c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8

Analysis

max time kernel
47s
max time network
53s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exe
Size

116KB
MD5

5d5267d68e5210c35cd6fd82cba6ab22
SHA1

b27b5b222bd9dcb471ecfdde387b995de1e1fb5b
SHA256

c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8
SHA512

468be95b63fb1bbe8725a63fc0380aa54dfc6f7e56c9e30b809547f61dafba7dad035eff4e1d31ee95b3500fcecfe327fc7ffe4204036604cbaf64d944cbaa34
SSDEEP

3072:2HejYMZvf/wfPv4B3JNVlLeqEDdHKgVx:psawf34BrrenDdqgVx

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 11 IoCs

Processes:

c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exeiptables.exeiptables.exeiptablex.exeiptablex.exeiptables.exeiptables.exeiptablex.exeiptables.exeiptablex.exeiptablex.exe

pid	process
1372	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exe
1248	iptables.exe
1896	iptables.exe
1716	iptablex.exe
1736	iptablex.exe
624	iptables.exe
2044	iptables.exe
1548	iptablex.exe
976	iptables.exe
1412	iptablex.exe
2032	iptablex.exe

Deletes itself 1 IoCs

Processes:

iptables.exe

pid process

976 iptables.exe

pid	process
976	iptables.exe

Loads dropped DLL 28 IoCs

Processes:

c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeiptables.exeiptablex.exeiptables.exeiptablex.exec22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exe

pid	process
1376	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exe
1376	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exe
1376	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exe
1376	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exe
1248	iptables.exe
1248	iptables.exe
1248	iptables.exe
1248	iptables.exe
1716	iptablex.exe
1716	iptablex.exe
1716	iptablex.exe
1716	iptablex.exe
624	iptables.exe
624	iptables.exe
624	iptables.exe
624	iptables.exe
1376	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exe
1376	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exe
1376	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exe
1376	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exe
1548	iptablex.exe
1548	iptablex.exe
1548	iptablex.exe
1548	iptablex.exe
1372	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exe
1372	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exe
1372	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exe
1372	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exe

Drops file in System32 directory 8 IoCs

Processes:

iptables.exeiptablex.exec22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exec22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exeiptables.exeiptablex.exe

description	ioc	process
File created	\??\c:\windows\SysWOW64\iptables.exe	iptables.exe
File created	\??\c:\windows\SysWOW64\iptablex.exe	iptablex.exe
File created	\??\c:\windows\SysWOW64\iptables.exe	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exe
File opened for modification	\??\c:\windows\SysWOW64\iptables.exe	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exe
File created	\??\c:\windows\SysWOW64\iptablex.exe	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exe
File opened for modification	\??\c:\windows\SysWOW64\iptablex.exe	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exe
File created	\??\c:\windows\SysWOW64\iptables.exe	iptables.exe
File created	\??\c:\windows\SysWOW64\iptablex.exe	iptablex.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 12 IoCs

Processes:

iptablex.exeiptables.exeiptablex.exeiptables.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	iptablex.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	iptables.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	iptables.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	iptablex.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	iptables.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	iptablex.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	iptablex.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	iptables.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	iptablex.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	iptablex.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	iptables.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	iptables.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exec22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exeiptables.exeiptables.exeiptablex.exeiptablex.exeiptables.exeiptables.exeiptables.exeiptablex.exeiptablex.exeiptablex.exe

pid	process
1376	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exe
1372	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exe
1248	iptables.exe
1896	iptables.exe
1716	iptablex.exe
1736	iptablex.exe
624	iptables.exe
2044	iptables.exe
976	iptables.exe
1548	iptablex.exe
1412	iptablex.exe
2032	iptablex.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeiptables.exeiptablex.exeiptables.exeiptablex.exec22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exe

description	pid	process	target process
PID 1376 wrote to memory of 1372	1376	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exe	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exe
PID 1376 wrote to memory of 1372	1376	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exe	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exe
PID 1376 wrote to memory of 1372	1376	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exe	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exe
PID 1376 wrote to memory of 1372	1376	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exe	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exe
PID 1248 wrote to memory of 1896	1248	iptables.exe	iptables.exe
PID 1248 wrote to memory of 1896	1248	iptables.exe	iptables.exe
PID 1248 wrote to memory of 1896	1248	iptables.exe	iptables.exe
PID 1248 wrote to memory of 1896	1248	iptables.exe	iptables.exe
PID 1716 wrote to memory of 1736	1716	iptablex.exe	iptablex.exe
PID 1716 wrote to memory of 1736	1716	iptablex.exe	iptablex.exe
PID 1716 wrote to memory of 1736	1716	iptablex.exe	iptablex.exe
PID 1716 wrote to memory of 1736	1716	iptablex.exe	iptablex.exe
PID 624 wrote to memory of 2044	624	iptables.exe	iptables.exe
PID 624 wrote to memory of 2044	624	iptables.exe	iptables.exe
PID 624 wrote to memory of 2044	624	iptables.exe	iptables.exe
PID 624 wrote to memory of 2044	624	iptables.exe	iptables.exe
PID 1376 wrote to memory of 976	1376	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exe	iptables.exe
PID 1376 wrote to memory of 976	1376	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exe	iptables.exe
PID 1376 wrote to memory of 976	1376	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exe	iptables.exe
PID 1376 wrote to memory of 976	1376	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exe	iptables.exe
PID 1548 wrote to memory of 1412	1548	iptablex.exe	iptablex.exe
PID 1548 wrote to memory of 1412	1548	iptablex.exe	iptablex.exe
PID 1548 wrote to memory of 1412	1548	iptablex.exe	iptablex.exe
PID 1548 wrote to memory of 1412	1548	iptablex.exe	iptablex.exe
PID 1372 wrote to memory of 2032	1372	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exe	iptablex.exe
PID 1372 wrote to memory of 2032	1372	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exe	iptablex.exe
PID 1372 wrote to memory of 2032	1372	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exe	iptablex.exe
PID 1372 wrote to memory of 2032	1372	c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exe	iptablex.exe

C:\Users\Admin\AppData\Local\Temp\c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exe
"C:\Users\Admin\AppData\Local\Temp\c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Local\Temp\c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exe
"C:\Users\Admin\AppData\Local\Temp\c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1372

C:\windows\SysWOW64\iptablex.exe
"C:\windows\system32\iptablex.exe" rcdelc:\users\admin\appdata\local\temp\c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exebcfwred.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2032

C:\windows\SysWOW64\iptables.exe
"C:\windows\system32\iptables.exe" rcdelc:\users\admin\appdata\local\temp\c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
PID:976

C:\Windows\SysWOW64\iptables.exe
C:\Windows\SysWOW64\iptables.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1248

C:\windows\SysWOW64\iptables.exe
"C:\windows\system32\iptables.exe" rcdelc:\windows\syswow64\iptables.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1896

C:\Windows\SysWOW64\iptablex.exe
C:\Windows\SysWOW64\iptablex.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1716

C:\windows\SysWOW64\iptablex.exe
"C:\windows\system32\iptablex.exe" rcdelc:\windows\syswow64\iptablex.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1736

C:\Windows\SysWOW64\iptables.exe
C:\Windows\SysWOW64\iptables.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:624

C:\windows\SysWOW64\iptables.exe
"C:\windows\system32\iptables.exe" rcdelc:\windows\syswow64\iptables.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2044

C:\Windows\SysWOW64\iptablex.exe
C:\Windows\SysWOW64\iptablex.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1548

C:\windows\SysWOW64\iptablex.exe
"C:\windows\system32\iptablex.exe" rcdelc:\windows\syswow64\iptablex.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1412

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exe
Filesize
72KB

MD5
0e8df52f72d37da560281baba82a727c

SHA1
2e99381d6458c75aaf0cf2ae64fcdcc55614be49

SHA256
8df33db58ea2c9ac0dcb255b582bd293782cdf908f86f3084f108cff545b4331

SHA512
449f722f39a461330c05babbca8670ff553e782af9ec52ee92d23336c23d495b40306f8ba16492f564868ee2be5114456b2bf19a978b9209c481f87f9974a801

Download Submit
C:\Windows\SysWOW64\iptables.exe
Filesize
116KB

MD5
5d5267d68e5210c35cd6fd82cba6ab22

SHA1
b27b5b222bd9dcb471ecfdde387b995de1e1fb5b

SHA256
c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8

SHA512
468be95b63fb1bbe8725a63fc0380aa54dfc6f7e56c9e30b809547f61dafba7dad035eff4e1d31ee95b3500fcecfe327fc7ffe4204036604cbaf64d944cbaa34

Download Submit
C:\Windows\SysWOW64\iptables.exe
Filesize
116KB

MD5
5d5267d68e5210c35cd6fd82cba6ab22

SHA1
b27b5b222bd9dcb471ecfdde387b995de1e1fb5b

SHA256
c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8

SHA512
468be95b63fb1bbe8725a63fc0380aa54dfc6f7e56c9e30b809547f61dafba7dad035eff4e1d31ee95b3500fcecfe327fc7ffe4204036604cbaf64d944cbaa34

Download Submit
C:\Windows\SysWOW64\iptables.exe
Filesize
116KB

MD5
5d5267d68e5210c35cd6fd82cba6ab22

SHA1
b27b5b222bd9dcb471ecfdde387b995de1e1fb5b

SHA256
c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8

SHA512
468be95b63fb1bbe8725a63fc0380aa54dfc6f7e56c9e30b809547f61dafba7dad035eff4e1d31ee95b3500fcecfe327fc7ffe4204036604cbaf64d944cbaa34

Download Submit
C:\Windows\SysWOW64\iptables.exe
Filesize
116KB

MD5
5d5267d68e5210c35cd6fd82cba6ab22

SHA1
b27b5b222bd9dcb471ecfdde387b995de1e1fb5b

SHA256
c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8

SHA512
468be95b63fb1bbe8725a63fc0380aa54dfc6f7e56c9e30b809547f61dafba7dad035eff4e1d31ee95b3500fcecfe327fc7ffe4204036604cbaf64d944cbaa34

Download Submit
C:\Windows\SysWOW64\iptables.exe
Filesize
116KB

MD5
5d5267d68e5210c35cd6fd82cba6ab22

SHA1
b27b5b222bd9dcb471ecfdde387b995de1e1fb5b

SHA256
c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8

SHA512
468be95b63fb1bbe8725a63fc0380aa54dfc6f7e56c9e30b809547f61dafba7dad035eff4e1d31ee95b3500fcecfe327fc7ffe4204036604cbaf64d944cbaa34

Download Submit
C:\Windows\SysWOW64\iptablex.exe
Filesize
72KB

MD5
0e8df52f72d37da560281baba82a727c

SHA1
2e99381d6458c75aaf0cf2ae64fcdcc55614be49

SHA256
8df33db58ea2c9ac0dcb255b582bd293782cdf908f86f3084f108cff545b4331

SHA512
449f722f39a461330c05babbca8670ff553e782af9ec52ee92d23336c23d495b40306f8ba16492f564868ee2be5114456b2bf19a978b9209c481f87f9974a801

Download Submit
C:\Windows\SysWOW64\iptablex.exe
Filesize
72KB

MD5
0e8df52f72d37da560281baba82a727c

SHA1
2e99381d6458c75aaf0cf2ae64fcdcc55614be49

SHA256
8df33db58ea2c9ac0dcb255b582bd293782cdf908f86f3084f108cff545b4331

SHA512
449f722f39a461330c05babbca8670ff553e782af9ec52ee92d23336c23d495b40306f8ba16492f564868ee2be5114456b2bf19a978b9209c481f87f9974a801

Download Submit
C:\Windows\SysWOW64\iptablex.exe
Filesize
72KB

MD5
0e8df52f72d37da560281baba82a727c

SHA1
2e99381d6458c75aaf0cf2ae64fcdcc55614be49

SHA256
8df33db58ea2c9ac0dcb255b582bd293782cdf908f86f3084f108cff545b4331

SHA512
449f722f39a461330c05babbca8670ff553e782af9ec52ee92d23336c23d495b40306f8ba16492f564868ee2be5114456b2bf19a978b9209c481f87f9974a801

Download Submit
C:\Windows\SysWOW64\iptablex.exe
Filesize
72KB

MD5
0e8df52f72d37da560281baba82a727c

SHA1
2e99381d6458c75aaf0cf2ae64fcdcc55614be49

SHA256
8df33db58ea2c9ac0dcb255b582bd293782cdf908f86f3084f108cff545b4331

SHA512
449f722f39a461330c05babbca8670ff553e782af9ec52ee92d23336c23d495b40306f8ba16492f564868ee2be5114456b2bf19a978b9209c481f87f9974a801

Download Submit
C:\Windows\SysWOW64\iptablex.exe
Filesize
72KB

MD5
0e8df52f72d37da560281baba82a727c

SHA1
2e99381d6458c75aaf0cf2ae64fcdcc55614be49

SHA256
8df33db58ea2c9ac0dcb255b582bd293782cdf908f86f3084f108cff545b4331

SHA512
449f722f39a461330c05babbca8670ff553e782af9ec52ee92d23336c23d495b40306f8ba16492f564868ee2be5114456b2bf19a978b9209c481f87f9974a801

Download Submit
\??\c:\users\admin\appdata\local\temp\c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exebcfwred.exe
Filesize
72KB

MD5
0e8df52f72d37da560281baba82a727c

SHA1
2e99381d6458c75aaf0cf2ae64fcdcc55614be49

SHA256
8df33db58ea2c9ac0dcb255b582bd293782cdf908f86f3084f108cff545b4331

SHA512
449f722f39a461330c05babbca8670ff553e782af9ec52ee92d23336c23d495b40306f8ba16492f564868ee2be5114456b2bf19a978b9209c481f87f9974a801

Download Submit
\??\c:\windows\SysWOW64\iptables.exe
Filesize
116KB

MD5
5d5267d68e5210c35cd6fd82cba6ab22

SHA1
b27b5b222bd9dcb471ecfdde387b995de1e1fb5b

SHA256
c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8

SHA512
468be95b63fb1bbe8725a63fc0380aa54dfc6f7e56c9e30b809547f61dafba7dad035eff4e1d31ee95b3500fcecfe327fc7ffe4204036604cbaf64d944cbaa34

Download Submit
\??\c:\windows\SysWOW64\iptablex.exe
Filesize
72KB

MD5
0e8df52f72d37da560281baba82a727c

SHA1
2e99381d6458c75aaf0cf2ae64fcdcc55614be49

SHA256
8df33db58ea2c9ac0dcb255b582bd293782cdf908f86f3084f108cff545b4331

SHA512
449f722f39a461330c05babbca8670ff553e782af9ec52ee92d23336c23d495b40306f8ba16492f564868ee2be5114456b2bf19a978b9209c481f87f9974a801

Download Submit
\Users\Admin\AppData\Local\Temp\c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exe
Filesize
72KB

MD5
0e8df52f72d37da560281baba82a727c

SHA1
2e99381d6458c75aaf0cf2ae64fcdcc55614be49

SHA256
8df33db58ea2c9ac0dcb255b582bd293782cdf908f86f3084f108cff545b4331

SHA512
449f722f39a461330c05babbca8670ff553e782af9ec52ee92d23336c23d495b40306f8ba16492f564868ee2be5114456b2bf19a978b9209c481f87f9974a801

Download Submit
\Users\Admin\AppData\Local\Temp\c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exe
Filesize
72KB

MD5
0e8df52f72d37da560281baba82a727c

SHA1
2e99381d6458c75aaf0cf2ae64fcdcc55614be49

SHA256
8df33db58ea2c9ac0dcb255b582bd293782cdf908f86f3084f108cff545b4331

SHA512
449f722f39a461330c05babbca8670ff553e782af9ec52ee92d23336c23d495b40306f8ba16492f564868ee2be5114456b2bf19a978b9209c481f87f9974a801

Download Submit
\Users\Admin\AppData\Local\Temp\c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exe
Filesize
72KB

MD5
0e8df52f72d37da560281baba82a727c

SHA1
2e99381d6458c75aaf0cf2ae64fcdcc55614be49

SHA256
8df33db58ea2c9ac0dcb255b582bd293782cdf908f86f3084f108cff545b4331

SHA512
449f722f39a461330c05babbca8670ff553e782af9ec52ee92d23336c23d495b40306f8ba16492f564868ee2be5114456b2bf19a978b9209c481f87f9974a801

Download Submit
\Users\Admin\AppData\Local\Temp\c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8.exeBCfWrED.exe
Filesize
72KB

MD5
0e8df52f72d37da560281baba82a727c

SHA1
2e99381d6458c75aaf0cf2ae64fcdcc55614be49

SHA256
8df33db58ea2c9ac0dcb255b582bd293782cdf908f86f3084f108cff545b4331

SHA512
449f722f39a461330c05babbca8670ff553e782af9ec52ee92d23336c23d495b40306f8ba16492f564868ee2be5114456b2bf19a978b9209c481f87f9974a801

Download Submit
\Windows\SysWOW64\iptables.exe
Filesize
116KB

MD5
5d5267d68e5210c35cd6fd82cba6ab22

SHA1
b27b5b222bd9dcb471ecfdde387b995de1e1fb5b

SHA256
c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8

SHA512
468be95b63fb1bbe8725a63fc0380aa54dfc6f7e56c9e30b809547f61dafba7dad035eff4e1d31ee95b3500fcecfe327fc7ffe4204036604cbaf64d944cbaa34

Download Submit
\Windows\SysWOW64\iptables.exe
Filesize
116KB

MD5
5d5267d68e5210c35cd6fd82cba6ab22

SHA1
b27b5b222bd9dcb471ecfdde387b995de1e1fb5b

SHA256
c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8

SHA512
468be95b63fb1bbe8725a63fc0380aa54dfc6f7e56c9e30b809547f61dafba7dad035eff4e1d31ee95b3500fcecfe327fc7ffe4204036604cbaf64d944cbaa34

Download Submit
\Windows\SysWOW64\iptables.exe
Filesize
116KB

MD5
5d5267d68e5210c35cd6fd82cba6ab22

SHA1
b27b5b222bd9dcb471ecfdde387b995de1e1fb5b

SHA256
c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8

SHA512
468be95b63fb1bbe8725a63fc0380aa54dfc6f7e56c9e30b809547f61dafba7dad035eff4e1d31ee95b3500fcecfe327fc7ffe4204036604cbaf64d944cbaa34

Download Submit
\Windows\SysWOW64\iptables.exe
Filesize
116KB

MD5
5d5267d68e5210c35cd6fd82cba6ab22

SHA1
b27b5b222bd9dcb471ecfdde387b995de1e1fb5b

SHA256
c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8

SHA512
468be95b63fb1bbe8725a63fc0380aa54dfc6f7e56c9e30b809547f61dafba7dad035eff4e1d31ee95b3500fcecfe327fc7ffe4204036604cbaf64d944cbaa34

Download Submit
\Windows\SysWOW64\iptables.exe
Filesize
116KB

MD5
5d5267d68e5210c35cd6fd82cba6ab22

SHA1
b27b5b222bd9dcb471ecfdde387b995de1e1fb5b

SHA256
c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8

SHA512
468be95b63fb1bbe8725a63fc0380aa54dfc6f7e56c9e30b809547f61dafba7dad035eff4e1d31ee95b3500fcecfe327fc7ffe4204036604cbaf64d944cbaa34

Download Submit
\Windows\SysWOW64\iptables.exe
Filesize
116KB

MD5
5d5267d68e5210c35cd6fd82cba6ab22

SHA1
b27b5b222bd9dcb471ecfdde387b995de1e1fb5b

SHA256
c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8

SHA512
468be95b63fb1bbe8725a63fc0380aa54dfc6f7e56c9e30b809547f61dafba7dad035eff4e1d31ee95b3500fcecfe327fc7ffe4204036604cbaf64d944cbaa34

Download Submit
\Windows\SysWOW64\iptables.exe
Filesize
116KB

MD5
5d5267d68e5210c35cd6fd82cba6ab22

SHA1
b27b5b222bd9dcb471ecfdde387b995de1e1fb5b

SHA256
c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8

SHA512
468be95b63fb1bbe8725a63fc0380aa54dfc6f7e56c9e30b809547f61dafba7dad035eff4e1d31ee95b3500fcecfe327fc7ffe4204036604cbaf64d944cbaa34

Download Submit
\Windows\SysWOW64\iptables.exe
Filesize
116KB

MD5
5d5267d68e5210c35cd6fd82cba6ab22

SHA1
b27b5b222bd9dcb471ecfdde387b995de1e1fb5b

SHA256
c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8

SHA512
468be95b63fb1bbe8725a63fc0380aa54dfc6f7e56c9e30b809547f61dafba7dad035eff4e1d31ee95b3500fcecfe327fc7ffe4204036604cbaf64d944cbaa34

Download Submit
\Windows\SysWOW64\iptables.exe
Filesize
116KB

MD5
5d5267d68e5210c35cd6fd82cba6ab22

SHA1
b27b5b222bd9dcb471ecfdde387b995de1e1fb5b

SHA256
c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8

SHA512
468be95b63fb1bbe8725a63fc0380aa54dfc6f7e56c9e30b809547f61dafba7dad035eff4e1d31ee95b3500fcecfe327fc7ffe4204036604cbaf64d944cbaa34

Download Submit
\Windows\SysWOW64\iptables.exe
Filesize
116KB

MD5
5d5267d68e5210c35cd6fd82cba6ab22

SHA1
b27b5b222bd9dcb471ecfdde387b995de1e1fb5b

SHA256
c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8

SHA512
468be95b63fb1bbe8725a63fc0380aa54dfc6f7e56c9e30b809547f61dafba7dad035eff4e1d31ee95b3500fcecfe327fc7ffe4204036604cbaf64d944cbaa34

Download Submit
\Windows\SysWOW64\iptables.exe
Filesize
116KB

MD5
5d5267d68e5210c35cd6fd82cba6ab22

SHA1
b27b5b222bd9dcb471ecfdde387b995de1e1fb5b

SHA256
c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8

SHA512
468be95b63fb1bbe8725a63fc0380aa54dfc6f7e56c9e30b809547f61dafba7dad035eff4e1d31ee95b3500fcecfe327fc7ffe4204036604cbaf64d944cbaa34

Download Submit
\Windows\SysWOW64\iptables.exe
Filesize
116KB

MD5
5d5267d68e5210c35cd6fd82cba6ab22

SHA1
b27b5b222bd9dcb471ecfdde387b995de1e1fb5b

SHA256
c22a9814d1dfe7bd2cf75c3e15c3c8c555ed94a2db99966a39f9701301a34cb8

SHA512
468be95b63fb1bbe8725a63fc0380aa54dfc6f7e56c9e30b809547f61dafba7dad035eff4e1d31ee95b3500fcecfe327fc7ffe4204036604cbaf64d944cbaa34

Download Submit
\Windows\SysWOW64\iptablex.exe
Filesize
72KB

MD5
0e8df52f72d37da560281baba82a727c

SHA1
2e99381d6458c75aaf0cf2ae64fcdcc55614be49

SHA256
8df33db58ea2c9ac0dcb255b582bd293782cdf908f86f3084f108cff545b4331

SHA512
449f722f39a461330c05babbca8670ff553e782af9ec52ee92d23336c23d495b40306f8ba16492f564868ee2be5114456b2bf19a978b9209c481f87f9974a801

Download Submit
\Windows\SysWOW64\iptablex.exe
Filesize
72KB

MD5
0e8df52f72d37da560281baba82a727c

SHA1
2e99381d6458c75aaf0cf2ae64fcdcc55614be49

SHA256
8df33db58ea2c9ac0dcb255b582bd293782cdf908f86f3084f108cff545b4331

SHA512
449f722f39a461330c05babbca8670ff553e782af9ec52ee92d23336c23d495b40306f8ba16492f564868ee2be5114456b2bf19a978b9209c481f87f9974a801

Download Submit
\Windows\SysWOW64\iptablex.exe
Filesize
72KB

MD5
0e8df52f72d37da560281baba82a727c

SHA1
2e99381d6458c75aaf0cf2ae64fcdcc55614be49

SHA256
8df33db58ea2c9ac0dcb255b582bd293782cdf908f86f3084f108cff545b4331

SHA512
449f722f39a461330c05babbca8670ff553e782af9ec52ee92d23336c23d495b40306f8ba16492f564868ee2be5114456b2bf19a978b9209c481f87f9974a801

Download Submit
\Windows\SysWOW64\iptablex.exe
Filesize
72KB

MD5
0e8df52f72d37da560281baba82a727c

SHA1
2e99381d6458c75aaf0cf2ae64fcdcc55614be49

SHA256
8df33db58ea2c9ac0dcb255b582bd293782cdf908f86f3084f108cff545b4331

SHA512
449f722f39a461330c05babbca8670ff553e782af9ec52ee92d23336c23d495b40306f8ba16492f564868ee2be5114456b2bf19a978b9209c481f87f9974a801

Download Submit
\Windows\SysWOW64\iptablex.exe
Filesize
72KB

MD5
0e8df52f72d37da560281baba82a727c

SHA1
2e99381d6458c75aaf0cf2ae64fcdcc55614be49

SHA256
8df33db58ea2c9ac0dcb255b582bd293782cdf908f86f3084f108cff545b4331

SHA512
449f722f39a461330c05babbca8670ff553e782af9ec52ee92d23336c23d495b40306f8ba16492f564868ee2be5114456b2bf19a978b9209c481f87f9974a801

Download Submit
\Windows\SysWOW64\iptablex.exe
Filesize
72KB

MD5
0e8df52f72d37da560281baba82a727c

SHA1
2e99381d6458c75aaf0cf2ae64fcdcc55614be49

SHA256
8df33db58ea2c9ac0dcb255b582bd293782cdf908f86f3084f108cff545b4331

SHA512
449f722f39a461330c05babbca8670ff553e782af9ec52ee92d23336c23d495b40306f8ba16492f564868ee2be5114456b2bf19a978b9209c481f87f9974a801

Download Submit
\Windows\SysWOW64\iptablex.exe
Filesize
72KB

MD5
0e8df52f72d37da560281baba82a727c

SHA1
2e99381d6458c75aaf0cf2ae64fcdcc55614be49

SHA256
8df33db58ea2c9ac0dcb255b582bd293782cdf908f86f3084f108cff545b4331

SHA512
449f722f39a461330c05babbca8670ff553e782af9ec52ee92d23336c23d495b40306f8ba16492f564868ee2be5114456b2bf19a978b9209c481f87f9974a801

Download Submit
\Windows\SysWOW64\iptablex.exe
Filesize
72KB

MD5
0e8df52f72d37da560281baba82a727c

SHA1
2e99381d6458c75aaf0cf2ae64fcdcc55614be49

SHA256
8df33db58ea2c9ac0dcb255b582bd293782cdf908f86f3084f108cff545b4331

SHA512
449f722f39a461330c05babbca8670ff553e782af9ec52ee92d23336c23d495b40306f8ba16492f564868ee2be5114456b2bf19a978b9209c481f87f9974a801

Download Submit
\Windows\SysWOW64\iptablex.exe
Filesize
72KB

MD5
0e8df52f72d37da560281baba82a727c

SHA1
2e99381d6458c75aaf0cf2ae64fcdcc55614be49

SHA256
8df33db58ea2c9ac0dcb255b582bd293782cdf908f86f3084f108cff545b4331

SHA512
449f722f39a461330c05babbca8670ff553e782af9ec52ee92d23336c23d495b40306f8ba16492f564868ee2be5114456b2bf19a978b9209c481f87f9974a801

Download Submit
\Windows\SysWOW64\iptablex.exe
Filesize
72KB

MD5
0e8df52f72d37da560281baba82a727c

SHA1
2e99381d6458c75aaf0cf2ae64fcdcc55614be49

SHA256
8df33db58ea2c9ac0dcb255b582bd293782cdf908f86f3084f108cff545b4331

SHA512
449f722f39a461330c05babbca8670ff553e782af9ec52ee92d23336c23d495b40306f8ba16492f564868ee2be5114456b2bf19a978b9209c481f87f9974a801

Download Submit
\Windows\SysWOW64\iptablex.exe
Filesize
72KB

MD5
0e8df52f72d37da560281baba82a727c

SHA1
2e99381d6458c75aaf0cf2ae64fcdcc55614be49

SHA256
8df33db58ea2c9ac0dcb255b582bd293782cdf908f86f3084f108cff545b4331

SHA512
449f722f39a461330c05babbca8670ff553e782af9ec52ee92d23336c23d495b40306f8ba16492f564868ee2be5114456b2bf19a978b9209c481f87f9974a801

Download Submit
\Windows\SysWOW64\iptablex.exe
Filesize
72KB

MD5
0e8df52f72d37da560281baba82a727c

SHA1
2e99381d6458c75aaf0cf2ae64fcdcc55614be49

SHA256
8df33db58ea2c9ac0dcb255b582bd293782cdf908f86f3084f108cff545b4331

SHA512
449f722f39a461330c05babbca8670ff553e782af9ec52ee92d23336c23d495b40306f8ba16492f564868ee2be5114456b2bf19a978b9209c481f87f9974a801

Download Submit
memory/976-98-0x0000000000000000-mapping.dmp

Download
memory/1372-59-0x0000000000000000-mapping.dmp

Download
memory/1376-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1412-105-0x0000000000000000-mapping.dmp

Download
memory/1736-80-0x0000000000000000-mapping.dmp

Download
memory/1896-70-0x0000000000000000-mapping.dmp

Download
memory/2032-112-0x0000000000000000-mapping.dmp

Download
memory/2044-89-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads