04db19df5fae1fbfb6e5f67009afb9411f44ca41c4cfc1d830f94ea9970bfef2

Analysis

max time kernel
156s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04db19df5fae1fbfb6e5f67009afb9411f44ca41c4cfc1d830f94ea9970bfef2.exe
Size

279KB
MD5

bc9df4c9daeba8f0e22fd279dcedf279
SHA1

985fbcb13f0cbc938d6340354ae643836e35511c
SHA256

04db19df5fae1fbfb6e5f67009afb9411f44ca41c4cfc1d830f94ea9970bfef2
SHA512

176592dfab69649da78ac70537ead27a0d5c59a1a46d1071fa405cfe99d10e7253000443381eef6b4599ce7021c1f2aa9c5162d9348076b28ca1c881f89b008c
SSDEEP

6144:PXhaVAhAD4U5lbVe/bZdkvFpO+2wFHO+v/5XXglx:PxaVAh64U5lEF2vFpO+2wFHO+5XXmx

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
1864	CTF.exe
4900	del.exe
2244	ctf3.exe
2980	smss.exe
1852	autoctf.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000023162-133.dat	upx
behavioral2/files/0x0006000000023162-134.dat	upx
behavioral2/memory/1864-135-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/1864-137-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/files/0x000700000002315f-139.dat	upx
behavioral2/memory/4900-140-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/files/0x000700000002315f-142.dat	upx
behavioral2/memory/4900-152-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/1864-158-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	ctf3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	autoctf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	04db19df5fae1fbfb6e5f67009afb9411f44ca41c4cfc1d830f94ea9970bfef2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	CTF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	del.exe

Loads dropped DLL 1 IoCs

pid	Process
2980	smss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\New Value #1 = "C:\\WINDOWS\\system32\\CTF\\CTF.exe"	regedit.exe

Drops file in System32 directory 23 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\CTF\ctfs.dll	04db19df5fae1fbfb6e5f67009afb9411f44ca41c4cfc1d830f94ea9970bfef2.exe
File created	C:\WINDOWS\SysWOW64\CTF\Serial.key	04db19df5fae1fbfb6e5f67009afb9411f44ca41c4cfc1d830f94ea9970bfef2.exe
File opened for modification	C:\Windows\SysWOW64\CTF\ctfmon.txt	smss.exe
File created	C:\WINDOWS\SysWOW64\CTF\ctf3.exe	04db19df5fae1fbfb6e5f67009afb9411f44ca41c4cfc1d830f94ea9970bfef2.exe
File opened for modification	C:\WINDOWS\SysWOW64\CTF\ctf3.exe	04db19df5fae1fbfb6e5f67009afb9411f44ca41c4cfc1d830f94ea9970bfef2.exe
File created	C:\WINDOWS\SysWOW64\CTF\ctfmon.txt	04db19df5fae1fbfb6e5f67009afb9411f44ca41c4cfc1d830f94ea9970bfef2.exe
File created	C:\WINDOWS\SysWOW64\CTF\ResetSettings.bat	04db19df5fae1fbfb6e5f67009afb9411f44ca41c4cfc1d830f94ea9970bfef2.exe
File created	C:\WINDOWS\SysWOW64\__tmp_rar_sfx_access_check_240597906	04db19df5fae1fbfb6e5f67009afb9411f44ca41c4cfc1d830f94ea9970bfef2.exe
File opened for modification	C:\WINDOWS\SysWOW64\CTF\CTF.exe	04db19df5fae1fbfb6e5f67009afb9411f44ca41c4cfc1d830f94ea9970bfef2.exe
File opened for modification	C:\WINDOWS\SysWOW64\CTF\ctfmon.txt	04db19df5fae1fbfb6e5f67009afb9411f44ca41c4cfc1d830f94ea9970bfef2.exe
File opened for modification	C:\WINDOWS\SysWOW64\CTF	04db19df5fae1fbfb6e5f67009afb9411f44ca41c4cfc1d830f94ea9970bfef2.exe
File created	C:\WINDOWS\SysWOW64\CTF\CTF.exe	04db19df5fae1fbfb6e5f67009afb9411f44ca41c4cfc1d830f94ea9970bfef2.exe
File created	C:\WINDOWS\SysWOW64\CTF\ctfmon.dll	04db19df5fae1fbfb6e5f67009afb9411f44ca41c4cfc1d830f94ea9970bfef2.exe
File opened for modification	C:\WINDOWS\SysWOW64\CTF\ctfs.dll	04db19df5fae1fbfb6e5f67009afb9411f44ca41c4cfc1d830f94ea9970bfef2.exe
File opened for modification	C:\WINDOWS\SysWOW64\CTF\ResetSettings.bat	04db19df5fae1fbfb6e5f67009afb9411f44ca41c4cfc1d830f94ea9970bfef2.exe
File created	C:\WINDOWS\SysWOW64\del.exe	04db19df5fae1fbfb6e5f67009afb9411f44ca41c4cfc1d830f94ea9970bfef2.exe
File opened for modification	C:\WINDOWS\SysWOW64\del.exe	04db19df5fae1fbfb6e5f67009afb9411f44ca41c4cfc1d830f94ea9970bfef2.exe
File opened for modification	C:\WINDOWS\SysWOW64\CTF\autoctf.exe	04db19df5fae1fbfb6e5f67009afb9411f44ca41c4cfc1d830f94ea9970bfef2.exe
File opened for modification	C:\WINDOWS\SysWOW64\CTF\Serial.key	04db19df5fae1fbfb6e5f67009afb9411f44ca41c4cfc1d830f94ea9970bfef2.exe
File created	C:\WINDOWS\SysWOW64\CTF\smss.exe	04db19df5fae1fbfb6e5f67009afb9411f44ca41c4cfc1d830f94ea9970bfef2.exe
File opened for modification	C:\WINDOWS\SysWOW64\CTF\smss.exe	04db19df5fae1fbfb6e5f67009afb9411f44ca41c4cfc1d830f94ea9970bfef2.exe
File created	C:\WINDOWS\SysWOW64\CTF\autoctf.exe	04db19df5fae1fbfb6e5f67009afb9411f44ca41c4cfc1d830f94ea9970bfef2.exe
File opened for modification	C:\WINDOWS\SysWOW64\CTF\ctfmon.dll	04db19df5fae1fbfb6e5f67009afb9411f44ca41c4cfc1d830f94ea9970bfef2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4440	reg.exe

Runs .reg file with regedit 2 IoCs

pid	Process
4932	regedit.exe
3816	regedit.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2304	PING.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2980	smss.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 1864	208	04db19df5fae1fbfb6e5f67009afb9411f44ca41c4cfc1d830f94ea9970bfef2.exe	82
PID 208 wrote to memory of 1864	208	04db19df5fae1fbfb6e5f67009afb9411f44ca41c4cfc1d830f94ea9970bfef2.exe	82
PID 208 wrote to memory of 1864	208	04db19df5fae1fbfb6e5f67009afb9411f44ca41c4cfc1d830f94ea9970bfef2.exe	82
PID 1864 wrote to memory of 4268	1864	CTF.exe	84
PID 1864 wrote to memory of 4268	1864	CTF.exe	84
PID 1864 wrote to memory of 4268	1864	CTF.exe	84
PID 208 wrote to memory of 4900	208	04db19df5fae1fbfb6e5f67009afb9411f44ca41c4cfc1d830f94ea9970bfef2.exe	86
PID 208 wrote to memory of 4900	208	04db19df5fae1fbfb6e5f67009afb9411f44ca41c4cfc1d830f94ea9970bfef2.exe	86
PID 208 wrote to memory of 4900	208	04db19df5fae1fbfb6e5f67009afb9411f44ca41c4cfc1d830f94ea9970bfef2.exe	86
PID 4268 wrote to memory of 2244	4268	cmd.exe	88
PID 4268 wrote to memory of 2244	4268	cmd.exe	88
PID 4268 wrote to memory of 2244	4268	cmd.exe	88
PID 4268 wrote to memory of 2304	4268	cmd.exe	89
PID 4268 wrote to memory of 2304	4268	cmd.exe	89
PID 4268 wrote to memory of 2304	4268	cmd.exe	89
PID 4900 wrote to memory of 4020	4900	del.exe	90
PID 4900 wrote to memory of 4020	4900	del.exe	90
PID 4900 wrote to memory of 4020	4900	del.exe	90
PID 2244 wrote to memory of 4932	2244	ctf3.exe	93
PID 2244 wrote to memory of 4932	2244	ctf3.exe	93
PID 2244 wrote to memory of 4932	2244	ctf3.exe	93
PID 4020 wrote to memory of 4440	4020	cmd.exe	94
PID 4020 wrote to memory of 4440	4020	cmd.exe	94
PID 4020 wrote to memory of 4440	4020	cmd.exe	94
PID 4268 wrote to memory of 2980	4268	cmd.exe	95
PID 4268 wrote to memory of 2980	4268	cmd.exe	95
PID 4268 wrote to memory of 2980	4268	cmd.exe	95
PID 4268 wrote to memory of 1852	4268	cmd.exe	96
PID 4268 wrote to memory of 1852	4268	cmd.exe	96
PID 4268 wrote to memory of 1852	4268	cmd.exe	96
PID 1852 wrote to memory of 3816	1852	autoctf.exe	97
PID 1852 wrote to memory of 3816	1852	autoctf.exe	97
PID 1852 wrote to memory of 3816	1852	autoctf.exe	97

C:\Users\Admin\AppData\Local\Temp\04db19df5fae1fbfb6e5f67009afb9411f44ca41c4cfc1d830f94ea9970bfef2.exe
"C:\Users\Admin\AppData\Local\Temp\04db19df5fae1fbfb6e5f67009afb9411f44ca41c4cfc1d830f94ea9970bfef2.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:208
- C:\WINDOWS\SysWOW64\CTF\CTF.exe
  "C:\WINDOWS\system32\CTF\CTF.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7119.tmp\run.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4268
  - - C:\Windows\SysWOW64\CTF\ctf3.exe
      ctf3.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:2244
    - - C:\Windows\SysWOW64\regedit.exe
        
        "C:\Windows\System32\regedit.exe" /S ctf3.reg
        5⤵
        Runs .reg file with regedit
        
        PID:4932
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 7 -w 1000 0.0.0.1
      4⤵
      Runs ping.exe
      PID:2304
  - - C:\Windows\SysWOW64\CTF\smss.exe
      smss.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of SetWindowsHookEx
      PID:2980
  - - C:\Windows\SysWOW64\CTF\autoctf.exe
      autoctf.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:1852
    - - C:\Windows\SysWOW64\regedit.exe
        
        "C:\Windows\System32\regedit.exe" /S autoctf.reg
        5⤵
        Adds Run key to start application
        Runs .reg file with regedit
        
        PID:3816
- C:\Windows\SysWOW64\del.exe
  "C:\Windows\System32\del.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9078.tmp\New Text Document.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4020
  - - C:\WINDOWS\SysWOW64\reg.exe
      reg delete hkcu\Software\Microsoft\Windows\CurrentVersion\Run /v smss /f
      4⤵
      Modifies registry key
      PID:4440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7119.tmp\run.bat

Filesize
167B

MD5
23c742a0dd05d1c5c3cb491f011c47b2

SHA1
c90d489b2074c7481777c249f1e676f125ab858c

SHA256
be18c4bc39e9a5cb999dff957db57e5b73ae365ac476837c101cc619e4dca245

SHA512
277e0bb630b4432917a9615a77daeb20a04a03e7940aae3dbc5f90a57ef1903260f5f92014853f1906b12cadacb5635c25bd2fe0cd6e15aba8b3bcd29a60feae

Download Submit
C:\Users\Admin\AppData\Local\Temp\9078.tmp\New Text Document.bat

Filesize
74B

MD5
f68f3e847b69c000f38ea47c43419891

SHA1
8a973ad57faf100fb033a16dc7f57058a20e4f03

SHA256
bb9602274888272b06af4ec816ec527c71995073a3a7b3c52a5f14d4ab9ab189

SHA512
8e08bf24c878d0956e3848f099a82cedbb5401a3040fa67186cba254090a1efa3400b781556c4374fcc4501f08fada9c9dc891f86165d97ec6e2eeab18db1182

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\autoctf.reg

Filesize
336B

MD5
a70626b5121b6b0ba1d9ac58c970e845

SHA1
15b63a3ce6e6f0b529e54b09c5550f5c669cdf9c

SHA256
fe20600459bd20ae94c26c3e38d8f355a1a09fa843b4bad0cfe6c4f43a8aea86

SHA512
7a4fd795e57df5a1803ff369cc71b721a78b337f2a358dfd4351906ae3345df54750d7fa5c8295988626b266cb55f16f0edcaf78686c663992f1b149842f160c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ctf3.reg

Filesize
454B

MD5
c6ccd8576e4a03c3e4668ace88fa7598

SHA1
5e8ec1ed1746c46b9ec1e8551c1242372b3b6109

SHA256
253230775274e02edd13e1d0910ee15ab03fc91039337e3d2fd02f2b4787a1af

SHA512
fb886be5eb90c018dbee3c391f200e1aededb3bf45df21213109d3808c5001ed07f68e930159dba44973ff6888773f7fdf2cb6cc378e70786083f9481ed9d1ff

Download Submit
C:\WINDOWS\SysWOW64\CTF\CTF.exe

Filesize
21KB

MD5
78bfaa89a13020d197a51b6078b1f22f

SHA1
2c03dc9059dc4e28192370756a9d11399f0e4126

SHA256
46973437a5176807b64f5f0af53dff77611dedaaf0ed17bdebd6c325588bb6e7

SHA512
049fd149bce99f6dd8e29b9ef0556de3aef7bc042056023972a2e4c3bf457ad408f89a833611180ab3a622b2c475a725c6a48696b4a0b21b6f4a5f5809ec60d1

Download Submit
C:\Windows\SysWOW64\CTF\CTF.exe

Filesize
21KB

MD5
78bfaa89a13020d197a51b6078b1f22f

SHA1
2c03dc9059dc4e28192370756a9d11399f0e4126

SHA256
46973437a5176807b64f5f0af53dff77611dedaaf0ed17bdebd6c325588bb6e7

SHA512
049fd149bce99f6dd8e29b9ef0556de3aef7bc042056023972a2e4c3bf457ad408f89a833611180ab3a622b2c475a725c6a48696b4a0b21b6f4a5f5809ec60d1

Download Submit
C:\Windows\SysWOW64\CTF\Serial.key

Filesize
17B

MD5
0d0a4883d419ba07220f710b05497467

SHA1
4d0e534fc0cd72afbaada71b8e96ddf14a016d28

SHA256
2350440b3774e267377f68a00bd11f973e04ff3d56ba3258542b8b5092110ece

SHA512
aeffa67b0cca2c828390bddeaa771d03f5383bd324175cf44288f17b5760ea6446e947c0d6cccfb9b3e01468c7e49aa7cbf8a8e931cdb9bcc4ba401f6d3ac144

Download Submit
C:\Windows\SysWOW64\CTF\autoctf.exe

Filesize
98KB

MD5
239de2a544dffd9e6d62daf5e2129535

SHA1
df4a56fc7ce7cb24cb73d2d083271259fa656b99

SHA256
52f9d58f969a4fc89aeaacdb624d712275831075893d93559dc706b5eb1a4586

SHA512
be9e01930ccd90435eee98b5e8aec07f2b568eb71e9237ebee75216333c250f17157fea23f67bf84aeef79e20addce3675e10cf25a883b7bec54206c0697f5f0

Download Submit
C:\Windows\SysWOW64\CTF\autoctf.exe

Filesize
98KB

MD5
239de2a544dffd9e6d62daf5e2129535

SHA1
df4a56fc7ce7cb24cb73d2d083271259fa656b99

SHA256
52f9d58f969a4fc89aeaacdb624d712275831075893d93559dc706b5eb1a4586

SHA512
be9e01930ccd90435eee98b5e8aec07f2b568eb71e9237ebee75216333c250f17157fea23f67bf84aeef79e20addce3675e10cf25a883b7bec54206c0697f5f0

Download Submit
C:\Windows\SysWOW64\CTF\ctf3.exe

Filesize
98KB

MD5
ceb3ba09779d12eaccb47e52944de121

SHA1
1750b12f2a01dfd0a7124a6c8b5f4c536d93d6da

SHA256
5a775494d5cf0d84ab503580620506f1adf4ef9fd5e6ef9579e73e528725578e

SHA512
6fc0f13aebfcef390d3d259fadc201ab3054bf7f15f4e725b02dc39ae400e8e12c38944c4972fc107e25c88ce64ad570f7b469ecb8c9161863de525a8dc09a43

Download Submit
C:\Windows\SysWOW64\CTF\ctf3.exe

Filesize
98KB

MD5
ceb3ba09779d12eaccb47e52944de121

SHA1
1750b12f2a01dfd0a7124a6c8b5f4c536d93d6da

SHA256
5a775494d5cf0d84ab503580620506f1adf4ef9fd5e6ef9579e73e528725578e

SHA512
6fc0f13aebfcef390d3d259fadc201ab3054bf7f15f4e725b02dc39ae400e8e12c38944c4972fc107e25c88ce64ad570f7b469ecb8c9161863de525a8dc09a43

Download Submit
C:\Windows\SysWOW64\CTF\ctfmon.dll

Filesize
5KB

MD5
2ed432224172dd0f669759948190b082

SHA1
6cafb92318b2ddbb296a6708c3ce92b2e4108e37

SHA256
0689a0101fbb797ac007928288d7f755504351d5a2c5154846ff382c68a6a809

SHA512
7e0fa9431372c186d49b5b6ebf83a7c1d4612e0c9e9db0b92d80d0d105a0f1dbbf81fed3d7726358dfab12bf66deed8840198a136aee41241827bc57887cfddf

Download Submit
C:\Windows\SysWOW64\CTF\ctfmon.dll

Filesize
5KB

MD5
2ed432224172dd0f669759948190b082

SHA1
6cafb92318b2ddbb296a6708c3ce92b2e4108e37

SHA256
0689a0101fbb797ac007928288d7f755504351d5a2c5154846ff382c68a6a809

SHA512
7e0fa9431372c186d49b5b6ebf83a7c1d4612e0c9e9db0b92d80d0d105a0f1dbbf81fed3d7726358dfab12bf66deed8840198a136aee41241827bc57887cfddf

Download Submit
C:\Windows\SysWOW64\CTF\ctfmon.txt

Filesize
251B

MD5
a05bb17fff5ba4c9a2aa8fa3fcea344c

SHA1
eb5b07e15fab2d72b3d2e4efc2dc9d410d7981d2

SHA256
793f591a86a526d21fc7af8ce3a3a58b9ad073afc121daf84d26b1de0108b050

SHA512
91b21e6ad5b44c7362b6ba4814914931d2cdf0c54194b28864536cfd2105f0cd37f10016e7684bce6816eb104fcd06a27058742dd47931726931eefde7f4dc77

Download Submit
C:\Windows\SysWOW64\CTF\smss.exe

Filesize
67KB

MD5
e7d77603d6b68ae69fcc7ed21404f9bf

SHA1
fc3efc486f9182491d55d0954f4821bb7692bc38

SHA256
1ca4caafb455ad24b308059e3859912ddda05814652b01082a94e4b6e586ea4d

SHA512
197ca4a9bb289f39fed72007f25da42d8c83c86e6218a261cb9ab393acc5c3072af60fd6a9aa5fbe64db802a5b1c276b37da06ac4f478a85de1b52d730334399

Download Submit
C:\Windows\SysWOW64\CTF\smss.exe

Filesize
67KB

MD5
e7d77603d6b68ae69fcc7ed21404f9bf

SHA1
fc3efc486f9182491d55d0954f4821bb7692bc38

SHA256
1ca4caafb455ad24b308059e3859912ddda05814652b01082a94e4b6e586ea4d

SHA512
197ca4a9bb289f39fed72007f25da42d8c83c86e6218a261cb9ab393acc5c3072af60fd6a9aa5fbe64db802a5b1c276b37da06ac4f478a85de1b52d730334399

Download Submit
C:\Windows\SysWOW64\del.exe

Filesize
21KB

MD5
75f1b930397aaa2711995d32c83c38b3

SHA1
08b455dc0ea0bdc7ee908db411ff80a2efd6c5f9

SHA256
cadf04fa34fa08bff01d5150b94dd912977769fa45c9db796ff2cad731805eac

SHA512
dea0fc9134fd9cc53c6365aece0d2960f0fe942286f11519aad6175c2b7b3c05c06227abb7d476140dfbf3fe02a4b818cc3fab2d861ce07420d4ee3e39f39dad

Download Submit
C:\Windows\SysWOW64\del.exe

Filesize
21KB

MD5
75f1b930397aaa2711995d32c83c38b3

SHA1
08b455dc0ea0bdc7ee908db411ff80a2efd6c5f9

SHA256
cadf04fa34fa08bff01d5150b94dd912977769fa45c9db796ff2cad731805eac

SHA512
dea0fc9134fd9cc53c6365aece0d2960f0fe942286f11519aad6175c2b7b3c05c06227abb7d476140dfbf3fe02a4b818cc3fab2d861ce07420d4ee3e39f39dad

Download Submit
memory/1852-156-0x0000000000000000-mapping.dmp

Download
memory/1864-137-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1864-158-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1864-132-0x0000000000000000-mapping.dmp

Download
memory/1864-135-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2244-143-0x0000000000000000-mapping.dmp

Download
memory/2304-146-0x0000000000000000-mapping.dmp

Download
memory/2980-153-0x0000000000000000-mapping.dmp

Download
memory/2980-155-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2980-167-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3816-165-0x0000000000000000-mapping.dmp

Download
memory/4020-147-0x0000000000000000-mapping.dmp

Download
memory/4268-136-0x0000000000000000-mapping.dmp

Download
memory/4440-151-0x0000000000000000-mapping.dmp

Download
memory/4900-138-0x0000000000000000-mapping.dmp

Download
memory/4900-140-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4900-152-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4932-148-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads