29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2022 05:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
Size

918KB
MD5

72233abb3b0ab88ffcb01d0c5840d890
SHA1

361c6f8569a5e2d16c1bc9d92fd6702de6af124c
SHA256

29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5
SHA512

56860c804740567412679ad11abd6714337da710a245873dc753c5db06c68bd7be1e61a08765fb545fe2f6a4f43ecec292d43d66ed2f9ab94e920e470a023882
SSDEEP

24576:VBmTZE9bUix084d2mVWcaW2nrwqbqzcClwcbcI:qkoPwxWvJNwiT

Score

8^/10

bootkit discovery evasion persistence trojan

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2264	shandian.exe
1852	shandian.exe
4172	shandian.exe
2732	shandian.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe

Loads dropped DLL 6 IoCs

pid	Process
4924	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
4924	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
4924	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
4924	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
4924	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
4924	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\shandian = "C:\\Program Files (x86)\\shandian\\shandian.exe"	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	shandian.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	shandian.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
File opened for modification	\??\PhysicalDrive0	shandian.exe
File opened for modification	\??\PhysicalDrive0	shandian.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\shandian\ico\anquan.ico	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
File created	C:\PROGRA~2\shandian\bin\theworld.ac	shandian.exe
File created	C:\PROGRA~2\shandian\bin\twcache.ini	shandian.exe
File opened for modification	C:\PROGRA~2\shandian\bin\twcache.ini	shandian.exe
File created	C:\Program Files (x86)\shandian\bin\shandian.exe	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
File created	C:\Program Files (x86)\shandian\bin\shandian.ini	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
File created	C:\Program Files (x86)\shandian\ico\360.ico	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
File opened for modification	C:\Program Files (x86)\shandian\bin\shandian.ini	shandian.exe
File opened for modification	C:\Program Files (x86)\shandian\config.ini	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
File created	C:\Program Files (x86)\shandian\uninst.exe	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
File created	C:\Program Files (x86)\shandian\bin\shandian.ini.tmp	shandian.exe
File opened for modification	C:\PROGRA~2\shandian\bin\twcache.ini	shandian.exe
File created	C:\Program Files (x86)\shandian\bin\shandian.ini.tmp	shandian.exe
File created	C:\Program Files (x86)\shandian\ico\ie.ico	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
File created	C:\Program Files (x86)\shandian\ico\taobao.ico	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
File opened for modification	C:\PROGRA~2\shandian\bin\theworld.ac	shandian.exe
File created	C:\PROGRA~2\shandian\bin\theworld.ac	shandian.exe
File opened for modification	C:\Program Files (x86)\shandian\bin\shandian.ini	shandian.exe
File created	C:\Program Files (x86)\shandian\home.bat	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
File created	C:\Program Files (x86)\shandian\shandian.exe	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
File opened for modification	C:\PROGRA~2\shandian\bin\theworld.ac	shandian.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT	shandian.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT\shandian.exe = "0"	shandian.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE	shandian.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\shandian.exe = "1"	shandian.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION	shandian.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\shandian.exe = "1"	shandian.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jlbnh.com/?tn 3"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jlbnh.com"	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	reg.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4172	shandian.exe
4172	shandian.exe
2732	shandian.exe
2732	shandian.exe
4172	shandian.exe
4172	shandian.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4172	shandian.exe
2732	shandian.exe
4172	shandian.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1852	shandian.exe
2264	shandian.exe
2732	shandian.exe
2732	shandian.exe
4172	shandian.exe
4172	shandian.exe
2732	shandian.exe
2732	shandian.exe
4172	shandian.exe
4172	shandian.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 2264	4924	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe	90
PID 4924 wrote to memory of 2264	4924	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe	90
PID 4924 wrote to memory of 2264	4924	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe	90
PID 4924 wrote to memory of 1852	4924	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe	91
PID 4924 wrote to memory of 1852	4924	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe	91
PID 4924 wrote to memory of 1852	4924	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe	91
PID 4924 wrote to memory of 4316	4924	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe	92
PID 4924 wrote to memory of 4316	4924	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe	92
PID 4924 wrote to memory of 4316	4924	29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe	92
PID 4316 wrote to memory of 1512	4316	cmd.exe	94
PID 4316 wrote to memory of 1512	4316	cmd.exe	94
PID 4316 wrote to memory of 1512	4316	cmd.exe	94
PID 4316 wrote to memory of 3792	4316	cmd.exe	95
PID 4316 wrote to memory of 3792	4316	cmd.exe	95
PID 4316 wrote to memory of 3792	4316	cmd.exe	95
PID 4316 wrote to memory of 748	4316	cmd.exe	96
PID 4316 wrote to memory of 748	4316	cmd.exe	96
PID 4316 wrote to memory of 748	4316	cmd.exe	96
PID 1852 wrote to memory of 4172	1852	shandian.exe	98
PID 1852 wrote to memory of 4172	1852	shandian.exe	98
PID 1852 wrote to memory of 4172	1852	shandian.exe	98
PID 2264 wrote to memory of 2732	2264	shandian.exe	97
PID 2264 wrote to memory of 2732	2264	shandian.exe	97
PID 2264 wrote to memory of 2732	2264	shandian.exe	97

C:\Users\Admin\AppData\Local\Temp\29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe
"C:\Users\Admin\AppData\Local\Temp\29cf677f3259c567880791f3c08c048f9e97726c59b46b7b9f9361ac13de08a5.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies Internet Explorer start page
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Program Files (x86)\shandian\shandian.exe
  "C:\Program Files (x86)\shandian\shandian.exe" SW_SHOWNORMAL
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Program Files (x86)\shandian\bin\shandian.exe
    "C:\Program Files (x86)\shandian\bin\shandian.exe"
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Writes to the Master Boot Record (MBR)
    - Drops file in Program Files directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2732
- C:\Program Files (x86)\shandian\shandian.exe
  "C:\Program Files (x86)\shandian\shandian.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Program Files (x86)\shandian\bin\shandian.exe
    "C:\Program Files (x86)\shandian\bin\shandian.exe"
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Writes to the Master Boot Record (MBR)
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:4172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\shandian\home.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command" /v "" /t reg_expand_sz /d "C:\Program Files\Internet Explorer\iexplore.exe http://www.jlbnh.com/?tn 3" /f
    3⤵
    - Modifies registry class
    PID:1512
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\SOFTWARE\Policies\Microsoft\Internet Explorer\Main" /v "Start Page" /d "http://www.jlbnh.com/?tn 3" /f
    3⤵
    PID:3792
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Internet Explorer\Main" /v "Start Page" /d "http://www.jlbnh.com/?tn 3" /f
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    PID:748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\shandian\bin\theworld.ac

Filesize
1KB

MD5
538b29f2742c7c6df28b02017997a217

SHA1
20d9117933923a133a7c14b877aacb614eca39d0

SHA256
47abed58731a192a711f66e4e24b64d859f35e8a0408a2ba73352b924ec4f4a2

SHA512
f98a14c94754f1cc3e15ad9cb6803778e18dfe8876998014f79aac2917111274761301a6fdfcc1cdd284494ef2029508b01c11e68c1dd5e0912dfd0656b0969d

Download Submit
C:\PROGRA~2\shandian\bin\twcache.ini

Filesize
696B

MD5
1a170d9355476a0e07b13fa40237651c

SHA1
f1d4c8f94a2e97ee6232465ba7d32711d4a5b81d

SHA256
75639e7cd0a9a007cf577982f400927d009b5fd0575734938a024435c7f4b87a

SHA512
b0dbfbde38cc31a5436bd2fb2889add30cf413603d1c0e67b536fadda737ac9154db09f0ff6bc6e91eb93c9b2bffdd745eb7c1d2de9e341081a6ec067425bc2e

Download Submit
C:\Program Files (x86)\shandian\bin\shandian.exe

Filesize
1.4MB

MD5
0b8c8dd921f439cdba4e2bbb63fafa6e

SHA1
c00954b5413f7773db7800ab83644eef9af1a6d1

SHA256
77ee2e0a6d9b3be61a86f187487d856bc0ea35b935247bc88036b5e350fc56ef

SHA512
5f2aeabf0de4a56dcb1b68111805f1f4db2f319ad4b313701e7c9f41a6c5095acb3c5ac7553d2cd120a9fdea463cf9f61b4c66f17be8c4719b7dc01f5cb018c8

Download Submit
C:\Program Files (x86)\shandian\bin\shandian.exe

Filesize
1.4MB

MD5
0b8c8dd921f439cdba4e2bbb63fafa6e

SHA1
c00954b5413f7773db7800ab83644eef9af1a6d1

SHA256
77ee2e0a6d9b3be61a86f187487d856bc0ea35b935247bc88036b5e350fc56ef

SHA512
5f2aeabf0de4a56dcb1b68111805f1f4db2f319ad4b313701e7c9f41a6c5095acb3c5ac7553d2cd120a9fdea463cf9f61b4c66f17be8c4719b7dc01f5cb018c8

Download Submit
C:\Program Files (x86)\shandian\bin\shandian.exe

Filesize
1.4MB

MD5
0b8c8dd921f439cdba4e2bbb63fafa6e

SHA1
c00954b5413f7773db7800ab83644eef9af1a6d1

SHA256
77ee2e0a6d9b3be61a86f187487d856bc0ea35b935247bc88036b5e350fc56ef

SHA512
5f2aeabf0de4a56dcb1b68111805f1f4db2f319ad4b313701e7c9f41a6c5095acb3c5ac7553d2cd120a9fdea463cf9f61b4c66f17be8c4719b7dc01f5cb018c8

Download Submit
C:\Program Files (x86)\shandian\bin\shandian.ini

Filesize
122B

MD5
3f5b03bdd9951f83d335c29d74376d14

SHA1
ff88c439563144e3765dcf9e33b174f9c3a40435

SHA256
e8f2a0ed1a28329664e7583b5eff8b354d18eaf9bf218506185d2eddcf7a3d29

SHA512
4e1df33a2155d70105605174976070be6b681c711179c7e18ca9fb5eac867b9dd30c71a05f70fbcf05c221279dfd1c08e09558c0df7256baf8c77da1a21ca444

Download Submit
C:\Program Files (x86)\shandian\bin\shandian.ini

Filesize
74B

MD5
9d36846620a1b56a9d5ace29337db49f

SHA1
93ed1fa019a7b263b38403811af5042688b2100a

SHA256
4b2d9733336aa571d89b34849416e1254d3361cca692ebf97a85c7ca122d2284

SHA512
5b84f8323fd4fed102d9c28c687524560fb051f51ed6c57d71e355357342d93b87362c012695454df56d64dcca012f0df023109e66296d3f079002ac089da88e

Download Submit
C:\Program Files (x86)\shandian\config.ini

Filesize
145B

MD5
f1e1a72a5f406802efd8ec72a4de9f62

SHA1
e40132e4a250147d2d66e85f2210f0a4c7bff0c5

SHA256
d738c4127031be64fcd15fdc586477edde69cc5eebccb3d83c8fd7b69c5d322c

SHA512
7fc14c769ec6b19555c86e16c6c300f15557b48ce62962ba7e6b5ac8acbe87c3a8d5e5c72fc6ef47e0af0c3a358a36d77d47fc94ea1dad184aa70baf2213e647

Download Submit
C:\Program Files (x86)\shandian\home.bat

Filesize
703B

MD5
32ae016db9efcbe0b1ec1a94c2d6e2eb

SHA1
376cf1143cce54a01132e24bce677aa7210dc045

SHA256
8b3b6b6e773017a797ce6b9575d36fdef7b959522bc399df8315c8bbb9af7c72

SHA512
08e3f77fc072881ad9b4942051a5c12032d6e42eed3cd29dc90d1e31d452f8bd682ab9ccfb40720a2d2d67151c5076d6b049d1e4e6c6010e1f235866006ad3b7

Download Submit
C:\Program Files (x86)\shandian\shandian.exe

Filesize
96KB

MD5
b442fa57a35ce2505b4ece4a18d0239b

SHA1
28f6045d76bc77c76738c8f6128b7d6ec65b1865

SHA256
0063f24996e1b897ee94d51fc53593fda3a1c293ecde20f1b921e5e8ee56b4cc

SHA512
420d12e775a793be3230116464deb6c8e1fb442f33600237fa798ebd1e46a66ca4eada265f8eab6644573c098662538af9aae9cfbaea946efbc310923348fe57

Download Submit
C:\Program Files (x86)\shandian\shandian.exe

Filesize
96KB

MD5
b442fa57a35ce2505b4ece4a18d0239b

SHA1
28f6045d76bc77c76738c8f6128b7d6ec65b1865

SHA256
0063f24996e1b897ee94d51fc53593fda3a1c293ecde20f1b921e5e8ee56b4cc

SHA512
420d12e775a793be3230116464deb6c8e1fb442f33600237fa798ebd1e46a66ca4eada265f8eab6644573c098662538af9aae9cfbaea946efbc310923348fe57

Download Submit
C:\Program Files (x86)\shandian\shandian.exe

Filesize
96KB

MD5
b442fa57a35ce2505b4ece4a18d0239b

SHA1
28f6045d76bc77c76738c8f6128b7d6ec65b1865

SHA256
0063f24996e1b897ee94d51fc53593fda3a1c293ecde20f1b921e5e8ee56b4cc

SHA512
420d12e775a793be3230116464deb6c8e1fb442f33600237fa798ebd1e46a66ca4eada265f8eab6644573c098662538af9aae9cfbaea946efbc310923348fe57

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjDFD6.tmp\Md5dll.dll

Filesize
8KB

MD5
a7d710e78711d5ab90e4792763241754

SHA1
f31cecd926c5d497aba163a17b75975ec34beb13

SHA256
9b05dd603f13c196f3f21c43f48834208fed2294f7090fcd1334931014611fb2

SHA512
f0ca2d6f9a8aeac84ef8b051154a041adffc46e3e9aced142e9c7bf5f7272b047e1db421d38cb2d9182d7442bee3dd806618b019ec042a23ae0e71671d2943c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjDFD6.tmp\Md5dll.dll

Filesize
8KB

MD5
a7d710e78711d5ab90e4792763241754

SHA1
f31cecd926c5d497aba163a17b75975ec34beb13

SHA256
9b05dd603f13c196f3f21c43f48834208fed2294f7090fcd1334931014611fb2

SHA512
f0ca2d6f9a8aeac84ef8b051154a041adffc46e3e9aced142e9c7bf5f7272b047e1db421d38cb2d9182d7442bee3dd806618b019ec042a23ae0e71671d2943c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjDFD6.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjDFD6.tmp\bind.dll

Filesize
56KB

MD5
b2181e501ce4b03aa5b01d63dbec0b6e

SHA1
3bdf5e76795d87fd005080ccc84596b16c407364

SHA256
40a9e5e0e902a55218361f6965e909c900866eb1ebe6d7b193a077805fb89394

SHA512
ca48994bc13c3c1a4fa50a969a4add2c2caead38fd64d705f83ed372039d9461cc45f898fd7012f2e399f1da62f51a799a9ad9f1fb5b8cf40ae4070e774ddc0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjDFD6.tmp\xID.dll

Filesize
9KB

MD5
3a5ed71aa9c6846d95d57235c4c443d7

SHA1
08156d29bed654f8f8d7f46ddbce84d22d4710cf

SHA256
5e3fa4d610cb2d80ed9991cb2562bd70c5b4d49dbcf4e42a1017c59eedbe28a4

SHA512
5cdb5059020c20a83f230ae2d75bfb6fd69a03418ba6407336db9f0c653fea1e8f4a51400812da81a8bde2f6e4d95fd80e29eb462e818ddbd881789c00d5d1d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjDFD6.tmp\xID.dll

Filesize
9KB

MD5
3a5ed71aa9c6846d95d57235c4c443d7

SHA1
08156d29bed654f8f8d7f46ddbce84d22d4710cf

SHA256
5e3fa4d610cb2d80ed9991cb2562bd70c5b4d49dbcf4e42a1017c59eedbe28a4

SHA512
5cdb5059020c20a83f230ae2d75bfb6fd69a03418ba6407336db9f0c653fea1e8f4a51400812da81a8bde2f6e4d95fd80e29eb462e818ddbd881789c00d5d1d1

Download Submit
memory/2732-164-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2732-166-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2732-168-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4172-159-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4172-161-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads