29dfbb65abb856dd7082a892feb484f3f640e2159c1a21ab2393784244d3aa5e

Analysis

max time kernel
67s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2023 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29dfbb65abb856dd7082a892feb484f3f640e2159c1a21ab2393784244d3aa5e.exe
Size

1.5MB
MD5

f7dcb6add830463343b0c3b0f2d5f926
SHA1

822f430756a0d5b316d55249d61e6387860778e0
SHA256

29dfbb65abb856dd7082a892feb484f3f640e2159c1a21ab2393784244d3aa5e
SHA512

24a41e2eee9340523d88eba0d0c6a0257b9fff24c580ee1efb122ecd100443c61624f01d290ae04c4aeb83971c07f2b9ff251379474d0c3b9cebad0ee4415db5
SSDEEP

24576:Yutr5OUbtJmgZ/UjemilQ0OxbMu+FRhJVoAHtczZKE0XjH9TEtGJItv5M/Co:YuXvJmSK0OxbTYRZoANczw/T9tItv5G9

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	29dfbb65abb856dd7082a892feb484f3f640e2159c1a21ab2393784244d3aa5e.exe

Executes dropped EXE 6 IoCs

pid	Process
4248	ConsExt.exe
4688	bschk.exe
1272	sc.exe
2868	bschk.exe
4260	be.exe
3840	ConsExt.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	sc.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1272	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
4756	reg.exe
4592	reg.exe
2328	reg.exe
2168	reg.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	1196	reg.exe
Token: SeRestorePrivilege	3924	reg.exe
Token: SeRestorePrivilege	4612	reg.exe
Token: SeRestorePrivilege	4576	reg.exe
Token: SeRestorePrivilege	4260	be.exe
Token: SeBackupPrivilege	4260	be.exe
Token: SeRestorePrivilege	4260	be.exe
Token: SeRestorePrivilege	4260	be.exe
Token: SeRestorePrivilege	4260	be.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3324 wrote to memory of 552	3324	29dfbb65abb856dd7082a892feb484f3f640e2159c1a21ab2393784244d3aa5e.exe	83
PID 3324 wrote to memory of 552	3324	29dfbb65abb856dd7082a892feb484f3f640e2159c1a21ab2393784244d3aa5e.exe	83
PID 3324 wrote to memory of 552	3324	29dfbb65abb856dd7082a892feb484f3f640e2159c1a21ab2393784244d3aa5e.exe	83
PID 552 wrote to memory of 2900	552	cmd.exe	85
PID 552 wrote to memory of 2900	552	cmd.exe	85
PID 552 wrote to memory of 2900	552	cmd.exe	85
PID 552 wrote to memory of 1248	552	cmd.exe	87
PID 552 wrote to memory of 1248	552	cmd.exe	87
PID 552 wrote to memory of 1248	552	cmd.exe	87
PID 552 wrote to memory of 1720	552	cmd.exe	86
PID 552 wrote to memory of 1720	552	cmd.exe	86
PID 552 wrote to memory of 1720	552	cmd.exe	86
PID 552 wrote to memory of 4756	552	cmd.exe	88
PID 552 wrote to memory of 4756	552	cmd.exe	88
PID 552 wrote to memory of 4756	552	cmd.exe	88
PID 552 wrote to memory of 4592	552	cmd.exe	89
PID 552 wrote to memory of 4592	552	cmd.exe	89
PID 552 wrote to memory of 4592	552	cmd.exe	89
PID 552 wrote to memory of 2328	552	cmd.exe	90
PID 552 wrote to memory of 2328	552	cmd.exe	90
PID 552 wrote to memory of 2328	552	cmd.exe	90
PID 552 wrote to memory of 2168	552	cmd.exe	91
PID 552 wrote to memory of 2168	552	cmd.exe	91
PID 552 wrote to memory of 2168	552	cmd.exe	91
PID 552 wrote to memory of 3580	552	cmd.exe	92
PID 552 wrote to memory of 3580	552	cmd.exe	92
PID 552 wrote to memory of 3580	552	cmd.exe	92
PID 3580 wrote to memory of 2412	3580	cmd.exe	94
PID 3580 wrote to memory of 2412	3580	cmd.exe	94
PID 3580 wrote to memory of 4248	3580	cmd.exe	95
PID 3580 wrote to memory of 4248	3580	cmd.exe	95
PID 3580 wrote to memory of 4248	3580	cmd.exe	95
PID 3580 wrote to memory of 2796	3580	cmd.exe	96
PID 3580 wrote to memory of 2796	3580	cmd.exe	96
PID 3580 wrote to memory of 1396	3580	cmd.exe	97
PID 3580 wrote to memory of 1396	3580	cmd.exe	97
PID 3580 wrote to memory of 1196	3580	cmd.exe	100
PID 3580 wrote to memory of 1196	3580	cmd.exe	100
PID 3580 wrote to memory of 3924	3580	cmd.exe	101
PID 3580 wrote to memory of 3924	3580	cmd.exe	101
PID 3580 wrote to memory of 4612	3580	cmd.exe	102
PID 3580 wrote to memory of 4612	3580	cmd.exe	102
PID 3580 wrote to memory of 4576	3580	cmd.exe	103
PID 3580 wrote to memory of 4576	3580	cmd.exe	103
PID 3580 wrote to memory of 3116	3580	cmd.exe	104
PID 3580 wrote to memory of 3116	3580	cmd.exe	104
PID 3580 wrote to memory of 1628	3580	cmd.exe	105
PID 3580 wrote to memory of 1628	3580	cmd.exe	105
PID 3580 wrote to memory of 4688	3580	cmd.exe	107
PID 3580 wrote to memory of 4688	3580	cmd.exe	107
PID 3580 wrote to memory of 4688	3580	cmd.exe	107
PID 3580 wrote to memory of 4748	3580	cmd.exe	108
PID 3580 wrote to memory of 4748	3580	cmd.exe	108
PID 3580 wrote to memory of 4420	3580	cmd.exe	109
PID 3580 wrote to memory of 4420	3580	cmd.exe	109
PID 3580 wrote to memory of 1272	3580	cmd.exe	110
PID 3580 wrote to memory of 1272	3580	cmd.exe	110
PID 3580 wrote to memory of 1272	3580	cmd.exe	110
PID 3580 wrote to memory of 768	3580	cmd.exe	111
PID 3580 wrote to memory of 768	3580	cmd.exe	111
PID 3580 wrote to memory of 768	3580	cmd.exe	111
PID 3580 wrote to memory of 4708	3580	cmd.exe	112
PID 3580 wrote to memory of 4708	3580	cmd.exe	112
PID 3580 wrote to memory of 828	3580	cmd.exe	113

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2556	attrib.exe

C:\Users\Admin\AppData\Local\Temp\29dfbb65abb856dd7082a892feb484f3f640e2159c1a21ab2393784244d3aa5e.exe
"C:\Users\Admin\AppData\Local\Temp\29dfbb65abb856dd7082a892feb484f3f640e2159c1a21ab2393784244d3aa5e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Windows\SysWOW64\mode.com
    mode con cols=80 lines=25
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\find.exe
    find /i "NTaufix"
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" dir ..\NTaufix/ad 2>nul"
    3⤵
    PID:1248
- - C:\Windows\SysWOW64\reg.exe
    reg query HKCU\Console\%SystemRoot%_system32_cmd.exe /v QuickEdit
    3⤵
    - Modifies registry key
    PID:4756
- - C:\Windows\SysWOW64\reg.exe
    reg query HKCU\Console /v QuickEdit
    3⤵
    - Modifies registry key
    PID:4592
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Console\%SystemRoot%_system32_cmd.exe /f
    3⤵
    - Modifies registry key
    PID:2328
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Console\%SystemRoot%_system32_cmd.exe /v QuickEdit /t REG_DWORD /d 0 /f
    3⤵
    - Modifies registry key
    PID:2168
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c NTBOOTautofix.cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3580
  - - C:\Windows\system32\mode.com
      mode con cols=80 lines=25
      4⤵
      PID:2412
  - - C:\Users\Admin\AppData\Local\Temp\NTaufix\ConsExt.exe
      ConsExt /crv 0
      4⤵
      Executes dropped EXE
      PID:4248
  - - C:\Windows\system32\chcp.com
      chcp 936
      4⤵
      PID:2796
  - - C:\Windows\system32\chcp.com
      chcp 950
      4⤵
      PID:1396
  - - C:\Windows\system32\reg.exe
      reg unload HKLM\BCD00000000
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1196
  - - C:\Windows\system32\reg.exe
      reg unload HKLM\BCD00000001
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3924
  - - C:\Windows\system32\reg.exe
      reg unload HKLM\BCD00000002
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4612
  - - C:\Windows\system32\reg.exe
      reg unload HKLM\BCD00000003
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4576
  - - C:\Windows\system32\reg.exe
      REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v InstallDate
      4⤵
      PID:3116
  - - C:\Windows\system32\find.exe
      find /i "InstallDate"
      4⤵
      PID:1628
  - - C:\Users\Admin\AppData\Local\Temp\NTaufix\bschk.exe
      bschk /nt60 sys
      4⤵
      Executes dropped EXE
      PID:4688
  - - C:\Windows\system32\find.exe
      find "\\" autofixx.tmp
      4⤵
      PID:4748
  - - C:\Windows\system32\find.exe
      find ":"
      4⤵
      PID:4420
  - - C:\Users\Admin\AppData\Local\Temp\NTaufix\sc.exe
      sc
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Launches sc.exe
      PID:1272
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" ver"
      4⤵
      PID:768
  - - C:\Windows\system32\find.exe
      find "6."
      4⤵
      PID:4708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" ver"
      4⤵
      PID:828
  - - C:\Windows\system32\find.exe
      find "5."
      4⤵
      PID:5016
  - - C:\Windows\system32\reg.exe
      REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
      4⤵
      PID:676
  - - C:\Windows\system32\find.exe
      find /i "ProductName"
      4⤵
      PID:3752
  - - C:\Windows\system32\chcp.com
      chcp 936
      4⤵
      PID:3668
  - - C:\Users\Admin\AppData\Local\Temp\NTaufix\bschk.exe
      bschk /nt60 sys
      4⤵
      Executes dropped EXE
      PID:2868
  - - C:\Windows\system32\find.exe
      find "\\"
      4⤵
      PID:2064
  - - C:\Windows\system32\find.exe
      find ":"
      4⤵
      PID:3376
  - - C:\Users\Admin\AppData\Local\Temp\NTaufix\be.exe
      be /export E:\boot\BCD1
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4260
  - - C:\Windows\system32\attrib.exe
      attrib -r -h -s E:\boot\BCD1.*
      4⤵
      Views/modifies file attributes
      PID:2556
  - - C:\Users\Admin\AppData\Local\Temp\NTaufix\ConsExt.exe
      ConsExt /event
      4⤵
      Executes dropped EXE
      PID:3840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NTaufix\ConsExt.exe

Filesize
196KB

MD5
71ae72fb2cee3fdac2ece55a7290df07

SHA1
0cfff4ff2f87eec042243a5bfd0dcd39293c740d

SHA256
4a26dc01b9297a14cc193d8412dc26404272c4953749ebe4543eb4112cc37b67

SHA512
d0443639b2ed9ff854b01b5cab375763826394b8fc48eaed578884d93172f507c2e531c394776968f991dca94b00c4dda891fe8da9c27db659c621796712cefa

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTaufix\ConsExt.exe

Filesize
196KB

MD5
71ae72fb2cee3fdac2ece55a7290df07

SHA1
0cfff4ff2f87eec042243a5bfd0dcd39293c740d

SHA256
4a26dc01b9297a14cc193d8412dc26404272c4953749ebe4543eb4112cc37b67

SHA512
d0443639b2ed9ff854b01b5cab375763826394b8fc48eaed578884d93172f507c2e531c394776968f991dca94b00c4dda891fe8da9c27db659c621796712cefa

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTaufix\ConsExt.exe

Filesize
196KB

MD5
71ae72fb2cee3fdac2ece55a7290df07

SHA1
0cfff4ff2f87eec042243a5bfd0dcd39293c740d

SHA256
4a26dc01b9297a14cc193d8412dc26404272c4953749ebe4543eb4112cc37b67

SHA512
d0443639b2ed9ff854b01b5cab375763826394b8fc48eaed578884d93172f507c2e531c394776968f991dca94b00c4dda891fe8da9c27db659c621796712cefa

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTaufix\ConsExt.exe

Filesize
196KB

MD5
71ae72fb2cee3fdac2ece55a7290df07

SHA1
0cfff4ff2f87eec042243a5bfd0dcd39293c740d

SHA256
4a26dc01b9297a14cc193d8412dc26404272c4953749ebe4543eb4112cc37b67

SHA512
d0443639b2ed9ff854b01b5cab375763826394b8fc48eaed578884d93172f507c2e531c394776968f991dca94b00c4dda891fe8da9c27db659c621796712cefa

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTaufix\NTBOOTautofix.cmd

Filesize
70KB

MD5
dd3f9d8048b21af22f220b3a56f87a9a

SHA1
ba8d4c118b766f5f50011e600429e0330b2384f3

SHA256
c9b69667c80c8c48cdd1f61e2ec3ec1f3bff5fafde9604f3fe85c4b68bc11c97

SHA512
90ecfbe3a265d007d1743251ca20acaed9b9bb67cf03db83e3b99f489859c06313434390e17b46f99cc75a4c8d036e9f9ec059f0e52aaf73afe66ede745cb30c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTaufix\NTLDR1

Filesize
268KB

MD5
2ef2b5825e20a76540662a0333e0d522

SHA1
fdb5e59854bd3a0dd02d495b2fa113c06359d7ff

SHA256
37dbf12d20bb52b9c46def368360be779047830e450a74275500946f0cc7fa36

SHA512
c118b3b103ff178964971ca3ef5a7325f6a68bdae7b31cdb6c379fa6b975cc22f8f7d645196a47fc6a2e216b36cd5bfe5fababb4395265278039d5628e431d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTaufix\NTLDRC

Filesize
8KB

MD5
a0412aa2ac70427ace8fef14fd8e9595

SHA1
b58d86977de48d40e797d47bfed8a8b72f234c21

SHA256
53dc8fccfd10b727a5f720e25dfa7af196a96bfb03030ad718627fd880d2ea7e

SHA512
da19aa322a8491570d69908446a81f2ce4c51f97c6cb7394296fd2a3bcacbb5c8d26ba95d2ef35a27767cf884a653f37acc120eef74e8fc2a8ce989fa946adcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTaufix\NTLDRE

Filesize
8KB

MD5
f91820cc1954eada9aa1cbec011ee543

SHA1
6bda900935390028a0328223b85eeaba09a7c090

SHA256
1f112c7b2034e51368472cecce95f97528ded6a8490cda74b7ba68025f619018

SHA512
c36534057d2678aae072077feef282d4b0516ba366d4dc0167ea6e0f6fc2c65abf47e57d9977f018f03881f73594eaa2922b328c30b48b047df6721612b1ae5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTaufix\autofixx.tmp

Filesize
241B

MD5
b2aa0ce2dfb041a29122a6161df368d0

SHA1
4573f4ff003b851f7c7e109f3b1f7f41ba374eb4

SHA256
b55ae6cc6d2c8b2f0c4fe13827565fd41a4417372aa6a111d1a8137b123e8756

SHA512
d5403cd9835e7a74463b72421f421f0b8f969815147930d220a75b841ca4aba57232ed5ffdacfc25da70876e455ee61cdb5048ab14f1f0a9269893526d97b72b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTaufix\be.exe

Filesize
320KB

MD5
54da4a3ebae0f043465b781d45eb7e50

SHA1
8ed915230b8ab3f24b76b064ab484bec43320095

SHA256
a6f3cbe17b2fa1622f6156b53490c1266c9bb6bca201de7be106eceae883a1e0

SHA512
a9d695806eb28b5987d9935a621a5ae81ed940327e00515de69f9034969c596d347a66b298db2cac7b1d0632c0304cb512510f8be55610bc31e58002e35cab02

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTaufix\be.exe

Filesize
320KB

MD5
54da4a3ebae0f043465b781d45eb7e50

SHA1
8ed915230b8ab3f24b76b064ab484bec43320095

SHA256
a6f3cbe17b2fa1622f6156b53490c1266c9bb6bca201de7be106eceae883a1e0

SHA512
a9d695806eb28b5987d9935a621a5ae81ed940327e00515de69f9034969c596d347a66b298db2cac7b1d0632c0304cb512510f8be55610bc31e58002e35cab02

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTaufix\be.exe

Filesize
320KB

MD5
54da4a3ebae0f043465b781d45eb7e50

SHA1
8ed915230b8ab3f24b76b064ab484bec43320095

SHA256
a6f3cbe17b2fa1622f6156b53490c1266c9bb6bca201de7be106eceae883a1e0

SHA512
a9d695806eb28b5987d9935a621a5ae81ed940327e00515de69f9034969c596d347a66b298db2cac7b1d0632c0304cb512510f8be55610bc31e58002e35cab02

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTaufix\bschk.exe

Filesize
95KB

MD5
366c14b6d2ec6882699e939db081316e

SHA1
c1818d1c62646a026a576142796cc7b4ef29486b

SHA256
5a33fd6b8471d94e01e29f6445eaf8b34ff24a5e5a1dea79aa810f3a6a291f9f

SHA512
2ecfc75a75130d6993a50825f630c1afb59cb719c009c60e3b2387dcd34e6be041d42d675a3f8b7e4030f1ddedaa2c3b5d243e5ea03542733d43db6509c26a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTaufix\bschk.exe

Filesize
95KB

MD5
366c14b6d2ec6882699e939db081316e

SHA1
c1818d1c62646a026a576142796cc7b4ef29486b

SHA256
5a33fd6b8471d94e01e29f6445eaf8b34ff24a5e5a1dea79aa810f3a6a291f9f

SHA512
2ecfc75a75130d6993a50825f630c1afb59cb719c009c60e3b2387dcd34e6be041d42d675a3f8b7e4030f1ddedaa2c3b5d243e5ea03542733d43db6509c26a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTaufix\bschk.exe

Filesize
95KB

MD5
366c14b6d2ec6882699e939db081316e

SHA1
c1818d1c62646a026a576142796cc7b4ef29486b

SHA256
5a33fd6b8471d94e01e29f6445eaf8b34ff24a5e5a1dea79aa810f3a6a291f9f

SHA512
2ecfc75a75130d6993a50825f630c1afb59cb719c009c60e3b2387dcd34e6be041d42d675a3f8b7e4030f1ddedaa2c3b5d243e5ea03542733d43db6509c26a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTaufix\bschk.exe

Filesize
95KB

MD5
366c14b6d2ec6882699e939db081316e

SHA1
c1818d1c62646a026a576142796cc7b4ef29486b

SHA256
5a33fd6b8471d94e01e29f6445eaf8b34ff24a5e5a1dea79aa810f3a6a291f9f

SHA512
2ecfc75a75130d6993a50825f630c1afb59cb719c009c60e3b2387dcd34e6be041d42d675a3f8b7e4030f1ddedaa2c3b5d243e5ea03542733d43db6509c26a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTaufix\main.cmd

Filesize
1KB

MD5
af0da4bef47bcd0ea9d81ece8487b1b5

SHA1
4e568f6bdb204e211e5be96e0fb94450c357df2e

SHA256
71c922089127799fb41124c9c9b7801511b65cb2865bee3c0c32bebc3748d788

SHA512
f30af1d7cbb2f314b1cdfa66e8f333b202486916b284c0b3cbcf627950e01307a131b7f9f17a428a6f064c8719ea62c775501a43f50f4dac1b21f47ce77127b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTaufix\ntldr

Filesize
277KB

MD5
87774a4506b78e74352de083688ec8d8

SHA1
3ddb9fb2c2d5a95adaac8a736b6c19b6fd95fbd4

SHA256
4fdc64b0b6ba825a337b1d3456c72d2bc7b91300555ea9db43739361cc043ea5

SHA512
da51f7b5e0410f339b5952d2b2c6ba890704f0f4f0c7471d9bab1847ec50c05c7ad97b6e95f878f3680b848533136e2b10b7a6f6aea9951ea3ce25fcfc0f8d9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTaufix\sc.exe

Filesize
4KB

MD5
46829940f8992374e234d2ba4f96e0ed

SHA1
a6e7bfb1e838a2e3246e148fa2aeaaf0962e72eb

SHA256
36caa213a29a70270a220e5c5f9a1471b1b3498dd31293260b521a23e7df1f2b

SHA512
caaa2b6ae26a5cc1c6906e17a6e616ecfba2545aaab442ef6d2064240a238257561c82ed4ca98efc5e5f0fe430773c0a690f80f9fe48c7d834ddea9f374d8ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTaufix\sc.exe

Filesize
4KB

MD5
46829940f8992374e234d2ba4f96e0ed

SHA1
a6e7bfb1e838a2e3246e148fa2aeaaf0962e72eb

SHA256
36caa213a29a70270a220e5c5f9a1471b1b3498dd31293260b521a23e7df1f2b

SHA512
caaa2b6ae26a5cc1c6906e17a6e616ecfba2545aaab442ef6d2064240a238257561c82ed4ca98efc5e5f0fe430773c0a690f80f9fe48c7d834ddea9f374d8ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTaufix\sc.exe

Filesize
4KB

MD5
46829940f8992374e234d2ba4f96e0ed

SHA1
a6e7bfb1e838a2e3246e148fa2aeaaf0962e72eb

SHA256
36caa213a29a70270a220e5c5f9a1471b1b3498dd31293260b521a23e7df1f2b

SHA512
caaa2b6ae26a5cc1c6906e17a6e616ecfba2545aaab442ef6d2064240a238257561c82ed4ca98efc5e5f0fe430773c0a690f80f9fe48c7d834ddea9f374d8ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\BOOTFONT.BIN

Filesize
315KB

MD5
99f68407c9470130eb0f3d7350ec109d

SHA1
704cb779a9a1dd939731b0c19e424ad5eb507b0e

SHA256
61a5098f3519807bcdfda735b375bfced0935f2cc8e11d81c4df6c910ebcd9af

SHA512
2f40cc34c169f7e9a97e7feeaaa32fbaebed34265c92d093966bc806232b19ecba7965259929618cc697bcc05cb23eb2ce359f6304c9f1f98d2f4cdff6687b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ConsExt.exe

Filesize
196KB

MD5
71ae72fb2cee3fdac2ece55a7290df07

SHA1
0cfff4ff2f87eec042243a5bfd0dcd39293c740d

SHA256
4a26dc01b9297a14cc193d8412dc26404272c4953749ebe4543eb4112cc37b67

SHA512
d0443639b2ed9ff854b01b5cab375763826394b8fc48eaed578884d93172f507c2e531c394776968f991dca94b00c4dda891fe8da9c27db659c621796712cefa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NTBOOTautofix.cmd

Filesize
70KB

MD5
dd3f9d8048b21af22f220b3a56f87a9a

SHA1
ba8d4c118b766f5f50011e600429e0330b2384f3

SHA256
c9b69667c80c8c48cdd1f61e2ec3ec1f3bff5fafde9604f3fe85c4b68bc11c97

SHA512
90ecfbe3a265d007d1743251ca20acaed9b9bb67cf03db83e3b99f489859c06313434390e17b46f99cc75a4c8d036e9f9ec059f0e52aaf73afe66ede745cb30c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NTDETECT.COM

Filesize
46KB

MD5
cdce1413695a6ace7304e77f35aa3a37

SHA1
2759c5a8707c6c6ec5c1326364bd43b31159e3a1

SHA256
17ed3744ff8cb847ef89d0e42111e6ba27bd688b160a594a3abef078e05c4868

SHA512
0562085ddf75c66687cf16b72be3751bd8032df1ebcd2640835ef84adb47e5471d9ddc32822d9c17e6674fd28c3d1966758f215d4423be12148553b29e6fba0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NTLDR1

Filesize
268KB

MD5
2ef2b5825e20a76540662a0333e0d522

SHA1
fdb5e59854bd3a0dd02d495b2fa113c06359d7ff

SHA256
37dbf12d20bb52b9c46def368360be779047830e450a74275500946f0cc7fa36

SHA512
c118b3b103ff178964971ca3ef5a7325f6a68bdae7b31cdb6c379fa6b975cc22f8f7d645196a47fc6a2e216b36cd5bfe5fababb4395265278039d5628e431d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NTLDRC

Filesize
8KB

MD5
a0412aa2ac70427ace8fef14fd8e9595

SHA1
b58d86977de48d40e797d47bfed8a8b72f234c21

SHA256
53dc8fccfd10b727a5f720e25dfa7af196a96bfb03030ad718627fd880d2ea7e

SHA512
da19aa322a8491570d69908446a81f2ce4c51f97c6cb7394296fd2a3bcacbb5c8d26ba95d2ef35a27767cf884a653f37acc120eef74e8fc2a8ce989fa946adcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NTLDRE

Filesize
8KB

MD5
f91820cc1954eada9aa1cbec011ee543

SHA1
6bda900935390028a0328223b85eeaba09a7c090

SHA256
1f112c7b2034e51368472cecce95f97528ded6a8490cda74b7ba68025f619018

SHA512
c36534057d2678aae072077feef282d4b0516ba366d4dc0167ea6e0f6fc2c65abf47e57d9977f018f03881f73594eaa2922b328c30b48b047df6721612b1ae5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\attrib5.exe

Filesize
12KB

MD5
118176e996fa8d6d25694d4f6e713ace

SHA1
3f6005729b26b4767ffab9b2d14d91d329acb806

SHA256
cba924415f9d08abe02724f07115a165698c55010540fb14f382949726aff68d

SHA512
bfbe69fd467f5b28e2f45724c8769def25b4f7267f0390f47c93a9eac434c3942b545e20f96d36d46b766e1c02e2bbc25af0cc6029740ad31657f4677d0a40c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bb.exe

Filesize
149KB

MD5
0e4c7b89452f3fb5a42137e7e43d7b50

SHA1
6612209e75ddab81a39de8f262eb209f9ad0575a

SHA256
3920037ff397459202c8a0c4ffa3e0ad91e860bfe4f6c0dff8e7965d4917ea2c

SHA512
b353bd1a67eaaa1d88ac88fd45322e2bf29d5d9449939cfbda4f0e035ebdf0b8b4e7a5b9820b96680ff400c114cc89d5ff15fd2008d9ece9fa8c30d2c9842662

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\be.exe

Filesize
320KB

MD5
54da4a3ebae0f043465b781d45eb7e50

SHA1
8ed915230b8ab3f24b76b064ab484bec43320095

SHA256
a6f3cbe17b2fa1622f6156b53490c1266c9bb6bca201de7be106eceae883a1e0

SHA512
a9d695806eb28b5987d9935a621a5ae81ed940327e00515de69f9034969c596d347a66b298db2cac7b1d0632c0304cb512510f8be55610bc31e58002e35cab02

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bs.exe

Filesize
108KB

MD5
05a87372cf6f32f99794e8571b44fa2e

SHA1
9a042cd044915c196ef96eeff9efda566dc5709e

SHA256
c7fab12150d1810eedf5c19089465fe6910cddb1d9333fdbd87d32715f964a93

SHA512
a5749c3b2a1dcd94ce9e5b100aeed3000e11d7c36d007d34cfc0ee9db440df21ff55854d5210e194e80f00334e5f477a5a8a90a22f46abb60e858c49c13dc7df

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bschk.exe

Filesize
95KB

MD5
366c14b6d2ec6882699e939db081316e

SHA1
c1818d1c62646a026a576142796cc7b4ef29486b

SHA256
5a33fd6b8471d94e01e29f6445eaf8b34ff24a5e5a1dea79aa810f3a6a291f9f

SHA512
2ecfc75a75130d6993a50825f630c1afb59cb719c009c60e3b2387dcd34e6be041d42d675a3f8b7e4030f1ddedaa2c3b5d243e5ea03542733d43db6509c26a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bsmbr.exe

Filesize
95KB

MD5
ba33b1f798be1af468918cda0a7d80ef

SHA1
ce988f2e3e9f9994ae33de0242f94f3329de2655

SHA256
d298ed0554fdd176a839272637327e92395099cb962a12c5c48b586857d7893d

SHA512
0bf1cf37ef8a4504c48ecc1f6d61148e8535de7d774eaefdea09da630bac5ab5f5ca4393d6b6b3a3307653d1990682b72cb0089c8d70c6189b4784bd7b2cb514

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\chcp5.com

Filesize
7KB

MD5
d56e5ad02728dd5aad682838097f9108

SHA1
063897c70b3bda03ea9bebf0a8cc7e83ba0fb4db

SHA256
23b5bc6d24b813f2c2f2720be6842dcefcc4edf8b170863bb4c6ea4df639fd94

SHA512
1f5365944f8748e9bc974c363855bad0251625f737d251983301681eb1eea5bcfedfcb28c5e57d3d996ef78d323f3cbda83294b0d0cc8383e006871de47b4fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\chz_fix.bcd

Filesize
1KB

MD5
58c9f77d5d14ffaaead5d954dfd0a290

SHA1
44c084bcf954fd642fb9d5cd8bf0e65aeb325c67

SHA256
eeb8fb3583b58ed632886670fc8792f0209aed52d6aed9e6740073261fbc87c1

SHA512
bd7195e43dea724beca169565ccfdcbb1c6d3c314b1ac0f9d06b834a45b1b130dde5758a0cb6979ea3f7d42eb505163651a3235512a86b4cead74f847b64d2a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\chzdp.exe

Filesize
4KB

MD5
03bff0176873f2f014038692b4dbd438

SHA1
295ead1da24e40afca0a7b42ec1629ed6605800f

SHA256
4c53893202a51c14f040cdb70f86c522ecff3cf9718eed29576269e713581d4c

SHA512
fbea74e5a82532e0616aed2a203c8ca650e31d9f07f4430720db9a4a88d40d7eb088192c6d287b3a81c38344f72906cfaaf2ea839ecdbc8068f666e1ef5909ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\find5.exe

Filesize
9KB

MD5
0dc49311fc5e24a29662685efbe2f58c

SHA1
dfc643bff93f96ae7b8113bf5346e0cf9f7535a2

SHA256
22d52947622cd4212066447c5a26ce348ae1b8fc56ba24e53199e1c7bc02bed0

SHA512
788b8326f01c6c442d0d542189c7e0bc697518a0281a0e04f5e19cedb510a915bd26aae4a5474e4ad96b5ff883500cb6bb02e64a6479eb452b33d8d81f4aa877

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.cmd

Filesize
1KB

MD5
af0da4bef47bcd0ea9d81ece8487b1b5

SHA1
4e568f6bdb204e211e5be96e0fb94450c357df2e

SHA256
71c922089127799fb41124c9c9b7801511b65cb2865bee3c0c32bebc3748d788

SHA512
f30af1d7cbb2f314b1cdfa66e8f333b202486916b284c0b3cbcf627950e01307a131b7f9f17a428a6f064c8719ea62c775501a43f50f4dac1b21f47ce77127b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mv.exe

Filesize
9KB

MD5
de27405a9e67dc17ab8bd255dbcccc6c

SHA1
269295e750781c3547ee944440f307de94e53f93

SHA256
0c607c353799084f75da13477be884f9781ebd3e15a28d57e6bbdef0d6ab6bc6

SHA512
d631b7e0f300ff5a0556a5024fdfb8d2e9ec211aa1c0200a10021c362003f24f63dab26944801448bb4ee1b3941fe18c63f9de503c51da1f4fbdd80e197ef16e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\reg5.exe

Filesize
63KB

MD5
322649497639c0836a304a57c5dfb781

SHA1
0783a95922874eb521d54a026e55b439fd6a9437

SHA256
37ce5e1b08362ba9be71fac7aafadf7d687f85c309b9bd17987da1f5ff4f9475

SHA512
93f7157e0367699e0191be88e9c4e9b9ecf6c52a7fc0df4f5ccafa10857f990a5b7c466e3a09c890e6c181b9b6e5c798de2809fbaeb29a66bf3efb219165b223

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sc.exe

Filesize
4KB

MD5
46829940f8992374e234d2ba4f96e0ed

SHA1
a6e7bfb1e838a2e3246e148fa2aeaaf0962e72eb

SHA256
36caa213a29a70270a220e5c5f9a1471b1b3498dd31293260b521a23e7df1f2b

SHA512
caaa2b6ae26a5cc1c6906e17a6e616ecfba2545aaab442ef6d2064240a238257561c82ed4ca98efc5e5f0fe430773c0a690f80f9fe48c7d834ddea9f374d8ed2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads