1e5803bb12d5780811ca954d4ca26ea5f5ea6320effea8e359868c2040171861

Analysis

max time kernel
150s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e5803bb12d5780811ca954d4ca26ea5f5ea6320effea8e359868c2040171861.exe
Size

2.7MB
MD5

a1a2fa75449ba08a3325a39c2f36df3c
SHA1

4604e8e7cb8ff0280eef36c7b788380b41cd202b
SHA256

1e5803bb12d5780811ca954d4ca26ea5f5ea6320effea8e359868c2040171861
SHA512

0924fd672325c596cd38a7938e3a8172778183a9ef17b25bd793610757aa8111e75e0e9b5afd5d973bc4db9aa1355afaa38ac82996303a067944899271f6bce1
SSDEEP

49152:J8+3w3057TuzSYMZPVy2NvHHTub2XE3cBmea7KMl0kEdgliyh23xj3USx:JH36272MFNNv22XOH7K40kEWcyk35USx

Score

9^/10

persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0006000000014c4a-80.dat	acprotect
behavioral1/files/0x0006000000014c4a-79.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
1920	zipfreerun.exe
960	zipfreerun.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000014c4a-80.dat	upx
behavioral1/files/0x0006000000014c4a-79.dat	upx
behavioral1/memory/960-81-0x0000000010000000-0x0000000010105000-memory.dmp	upx
behavioral1/memory/960-94-0x0000000010000000-0x000000001025B000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	zipfreerun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	zipfreerun.exe

Loads dropped DLL 7 IoCs

pid	Process
1928	1e5803bb12d5780811ca954d4ca26ea5f5ea6320effea8e359868c2040171861.exe
1928	1e5803bb12d5780811ca954d4ca26ea5f5ea6320effea8e359868c2040171861.exe
1928	1e5803bb12d5780811ca954d4ca26ea5f5ea6320effea8e359868c2040171861.exe
1928	1e5803bb12d5780811ca954d4ca26ea5f5ea6320effea8e359868c2040171861.exe
1928	1e5803bb12d5780811ca954d4ca26ea5f5ea6320effea8e359868c2040171861.exe
1928	1e5803bb12d5780811ca954d4ca26ea5f5ea6320effea8e359868c2040171861.exe
960	zipfreerun.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	zipfreerun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winxgz = "\"C:\\Users\\Admin\\AppData\\Roaming\\zipfreerun\\zipfreerun.exe\" autostart "	zipfreerun.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 29 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\Control	zipfreerun.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	zipfreerun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\InprocServer32\Class = "Microsoft.Office.Interop.Outlook._DocSiteControlClass"	zipfreerun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\LocalServer32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\OUTLOOK.EXE"	zipfreerun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\MiscStatus\1\ = "131200"	zipfreerun.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}	zipfreerun.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\InprocHandler32	zipfreerun.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\InprocServer32\14.0.0.0	zipfreerun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\ToolboxBitmap32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\OUTLOOK.EXE, 5518"	zipfreerun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\Version\ = "9.4"	zipfreerun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\InprocHandler32\ = "ole32.dll"	zipfreerun.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\InprocServer32	zipfreerun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\ProgId\ = "DOCSITE.DocSiteControl.1"	zipfreerun.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\ToolboxBitmap32	zipfreerun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\Typelib\ = "{00062FFF-0000-0000-C000-000000000046}"	zipfreerun.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\Version	zipfreerun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\InprocServer32\Assembly = "Microsoft.Office.Interop.Outlook, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	zipfreerun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\InprocServer32\RuntimeVersion = "v2.0.50727"	zipfreerun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\InprocServer32\14.0.0.0\Assembly = "Microsoft.Office.Interop.Outlook, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	zipfreerun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\InprocServer32\14.0.0.0\RuntimeVersion = "v2.0.50727"	zipfreerun.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\MiscStatus	zipfreerun.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\ProgId	zipfreerun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\ = "Microsoft Outlook Body Control"	zipfreerun.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\Implemented Categories	zipfreerun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\InprocServer32\14.0.0.0\Class = "Microsoft.Office.Interop.Outlook._DocSiteControlClass"	zipfreerun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\MiscStatus\ = "0"	zipfreerun.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\MiscStatus\1	zipfreerun.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\LocalServer32	zipfreerun.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\Typelib	zipfreerun.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8053909E76309C083B3F7B9F2536F1E0A39BF961\Blob = 0300000001000000140000008053909e76309c083b3f7b9f2536f1e0a39bf9612000000001000000130200003082020f3082017ca003020102021022dff2e8186a358d43d10ca144624646300906052b0e03021d05003018311630140603550403130d496e67656e536f667477617265301e170d3131303931333036333631305a170d3339313233313233353935395a3018311630140603550403130d496e67656e536f66747761726530819f300d06092a864886f70d010101050003818d0030818902818100c11b39ed14ea3a387e4722a4262ea76be7de240326e608672fd1d0ac5ec11eb9ca85588624ed2f8384d09c976862cddac1b6241797d1bd6431f23b937eda2eb257039cd882f906cd5bc1ce09d57e812b02d7bd6942b81a3ad713328f451ff49fc9b35b74ba89de62aea92d2282df178d33484db9ec90b208205bd2ec87e1fdd50203010001a362306030130603551d25040c300a06082b0601050507030330490603551d0104423040801011ab2c82526a44937031ac0b45d78412a11a3018311630140603550403130d496e67656e536f667477617265821022dff2e8186a358d43d10ca144624646300906052b0e03021d0500038181006217b88271e46d69f53d3df0e9915f899987923d1eaae5bf5e1b8d9a3a5f9025baa0710b5e67e6c52c25320c1d9dc016609a6ea5997ea65f98b72410172cfc55609516b4f11e3a2ecde112b6505b8edc458d0f4d2b4419d3062d7991d457a8806b2172b4a552bfd1bd27b799207bf90d911667c834ee0206e7e17c0dcc29d3ab	1e5803bb12d5780811ca954d4ca26ea5f5ea6320effea8e359868c2040171861.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8053909E76309C083B3F7B9F2536F1E0A39BF961	1e5803bb12d5780811ca954d4ca26ea5f5ea6320effea8e359868c2040171861.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\ProgramData\TEMP:BF14D50A	zipfreerun.exe
File opened for modification	C:\ProgramData\TEMP:BF14D50A	zipfreerun.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	960	zipfreerun.exe
Token: SeIncBasePriorityPrivilege	960	zipfreerun.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 1920	1928	1e5803bb12d5780811ca954d4ca26ea5f5ea6320effea8e359868c2040171861.exe	27
PID 1928 wrote to memory of 1920	1928	1e5803bb12d5780811ca954d4ca26ea5f5ea6320effea8e359868c2040171861.exe	27
PID 1928 wrote to memory of 1920	1928	1e5803bb12d5780811ca954d4ca26ea5f5ea6320effea8e359868c2040171861.exe	27
PID 1928 wrote to memory of 1920	1928	1e5803bb12d5780811ca954d4ca26ea5f5ea6320effea8e359868c2040171861.exe	27
PID 1920 wrote to memory of 960	1920	zipfreerun.exe	28
PID 1920 wrote to memory of 960	1920	zipfreerun.exe	28
PID 1920 wrote to memory of 960	1920	zipfreerun.exe	28
PID 1920 wrote to memory of 960	1920	zipfreerun.exe	28

C:\Users\Admin\AppData\Local\Temp\1e5803bb12d5780811ca954d4ca26ea5f5ea6320effea8e359868c2040171861.exe
"C:\Users\Admin\AppData\Local\Temp\1e5803bb12d5780811ca954d4ca26ea5f5ea6320effea8e359868c2040171861.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Roaming\zipfreerun\zipfreerun.exe
  "C:\Users\Admin\AppData\Roaming\zipfreerun\zipfreerun.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Users\Admin\AppData\Roaming\zipfreerun\zipfreerun.exe
    "C:\Users\Admin\AppData\Roaming\zipfreerun\zipfreerun.exe"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    PID:960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\zipfreerun\MyriadWebPro-Condensed.ttf

Filesize
295KB

MD5
86642b7cdddbdb7a084ce0cd43d3facb

SHA1
92d3c9239747fe0ba20e519dbc618e9f0ab2de0d

SHA256
1cd1ed92dff6d44a889073bb685ed6fe1ef195a93d23366ff628ce09af87756c

SHA512
1cdd3c1907a3e2f7a75250f43ed85d7611d1fa8b40d028c5c2bbe3009a6ab426fc5767004728732f5ce1c38b77dacbb963bdbe3527a9f8e1aff5b60ae48b093b

Download Submit
C:\Users\Admin\AppData\Roaming\zipfreerun\a.htm

Filesize
13KB

MD5
26c93a953474bbcc84980c44c32485a5

SHA1
eac1255badaa457be11c2c63bf2ef519ea10397c

SHA256
93fd169e434238fe15080e4c5a52dec6521bdde148b00f8e1c882d7ca049b71b

SHA512
66010a254f419025d646456d45333e0a88e78960074e12500e82810f15dfe3c60c8c5ee95e2330c42256eac6dc933bc11e1639a0d5f3fd218f48c028a593e648

Download Submit
C:\Users\Admin\AppData\Roaming\zipfreerun\css.css

Filesize
6KB

MD5
7495d60277721b7b0ec8684f2653f66d

SHA1
7f9a6dc32d48b512294b5e85134bd5a7c9f120c3

SHA256
18c5762b938d526f8a1c8396f4c44448192589d308fc1429bd735aa633b15a0d

SHA512
d76764744cd8212a01505ec006b80d4cce577b8bf6395593b7b64636a1604ecf447f04fb77a9ab41497c820fed54056594e322dc5df90ba18028adb15c63c0c8

Download Submit
C:\Users\Admin\AppData\Roaming\zipfreerun\dir.png

Filesize
456B

MD5
68ba6211daa2d054918b026d798ffc88

SHA1
726d965043c16168c7f34f95f87ae912ad94e0a7

SHA256
e931973218fe42f3e43cf5018d190b37251c893ac37341c4ce4edcf125c96103

SHA512
7468869693e41fdc7a495830ddd00ebe15b24c66122e7165ea0a2bed2b9df7977dcb610b2b0f8982aa66c1c52a7f70735c4e12a68de80eea4f06b841ba1afb5e

Download Submit
C:\Users\Admin\AppData\Roaming\zipfreerun\dot.gif

Filesize
43B

MD5
325472601571f31e1bf00674c368d335

SHA1
2daeaa8b5f19f0bc209d976c02bd6acb51b00b0a

SHA256
b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b

SHA512
717ea0ff7f3f624c268eccb244e24ec1305ab21557abb3d6f1a7e183ff68a2d28f13d1d2af926c9ef6d1fb16dd8cbe34cd98cacf79091dddc7874dcee21ecfdc

Download Submit
C:\Users\Admin\AppData\Roaming\zipfreerun\foot.png

Filesize
25KB

MD5
141caf6656f143a062320621b2d8993e

SHA1
dba589ac9a7676b7687660bc636ac0a68f8a895c

SHA256
81eb7695f49a5e888340b25ed45e39f256679fbae10497314369ea92c47f015a

SHA512
0dd3861a96bfad1a40626ea04d352afc71032e203c84f04b83be0da026cc233a4b800b1a3c297bd543c80d10ce7e8091238562e506de77faa182df367646f15b

Download Submit
C:\Users\Admin\AppData\Roaming\zipfreerun\htmlayout.dll

Filesize
920KB

MD5
6ed2f0b1b13e068e0e9377298f2c550d

SHA1
8edcb7f3b6b4e578363d12a991a75164a4632521

SHA256
5a63558628f3bc939a393a46d1c201a0fb706ee36f39db5375d2cfa2c72c69b0

SHA512
4b50e8316d170722c7cd717ca8c700e2b1f790531ea750c7fd88864a5a2add4718aa658231d7ba9c8f25ea4478338474762456322c3dba944b34d791856245b4

Download Submit
C:\Users\Admin\AppData\Roaming\zipfreerun\logo.png

Filesize
95KB

MD5
64943706a4c5f038fd533bbac19c075f

SHA1
1807c1075e9df445399934c81265898c53b1c445

SHA256
90a31d523f63992f9881cf5d8072a556c667b1d2b350977795a35cae0421893d

SHA512
3fe1fbef492e3821836a4985be20aced0fc854869448445f545b3ea0239323e6a8193d08fda1de8a393e9e1b39e48098865a091907f1cbe24437b5b1db21df9b

Download Submit
C:\Users\Admin\AppData\Roaming\zipfreerun\logo2.png

Filesize
39KB

MD5
e7fba221516dcd56b53cc2fcb7ca0e60

SHA1
ace043a5eae8f42ceccd1f2836582be6ddbed053

SHA256
bd441bd9d5caac3bf0565daa8a954a03e1431819cb88428d6d3e7e2aecc0c4bd

SHA512
6b8388f740b4db6cfef97faea4c3ea924fb1182454b7c237d568052f5961f6d9dfa16173df119df6a0004265fe8964584c7139ac8639206c7cd5236b7792d67b

Download Submit
C:\Users\Admin\AppData\Roaming\zipfreerun\rules.css

Filesize
155KB

MD5
32e99a735beb8869ece7e0c5641344dc

SHA1
ad074990c3cfafdb836694b54cf54250828aea9b

SHA256
70165a04a6bd0bff2d2a60439bd34f65890a125ce0790ff975bc5a2acdd7e857

SHA512
e63435a9cd0430d956a8d4fe5f4fab230c67ceea2acac07da0d7e9b9d8f41474faea556adaba9a0b852d9ddc95ae37945933857d7119483b3718f721179f48f6

Download Submit
C:\Users\Admin\AppData\Roaming\zipfreerun\scroll.css

Filesize
2KB

MD5
ad3c5b6c9d740342ebf32b325ac350f2

SHA1
efde56a8148cdc9cba1964472395a076482acf74

SHA256
6c4ca5f8b10dfbe9cee55f3d268d28ee44c0c0b7e7ef2f8f3e431cafd2eba501

SHA512
6a58b1e54a36c262835afc6c2e9cf04dc0cf9fdbb65456f6acf627660600afbee7ed1b33f4f189ef20d6abbacbc6a338f97d1230a2df69ae7a548a28a5b7e00a

Download Submit
C:\Users\Admin\AppData\Roaming\zipfreerun\zipfreerun.exe

Filesize
1.3MB

MD5
2e1bb6f44798bb721d7dee89456ab21a

SHA1
c8d1af832e595761149d0be7f70ded2ab1622983

SHA256
b32ecf45e3d99be2aa50f94d4362a2b6df3b51dd033c660a964eb026fa3f896e

SHA512
4d3a6a9d5cabfca0a1482d1b93b4c5c61a426da3c61db57e273fe1e647dab45addaba798e512269d6b12c544e5aea301de5d10ab9527e2eb7cab3ec53c731c6f

Download Submit
C:\Users\Admin\AppData\Roaming\zipfreerun\zipfreerun.exe

Filesize
1.3MB

MD5
2e1bb6f44798bb721d7dee89456ab21a

SHA1
c8d1af832e595761149d0be7f70ded2ab1622983

SHA256
b32ecf45e3d99be2aa50f94d4362a2b6df3b51dd033c660a964eb026fa3f896e

SHA512
4d3a6a9d5cabfca0a1482d1b93b4c5c61a426da3c61db57e273fe1e647dab45addaba798e512269d6b12c544e5aea301de5d10ab9527e2eb7cab3ec53c731c6f

Download Submit
C:\Users\Admin\AppData\Roaming\zipfreerun\zipfreerun.exe

Filesize
1.3MB

MD5
2e1bb6f44798bb721d7dee89456ab21a

SHA1
c8d1af832e595761149d0be7f70ded2ab1622983

SHA256
b32ecf45e3d99be2aa50f94d4362a2b6df3b51dd033c660a964eb026fa3f896e

SHA512
4d3a6a9d5cabfca0a1482d1b93b4c5c61a426da3c61db57e273fe1e647dab45addaba798e512269d6b12c544e5aea301de5d10ab9527e2eb7cab3ec53c731c6f

Download Submit
\Users\Admin\AppData\Local\Temp\nsy5B5C.tmp\Release.dll

Filesize
7KB

MD5
a5f2a9b6dd85efa15d0a5058b6df53bb

SHA1
29dd5acb9ad9b9c6f9c7adaef0490325985f8783

SHA256
42cf5f265bd71ec63072909afcea3ea38f7e1c2b3bfcdf8de75607fb18765c0c

SHA512
8175ae9d1a7210f386cca22726a49dd26728c537d1562c4eb03949089d1023e05ad9c498cfb9cb125f29041ccd8f752b90bdfbb8b9a5f9b522f462d4e593bd02

Download Submit
\Users\Admin\AppData\Local\Temp\nsy5B5C.tmp\Release.dll

Filesize
7KB

MD5
a5f2a9b6dd85efa15d0a5058b6df53bb

SHA1
29dd5acb9ad9b9c6f9c7adaef0490325985f8783

SHA256
42cf5f265bd71ec63072909afcea3ea38f7e1c2b3bfcdf8de75607fb18765c0c

SHA512
8175ae9d1a7210f386cca22726a49dd26728c537d1562c4eb03949089d1023e05ad9c498cfb9cb125f29041ccd8f752b90bdfbb8b9a5f9b522f462d4e593bd02

Download Submit
\Users\Admin\AppData\Local\Temp\nsy5B5C.tmp\Release.dll

Filesize
7KB

MD5
a5f2a9b6dd85efa15d0a5058b6df53bb

SHA1
29dd5acb9ad9b9c6f9c7adaef0490325985f8783

SHA256
42cf5f265bd71ec63072909afcea3ea38f7e1c2b3bfcdf8de75607fb18765c0c

SHA512
8175ae9d1a7210f386cca22726a49dd26728c537d1562c4eb03949089d1023e05ad9c498cfb9cb125f29041ccd8f752b90bdfbb8b9a5f9b522f462d4e593bd02

Download Submit
\Users\Admin\AppData\Local\Temp\nsy5B5C.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Roaming\zipfreerun\htmlayout.dll

Filesize
920KB

MD5
6ed2f0b1b13e068e0e9377298f2c550d

SHA1
8edcb7f3b6b4e578363d12a991a75164a4632521

SHA256
5a63558628f3bc939a393a46d1c201a0fb706ee36f39db5375d2cfa2c72c69b0

SHA512
4b50e8316d170722c7cd717ca8c700e2b1f790531ea750c7fd88864a5a2add4718aa658231d7ba9c8f25ea4478338474762456322c3dba944b34d791856245b4

Download Submit
\Users\Admin\AppData\Roaming\zipfreerun\zipfreerun.exe

Filesize
1.3MB

MD5
2e1bb6f44798bb721d7dee89456ab21a

SHA1
c8d1af832e595761149d0be7f70ded2ab1622983

SHA256
b32ecf45e3d99be2aa50f94d4362a2b6df3b51dd033c660a964eb026fa3f896e

SHA512
4d3a6a9d5cabfca0a1482d1b93b4c5c61a426da3c61db57e273fe1e647dab45addaba798e512269d6b12c544e5aea301de5d10ab9527e2eb7cab3ec53c731c6f

Download Submit
\Users\Admin\AppData\Roaming\zipfreerun\zipfreerun.exe

Filesize
1.3MB

MD5
2e1bb6f44798bb721d7dee89456ab21a

SHA1
c8d1af832e595761149d0be7f70ded2ab1622983

SHA256
b32ecf45e3d99be2aa50f94d4362a2b6df3b51dd033c660a964eb026fa3f896e

SHA512
4d3a6a9d5cabfca0a1482d1b93b4c5c61a426da3c61db57e273fe1e647dab45addaba798e512269d6b12c544e5aea301de5d10ab9527e2eb7cab3ec53c731c6f

Download Submit
memory/960-77-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/960-74-0x0000000002181000-0x0000000002243000-memory.dmp

Filesize
776KB

Download
memory/960-82-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/960-81-0x0000000010000000-0x0000000010105000-memory.dmp

Filesize
1.0MB

Download
memory/960-94-0x0000000010000000-0x000000001025B000-memory.dmp

Filesize
2.4MB

Download
memory/960-78-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/960-83-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/960-67-0x0000000002180000-0x0000000002285000-memory.dmp

Filesize
1.0MB

Download
memory/960-73-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1920-75-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1920-76-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1928-54-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads