48cb8275a7f73699ea7ea9f26cf7f4fb080de6c0370fb68c0effe35214448da672ed2a0c378bb2aa2a8a78f4f80ce27c3caa7c6dbc8f1df5cefe989dea9cf0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\INFO.TXT

Filesize
43B

MD5
c7c7a6e8647fed3bc4209695839c6d9b

SHA1
bc2a68f658be6e11e049ab5b2db49efc69984d15

SHA256
bfe8b2d1237db35c8f2b6e54d75b0de85de9fedd1c8547c46bc01708ad513663

SHA512
0f118a4397d5be8292145f040061ae38117f91eac7bf0c1d462e3838ae52518bd2c9fe8b610e84e8f3208fd88d1f26597fef809258b2eed2b6845dc3f72cbe87

Download Submit
C:\Users\Admin\AppData\Local\Temp\drivers.p

Filesize
10B

MD5
3594ed70083b6e10efbfbcd4142b6454

SHA1
59b91832fc3778d2dba62642935c61fb768c760c

SHA256
c1aead592e2eb892263a7b1a7ca36484c73013be81dda18ccbe6a35138799823

SHA512
418466d5b10ba557bdb229cfcf7e190e7cedd9fd52a72e2591f78fc1c5c983b04c60c9307e8919c3d7e366d71c54a325d4f20e4ad4850677b115ca9c562d0586

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghi.bat

Filesize
3KB

MD5
b98e8fcde49a1caee295a6bd3d264e56

SHA1
71c82391a8617212ad48c8d79755e71be2e20be9

SHA256
e369c7e2e7ac0280882693038b213be0309c910df62f35a5159a125ecd18fb9a

SHA512
fb5fa414449e7dd4ce1fedcb92487f59ed18d7fbd3146eb59ec8f7256d68551adebb7d35e859fe7b6bce5a0b042b0de1e9ee56369a8686976dd121b44ff46742

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.log

Filesize
64B

MD5
e29f80bf6f6a756e0bc6d7f5189a9bb2

SHA1
acdd1032b7dc189f8e68b390fe6fd964618acd72

SHA256
8bfe9f81e5c82cbfe69203c993009c22f940f20727fa8cb43773958bf0eba7c7

SHA512
f390fc82bdeb43721aa08f3666a4ed7d9ad4a5c1ff91be6967336417a5a5b7968b945773f68effcbe961072b801c3681455cf98b956cd802eba24190bd54268e

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.log

Filesize
64B

MD5
e29f80bf6f6a756e0bc6d7f5189a9bb2

SHA1
acdd1032b7dc189f8e68b390fe6fd964618acd72

SHA256
8bfe9f81e5c82cbfe69203c993009c22f940f20727fa8cb43773958bf0eba7c7

SHA512
f390fc82bdeb43721aa08f3666a4ed7d9ad4a5c1ff91be6967336417a5a5b7968b945773f68effcbe961072b801c3681455cf98b956cd802eba24190bd54268e

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.log

Filesize
153B

MD5
b256c8a481b065860c2812e742f50250

SHA1
51ddf02764fb12d88822450e8a27f9deac85fe54

SHA256
b167a692a2ff54cc5625797ddc367ba8736797130b93961d68b9150aef2f0e12

SHA512
f425ae70449d16bdb05fcc7913744fb0a81ab81278735d77ce316007b8298ad3c3991a29af67b336420f7dca94702271e59186174b5b78b5cdab1f8ce0163360

Download Submit
C:\Users\Admin\AppData\Local\Temp\t.log

Filesize
72B

MD5
59f2768506355d8bc50979f6d64ded26

SHA1
b2d315b3857bec8335c526a08d08d6a1b5f5c151

SHA256
7f9f3cbab32b3a5022bed245092835cb12502fa2e79d85c8c45d478918ee6569

SHA512
e9aa231d19cb5f93711cd3ffee4a6bd8764b21249ed7eb06ff34bcb457cd075384a0858ea35a99280bff16c01875a4ed79598a6503fcf5262da6f0849b5b1028

Download Submit
C:\Users\Admin\AppData\Local\Temp\t.log

Filesize
64B

MD5
e29f80bf6f6a756e0bc6d7f5189a9bb2

SHA1
acdd1032b7dc189f8e68b390fe6fd964618acd72

SHA256
8bfe9f81e5c82cbfe69203c993009c22f940f20727fa8cb43773958bf0eba7c7

SHA512
f390fc82bdeb43721aa08f3666a4ed7d9ad4a5c1ff91be6967336417a5a5b7968b945773f68effcbe961072b801c3681455cf98b956cd802eba24190bd54268e

Download Submit
C:\Users\Admin\AppData\Local\Temp\workgrp.tmp

Filesize
234B

MD5
30af496d743e1944930b175405282e75

SHA1
839cfa05617b480d3d68ad56902284057decf46d

SHA256
99b2e34eda68e19f7b508d78402c1567f630fa933fc8c5d575912a51571afd6d

SHA512
68a9cd0ab48cb16e7bfc2e51d4eb2b0793aefccb9a78bd1c9f8e2e869a7e63d328570e9d989230a7f9433d0bfb693e5c7ae950d7423a5c334ce3b2e375e08e27

Download Submit
\ProgramData\wmimgmt.exe

Filesize
104KB

MD5
79f302aa124239e2e3b91952a199d0a2

SHA1
6eac448a6f91937f22455ca5aef1eb4a1bf254cd

SHA256
da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a

SHA512
f48cb8275a7f73699ea7ea9f26cf7f4fb080de6c0370fb68c0effe35214448da672ed2a0c378bb2aa2a8a78f4f80ce27c3caa7c6dbc8f1df5cefe989dea9cf0f

Download Submit
\ProgramData\wmimgmt.exe

Filesize
104KB

MD5
79f302aa124239e2e3b91952a199d0a2

SHA1
6eac448a6f91937f22455ca5aef1eb4a1bf254cd

SHA256
da694821b804ce2b67f11616d232021309963a9a7d5cb21a0f92c9729ea02c3a

SHA512
f48cb8275a7f73699ea7ea9f26cf7f4fb080de6c0370fb68c0effe35214448da672ed2a0c378bb2aa2a8a78f4f80ce27c3caa7c6dbc8f1df5cefe989dea9cf0f

Download Submit
memory/952-63-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1104-55-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1104-54-0x0000000074D81000-0x0000000074D83000-memory.dmp

Filesize
8KB

Download
memory/1104-60-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads