8ebd1b8741900582b4c72acf34988c2817d62a0756a4a21875c68dfe8714e482

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2024, 07:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bin/instsvc.bat
Size

2KB
MD5

21e90735471f64b9b71b37c7d8492574
SHA1

05a2effac79c01bcb1f3798b11b542c63588d51c
SHA256

b1f3b4370fa8e86d8d86a7ee5dbaccaff73f6fc2f04b5ff43205751d1c152918
SHA512

f746d1fb930a77b36a3ffe8823abfcb8e7d81dbcd49e719e33ec82535a7464e4a0cb8df6b6ec5309e2bc7dab3dd21b02041bf88b668dad03c3578be1d2c7e053

Score

8^/10

discovery evasion upx

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 18 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4204	netsh.exe
1748	netsh.exe
3200	netsh.exe
4892	netsh.exe
552	netsh.exe
2236	netsh.exe
3488	netsh.exe
5072	netsh.exe
3964	netsh.exe
4372	netsh.exe
3260	netsh.exe
3732	netsh.exe
2800	netsh.exe
4736	netsh.exe
4880	netsh.exe
1916	netsh.exe
3032	netsh.exe
4216	netsh.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3212	icacls.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/memory/404-7-0x0000000000400000-0x000000000050A000-memory.dmp	upx
behavioral4/memory/404-38-0x0000000000400000-0x000000000050A000-memory.dmp	upx
behavioral4/memory/4664-858-0x0000000000400000-0x000000000050A000-memory.dmp	upx

Runs net.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 3732	5096	cmd.exe	85
PID 5096 wrote to memory of 3732	5096	cmd.exe	85
PID 5096 wrote to memory of 5072	5096	cmd.exe	86
PID 5096 wrote to memory of 5072	5096	cmd.exe	86
PID 5096 wrote to memory of 3964	5096	cmd.exe	87
PID 5096 wrote to memory of 3964	5096	cmd.exe	87
PID 5096 wrote to memory of 1748	5096	cmd.exe	89
PID 5096 wrote to memory of 1748	5096	cmd.exe	89
PID 5096 wrote to memory of 3200	5096	cmd.exe	90
PID 5096 wrote to memory of 3200	5096	cmd.exe	90
PID 5096 wrote to memory of 4204	5096	cmd.exe	93
PID 5096 wrote to memory of 4204	5096	cmd.exe	93
PID 5096 wrote to memory of 4372	5096	cmd.exe	94
PID 5096 wrote to memory of 4372	5096	cmd.exe	94
PID 5096 wrote to memory of 4892	5096	cmd.exe	95
PID 5096 wrote to memory of 4892	5096	cmd.exe	95
PID 5096 wrote to memory of 3260	5096	cmd.exe	98
PID 5096 wrote to memory of 3260	5096	cmd.exe	98
PID 5096 wrote to memory of 552	5096	cmd.exe	99
PID 5096 wrote to memory of 552	5096	cmd.exe	99
PID 5096 wrote to memory of 2800	5096	cmd.exe	102
PID 5096 wrote to memory of 2800	5096	cmd.exe	102
PID 5096 wrote to memory of 4736	5096	cmd.exe	103
PID 5096 wrote to memory of 4736	5096	cmd.exe	103
PID 5096 wrote to memory of 2236	5096	cmd.exe	104
PID 5096 wrote to memory of 2236	5096	cmd.exe	104
PID 5096 wrote to memory of 4880	5096	cmd.exe	105
PID 5096 wrote to memory of 4880	5096	cmd.exe	105
PID 5096 wrote to memory of 3488	5096	cmd.exe	106
PID 5096 wrote to memory of 3488	5096	cmd.exe	106
PID 5096 wrote to memory of 1916	5096	cmd.exe	107
PID 5096 wrote to memory of 1916	5096	cmd.exe	107
PID 5096 wrote to memory of 3032	5096	cmd.exe	108
PID 5096 wrote to memory of 3032	5096	cmd.exe	108
PID 5096 wrote to memory of 4216	5096	cmd.exe	109
PID 5096 wrote to memory of 4216	5096	cmd.exe	109
PID 5096 wrote to memory of 404	5096	cmd.exe	111
PID 5096 wrote to memory of 404	5096	cmd.exe	111
PID 5096 wrote to memory of 404	5096	cmd.exe	111
PID 5096 wrote to memory of 4608	5096	cmd.exe	112
PID 5096 wrote to memory of 4608	5096	cmd.exe	112
PID 4608 wrote to memory of 5112	4608	net.exe	113
PID 4608 wrote to memory of 5112	4608	net.exe	113
PID 4664 wrote to memory of 4196	4664	nxwrapper.exe	115
PID 4664 wrote to memory of 4196	4664	nxwrapper.exe	115
PID 4664 wrote to memory of 4196	4664	nxwrapper.exe	115
PID 4664 wrote to memory of 5072	4664	nxwrapper.exe	117
PID 4664 wrote to memory of 5072	4664	nxwrapper.exe	117
PID 4664 wrote to memory of 5072	4664	nxwrapper.exe	117
PID 5072 wrote to memory of 3964	5072	cmd.exe	119
PID 5072 wrote to memory of 3964	5072	cmd.exe	119
PID 3964 wrote to memory of 3212	3964	java.exe	120
PID 3964 wrote to memory of 3212	3964	java.exe	120
PID 3964 wrote to memory of 1340	3964	java.exe	122
PID 3964 wrote to memory of 1340	3964	java.exe	122

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bin\instsvc.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall delete rule name=NxFilter_53_in
  2⤵
  - Modifies Windows Firewall
  PID:3732
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall delete rule name=NxFilter_80_in
  2⤵
  - Modifies Windows Firewall
  PID:5072
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall delete rule name=NxFilter_443_in
  2⤵
  - Modifies Windows Firewall
  PID:3964
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall delete rule name=NxFilter_19002_in
  2⤵
  - Modifies Windows Firewall
  PID:1748
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall delete rule name=NxFilter_19003_in
  2⤵
  - Modifies Windows Firewall
  PID:3200
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall delete rule name=NxFilter_19004_in
  2⤵
  - Modifies Windows Firewall
  PID:4204
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall delete rule name=NxFilter_19003_out
  2⤵
  - Modifies Windows Firewall
  PID:4372
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall delete rule name=NxFilter_19004_out
  2⤵
  - Modifies Windows Firewall
  PID:4892
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall delete rule name=NxFilter_1813_in
  2⤵
  - Modifies Windows Firewall
  PID:3260
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall add rule name=NxFilter_53_in protocol=UDP dir=in localport=53 action=allow
  2⤵
  - Modifies Windows Firewall
  PID:552
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall add rule name=NxFilter_80_in protocol=TCP dir=in localport=80 action=allow
  2⤵
  - Modifies Windows Firewall
  PID:2800
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall add rule name=NxFilter_443_in protocol=TCP dir=in localport=443 action=allow
  2⤵
  - Modifies Windows Firewall
  PID:4736
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall add rule name=NxFilter_19002_in protocol=TCP dir=in localport=19002 action=allow
  2⤵
  - Modifies Windows Firewall
  PID:2236
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall add rule name=NxFilter_19003_in protocol=TCP dir=in localport=19003 action=allow
  2⤵
  - Modifies Windows Firewall
  PID:4880
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall add rule name=NxFilter_19004_in protocol=TCP dir=in localport=19004 action=allow
  2⤵
  - Modifies Windows Firewall
  PID:3488
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall add rule name=NxFilter_19003_out protocol=TCP dir=out remoteport=19003 action=allow
  2⤵
  - Modifies Windows Firewall
  PID:1916
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall add rule name=NxFilter_19004_out protocol=TCP dir=out remoteport=19004 action=allow
  2⤵
  - Modifies Windows Firewall
  PID:3032
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall add rule name=NxFilter_1813_in protocol=UDP dir=in localport=1813 action=allow
  2⤵
  - Modifies Windows Firewall
  PID:4216
- C:\Users\Admin\AppData\Local\Temp\nxwrapper.exe
  nxwrapper.exe --startup=auto install
  2⤵
  PID:404
- C:\Windows\system32\net.exe
  net start NxFilter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start NxFilter
    3⤵
    PID:5112

C:\Users\Admin\AppData\Local\Temp\nxwrapper.exe
"C:\Users\Admin\AppData\Local\Temp\nxwrapper.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo %PATH%
  2⤵
  PID:4196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:/Users/Admin/AppData/Local/Temp/bin/startup.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    java -Djava.net.preferIPv4Stack=true -Xmx768m -cp "C:\Users\Admin\AppData\Local\Temp"\nxd.jar;"C:\Users\Admin\AppData\Local\Temp"\lib\*; nxd.Main
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3964
  - - C:\Windows\system32\icacls.exe
      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      4⤵
      Modifies file permissions
      PID:3212
  - - C:\Windows\System32\hostname.exe
      hostname
      4⤵
      PID:1340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
dde7b8dcf6afd947f24ae52aad70ac52

SHA1
2481489cda480e9fe517f78982c740dbbb4ea7c2

SHA256
41da15d780d2bf8d16eeb39e117d64409db0d9ad61e2c2321e2517ec3f692556

SHA512
4a2e7eab1ee2a66b82397e5cecdc77808873a1140e2d77dee92f942a1c2f304de9e959c4f38e0c5f7fe911ac31633701c71640f15b2066ca7a9195fde83a71b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\blacklist.lock.db

Filesize
103B

MD5
a2b5de002d5a8c12fbc8b7f3d5a1cdbf

SHA1
ed3212501d393fcc1d9ce958931af6c9be54ffb7

SHA256
fde975ffe879c0d4987332eb0c474049663fa6666c7f627c98cd6ba3b5a9917d

SHA512
6de74908280e81e6675bf25ab70398762203cd37c7ee3abd14fa659972cae93194652334db5c381e65d1a05fb8b90fa95eac8ba52e5c122c7904ec69b7569b05

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\blacklist.lock.db

Filesize
103B

MD5
19b1e321174df4db155fc1100e7c93f3

SHA1
84974cccc7e42d8c151879c4b16efe99f7e5a529

SHA256
a2250dd1ca14f48f1bc3d33f270f1f078282f703a45c80d900d9d5e9cebf6ef1

SHA512
d094075b6f97c7c36ad14d31746a6e777c8dda3a7bf1df77c72255553e9a807c8a0f6cec5d2647d9b78ab4cafcea10d90f1074dde3d97b7b94f580dcbbcd4171

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\config.lock.db

Filesize
103B

MD5
f3f1d38cea0f0d09182e5eea5c19b4e9

SHA1
82f3686bf8a7ecf0beb6c946a7ff3354d7514fc8

SHA256
a628eecf02e68e5830811921ba7a208f266ba639a51c424886c422cbd8829928

SHA512
49f63ea0a1686e57c15edfdf2c4c68b96701d0cb8804576d99bff66351c6f2d2822272b6c88b27b912fe02ced158312150330f13cedc68e945c20b6053b6c0ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\config.lock.db

Filesize
103B

MD5
4bd6b7c2323ab8dd359bd7c3a61782bf

SHA1
995e0eb56bbe32457532ed4658265fa397969bc3

SHA256
0bb1c717c997e128d51329496a58e00871dd23140102969b1473e66407ca2de2

SHA512
2906120372295247d836d337a59581c106555e98b7b30dab5348068e38166dfc2e7c98115c5554dd9b6ca658c820c7f3d94a983f4009e61eac559ea97fed279f

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\config.lock.db

Filesize
103B

MD5
b24daed8e17ca2a0ef0b9a99e896925f

SHA1
443b0b9849e786c872930b7ee53193343fc9020d

SHA256
718846aac6078b059b18c7a6a22b4fcb524f9e9b2c5e24aa294223136b49ee7e

SHA512
e0462b9f026fdc246fd25930cea7a4bf2abc8cd4896f316c4a8ebd8fd8652cfb83a4d9c28bfd8ed58999417aff684c0502ab9e55143178cf4cb170eac66151e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\jahaslist.lock.db

Filesize
103B

MD5
0788c2e8030a2e19f78b04d3018b10c7

SHA1
512a3cfe98a6a5d01f07e0098c0660ced9a6bf4f

SHA256
f3405cefcf1ae83c94c7b7a73ea1875aeb52ca507afc94a515aaf16fc73e5880

SHA512
c9e9de5de437eabd7c63d9544ca9019c3401adaeb21017c7cfb732a292f396f6a0adbd2e762df28feffcbdf1879a5d1490e251063bca363b1fffd2cb83816c73

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\jahaslist.lock.db

Filesize
103B

MD5
f4672305454993e81f8be8de9938d201

SHA1
88a93d08a0df1c3208507090d28e31c024a6e1cd

SHA256
9808d8f08445ba5469454b3d9f2818aa18947c3b0aae08f39720dc807611ed85

SHA512
b25b499fa77ba6a33587a2c9339703c11992d114dc427e74bcb2e896d9e23db1040a30152571fa583beaaebe0865e2cebfd10360dcc4f939a644b8b2e2ec1a6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\jahaslist.lock.db

Filesize
103B

MD5
6c1a798ca6a3d7ca4dbb20849bbab74c

SHA1
b71ec95fd6b532957e99513fb24b7bd0a660b274

SHA256
1a07af6e0a121875e3a7ce99abda2462b9506f7aaf06af79e5d5822d9bcc11a6

SHA512
86b24187eac5545136af5d064ce9014a47a3d9b4a3c1a37a4e7407bbb110d287dbc3b89c45d2179d47e75c5d5df3114a5da7d9e9d89e4ec353a3748cab323be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\komcache.h2.db

Filesize
34KB

MD5
3779ea54f8b7f157af0e4cd03bbbe588

SHA1
ebb506503623390d8f698f31a47208f0e184b139

SHA256
19b083cae0a4a2bdc461a735269f18d5b6d655bdc894e59f5a56ecc759a2f4c1

SHA512
3dd1dfb9f47027d4d615ef311e64ccbca6bcc8ab6cefb5e8a8765f7fce48a5e7527dbbcec4483e0b570b16834714942712b0b4133032c460bbda4e7d1a051644

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\komcache.h2.db

Filesize
34KB

MD5
f34b43d6a5f530ec42d50ad6536eac75

SHA1
cd2c978238bc1427b15cc4b7cc092e228b4efbbd

SHA256
e625bf335a68fb0cb9df45f22c241f1c3d01adaaaf10b41d6cc3eed1716cf9ae

SHA512
744b06efbfe3326cf6c2210702c9e9c75922ff5a2dcd3c0ded19b524f2217c41f4f39a1add1c63a29eb128de4effa3fd30ecd9d434a0337f5bb75deccebc6d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\komcache.lock.db

Filesize
103B

MD5
edee3e4b2bcfaba95c4feb4519eb08b8

SHA1
2de96bbd49ce951e551fd92571e97f5279615b15

SHA256
1eb69c8cd094270fa0cdedd2251927f17abe8dd073f53fe8b029a3514cc4716b

SHA512
29d581be49b920ed7c959297be2897b4dc2ee03de0ea5adc3cf84ddf50833e7083f775fe06d55d093b8f6c2037024728a230808228825f8f49a82d1befe92d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\komcache.lock.db

Filesize
103B

MD5
8772705ece7c48a49a53d2b32920d79d

SHA1
794c5b077a4c8133a691b0d8930277990777e808

SHA256
2896cfa8ba0db175fb15c9744850798a2861e6d5da597a7f969a828e46557c8e

SHA512
296b8d5d970e8cf2d6a44dc86dc3a1a2c7924f3eea356dd3522bd78acea3c22146a3931a7c9834877eb242058fd4efa514c1a5e1e8cef500a37185ff454de081

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\komcache.lock.db

Filesize
103B

MD5
73c22296f3b53330415e5f7ec63add1d

SHA1
3dc8af69f2da5b0cd5e5794d02ee673419d9853a

SHA256
a8f068b29b01feaf656644a625d25d971bde5f154355f13ed45d9b0f05dbceab

SHA512
13a4a74f0f088ac378aab21fee5daa537e1688cb339efc89f0808e10eb0a98c8d2c6f16f66b8396299246001acbb07482c7a478da6a27ac41e5eb8258cb3156c

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\local.lock.db

Filesize
103B

MD5
faa8b0925bc55580faea3664bb9d74dc

SHA1
fd6b4ddd0fb1af9c61af52d1a2f8bd5c19e2da24

SHA256
2f1598b8c4f0462b85ff79b509c1764dd15166db34c0daa8c8347592694eb60e

SHA512
1988fe264ed6a7ff813da43b8f1344f5eb58c3d2cdcf0209f7e27814331dfb5f3302332afe15ad3b8d9631b78e01d09204695a27ea7dc36170999253f9e36547

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\local.lock.db

Filesize
103B

MD5
e7270200a6700ec43c079e32b7ccaf28

SHA1
b38885ecb060631386aa95fe29f83f34f69b44c5

SHA256
539caa76ee2456d0a4ec5d5a43e76789e750255b51b6733225b48cd25db4b1c2

SHA512
e8b1d855f485a46cbdd3b3c96bab804fe90e7e9c10d466bddf7a8ec7bc1d6a795f806aad7cf6a7a48cd383399f1174cd429c7480a8a822de3382f3fc32052c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\local.lock.db

Filesize
103B

MD5
1ba4b4a48764f1d80d50cd412864ee50

SHA1
51972247d28ef7fa24eff74c41fedd855902b1ba

SHA256
95b2d4e0b3e79fa53d2d01a1bf4a163cb010c8b49e5331fe318a2aeb823d59af

SHA512
1cf8baf3dbee25862dcf309799fe841fae07f543dce3987dddf5221d9e08e67c7f82644acd9e12720cb04db87574b8edcaedf1db0c6589b98e898dd772ad926a

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\pstcache.lock.db

Filesize
103B

MD5
61adda6eff9d160f743472a702bbc134

SHA1
2056a77f9664817c650f9b7989bee594fc1c3264

SHA256
5591b76d839cd43851e59aa6d845972739edd5aefac1374bb91f2a9018170710

SHA512
5a3044f9e5dc546e53bf2a77a350ab1debd01d2b798b48bbe8c425c2cc705855339c6748e454671452995ad4a5b1f7a129f845de7c3aede2641f0b39370af139

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\pstcache.lock.db

Filesize
103B

MD5
d3d54ff0994b33f7e90c71313411e7ba

SHA1
05b67c6d824e38b57ee701dccfd573028fab2bef

SHA256
40020f37774a9545a6a2bda59f2267ceb57a143ce0daa05df09d899862762732

SHA512
91e24c53494f890389156327a638a79e043c2eb08394f5e983f4204d6bae0e950b006ae1b72602b6720608c240c154364c0fbc3dfe5668d33075386e14934aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\pstcache.lock.db

Filesize
103B

MD5
3c75e6b0b43f107e61642425a30b83f1

SHA1
6c28e24552a56d8703fa66a92dba2c1ed3755cfe

SHA256
6320d727cb10fbc91ae6c931c15943a7260046378db13a4befcd749e007a540e

SHA512
6c4869e0f9f606f022646ec231281520bd3b5a288407c407be4ef7511656db3087e86b7bcacfad74c461e6407ce44a5ef4426095ba99ff17d6ae0cf1ffc86818

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\traffic.lock.db

Filesize
103B

MD5
4b9a9455b7231c33990a3c6c36a1aeed

SHA1
28dffa6157f2f23ad783b6041a230e0ac3dc6aa1

SHA256
343ec03848810283cbe9fa691eb517b61fcb8f11e5bb8a903ddf2d4a8ead924e

SHA512
9d1b04c630bc97aa909a18b72b0d1ebb4c6d92dcab17de89f2c9d3693740781a481ea3fb7c80e59e093366e84e66537859c04d2728e6fdef71418de03e3af09e

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\traffic.lock.db

Filesize
103B

MD5
a1481a5ec98c65620db35c18ddf99260

SHA1
edc5c71848b5be45e09feb3c46d31eeed12fb4a5

SHA256
5731a8d8d18b6e554318eecf1be383210789144c98545fa5cd5ee67aeb5e004e

SHA512
9094987e1c9410d207876c4ec0148ddb008fab77f865ec1f62e57034404e0fd17d73f019e1da6c56aa72bdf137c495607c27f100a5f868a8a6a3f5a898b8d5c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\traffic.lock.db

Filesize
103B

MD5
3433f09dbefacdf9f9a3cff37dd55241

SHA1
c7a4abf189b387f95f7b1473c7f864e1d34b20fa

SHA256
8df95d342291bea72261fea7ead8ecf7b6f6fa7239eb796641e2e7413ac280ba

SHA512
d71a742b32c2afa20e275add178af7fa3cf3a8fbb860c0b7fce755eeee8e79f94e17d0bbc06f5cdfad7e30891280cc565730de5ed9bd63d4bc6536c1f46e8101

Download Submit
memory/404-12-0x000000001E7D0000-0x000000001E7D9000-memory.dmp

Filesize
36KB

Download
memory/404-7-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download
memory/404-34-0x000000001E1D0000-0x000000001E1DC000-memory.dmp

Filesize
48KB

Download
memory/404-4-0x000000001E1B0000-0x000000001E1BF000-memory.dmp

Filesize
60KB

Download
memory/404-0-0x000000001E000000-0x000000001E0F1000-memory.dmp

Filesize
964KB

Download
memory/404-8-0x000000001E7A0000-0x000000001E7BE000-memory.dmp

Filesize
120KB

Download
memory/404-20-0x000000001E8C0000-0x000000001E8DA000-memory.dmp

Filesize
104KB

Download
memory/404-16-0x000000001ECB0000-0x000000001ECBD000-memory.dmp

Filesize
52KB

Download
memory/404-38-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download
memory/404-24-0x000000001E9B0000-0x000000001E9B7000-memory.dmp

Filesize
28KB

Download
memory/404-28-0x000000001E1E0000-0x000000001E1EE000-memory.dmp

Filesize
56KB

Download
memory/404-31-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/4664-58-0x000000001E8C0000-0x000000001E8DA000-memory.dmp

Filesize
104KB

Download
memory/4664-858-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads