27ebd2d00726ee12b45299240442c82c1274241eaf7c99645e1538bec5da05ae

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2024, 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

778a328cc3859c1d26bf89253d76d9f2.exe
Size

10.8MB
MD5

778a328cc3859c1d26bf89253d76d9f2
SHA1

bba3eaecf83c96ab2de719ef1b84209f2d2afb20
SHA256

27ebd2d00726ee12b45299240442c82c1274241eaf7c99645e1538bec5da05ae
SHA512

c8d26a4f817c27eece6daa5e68579397d9c6e9f3ea2e5c16d2db6ebff810858cdb97f4d1c5c563fb3e2fdbefcceeed08d28b94b9c65fc11f8f64fc36993d7d03
SSDEEP

196608:p7G4BFifYizLQ8uGdbwRLTvICzcHWrUDZNEY20EK5pNDOIXKtThkn4L4aGaMeBNy:047ccGbAhcSKUi0t44BN8eGeq

Score

10^/10

evasion ransomware upx

Malware Config

Signatures

Deletes NTFS Change Journal 2 TTPs 1 IoCs

The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

ransomware

Inhibit System Recovery

T1490

Data Destruction

T1485

pid	Process
1196	fsutil.exe

Clears Windows event logs 1 TTPs 4 IoCs

evasion ransomware

Indicator Removal

T1070

pid	Process
3640	wevtutil.exe
3240	wevtutil.exe
1912	wevtutil.exe
2540	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1200	bcdedit.exe
2416	bcdedit.exe
2996	bcdedit.exe
556	bcdedit.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

pid	Process
2988	wininiti.exe
2156	Microsoft_SQL_SERVER.exe

Loads dropped DLL 7 IoCs

pid	Process
2156	Microsoft_SQL_SERVER.exe
2156	Microsoft_SQL_SERVER.exe
2156	Microsoft_SQL_SERVER.exe
2156	Microsoft_SQL_SERVER.exe
2156	Microsoft_SQL_SERVER.exe
2156	Microsoft_SQL_SERVER.exe
2156	Microsoft_SQL_SERVER.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1356-0-0x00007FF6D2850000-0x00007FF6D36AB000-memory.dmp	upx
behavioral2/files/0x0009000000023140-5.dat	upx
behavioral2/files/0x0009000000023140-6.dat	upx
behavioral2/memory/2988-7-0x00007FF7F5CC0000-0x00007FF7F6FDA000-memory.dmp	upx
behavioral2/memory/2988-10-0x00007FF7F5CC0000-0x00007FF7F6FDA000-memory.dmp	upx
behavioral2/memory/1356-13-0x00007FF6D2850000-0x00007FF6D36AB000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2988 set thread context of 1388	2988	wininiti.exe	94

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files\MICROSOFT_UPDATE\libcrypto-1_1-x64.dll	explorer.exe
File created	C:\Program Files\MICROSOFT_UPDATE\libssl-1_1-x64.dll	explorer.exe
File created	C:\Program Files\MICROSOFT_UPDATE\libssp-0.dll	explorer.exe
File created	C:\Program Files\MICROSOFT_UPDATE\libwinpthread-1.dll	explorer.exe
File created	C:\Program Files\MICROSOFT_UPDATE\Microsoft_SQL_SERVER.exe	explorer.exe
File created	C:\Program Files\MICROSOFT_UPDATE\libevent_core-2-1-7.dll	explorer.exe
File created	C:\Program Files\MICROSOFT_UPDATE\libevent_extra-2-1-7.dll	explorer.exe
File created	C:\Program Files\MICROSOFT_UPDATE\libevent-2-1-7.dll	explorer.exe
File created	C:\Program Files\MICROSOFT_UPDATE\libgcc_s_seh-1.dll	explorer.exe
File created	C:\Program Files\MICROSOFT_UPDATE\PluggableTransports\obfs4proxy.exe	explorer.exe
File created	C:\Program Files\MICROSOFT_UPDATE\torrc-defaults	explorer.exe
File created	C:\Program Files\MICROSOFT_UPDATE\zlib1.dll	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
3516	vssadmin.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\byeintegrity3\shell\open\command	778a328cc3859c1d26bf89253d76d9f2.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\byeintegrity3\shell\open	778a328cc3859c1d26bf89253d76d9f2.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\byeintegrity3\shell	778a328cc3859c1d26bf89253d76d9f2.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\byeintegrity3	778a328cc3859c1d26bf89253d76d9f2.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\byeintegrity3\shell\open\command	778a328cc3859c1d26bf89253d76d9f2.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\byeintegrity3	778a328cc3859c1d26bf89253d76d9f2.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\byeintegrity3\shell	778a328cc3859c1d26bf89253d76d9f2.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\byeintegrity3\shell\open	778a328cc3859c1d26bf89253d76d9f2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\byeintegrity3\shell\open\command\ = "C:\\wininiti.exe"	778a328cc3859c1d26bf89253d76d9f2.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
220	PING.EXE
1468	PING.EXE
1892	PING.EXE
2728	PING.EXE

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeBackupPrivilege	3628	vssvc.exe
Token: SeRestorePrivilege	3628	vssvc.exe
Token: SeAuditPrivilege	3628	vssvc.exe
Token: SeSecurityPrivilege	3640	wevtutil.exe
Token: SeBackupPrivilege	3640	wevtutil.exe
Token: SeSecurityPrivilege	3240	wevtutil.exe
Token: SeBackupPrivilege	3240	wevtutil.exe
Token: SeSecurityPrivilege	1912	wevtutil.exe
Token: SeBackupPrivilege	1912	wevtutil.exe
Token: SeSecurityPrivilege	2540	wevtutil.exe
Token: SeBackupPrivilege	2540	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 3664	1356	778a328cc3859c1d26bf89253d76d9f2.exe	87
PID 1356 wrote to memory of 3664	1356	778a328cc3859c1d26bf89253d76d9f2.exe	87
PID 3664 wrote to memory of 220	3664	cmd.exe	89
PID 3664 wrote to memory of 220	3664	cmd.exe	89
PID 2988 wrote to memory of 2124	2988	wininiti.exe	135
PID 2988 wrote to memory of 2124	2988	wininiti.exe	135
PID 2988 wrote to memory of 1388	2988	wininiti.exe	94
PID 2988 wrote to memory of 1388	2988	wininiti.exe	94
PID 2988 wrote to memory of 1388	2988	wininiti.exe	94
PID 2988 wrote to memory of 1388	2988	wininiti.exe	94
PID 2988 wrote to memory of 1388	2988	wininiti.exe	94
PID 2988 wrote to memory of 1388	2988	wininiti.exe	94
PID 2988 wrote to memory of 1388	2988	wininiti.exe	94
PID 2988 wrote to memory of 1388	2988	wininiti.exe	94
PID 2988 wrote to memory of 1388	2988	wininiti.exe	94
PID 2988 wrote to memory of 1388	2988	wininiti.exe	94
PID 2988 wrote to memory of 1388	2988	wininiti.exe	94
PID 2988 wrote to memory of 1388	2988	wininiti.exe	94
PID 2988 wrote to memory of 1388	2988	wininiti.exe	94
PID 2988 wrote to memory of 1388	2988	wininiti.exe	94
PID 2988 wrote to memory of 1388	2988	wininiti.exe	94
PID 2988 wrote to memory of 1388	2988	wininiti.exe	94
PID 2988 wrote to memory of 4788	2988	wininiti.exe	97
PID 2988 wrote to memory of 4788	2988	wininiti.exe	97
PID 1388 wrote to memory of 1588	1388	explorer.exe	99
PID 1388 wrote to memory of 1588	1388	explorer.exe	99
PID 2124 wrote to memory of 1468	2124	svchost.exe	101
PID 2124 wrote to memory of 1468	2124	svchost.exe	101
PID 4788 wrote to memory of 1892	4788	cmd.exe	103
PID 4788 wrote to memory of 1892	4788	cmd.exe	103
PID 1588 wrote to memory of 3516	1588	cmd.exe	102
PID 1588 wrote to memory of 3516	1588	cmd.exe	102
PID 1356 wrote to memory of 1504	1356	778a328cc3859c1d26bf89253d76d9f2.exe	105
PID 1356 wrote to memory of 1504	1356	778a328cc3859c1d26bf89253d76d9f2.exe	105
PID 1388 wrote to memory of 4612	1388	explorer.exe	117
PID 1388 wrote to memory of 4612	1388	explorer.exe	117
PID 1504 wrote to memory of 2728	1504	cmd.exe	110
PID 1504 wrote to memory of 2728	1504	cmd.exe	110
PID 4612 wrote to memory of 3640	4612	cmd.exe	108
PID 4612 wrote to memory of 3640	4612	cmd.exe	108
PID 4612 wrote to memory of 3240	4612	cmd.exe	109
PID 4612 wrote to memory of 3240	4612	cmd.exe	109
PID 4612 wrote to memory of 1912	4612	cmd.exe	112
PID 4612 wrote to memory of 1912	4612	cmd.exe	112
PID 4612 wrote to memory of 2540	4612	cmd.exe	113
PID 4612 wrote to memory of 2540	4612	cmd.exe	113
PID 4612 wrote to memory of 1196	4612	cmd.exe	114
PID 4612 wrote to memory of 1196	4612	cmd.exe	114
PID 1388 wrote to memory of 596	1388	explorer.exe	116
PID 1388 wrote to memory of 596	1388	explorer.exe	116
PID 596 wrote to memory of 1200	596	cmd.exe	118
PID 596 wrote to memory of 1200	596	cmd.exe	118
PID 1388 wrote to memory of 4900	1388	explorer.exe	121
PID 1388 wrote to memory of 4900	1388	explorer.exe	121
PID 4900 wrote to memory of 2416	4900	cmd.exe	120
PID 4900 wrote to memory of 2416	4900	cmd.exe	120
PID 1388 wrote to memory of 3492	1388	explorer.exe	122
PID 1388 wrote to memory of 3492	1388	explorer.exe	122
PID 3492 wrote to memory of 2996	3492	cmd.exe	124
PID 3492 wrote to memory of 2996	3492	cmd.exe	124
PID 1388 wrote to memory of 5004	1388	explorer.exe	126
PID 1388 wrote to memory of 5004	1388	explorer.exe	126
PID 5004 wrote to memory of 556	5004	cmd.exe	127
PID 5004 wrote to memory of 556	5004	cmd.exe	127

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\778a328cc3859c1d26bf89253d76d9f2.exe
"C:\Users\Admin\AppData\Local\Temp\778a328cc3859c1d26bf89253d76d9f2.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /C ping 127.0.0.1 -n 1 -w 500 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\778a328cc3859c1d26bf89253d76d9f2.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3664
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 1 -w 500
    3⤵
    - Runs ping.exe
    PID:220
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /C ping 127.0.0.1 -n 1 -w 500 > Nul & Del /f /q "򇗝򇗝򇗝򇗝򇗝򇗝򇗝򇗝򇗝򇗝򇗝
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 1 -w 500
    3⤵
    - Runs ping.exe
    PID:2728

C:\wininiti.exe
"C:\wininiti.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\WINDOWS\system32\cmd.exe
    "C:\WINDOWS\system32\cmd.exe" /c "vssadmin delete shadows /all /quiet"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:3516
- - C:\WINDOWS\system32\cmd.exe
    "C:\WINDOWS\system32\cmd.exe" /c "bcdedit /set bootstatuspolicy ignoreallfailures"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:596
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1200
- - C:\WINDOWS\system32\cmd.exe
    "C:\WINDOWS\system32\cmd.exe" /c "wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4612
- - C:\WINDOWS\system32\cmd.exe
    "C:\WINDOWS\system32\cmd.exe" /c "bcdedit /set recoveryenabled No"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4900
- - C:\WINDOWS\system32\cmd.exe
    "C:\WINDOWS\system32\cmd.exe" /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3492
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2996
- - C:\WINDOWS\system32\cmd.exe
    "C:\WINDOWS\system32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5004
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled No
      4⤵
      Modifies boot configuration data using bcdedit
      PID:556
- - C:\Program Files\MICROSOFT_UPDATE\Microsoft_SQL_SERVER.exe
    "C:\Program Files\MICROSOFT_UPDATE\Microsoft_SQL_SERVER.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2156
- C:\Windows\system32\cmd.exe
  cmd.exe /C ping 127.0.0.1 -n 1 -w 500 > Nul & Del /f /q "C:\wininiti.exe"
  2⤵
  PID:2124
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 1 -w 500
    3⤵
    - Runs ping.exe
    PID:1468
- C:\Windows\system32\cmd.exe
  cmd.exe /C ping 127.0.0.1 -n 1 -w 500 > Nul & Del /f /q "C:\wininiti.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 1 -w 500
    3⤵
    - Runs ping.exe
    PID:1892

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Windows\system32\wevtutil.exe
wevtutil cl Setup
1⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\system32\wevtutil.exe
wevtutil cl System
1⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:3240

C:\Windows\system32\wevtutil.exe
wevtutil cl Security
1⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\system32\wevtutil.exe
wevtutil cl Application
1⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\system32\fsutil.exe
fsutil usn deletejournal /D C:
1⤵
- Deletes NTFS Change Journal
PID:1196

C:\Windows\system32\bcdedit.exe
bcdedit /set recoveryenabled No
1⤵
- Modifies boot configuration data using bcdedit
PID:2416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
- Suspicious use of WriteProcessMemory
PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Destruction

T1485

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\MICROSOFT_UPDATE\Microsoft_SQL_SERVER.exe

Filesize
380KB

MD5
7f622b419c947f875729892e65010124

SHA1
77da66e9ef037e26cf94691b517f9f178002b52e

SHA256
1c0b2ce2632a2b100626e46e57f21b417500f1b30ab2a24ae3b40d543d593806

SHA512
7ea091dbc2dbd963dacd0a5cd83927080e5987f84d47330e34b59046cd58aaef4eab9e512ce88b8cd52091cf81a55370c5a455bc82332e5cbbf3e9866cb31d7e

Download Submit
C:\Program Files\MICROSOFT_UPDATE\Microsoft_SQL_SERVER.exe

Filesize
773KB

MD5
42f536c1af9484330013f5b5c0644959

SHA1
6366df6c33b0aacb8b436493fb34e5b46ffe4a7e

SHA256
b304b2495d209e6cb3e5c15d03230bdc06b2245c3a5fd9233f098a8966763db6

SHA512
85ff254e08f831fcab6e67d98c9fc921c7442593ed10f1a6572a2d86573eef248c185a5621bc329387c591d3d9cbf5f0320e3c1f9680651eae8ca4afe4ed490e

Download Submit
C:\Program Files\MICROSOFT_UPDATE\Microsoft_SQL_SERVER.exe

Filesize
616KB

MD5
a1c619574ea578e696bb5b07c8fc2989

SHA1
d769b8e206be7c84bfd57048768436bf795ab97d

SHA256
4316a542a4c3d4e6460e3fc1cb886c3c42cd5c4329da0cea4a2cb6d3f5585b57

SHA512
f110f753964e4a3a3bdd553d83ece3e7c465f07b086f829d656a0c8f384bbb7233c4c21c80d63852277a23dbd2fb94682c776000a65375b56472df4ca79f6155

Download Submit
C:\Program Files\MICROSOFT_UPDATE\libcrypto-1_1-x64.dll

Filesize
604KB

MD5
331eb746b19f8733c7aed3fc9f0d3bb3

SHA1
18bfe1005c4f93b83c548201725aa455c427e335

SHA256
809759dcc05904589dd0a6af7a8e57b747901147e397ad7e0921432cabe27223

SHA512
413196907b142b24bcfa0b53a7241dff09b701ea30bbc66bb4a3fb9a5b376059f82c1d93d9cd193793d34d257c68c9298e0393e500463580a3467844044c37ab

Download Submit
C:\Program Files\MICROSOFT_UPDATE\libcrypto-1_1-x64.dll

Filesize
363KB

MD5
1feb49ad984341041581222a5ff79e65

SHA1
9d31c91666587c474c3c9b48c9a8d183eac4d359

SHA256
e8a8aa8877fc7eeae646a8024eaa828ca5a0318996f7f20d2fe8ad374a57d1e9

SHA512
8fe81ec8c89875342992df4d073f9bc181b2f33b7d3903f2244e725e086395d542f56d50097894a9332dde7a2c1094ae1c5dcdedff620e1e6ec9f8c329e9ecc7

Download Submit
C:\Program Files\MICROSOFT_UPDATE\libcrypto-1_1-x64.dll

Filesize
332KB

MD5
430926a52ff18389ea2c87bb745ffe0f

SHA1
2804fd1aa187e939ad622e0ff0d97f2dbc199d98

SHA256
7bfa91a73b9c7872f738ac57251c2056bcb766548a5fe88b3281e9679a3f7b40

SHA512
03e807df415f943af98af20b32e38389719e84315267d1131ebcc82f943880d4f8f8d765932545bd0d7d941cb497ba9dfc5ed122558f863f8dd543531b9c57ca

Download Submit
C:\Program Files\MICROSOFT_UPDATE\libevent-2-1-7.dll

Filesize
665KB

MD5
93e4bf71b771457b66c0925c0221dd86

SHA1
9ff8fe695eea8f44e9aeb1c954ce8533c4554055

SHA256
5ac5e78c5a1e01b917106120e484149968ea3dd26e0d3ba1ba538faa955325c2

SHA512
88e1cda4847207b15718927195b1bd8f17fceaf138f13052eae267e6c4594da7c557ca94924638a3e840e36b2c9c575c958484797927db5570adc3a8f86a4a27

Download Submit
C:\Program Files\MICROSOFT_UPDATE\libevent-2-1-7.dll

Filesize
559KB

MD5
62e07e694a71e5c2b906bde91519d920

SHA1
4329aa4085464b0f2f55cc96b3e6c3fa7a44dd85

SHA256
8e875626d2a309f50460625612166f054f65ba9db0b24a6f4fae509cfe300f6e

SHA512
a81812766f516027447e66a5f83070f5f21ee4ef4b561fc8dacf333af11a19a581e98da3232d116eb56d30bf35fcdc415a18eba769eacbe959b9d41e214481e5

Download Submit
C:\Program Files\MICROSOFT_UPDATE\libssl-1_1-x64.dll

Filesize
414KB

MD5
1791a4087b9c300d8a5bcf92108191cb

SHA1
6558c6d4887eaa85ab18d1250fbc8b4661b57a11

SHA256
d6a6bb03403338f7a5438d4becece674dadeeaf9c5b2ded6dc82d8ceb8f5202f

SHA512
6810c9958c3b56d1668119a59c07c5255bab37c92770f372f8fcaf43d1b280e3715ffff0f36c35771e0e5a0e019ca7c28bd698a34b645c9b5904985af5adcaf0

Download Submit
C:\Program Files\MICROSOFT_UPDATE\libssl-1_1-x64.dll

Filesize
532KB

MD5
72c201bdfa84345134d929380bb6672c

SHA1
fcd5a95b238dde5dcf8543729a9fb724e2bdacf6

SHA256
28d629d7b4d6509c95139449aec724df828535e4bdac858c0cd807aa926adc9b

SHA512
c1c211f7bf18b4a7999aab3a595d630d4bf498749df07bf10615bf276b51b1f615042af1e7db22c179c39e47869157aa55c3495061fcb3a01421973b7ae845a2

Download Submit
C:\Program Files\MICROSOFT_UPDATE\libssp-0.dll

Filesize
313KB

MD5
97d89dec5f6a236b6832a5f3f43ab625

SHA1
18f2696a3bf4d19cac3b677d58ff5e51bf54b9e8

SHA256
c6dca12e0e896df5f9b2db7a502a50d80d4fb014d7ec2f2ceb897b1a81f46ead

SHA512
7e82d1e37dc822a67e08bd1d624d5492f5813a33ec64f13d22caef9db35ebb9bb9913582289ebdecad00e6b6148d750ae0b4437364ef056d732734255498be54

Download Submit
C:\Program Files\MICROSOFT_UPDATE\libssp-0.dll

Filesize
266KB

MD5
d1e3423b6b823042bd77c62eb49f3308

SHA1
6605e956265405dc74906d7ed7226feb51388f1c

SHA256
6b6034ba5a7578530c18946623a899aecd3bcd1c7f9b7f14aa213c22ba4a92a9

SHA512
31ff1d874e624f402d6e25278b0ccd22ebe71af6ea5e5917c9f92a8e272a55d90dd17b84b37875c7f12c1e65f7f3cbd8558cfd8a6e07bb08b6dfc26e10ae9041

Download Submit
C:\Program Files\MICROSOFT_UPDATE\libwinpthread-1.dll

Filesize
608KB

MD5
624304f2ba253b33c265ff2738a10eb9

SHA1
5a337e49dd07f0b6f7fc6341755dc9a298e8b220

SHA256
27b857131977106c4a71ce626225d52a3d6e2932cb6243cb83e47b8d592d0d4f

SHA512
163820961a64b3fda33969cbb320aa743edc7a6bacebe033054c942e7a1d063f096290a59fad1569c607666429e2f3133fcfe31ef37649f9da71b453ef775e5a

Download Submit
C:\Program Files\MICROSOFT_UPDATE\libwinpthread-1.dll

Filesize
423KB

MD5
5e1909e2ac402786bc4537a58ea08dcb

SHA1
a84684bcda984c69a2d4fd6f89ad01aa95ad0a2d

SHA256
09f0cf8fd83f37fadea1af474785c6ed3e5345a11216a5bee2c61cddc0f54dbe

SHA512
4303840fa9aebe0eb4a831ef2190fc3cc3c91a4f886de8f895000b8d0827b7a194fde40aa8b81dcaf0d30500168466411367e5639421883ade93a48220acc1dc

Download Submit
C:\Program Files\MICROSOFT_UPDATE\zlib1.dll

Filesize
107KB

MD5
d490b6c224e332a706dd3cd210f32aa8

SHA1
1f0769e1fffddac3d14eb79f16508cb6cc272347

SHA256
da9185e45fdcbee17fcd9292979b20f32aa4c82bc2cb356b4c7278029e247557

SHA512
43ce8d4ee07d437aaca3f345af129ff5401f1f08b1292d1e320096ba41e2529f41ce9105e3901cb4ecb1e8fde12c9298819961b0e6896c69b62f5983df9b0da3

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp

Filesize
92KB

MD5
485e7547e731cc9f83c44df2835282cd

SHA1
b8764b6d2c09862a3e9d22bedf28c2093eda2ac7

SHA256
3aa62e63652158097df7f57774b20430b09569012482ac7e1859ff002257f43a

SHA512
6ead61a48000463c9b3157674318f11b54c79e0799a63415c50d402757595ee65b99d904715d2aab6c63dbd74d34fe9646d59a61a454527d9b929e9332987327

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
675KB

MD5
4f83827f5f60849bebc435304a9b1076

SHA1
56efced6671fe52f2d4dc38ff19516443e6fee4d

SHA256
877bd21dad3b028b6803fd6105cd83fb7afc1c43a14560db806ed0e93b8124ed

SHA512
30eb07281af5bcf67c766a38901e4a0e8aced5fd3e5853559c3d0b0d4774b30f6033de5f7960f38ec2f9cf5f33fdcf720697599aa10d4fcf85b15dda22b13840

Download Submit
C:\wininiti.exe

Filesize
2.6MB

MD5
b5862597b06affa9e052dea48d415dd0

SHA1
11eec4939217599d8569bba7add8efbdf69e6a89

SHA256
88e4cb6fe30fecd01b01c72ba53d9dd7dbe64b7db3b0dd822c08e8ad883689a3

SHA512
2c86b8970e28b2fab253788f25ee1b1dabc842cc90bf017ae263cadd89f7f9cbc020a1505a4b7a09e7d0bc736a97128e87259144879c378b3529493b717a0caf

Download Submit
C:\wininiti.exe

Filesize
2.8MB

MD5
8277a17f5926075b79193a33b56e34b2

SHA1
94cc3878aee6c8b46c2658807adc0a2cfb4ff1d7

SHA256
a3ff770801660fd06bf52ff2bb8d0f07d76c869acc0944a4e26fa5b828ed10b3

SHA512
f85eb629bcce068d8bb91c662ffa036afdbd2b636c477286fcbd950812b530ffd252281df279bb7805530a7565e5199968d0ecf66a7869ad47bcc1537cfba005

Download Submit
memory/1356-13-0x00007FF6D2850000-0x00007FF6D36AB000-memory.dmp

Filesize
14.4MB

Download
memory/1356-0-0x00007FF6D2850000-0x00007FF6D36AB000-memory.dmp

Filesize
14.4MB

Download
memory/1388-117-0x0000000140000000-0x0000000140FFE000-memory.dmp

Filesize
16.0MB

Download
memory/1388-87-0x0000000140000000-0x0000000140FFE000-memory.dmp

Filesize
16.0MB

Download
memory/1388-8-0x0000000140000000-0x0000000140FFE000-memory.dmp

Filesize
16.0MB

Download
memory/1388-9-0x0000000140000000-0x0000000140FFE000-memory.dmp

Filesize
16.0MB

Download
memory/1388-11-0x0000000140000000-0x0000000140FFE000-memory.dmp

Filesize
16.0MB

Download
memory/1388-12-0x0000000140000000-0x0000000140FFE000-memory.dmp

Filesize
16.0MB

Download
memory/2156-68-0x00000000599C0000-0x00000000599E3000-memory.dmp

Filesize
140KB

Download
memory/2156-88-0x0000000000150000-0x00000000005A6000-memory.dmp

Filesize
4.3MB

Download
memory/2156-67-0x00000000599F0000-0x0000000059AC3000-memory.dmp

Filesize
844KB

Download
memory/2156-66-0x0000000059AD0000-0x0000000059B24000-memory.dmp

Filesize
336KB

Download
memory/2156-65-0x0000000059B30000-0x0000000059C13000-memory.dmp

Filesize
908KB

Download
memory/2156-64-0x0000000000150000-0x00000000005A6000-memory.dmp

Filesize
4.3MB

Download
memory/2156-70-0x0000000059630000-0x000000005991D000-memory.dmp

Filesize
2.9MB

Download
memory/2156-80-0x0000000000150000-0x00000000005A6000-memory.dmp

Filesize
4.3MB

Download
memory/2156-145-0x0000000000150000-0x00000000005A6000-memory.dmp

Filesize
4.3MB

Download
memory/2156-69-0x0000000059920000-0x00000000599B8000-memory.dmp

Filesize
608KB

Download
memory/2156-98-0x0000000000150000-0x00000000005A6000-memory.dmp

Filesize
4.3MB

Download
memory/2156-110-0x0000000000150000-0x00000000005A6000-memory.dmp

Filesize
4.3MB

Download
memory/2156-135-0x0000000000150000-0x00000000005A6000-memory.dmp

Filesize
4.3MB

Download
memory/2156-121-0x0000000000150000-0x00000000005A6000-memory.dmp

Filesize
4.3MB

Download
memory/2156-128-0x0000000000150000-0x00000000005A6000-memory.dmp

Filesize
4.3MB

Download
memory/2988-10-0x00007FF7F5CC0000-0x00007FF7F6FDA000-memory.dmp

Filesize
19.1MB

Download
memory/2988-7-0x00007FF7F5CC0000-0x00007FF7F6FDA000-memory.dmp

Filesize
19.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads