77962761f45479d3f928286d49d764835061dcca2ba53b2fc075c6b5d50b6882

Analysis

max time kernel
174s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77962761f45479d3f928286d49d764835061dcca2ba53b2fc075c6b5d50b6882.exe
Size

249KB
MD5

47b02c3ad6695d3d4d1bca1bf0fe1386
SHA1

c5a8f8c74b9c32bc7902ca9579ebd64607ed7440
SHA256

77962761f45479d3f928286d49d764835061dcca2ba53b2fc075c6b5d50b6882
SHA512

bd3ffd1f52648d37960e2bd36f866a69969ff94676dd1a02748fb87ce8736d4a1b36e2191d99c3a274b1e1b6d15d5dce6814cf11b9f0a960be4d24d126dc09c0
SSDEEP

6144:h1OgDPdkBAFZWjadD4s5DUbzLl7NSIF9ZPV3+Aab8:h1OgLdaOIzGIVJ+AZ

Score

9^/10

adware discovery spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0006000000022e59-143.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
3984	50d83ddde440f.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022e59-143.dat	upx
behavioral2/memory/3984-144-0x0000000074D30000-0x0000000074D3A000-memory.dmp	upx

Loads dropped DLL 3 IoCs

pid	Process
3984	50d83ddde440f.exe
3984	50d83ddde440f.exe
3984	50d83ddde440f.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0EEF62E8-AB3B-D8C9-7D41-1742F959A5A6}	50d83ddde440f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0EEF62E8-AB3B-D8C9-7D41-1742F959A5A6}\ = "Zoomex"	50d83ddde440f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0EEF62E8-AB3B-D8C9-7D41-1742F959A5A6}\NoExplorer = "1"	50d83ddde440f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x0006000000022e46-133.dat	nsis_installer_1
behavioral2/files/0x0006000000022e46-133.dat	nsis_installer_2
behavioral2/files/0x0006000000022e46-134.dat	nsis_installer_1
behavioral2/files/0x0006000000022e46-134.dat	nsis_installer_2

Modifies registry class 45 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	50d83ddde440f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	50d83ddde440f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	50d83ddde440f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	50d83ddde440f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	50d83ddde440f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	50d83ddde440f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	50d83ddde440f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	50d83ddde440f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	50d83ddde440f.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{0EEF62E8-AB3B-D8C9-7D41-1742F959A5A6}	50d83ddde440f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	50d83ddde440f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	50d83ddde440f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\Zoomex"	50d83ddde440f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	50d83ddde440f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	50d83ddde440f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	50d83ddde440f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	50d83ddde440f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	50d83ddde440f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	50d83ddde440f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	50d83ddde440f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	50d83ddde440f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EEF62E8-AB3B-D8C9-7D41-1742F959A5A6}\InProcServer32\ = "C:\\ProgramData\\Zoomex\\50d83ddde4448.dll"	50d83ddde440f.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{0EEF62E8-AB3B-D8C9-7D41-1742F959A5A6}\ProgID	50d83ddde440f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	50d83ddde440f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	50d83ddde440f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	50d83ddde440f.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{0EEF62E8-AB3B-D8C9-7D41-1742F959A5A6}\InProcServer32	50d83ddde440f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\Zoomex\\50d83ddde4448.tlb"	50d83ddde440f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	50d83ddde440f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	50d83ddde440f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	50d83ddde440f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	50d83ddde440f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	50d83ddde440f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EEF62E8-AB3B-D8C9-7D41-1742F959A5A6}\ = "Zoomex"	50d83ddde440f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	50d83ddde440f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	50d83ddde440f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	50d83ddde440f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	50d83ddde440f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	50d83ddde440f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EEF62E8-AB3B-D8C9-7D41-1742F959A5A6}\ProgID\ = "Zoomex.1"	50d83ddde440f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	50d83ddde440f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	50d83ddde440f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	50d83ddde440f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EEF62E8-AB3B-D8C9-7D41-1742F959A5A6}\InProcServer32\ThreadingModel = "Apartment"	50d83ddde440f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	50d83ddde440f.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 3984	4936	77962761f45479d3f928286d49d764835061dcca2ba53b2fc075c6b5d50b6882.exe	84
PID 4936 wrote to memory of 3984	4936	77962761f45479d3f928286d49d764835061dcca2ba53b2fc075c6b5d50b6882.exe	84
PID 4936 wrote to memory of 3984	4936	77962761f45479d3f928286d49d764835061dcca2ba53b2fc075c6b5d50b6882.exe	84

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	50d83ddde440f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{0EEF62E8-AB3B-D8C9-7D41-1742F959A5A6} = "1"	50d83ddde440f.exe

C:\Users\Admin\AppData\Local\Temp\77962761f45479d3f928286d49d764835061dcca2ba53b2fc075c6b5d50b6882.exe
"C:\Users\Admin\AppData\Local\Temp\77962761f45479d3f928286d49d764835061dcca2ba53b2fc075c6b5d50b6882.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Users\Admin\AppData\Local\Temp\7zSFAFF.tmp\50d83ddde440f.exe
  .\50d83ddde440f.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  - System policy modification
  PID:3984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Zoomex\50d83ddde4448.dll

Filesize
115KB

MD5
6696822add17061dc0bb8ee5b42cc2d4

SHA1
d4622558ba366f2f94560da301a81c6c16f95a3c

SHA256
73c44d8943947e3cf9ecabdeea4d9a37652614f5490a1f972816be4123795125

SHA512
0f1946ce002441d010f67156f67b9d18e01ba35edfeb66ce8096467d3126b547e5040032253275b173f2dba9bce983775f360d83ec026986b55cb85e4b63f099

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFAFF.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
1f12f496a4698af0c4e16257d727b0a8

SHA1
e6add0914d295b03f23753207532d05f525d063a

SHA256
0850ae7e25be3d6450cb779b109960394597f250bfcd7ffe1e4971448223cd24

SHA512
98e6b51bda79a100f6924c4c241aead71d0dc02a6d0fcceed08970ad478f6d15b459d0cd8202899d548627e0441f828b2afe69f93c08c9d9a26e8219757220ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFAFF.tmp\[email protected]\chrome.manifest

Filesize
116B

MD5
86602eff332f6a01eed558afda0d53ab

SHA1
b0b240eb6fda763affccbbace37cd65271508e6e

SHA256
cd48f4257522ad74769579eba5100a75229c4283a35aebd6d3f264796fd4a1a4

SHA512
308ce607185ca193cbb73a6f94055a8b4796cc8ccd0035c17c23fa169598fc145f631a7f06059668b633298691c130161946f0e69bfef125a36166ace696543e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFAFF.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
25fc5c309f1fdeab7025787ecd5ba4cc

SHA1
d3e1d2df1204b76bbe62361338939d76d8b94af3

SHA256
37ac67876bf30ede4363e08c793a970982e7b5015a7c088c9a2321ce7f38b8c5

SHA512
bbc06d33c29c049ce28d02d44ca645f62f0bc9d676775b69b838d3a35e83d1b65a3fde821bf03cf77b9b41ee2ae503bb8c197208a042daf0a44ea5a9921f3201

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFAFF.tmp\[email protected]\content\zy.xul

Filesize
225B

MD5
0482ef1b81cad540992654c1635cf480

SHA1
2b7a756ddff941f15546b63291edbe7e858f8197

SHA256
0ba1a9c8cba6bc5e7d0ff58b1dc6e9a713f39df3e0d7adc1e00d4e151abe541a

SHA512
98494d5b66aaa2a97b942e6c3412a4163513149b1b04a08a6264769ecc0443927267501af8beacf5b5e94d770dbe9fd198bb64e5a5ea064b601095cab3c12b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFAFF.tmp\[email protected]\install.rdf

Filesize
700B

MD5
9f71a513d83c085d3231b2062b8ead0b

SHA1
dc8bf915b2ccb24f6134855cbea31eb7dd0826bd

SHA256
dfe68c0e5a49c1b45498df8b2ae82dceea0aaf7c4a62ae26f659cb5a6083fc65

SHA512
6a201ed399870a284c32cb1ba88599b74271aed7c7f83ff37f623b4ad9971e488b3cda551d818bc45bd019143439a101bdf0a71486e6cd8bc790ba58dc8c534d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFAFF.tmp\50d83ddde440f.exe

Filesize
70KB

MD5
ebcc3eb1a7021aaead55fb677465a717

SHA1
3c8347f0fd520ee423a4aafea1112a0b06f4b6c8

SHA256
5e74f0e710c067ad82301c7c14ed6afb138f974f351042cfe0ecd275cea2612c

SHA512
0f18c22e6eff8ec90ccc616e62f32701d046185311e01e5f506778fae0c31f35123c3ce756ff2c0eef6f23e06e280f870b80080d11dc6da3aa25901f5a92d995

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFAFF.tmp\50d83ddde440f.exe

Filesize
70KB

MD5
ebcc3eb1a7021aaead55fb677465a717

SHA1
3c8347f0fd520ee423a4aafea1112a0b06f4b6c8

SHA256
5e74f0e710c067ad82301c7c14ed6afb138f974f351042cfe0ecd275cea2612c

SHA512
0f18c22e6eff8ec90ccc616e62f32701d046185311e01e5f506778fae0c31f35123c3ce756ff2c0eef6f23e06e280f870b80080d11dc6da3aa25901f5a92d995

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFAFF.tmp\50d83ddde4448.dll

Filesize
115KB

MD5
6696822add17061dc0bb8ee5b42cc2d4

SHA1
d4622558ba366f2f94560da301a81c6c16f95a3c

SHA256
73c44d8943947e3cf9ecabdeea4d9a37652614f5490a1f972816be4123795125

SHA512
0f1946ce002441d010f67156f67b9d18e01ba35edfeb66ce8096467d3126b547e5040032253275b173f2dba9bce983775f360d83ec026986b55cb85e4b63f099

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFAFF.tmp\50d83ddde4448.tlb

Filesize
2KB

MD5
096a65b8a695249d5d554776f1eeace3

SHA1
2f2506b886a59b4408b23653d8734004ec2dda6d

SHA256
a602c790bcf424c154a082a88a495b256dd5456f627943568c358c74f606c568

SHA512
6e832caff1951b4fdb489997af5736fdbafa1de5573f629fc6798666bffd0ca0715311ce6590202cc970cce4492d94994a588547bb579bf70bc264683bc45cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFAFF.tmp\bldlfbbaonjecbdpnndljdhgmafknjap.crx

Filesize
8KB

MD5
b3f6fac5ed495e261c2ac70b906bb82b

SHA1
b2d12e71ada46d973a135c706708aef7a7c1cda6

SHA256
ee8fbebfe1435f11af7ee65a2b1e3423998fd3a86a806925916fef3692e28327

SHA512
b288883780d55f6e2833e35565db38ab2109d8122c5bc0782d4dd43c83f6fc858fc207af84bf70d2855997a99098b22c7e134703be9f0aeb2e4d7d5c951dd410

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFAFF.tmp\settings.ini

Filesize
6KB

MD5
100e6d5f263b71bdf077fbc3993bfaff

SHA1
fbea45a7c26523b0adc1d810660f093bf0baa2ab

SHA256
cf5ea1526fb850bc05c4adcf8716b7c010def32d9cd17e7ea55aa8953fde74c3

SHA512
d213f98fb6c529d04849d565f5f964ba52b67441df76fded2cca6ecf00f5bb4059c519ca2d716afa28f244db61c5ecdcd3701f4fdcd9ced4ad4ba7b1e7d61e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslFCE4.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslFCE4.tmp\nsJSON.dll

Filesize
7KB

MD5
b9cd1b0fd3af89892348e5cc3108dce7

SHA1
f7bc59bf631303facfc970c0da67a73568e1dca6

SHA256
49b173504eb9cd07e42a3c4deb84c2cd3f3b49c7fb0858aee43ddfc64660e384

SHA512
fdcbdd21b831a92ca686aab5b240f073a89a08588e42439564747cad9160d79cfa8e3c103b6b4f2917684c1a591880203b4303418b85bc040f9f00b6658b0c90

Download Submit
memory/3984-144-0x0000000074D30000-0x0000000074D3A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads