27ebd2d00726ee12b45299240442c82c1274241eaf7c99645e1538bec5da05ae

Analysis

max time kernel
145s
max time network
148s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/01/2024, 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

778a328cc3859c1d26bf89253d76d9f2.exe
Size

10.8MB
MD5

778a328cc3859c1d26bf89253d76d9f2
SHA1

bba3eaecf83c96ab2de719ef1b84209f2d2afb20
SHA256

27ebd2d00726ee12b45299240442c82c1274241eaf7c99645e1538bec5da05ae
SHA512

c8d26a4f817c27eece6daa5e68579397d9c6e9f3ea2e5c16d2db6ebff810858cdb97f4d1c5c563fb3e2fdbefcceeed08d28b94b9c65fc11f8f64fc36993d7d03
SSDEEP

196608:p7G4BFifYizLQ8uGdbwRLTvICzcHWrUDZNEY20EK5pNDOIXKtThkn4L4aGaMeBNy:047ccGbAhcSKUi0t44BN8eGeq

Score

10^/10

evasion ransomware upx

Malware Config

Signatures

Deletes NTFS Change Journal 2 TTPs 1 IoCs

The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

ransomware

Inhibit System Recovery

T1490

Data Destruction

T1485

pid	Process
1668	fsutil.exe

Clears Windows event logs 1 TTPs 4 IoCs

evasion ransomware

Indicator Removal

T1070

pid	Process
1880	wevtutil.exe
960	wevtutil.exe
820	wevtutil.exe
1200	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1060	bcdedit.exe
2184	bcdedit.exe
2508	bcdedit.exe
2796	bcdedit.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

pid	Process
2248	wininiti.exe
2076	Microsoft_SQL_SERVER.exe

Loads dropped DLL 8 IoCs

pid	Process
3068	explorer.exe
3068	explorer.exe
2076	Microsoft_SQL_SERVER.exe
2076	Microsoft_SQL_SERVER.exe
2076	Microsoft_SQL_SERVER.exe
2076	Microsoft_SQL_SERVER.exe
2076	Microsoft_SQL_SERVER.exe
2076	Microsoft_SQL_SERVER.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2116-1-0x000000013F8F0000-0x000000014074B000-memory.dmp	upx
behavioral1/files/0x000a000000014602-5.dat	upx
behavioral1/memory/2248-7-0x000000013F2C0000-0x00000001405DA000-memory.dmp	upx
behavioral1/memory/2116-24-0x000000013F8F0000-0x000000014074B000-memory.dmp	upx
behavioral1/memory/2248-27-0x000000013F2C0000-0x00000001405DA000-memory.dmp	upx
behavioral1/files/0x000a000000014602-30.dat	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2248 set thread context of 3068	2248	wininiti.exe	30

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files\MICROSOFT_UPDATE\libwinpthread-1.dll	explorer.exe
File created	C:\Program Files\MICROSOFT_UPDATE\PluggableTransports\obfs4proxy.exe	explorer.exe
File created	C:\Program Files\MICROSOFT_UPDATE\zlib1.dll	explorer.exe
File created	C:\Program Files\MICROSOFT_UPDATE\libcrypto-1_1-x64.dll	explorer.exe
File created	C:\Program Files\MICROSOFT_UPDATE\libevent-2-1-7.dll	explorer.exe
File created	C:\Program Files\MICROSOFT_UPDATE\libgcc_s_seh-1.dll	explorer.exe
File created	C:\Program Files\MICROSOFT_UPDATE\libssl-1_1-x64.dll	explorer.exe
File created	C:\Program Files\MICROSOFT_UPDATE\libssp-0.dll	explorer.exe
File created	C:\Program Files\MICROSOFT_UPDATE\torrc-defaults	explorer.exe
File created	C:\Program Files\MICROSOFT_UPDATE\Microsoft_SQL_SERVER.exe	explorer.exe
File created	C:\Program Files\MICROSOFT_UPDATE\libevent_core-2-1-7.dll	explorer.exe
File created	C:\Program Files\MICROSOFT_UPDATE\libevent_extra-2-1-7.dll	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2448	vssadmin.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\byeintegrity3	778a328cc3859c1d26bf89253d76d9f2.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\byeintegrity3\shell	778a328cc3859c1d26bf89253d76d9f2.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\byeintegrity3	778a328cc3859c1d26bf89253d76d9f2.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\byeintegrity3\shell\open\command	778a328cc3859c1d26bf89253d76d9f2.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\byeintegrity3\shell\open	778a328cc3859c1d26bf89253d76d9f2.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\byeintegrity3\shell	778a328cc3859c1d26bf89253d76d9f2.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\byeintegrity3\shell\open\command	778a328cc3859c1d26bf89253d76d9f2.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\byeintegrity3\shell\open	778a328cc3859c1d26bf89253d76d9f2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\byeintegrity3\shell\open\command\ = "C:\\wininiti.exe"	778a328cc3859c1d26bf89253d76d9f2.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2704	PING.EXE
2476	PING.EXE

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeBackupPrivilege	2480	vssvc.exe
Token: SeRestorePrivilege	2480	vssvc.exe
Token: SeAuditPrivilege	2480	vssvc.exe
Token: SeSecurityPrivilege	1880	wevtutil.exe
Token: SeBackupPrivilege	1880	wevtutil.exe
Token: SeSecurityPrivilege	960	wevtutil.exe
Token: SeBackupPrivilege	960	wevtutil.exe
Token: SeSecurityPrivilege	820	wevtutil.exe
Token: SeBackupPrivilege	820	wevtutil.exe
Token: SeSecurityPrivilege	1200	wevtutil.exe
Token: SeBackupPrivilege	1200	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 3068	2248	wininiti.exe	30
PID 2248 wrote to memory of 3068	2248	wininiti.exe	30
PID 2248 wrote to memory of 3068	2248	wininiti.exe	30
PID 2248 wrote to memory of 3068	2248	wininiti.exe	30
PID 2248 wrote to memory of 3068	2248	wininiti.exe	30
PID 2248 wrote to memory of 3068	2248	wininiti.exe	30
PID 2248 wrote to memory of 3068	2248	wininiti.exe	30
PID 2248 wrote to memory of 3068	2248	wininiti.exe	30
PID 2248 wrote to memory of 3068	2248	wininiti.exe	30
PID 2248 wrote to memory of 3068	2248	wininiti.exe	30
PID 2248 wrote to memory of 3068	2248	wininiti.exe	30
PID 2248 wrote to memory of 3068	2248	wininiti.exe	30
PID 2248 wrote to memory of 3068	2248	wininiti.exe	30
PID 2248 wrote to memory of 3068	2248	wininiti.exe	30
PID 2116 wrote to memory of 2600	2116	778a328cc3859c1d26bf89253d76d9f2.exe	41
PID 2116 wrote to memory of 2600	2116	778a328cc3859c1d26bf89253d76d9f2.exe	41
PID 2116 wrote to memory of 2600	2116	778a328cc3859c1d26bf89253d76d9f2.exe	41
PID 2248 wrote to memory of 3068	2248	wininiti.exe	30
PID 2248 wrote to memory of 3068	2248	wininiti.exe	30
PID 2248 wrote to memory of 2852	2248	wininiti.exe	40
PID 2248 wrote to memory of 2852	2248	wininiti.exe	40
PID 2248 wrote to memory of 2852	2248	wininiti.exe	40
PID 2600 wrote to memory of 2704	2600	cmd.exe	32
PID 2600 wrote to memory of 2704	2600	cmd.exe	32
PID 2600 wrote to memory of 2704	2600	cmd.exe	32
PID 2852 wrote to memory of 2476	2852	cmd.exe	39
PID 2852 wrote to memory of 2476	2852	cmd.exe	39
PID 2852 wrote to memory of 2476	2852	cmd.exe	39
PID 3068 wrote to memory of 2620	3068	explorer.exe	37
PID 3068 wrote to memory of 2620	3068	explorer.exe	37
PID 3068 wrote to memory of 2620	3068	explorer.exe	37
PID 2620 wrote to memory of 2448	2620	cmd.exe	35
PID 2620 wrote to memory of 2448	2620	cmd.exe	35
PID 2620 wrote to memory of 2448	2620	cmd.exe	35
PID 3068 wrote to memory of 2944	3068	explorer.exe	43
PID 3068 wrote to memory of 2944	3068	explorer.exe	43
PID 3068 wrote to memory of 2944	3068	explorer.exe	43
PID 2944 wrote to memory of 1880	2944	cmd.exe	44
PID 2944 wrote to memory of 1880	2944	cmd.exe	44
PID 2944 wrote to memory of 1880	2944	cmd.exe	44
PID 2944 wrote to memory of 960	2944	cmd.exe	45
PID 2944 wrote to memory of 960	2944	cmd.exe	45
PID 2944 wrote to memory of 960	2944	cmd.exe	45
PID 2944 wrote to memory of 820	2944	cmd.exe	46
PID 2944 wrote to memory of 820	2944	cmd.exe	46
PID 2944 wrote to memory of 820	2944	cmd.exe	46
PID 3068 wrote to memory of 2516	3068	explorer.exe	51
PID 3068 wrote to memory of 2516	3068	explorer.exe	51
PID 3068 wrote to memory of 2516	3068	explorer.exe	51
PID 2944 wrote to memory of 1200	2944	cmd.exe	49
PID 2944 wrote to memory of 1200	2944	cmd.exe	49
PID 2944 wrote to memory of 1200	2944	cmd.exe	49
PID 2516 wrote to memory of 1060	2516	cmd.exe	48
PID 2516 wrote to memory of 1060	2516	cmd.exe	48
PID 2516 wrote to memory of 1060	2516	cmd.exe	48
PID 2944 wrote to memory of 1668	2944	cmd.exe	47
PID 2944 wrote to memory of 1668	2944	cmd.exe	47
PID 2944 wrote to memory of 1668	2944	cmd.exe	47
PID 3068 wrote to memory of 2340	3068	explorer.exe	52
PID 3068 wrote to memory of 2340	3068	explorer.exe	52
PID 3068 wrote to memory of 2340	3068	explorer.exe	52
PID 2340 wrote to memory of 2184	2340	cmd.exe	56
PID 2340 wrote to memory of 2184	2340	cmd.exe	56
PID 2340 wrote to memory of 2184	2340	cmd.exe	56

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\778a328cc3859c1d26bf89253d76d9f2.exe
"C:\Users\Admin\AppData\Local\Temp\778a328cc3859c1d26bf89253d76d9f2.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\system32\cmd.exe
  cmd.exe /C ping 127.0.0.1 -n 1 -w 500 > Nul & Del /f /q "򇗝򇗝򇗝򇗝򇗝򇗝򇗝򇗝򇗝򇗝򇗝
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2600

C:\wininiti.exe
"C:\wininiti.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\WINDOWS\system32\cmd.exe
    "C:\WINDOWS\system32\cmd.exe" /c "vssadmin delete shadows /all /quiet"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2620
- - C:\WINDOWS\system32\cmd.exe
    "C:\WINDOWS\system32\cmd.exe" /c "wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\system32\wevtutil.exe
      wevtutil cl Setup
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:1880
  - - C:\Windows\system32\wevtutil.exe
      wevtutil cl System
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:960
  - - C:\Windows\system32\wevtutil.exe
      wevtutil cl Security
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:820
  - - C:\Windows\system32\fsutil.exe
      fsutil usn deletejournal /D C:
      4⤵
      Deletes NTFS Change Journal
      PID:1668
  - - C:\Windows\system32\wevtutil.exe
      wevtutil cl Application
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:1200
- - C:\WINDOWS\system32\cmd.exe
    "C:\WINDOWS\system32\cmd.exe" /c "bcdedit /set bootstatuspolicy ignoreallfailures"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2516
- - C:\WINDOWS\system32\cmd.exe
    "C:\WINDOWS\system32\cmd.exe" /c "bcdedit /set recoveryenabled No"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set recoveryenabled No
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2184
- - C:\WINDOWS\system32\cmd.exe
    "C:\WINDOWS\system32\cmd.exe" /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"
    3⤵
    PID:1768
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2508
- - C:\WINDOWS\system32\cmd.exe
    "C:\WINDOWS\system32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"
    3⤵
    PID:2808
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled No
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2796
- - C:\Program Files\MICROSOFT_UPDATE\Microsoft_SQL_SERVER.exe
    "C:\Program Files\MICROSOFT_UPDATE\Microsoft_SQL_SERVER.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2076
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 3068 -s 396
    3⤵
    PID:1148
- C:\Windows\system32\cmd.exe
  cmd.exe /C ping 127.0.0.1 -n 1 -w 500 > Nul & Del /f /q "C:\wininiti.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2852

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 500
1⤵
- Runs ping.exe
PID:2704

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
1⤵
- Interacts with shadow copies
PID:2448

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 500
1⤵
- Runs ping.exe
PID:2476

C:\Windows\system32\bcdedit.exe
bcdedit /set bootstatuspolicy ignoreallfailures
1⤵
- Modifies boot configuration data using bcdedit
PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Destruction

T1485

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\MICROSOFT_UPDATE\Microsoft_SQL_SERVER.exe

Filesize
50KB

MD5
0fca3301ddc6e5a3973dbba53ae2b0f8

SHA1
f1aac2b2ab9e51cf13d291cb09d9ff17c49b5cbf

SHA256
599251d420080ce2d53bf2c49a8784ef478c1601546075c62fb982caba18cbe0

SHA512
2aa43c1fdd6b2ab97c035b74d9697e0f46482256d0b7a23ffc5d1357263ab720c968bb367c31f0c009a023989351d50670c6847798b3bc40b1f22cc71b336df3

Download Submit
C:\Program Files\MICROSOFT_UPDATE\Microsoft_SQL_SERVER.exe

Filesize
110KB

MD5
0fc4632aef8d38ee73163ce23a090427

SHA1
fa33c57c45810351cb41a461fe7c0f2d4a8b8a24

SHA256
723b94bb2cc0d37fcfcce23326c5d2c41c47862dfb2091bc74af54d3f4f32ec5

SHA512
03de2b9a1558d7d706d60f6a04b8ef1c9ed748f25ac9e6cc1c1e92759bb6b24071c2588394d42798484254c0bf5cb119e02e668d845476f258d00223008b6f04

Download Submit
C:\Program Files\MICROSOFT_UPDATE\libcrypto-1_1-x64.dll

Filesize
133KB

MD5
a81de43f4a1e1562e1853d68aad2288b

SHA1
0d49201fe291c7261feb0cf01541f8347fa236be

SHA256
df29ac0ca234c6774a5ea7a63925a3b33d82c2cd2a2f329e90b05f51030168c0

SHA512
f1002871e87e429a5d5681541a32e9e77884558498a43ffb6b817c56f84f32369d9a58beda1a65ecb9d2a0c78a79406dc983738c35c2f646db2f7ce3a41673d2

Download Submit
C:\Program Files\MICROSOFT_UPDATE\libevent-2-1-7.dll

Filesize
95KB

MD5
ea831b14ed059f0ab0a45a81c4924356

SHA1
80441c70d1a2d5fac16406d7ca3005dc910ad850

SHA256
5b78d71781cd6f9c7b7cf1cb8a0234ca9715e61883bc8c38dff81ac14c9498cf

SHA512
54c1c0baaa20144f3a52675fcb3ea96de4809cfcd5677b52896ac96a16bad1fa3ed5c0d120f98a5af10fcae70e8eb26dcdc94961166935720ec9e06b3942b3eb

Download Submit
C:\Program Files\MICROSOFT_UPDATE\libssl-1_1-x64.dll

Filesize
64KB

MD5
82a231fb2642b9cec8f443de457e9237

SHA1
64ddf3736fe854634230718a5bff645965f6611c

SHA256
e56bba17d0f8ed318bdf56d07ac7797d2ada5ef454eb764cd1055fa299be87db

SHA512
d5438c0086882fbbbe7daa4e1410c2ff225103e3c47d951307bd7107fccccd9ed64451061f68aafe107751b065079cb30b7a566969dc82aa220c808160d83dd6

Download Submit
C:\Program Files\MICROSOFT_UPDATE\libssp-0.dll

Filesize
46KB

MD5
a54cef7ee35c0f258e45e410ebed95d7

SHA1
64a54de785bf785535c3c94010d0848055afe71f

SHA256
b8b809d615e49fc8b3303506f10ca87789ce33acc3da1b8b683bf50c301f5a66

SHA512
143fba2a3c8c716e93d27a3adedef619d306b9e7028ea5b828af9c54673d261720a4e75fa81bcf996b44ccf5c2c83237cc1e3936521114f19e3c2a51bf589520

Download Submit
C:\Program Files\MICROSOFT_UPDATE\libwinpthread-1.dll

Filesize
238KB

MD5
aaca2f9ea289a415b89c74066814352a

SHA1
845a38b354504720b1e36f61747768146e279222

SHA256
18f31affef60b92330a8861d5d4d39b064333e1c9207bff615a0ef96c8c22467

SHA512
3be99fc6de1af6c034dd48c3ee9f16045e68f52703d46ee01645c0a06920abeb74192d2076ad5c3b14a9912358aceb49a23accc59763938bd04e1812ac199e9d

Download Submit
C:\Program Files\MICROSOFT_UPDATE\zlib1.dll

Filesize
106KB

MD5
e77100e1b6a41bbd7c4bed66953a14a0

SHA1
6a1697c1861f490ae3636dd31cda75e9f76daaf3

SHA256
ec987ba5a34e873e1b9289ce2b994839c439c6155185f4a7c9c2f0e7422f571c

SHA512
1e34ee8ba5be38af089b3c171b7aaf31bf7ea4c434b6c4992c86c58fe7e17cd1b752fa33858a728ce8cad67cb8e0fa9e7df193660df22cfdb8c7cc70e35a5cc3

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp

Filesize
256KB

MD5
280aee721ff6ddeccc0ce2b32437e35d

SHA1
933f0a254a79a48629cb3f7cbdea639905228774

SHA256
dcaa9ee01946d4d9e115e9c72c335fd7b78edcbd07e3f6646f2db307dff86552

SHA512
d556b7c37902ce3fbd2c5b749c5f2921a1854d146f2dc4310953bddd4b1e8a2554ce4d3266b01e322d230b64d76ac7d8427f9c89b4f6584e15c79c20a4b02440

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
320KB

MD5
36c00e95f7bad741d3a44111b6dbd8a0

SHA1
f3108fceefefa9dab5bb1fa9db40f38313ff2702

SHA256
e28da13143c98b04c4e0a9e3294466a53fa234b92607cf93cf242a6bc01d9aa9

SHA512
a1dbb99cd5e7dfcc86ef54bc7265b461616269517fefd45378abb62c4b6879adfff1c3f55706e31fd72398d1ae9eeb2b4828cb335c651f2c07d11dbd97d17635

Download Submit
C:\wininiti.exe

Filesize
303KB

MD5
ec6326730be7de618dd565ed2e2cf6e5

SHA1
f4c658f52d7623660fd70cfc88b57e5439869db3

SHA256
40c78d81bbade1072b04bb17197d496bdb2bd72f227ca71cdaf43886031d952b

SHA512
e0f9968d55d7d4e9c8f82b9e6695a1c60fd2266365d0f3c00600570f7dccd57286846a195ad8323d8e3ecfba7f2667ba1b8e6d692e410a048f1963eb087470ef

Download Submit
C:\wininiti.exe

Filesize
668KB

MD5
885ca61e9a92c4e97a553eb647220dc1

SHA1
5dfb716ec29dd5dda9b5ab997e7ff8635d755d21

SHA256
2bc696d47694e6769092a09d18b296295be1a5c88fa944353f657e715b5de21d

SHA512
0966d6281afc80203a6ed4c7c4bfd8f265a08b24740c049be602889fda877e46883897172f01b196088eb52fa2380a8657a9776ccbba52b87f9f0ab749a12397

Download Submit
\Program Files\MICROSOFT_UPDATE\Microsoft_SQL_SERVER.exe

Filesize
183KB

MD5
58992e6cb10f644347d7fd99dfcc8c0e

SHA1
6151da39ae261251a2258dc53ad78481a7119e3b

SHA256
73f6f389f62a50b1b68b9713bac09f316011243764e99a8fdf58734d65b36397

SHA512
ead7ebde7be2032b31433a1749571364854ad1d68fb0582d3d2b20eebd59c2392ec71225115b0249d8d50a365304133d24e6cffb71ee310feaf1ba6ea592d617

Download Submit
\Program Files\MICROSOFT_UPDATE\Microsoft_SQL_SERVER.exe

Filesize
148KB

MD5
7d366bfeb27b40dece6d5cc3ae593066

SHA1
8e9502e9420d3ac0a544c548504446b60f7fe14d

SHA256
a174412e29d013bea314a61e82db6ee505b8e83e3f812bd5776ccfdc89e0563a

SHA512
ea7bf7e8603376094628d6c48810b44e36beb7ae1e7f39d4caa0d5aab498b084f499c6371ff3f5a223ba1e511d6657b1d849f0568efe6c6c74c5921e64ce67f0

Download Submit
\Program Files\MICROSOFT_UPDATE\libcrypto-1_1-x64.dll

Filesize
106KB

MD5
1a445a8d314f36110989d07900da2e8d

SHA1
ef93e063252b88d7f68bab34e3a760ed5ada4192

SHA256
352b6da68a41c475e83df707be2c1b581abcd53e2937d13f71765c1e00ed6dbc

SHA512
4306eb3ae3e4ce9419f817ab2efa5e4cf2a0a02b8197db4fe62f8fb35730222ab03b54a3f4440a6102389f2aca67c00b40a30615ba195f1f3809644602cec413

Download Submit
\Program Files\MICROSOFT_UPDATE\libevent-2-1-7.dll

Filesize
96KB

MD5
a97d5a62b98c0c80787c48509ef048cf

SHA1
5e3e21fed7b60969b46d1be0a469025cbbb060d5

SHA256
2369f16d42618889de42352d1ebfd0f3f48b4cc86dbc2c6f4763d8f3b6b32509

SHA512
cd41f9722263e15ddc43d4b752f4d67df7f5c30ee663280fc7a2a2ef58dbcd50248ffad8cd1bdc4e7c039a10ac1b9ab9d539d6c01806a4763c526be50d8b1e6d

Download Submit
\Program Files\MICROSOFT_UPDATE\libssl-1_1-x64.dll

Filesize
100KB

MD5
c48ca64727805061744b1cfb0d11da81

SHA1
862ee644ab0aba0ef6b0753cd32b794aaa546bc4

SHA256
cb075d4dda84729e6fbf0dc6219e18d93e259fbd5291fbfc033852bad2493abe

SHA512
a1bc4e4d2f828d1afa6a6c888b6011e5504afb78f922be123014ab332de6f1f9597b5296563cc950ec5d71628ed7f33dcde42886516388e7cce76bee22ddf328

Download Submit
\Program Files\MICROSOFT_UPDATE\libssp-0.dll

Filesize
156KB

MD5
09417c4fd974833017d8eaea8a3401d1

SHA1
1e29d7810fec5134a82dbbd708d936c449327aba

SHA256
ae89f4f70d89f5b5c206f3c9495fa9030a61425ad867451e964c9b38bc308916

SHA512
c6994e57589d35d2843eb488bc935b75008fbb1e24970c6bd8121123dbe4fd39b7f9b8e81c4e847585d644984ebb005f885f8a5c0aee1024af9d2dc830d8b15a

Download Submit
\Program Files\MICROSOFT_UPDATE\libwinpthread-1.dll

Filesize
156KB

MD5
390d7678ff347133fe54074c224ada41

SHA1
291a66d9e211f524beec0cec4248d3da516a59a8

SHA256
a3c2267ca7013747c608a2d654ede7388306e84228ecb2f77576b6a0ed158307

SHA512
ac80abb1c3555c42c8611ca559f5934702583e878bb016761d07863561e6adf35c7f5cb9ec7f1151a323c230e55e88486cb71959c048aeec06e85194f8387b95

Download Submit
\Program Files\MICROSOFT_UPDATE\zlib1.dll

Filesize
105KB

MD5
79e4e2499099a075ebb66e3eb391c1a3

SHA1
4d4238480c9aa4451f31686ed81773a2cc6fdaa3

SHA256
bbc52b5d67385d05c57b4950d7a87c82ecd019b6789f3b9451d639e17a657f9f

SHA512
f20efff4048fab00cd0d6e88fa555293253d9c3cf3b0ea57a5d309f39dd1158dbe32856564540b7dd5713f8cf964ef66a6c99d11db4fd75e2aeabf5a42722501

Download Submit
memory/2076-100-0x0000000074960000-0x0000000074A33000-memory.dmp

Filesize
844KB

Download
memory/2076-113-0x00000000010F0000-0x0000000001546000-memory.dmp

Filesize
4.3MB

Download
memory/2076-138-0x00000000010F0000-0x0000000001546000-memory.dmp

Filesize
4.3MB

Download
memory/2076-101-0x0000000074930000-0x0000000074953000-memory.dmp

Filesize
140KB

Download
memory/2076-127-0x00000000010F0000-0x0000000001546000-memory.dmp

Filesize
4.3MB

Download
memory/2076-120-0x00000000010F0000-0x0000000001546000-memory.dmp

Filesize
4.3MB

Download
memory/2076-99-0x0000000074A40000-0x0000000074D2D000-memory.dmp

Filesize
2.9MB

Download
memory/2076-98-0x0000000074D30000-0x0000000074DC8000-memory.dmp

Filesize
608KB

Download
memory/2076-102-0x00000000010F0000-0x0000000001546000-memory.dmp

Filesize
4.3MB

Download
memory/2076-95-0x00000000010F0000-0x0000000001546000-memory.dmp

Filesize
4.3MB

Download
memory/2076-96-0x0000000074E30000-0x0000000074F13000-memory.dmp

Filesize
908KB

Download
memory/2076-97-0x0000000074DD0000-0x0000000074E24000-memory.dmp

Filesize
336KB

Download
memory/2116-24-0x000000013F8F0000-0x000000014074B000-memory.dmp

Filesize
14.4MB

Download
memory/2116-1-0x000000013F8F0000-0x000000014074B000-memory.dmp

Filesize
14.4MB

Download
memory/2248-7-0x000000013F2C0000-0x00000001405DA000-memory.dmp

Filesize
19.1MB

Download
memory/2248-27-0x000000013F2C0000-0x00000001405DA000-memory.dmp

Filesize
19.1MB

Download
memory/3068-21-0x0000000140000000-0x0000000140FFE000-memory.dmp

Filesize
16.0MB

Download
memory/3068-18-0x0000000140000000-0x0000000140FFE000-memory.dmp

Filesize
16.0MB

Download
memory/3068-9-0x0000000140000000-0x0000000140FFE000-memory.dmp

Filesize
16.0MB

Download
memory/3068-13-0x0000000140000000-0x0000000140FFE000-memory.dmp

Filesize
16.0MB

Download
memory/3068-15-0x0000000140000000-0x0000000140FFE000-memory.dmp

Filesize
16.0MB

Download
memory/3068-16-0x0000000140000000-0x0000000140FFE000-memory.dmp

Filesize
16.0MB

Download
memory/3068-17-0x0000000140000000-0x0000000140FFE000-memory.dmp

Filesize
16.0MB

Download
memory/3068-6-0x0000000140000000-0x0000000140FFE000-memory.dmp

Filesize
16.0MB

Download
memory/3068-19-0x0000000140000000-0x0000000140FFE000-memory.dmp

Filesize
16.0MB

Download
memory/3068-20-0x0000000140000000-0x0000000140FFE000-memory.dmp

Filesize
16.0MB

Download
memory/3068-31-0x0000000140000000-0x0000000140FFE000-memory.dmp

Filesize
16.0MB

Download
memory/3068-109-0x0000000140000000-0x0000000140FFE000-memory.dmp

Filesize
16.0MB

Download
memory/3068-22-0x0000000140000000-0x0000000140FFE000-memory.dmp

Filesize
16.0MB

Download
memory/3068-23-0x0000000140000000-0x0000000140FFE000-memory.dmp

Filesize
16.0MB

Download
memory/3068-25-0x000007FFFFFD9000-0x000007FFFFFDA000-memory.dmp

Filesize
4KB

Download
memory/3068-29-0x0000000140000000-0x0000000140FFE000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads