97f0e16f3af3d526e8122a058a07cccd99906b9a50f1d15bcf96283c29949df2

Analysis

max time kernel
177s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97f0e16f3af3d526e8122a058a07cccd99906b9a50f1d15bcf96283c29949df2.exe
Size

249KB
MD5

5954246a0b09e7e8f609434e4b4b6650
SHA1

2b9d4c35b0a9c454de7ce1debd1e5e178276279f
SHA256

97f0e16f3af3d526e8122a058a07cccd99906b9a50f1d15bcf96283c29949df2
SHA512

f8fbd4d44640447a65298c03a7d645cd5185262110d97ebc403e02bb89250a7100b945683c161675bb25d9c3906580b94dd8c7b7e1139d2d4c5b123445752405
SSDEEP

6144:h1OgDPdkBAFZWjadD4s5Nz24TWepY3333XI7aAPRf:h1OgLdaONxTWmYH3wJt

Score

9^/10

adware discovery spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000600000002316c-143.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
1340	50dfba532c798.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000600000002316c-143.dat	upx
behavioral2/memory/1340-147-0x00000000748E0000-0x00000000748EA000-memory.dmp	upx

Loads dropped DLL 3 IoCs

pid	Process
1340	50dfba532c798.exe
1340	50dfba532c798.exe
1340	50dfba532c798.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{029C18AF-4905-D5CC-210F-996EC4B853DE}	50dfba532c798.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{029C18AF-4905-D5CC-210F-996EC4B853DE}\ = "Zoomex"	50dfba532c798.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{029C18AF-4905-D5CC-210F-996EC4B853DE}\NoExplorer = "1"	50dfba532c798.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x0006000000023154-133.dat	nsis_installer_1
behavioral2/files/0x0006000000023154-133.dat	nsis_installer_2
behavioral2/files/0x0006000000023154-134.dat	nsis_installer_1
behavioral2/files/0x0006000000023154-134.dat	nsis_installer_2

Modifies registry class 45 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	50dfba532c798.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	50dfba532c798.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	50dfba532c798.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	50dfba532c798.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	50dfba532c798.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	50dfba532c798.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	50dfba532c798.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	50dfba532c798.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	50dfba532c798.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	50dfba532c798.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\Zoomex\\50dfba532c7ba.tlb"	50dfba532c798.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\Zoomex"	50dfba532c798.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	50dfba532c798.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	50dfba532c798.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	50dfba532c798.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	50dfba532c798.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	50dfba532c798.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	50dfba532c798.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	50dfba532c798.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{029C18AF-4905-D5CC-210F-996EC4B853DE}	50dfba532c798.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	50dfba532c798.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	50dfba532c798.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	50dfba532c798.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	50dfba532c798.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	50dfba532c798.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{029C18AF-4905-D5CC-210F-996EC4B853DE}\InProcServer32\ = "C:\\ProgramData\\Zoomex\\50dfba532c7ba.dll"	50dfba532c798.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	50dfba532c798.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	50dfba532c798.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	50dfba532c798.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	50dfba532c798.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	50dfba532c798.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{029C18AF-4905-D5CC-210F-996EC4B853DE}\ProgID\ = "Zoomex.1"	50dfba532c798.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	50dfba532c798.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	50dfba532c798.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	50dfba532c798.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	50dfba532c798.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{029C18AF-4905-D5CC-210F-996EC4B853DE}\InProcServer32\ThreadingModel = "Apartment"	50dfba532c798.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{029C18AF-4905-D5CC-210F-996EC4B853DE}\ = "Zoomex"	50dfba532c798.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{029C18AF-4905-D5CC-210F-996EC4B853DE}\InProcServer32	50dfba532c798.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{029C18AF-4905-D5CC-210F-996EC4B853DE}\ProgID	50dfba532c798.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	50dfba532c798.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	50dfba532c798.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	50dfba532c798.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	50dfba532c798.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	50dfba532c798.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 1340	1480	97f0e16f3af3d526e8122a058a07cccd99906b9a50f1d15bcf96283c29949df2.exe	81
PID 1480 wrote to memory of 1340	1480	97f0e16f3af3d526e8122a058a07cccd99906b9a50f1d15bcf96283c29949df2.exe	81
PID 1480 wrote to memory of 1340	1480	97f0e16f3af3d526e8122a058a07cccd99906b9a50f1d15bcf96283c29949df2.exe	81

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	50dfba532c798.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{029C18AF-4905-D5CC-210F-996EC4B853DE} = "1"	50dfba532c798.exe

C:\Users\Admin\AppData\Local\Temp\97f0e16f3af3d526e8122a058a07cccd99906b9a50f1d15bcf96283c29949df2.exe
"C:\Users\Admin\AppData\Local\Temp\97f0e16f3af3d526e8122a058a07cccd99906b9a50f1d15bcf96283c29949df2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Users\Admin\AppData\Local\Temp\7zS177F.tmp\50dfba532c798.exe
  .\50dfba532c798.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  - System policy modification
  PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Zoomex\50dfba532c7ba.dll

Filesize
115KB

MD5
6696822add17061dc0bb8ee5b42cc2d4

SHA1
d4622558ba366f2f94560da301a81c6c16f95a3c

SHA256
73c44d8943947e3cf9ecabdeea4d9a37652614f5490a1f972816be4123795125

SHA512
0f1946ce002441d010f67156f67b9d18e01ba35edfeb66ce8096467d3126b547e5040032253275b173f2dba9bce983775f360d83ec026986b55cb85e4b63f099

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS177F.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
cac9a98c64acd255c907c491a47cb2d5

SHA1
485544d52a081850daba1f8ad91a20c9a6a15389

SHA256
7bb7c4d4bf1ca53cf9151d456ec99ec9ad97b60bda13880382751715e4b34826

SHA512
fda65c29fce10a8f5c1d484e5edd2f7e27308e5c919311b80380d99b8f70d50d85922a1acf660e397e9ca10460f3bf5e27a7795f5bfe899f46f706177769f30b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS177F.tmp\[email protected]\chrome.manifest

Filesize
116B

MD5
9857e64f242dd4a48d5a31a3e0c761d4

SHA1
e47ad88186c96bcc8fb1621eeb909e83266bb7fd

SHA256
88506320f46f8b9901e6093cbffdcd55a209d6ce95c8962b96bbf8cc95e95a41

SHA512
64e4f6a46e566cdaa26f62a5e6138e1b9e7794987ea409fa3725e2859822d28489ac73c069ad1502912477a9203f693f1446f9759c537fb79ca0d8645e94f334

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS177F.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
99cee5fce719d7f812f034c2a8b32402

SHA1
1af6911009505b746eb0cb8551f82e4406f5f938

SHA256
a6297dbf7017b866143fd93bf5a5060bcbe556f8b318a469ab8ef9c41c19396f

SHA512
3cbfb8c244992d97ab02b65b8db545c2f9d59129cf399084ac809837dd89afe4ae14773b07bf8be844134b9ea8e44a56cef5c5a7f531041627382cda406d1594

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS177F.tmp\[email protected]\content\zy.xul

Filesize
225B

MD5
e1af1c5513e415aee23d87af1e13e8c3

SHA1
42cc7253efe87671df57afb181f2dc89d20c9739

SHA256
f248a8bfcaf635e94c966319dbb8386469513aa62150c659c1d78bf9c75dfb15

SHA512
9bb2ca34078f1d6b0661cbe0a2b18f74cb8ed888a4103ccd2d197b06b53f1cd642b1de7d3c905361af15d1256a34e62f616267e1ecef0eab2ea6a1a2b3c5f576

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS177F.tmp\[email protected]\install.rdf

Filesize
700B

MD5
dfae962e2bbf61f85eb75de3625b92d6

SHA1
39fa5a32886e4350f67eaf3cdc6f09843278c40b

SHA256
5c0b1955ff416346a00ee6d6ed9072e139e459db79fd1e509ccf8b04d448933b

SHA512
8d0619823bdbcf2987385a89da48d9eb16ca7d1d49ae5953d3ea5ac2357a6f2cc40b334877b6555f73ab12c0daf9bd10f2a532c1e584923fa64aa0d659f37c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS177F.tmp\50dfba532c798.exe

Filesize
70KB

MD5
ebcc3eb1a7021aaead55fb677465a717

SHA1
3c8347f0fd520ee423a4aafea1112a0b06f4b6c8

SHA256
5e74f0e710c067ad82301c7c14ed6afb138f974f351042cfe0ecd275cea2612c

SHA512
0f18c22e6eff8ec90ccc616e62f32701d046185311e01e5f506778fae0c31f35123c3ce756ff2c0eef6f23e06e280f870b80080d11dc6da3aa25901f5a92d995

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS177F.tmp\50dfba532c798.exe

Filesize
70KB

MD5
ebcc3eb1a7021aaead55fb677465a717

SHA1
3c8347f0fd520ee423a4aafea1112a0b06f4b6c8

SHA256
5e74f0e710c067ad82301c7c14ed6afb138f974f351042cfe0ecd275cea2612c

SHA512
0f18c22e6eff8ec90ccc616e62f32701d046185311e01e5f506778fae0c31f35123c3ce756ff2c0eef6f23e06e280f870b80080d11dc6da3aa25901f5a92d995

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS177F.tmp\50dfba532c7ba.dll

Filesize
115KB

MD5
6696822add17061dc0bb8ee5b42cc2d4

SHA1
d4622558ba366f2f94560da301a81c6c16f95a3c

SHA256
73c44d8943947e3cf9ecabdeea4d9a37652614f5490a1f972816be4123795125

SHA512
0f1946ce002441d010f67156f67b9d18e01ba35edfeb66ce8096467d3126b547e5040032253275b173f2dba9bce983775f360d83ec026986b55cb85e4b63f099

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS177F.tmp\50dfba532c7ba.tlb

Filesize
2KB

MD5
096a65b8a695249d5d554776f1eeace3

SHA1
2f2506b886a59b4408b23653d8734004ec2dda6d

SHA256
a602c790bcf424c154a082a88a495b256dd5456f627943568c358c74f606c568

SHA512
6e832caff1951b4fdb489997af5736fdbafa1de5573f629fc6798666bffd0ca0715311ce6590202cc970cce4492d94994a588547bb579bf70bc264683bc45cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS177F.tmp\hnojfmliecpomcmolblepeojbjenhpfg.crx

Filesize
8KB

MD5
6a37b0ef117e9781b0570e117f367158

SHA1
a33ce0b93e3c3b082f675c917a13ddef03dd4ecd

SHA256
c4a690850409d383af8c971022c50d9250968d43127faabf853f4d6821e786cc

SHA512
0cc7b161fe5c61267bddea4bd1fb81ac6e2976aff0525dcb3a1bb33dba51d529a6f0c16262345a2e9b4986886835c7645d76cc7dcbd3240f4908e418f4e29449

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS177F.tmp\settings.ini

Filesize
6KB

MD5
9ae05d1a3f8621e2dddc33b390c416d2

SHA1
b62af1243efb2fe363a572613865c9c5f389bb2f

SHA256
985fa581d32e712607c10c67f077b72e576f058ef0ab1a20128246bcb15f4579

SHA512
c1fb5f03b3580884da9b6012c99e6e19d2f37adb5f6b020fc63462a0b18398eb34c6226ae7033241a55e25c107a2576f5800e519957d5a7fa729421c7330552b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm8B49.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm8B49.tmp\nsJSON.dll

Filesize
7KB

MD5
b9cd1b0fd3af89892348e5cc3108dce7

SHA1
f7bc59bf631303facfc970c0da67a73568e1dca6

SHA256
49b173504eb9cd07e42a3c4deb84c2cd3f3b49c7fb0858aee43ddfc64660e384

SHA512
fdcbdd21b831a92ca686aab5b240f073a89a08588e42439564747cad9160d79cfa8e3c103b6b4f2917684c1a591880203b4303418b85bc040f9f00b6658b0c90

Download Submit
memory/1340-147-0x00000000748E0000-0x00000000748EA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads