73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74

Analysis

max time kernel
46s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Size

109KB
MD5

02f54ca9bf4078100d8aa5658f7e5e50
SHA1

c7b37aadccec1fbd36221995eaed733f3f0bbc4d
SHA256

73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74
SHA512

e9c1b2bd931e3c6154e3e0662cbf51b784bed1f83cd9d05a0a0d82ede0cc9502ef3366171ef8c3a65b44f7b61e52d140abcf977e7ef552448de108ff69146d66
SSDEEP

3072:m22T/V4KDvArbOtHSQafXegqilnP6nFdyE2HZ:m22T/mk8bYafXegeF0

Score

8^/10

persistence vmprotect

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000500000000b2d2-58.dat	vmprotect
behavioral1/files/0x000500000000b2d2-62.dat	vmprotect
behavioral1/files/0x000500000000b2d2-61.dat	vmprotect
behavioral1/files/0x000500000000b2d2-60.dat	vmprotect
behavioral1/files/0x000500000000b2d2-59.dat	vmprotect
behavioral1/files/0x000500000000b2d2-65.dat	vmprotect

Deletes itself 1 IoCs

pid	Process
1736	cmd.exe

Loads dropped DLL 5 IoCs

pid	Process
1164	rundll32.exe
1164	rundll32.exe
1164	rundll32.exe
1164	rundll32.exe
1736	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Disker = "rundll32.exe C:\\Windows\\system32\\HIMYM.DLL,DW"	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HIMYM.DLL	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
Token: SeDebugPrivilege	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 1164	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe	27
PID 1600 wrote to memory of 1164	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe	27
PID 1600 wrote to memory of 1164	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe	27
PID 1600 wrote to memory of 1164	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe	27
PID 1600 wrote to memory of 1164	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe	27
PID 1600 wrote to memory of 1164	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe	27
PID 1600 wrote to memory of 1164	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe	27
PID 1600 wrote to memory of 1736	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe	28
PID 1600 wrote to memory of 1736	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe	28
PID 1600 wrote to memory of 1736	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe	28
PID 1600 wrote to memory of 1736	1600	73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe	28

C:\Users\Admin\AppData\Local\Temp\73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe
"C:\Users\Admin\AppData\Local\Temp\73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\system32\HIMYM.DLL,DW
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  PID:1164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\73c815da50a5f1db2bc785a276ae8c4d2cd0ca350901f2149ab1bd5dfca9ac74.exe"
  2⤵
  - Deletes itself
  - Loads dropped DLL
  PID:1736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\HIMYM.DLL

Filesize
92KB

MD5
70e3a27d55e6378cdf6d1d07b9dd0c93

SHA1
90728f727beb553fef6956e364ffa5b26d876509

SHA256
a5f259b7b1868afc2e06c1912c6fbfb392c7888f2e73d643b438df3400e9f4fb

SHA512
2fcab78b190402ce2369f063e723fa1b627a5534c16e6945aadc32c54c5d9302c195c2e47b24b36bd5dfa8fe9c6e23e62c554e5e311fcacdfe55a37c235f609c

Download Submit
\Windows\SysWOW64\HIMYM.DLL

Filesize
92KB

MD5
70e3a27d55e6378cdf6d1d07b9dd0c93

SHA1
90728f727beb553fef6956e364ffa5b26d876509

SHA256
a5f259b7b1868afc2e06c1912c6fbfb392c7888f2e73d643b438df3400e9f4fb

SHA512
2fcab78b190402ce2369f063e723fa1b627a5534c16e6945aadc32c54c5d9302c195c2e47b24b36bd5dfa8fe9c6e23e62c554e5e311fcacdfe55a37c235f609c

Download Submit
\Windows\SysWOW64\HIMYM.DLL

Filesize
92KB

MD5
70e3a27d55e6378cdf6d1d07b9dd0c93

SHA1
90728f727beb553fef6956e364ffa5b26d876509

SHA256
a5f259b7b1868afc2e06c1912c6fbfb392c7888f2e73d643b438df3400e9f4fb

SHA512
2fcab78b190402ce2369f063e723fa1b627a5534c16e6945aadc32c54c5d9302c195c2e47b24b36bd5dfa8fe9c6e23e62c554e5e311fcacdfe55a37c235f609c

Download Submit
\Windows\SysWOW64\HIMYM.DLL

Filesize
92KB

MD5
70e3a27d55e6378cdf6d1d07b9dd0c93

SHA1
90728f727beb553fef6956e364ffa5b26d876509

SHA256
a5f259b7b1868afc2e06c1912c6fbfb392c7888f2e73d643b438df3400e9f4fb

SHA512
2fcab78b190402ce2369f063e723fa1b627a5534c16e6945aadc32c54c5d9302c195c2e47b24b36bd5dfa8fe9c6e23e62c554e5e311fcacdfe55a37c235f609c

Download Submit
\Windows\SysWOW64\HIMYM.DLL

Filesize
92KB

MD5
70e3a27d55e6378cdf6d1d07b9dd0c93

SHA1
90728f727beb553fef6956e364ffa5b26d876509

SHA256
a5f259b7b1868afc2e06c1912c6fbfb392c7888f2e73d643b438df3400e9f4fb

SHA512
2fcab78b190402ce2369f063e723fa1b627a5534c16e6945aadc32c54c5d9302c195c2e47b24b36bd5dfa8fe9c6e23e62c554e5e311fcacdfe55a37c235f609c

Download Submit
\Windows\SysWOW64\HIMYM.DLL

Filesize
92KB

MD5
70e3a27d55e6378cdf6d1d07b9dd0c93

SHA1
90728f727beb553fef6956e364ffa5b26d876509

SHA256
a5f259b7b1868afc2e06c1912c6fbfb392c7888f2e73d643b438df3400e9f4fb

SHA512
2fcab78b190402ce2369f063e723fa1b627a5534c16e6945aadc32c54c5d9302c195c2e47b24b36bd5dfa8fe9c6e23e62c554e5e311fcacdfe55a37c235f609c

Download Submit
memory/1600-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1600-55-0x0000000000400000-0x0000000000449200-memory.dmp

Filesize
292KB

Download
memory/1600-64-0x0000000000400000-0x0000000000449200-memory.dmp

Filesize
292KB

Download