01b6b1fef127398f9aae43f9dabc1cf8ddf5a4e50981347a6f26b4c9d6291b54

Analysis

max time kernel
150s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bin/instsvc.bat
Size

2KB
MD5

21e90735471f64b9b71b37c7d8492574
SHA1

05a2effac79c01bcb1f3798b11b542c63588d51c
SHA256

b1f3b4370fa8e86d8d86a7ee5dbaccaff73f6fc2f04b5ff43205751d1c152918
SHA512

f746d1fb930a77b36a3ffe8823abfcb8e7d81dbcd49e719e33ec82535a7464e4a0cb8df6b6ec5309e2bc7dab3dd21b02041bf88b668dad03c3578be1d2c7e053

Score

8^/10

discovery evasion upx

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 18 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5088	netsh.exe
2092	netsh.exe
4124	netsh.exe
3248	netsh.exe
544	netsh.exe
1980	netsh.exe
4156	netsh.exe
900	netsh.exe
5072	netsh.exe
1436	netsh.exe
2468	netsh.exe
3572	netsh.exe
2016	netsh.exe
3108	netsh.exe
4852	netsh.exe
1588	netsh.exe
4748	netsh.exe
4320	netsh.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1012	icacls.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/memory/2736-0-0x0000000000400000-0x000000000050A000-memory.dmp	upx
behavioral4/memory/2736-37-0x0000000000400000-0x000000000050A000-memory.dmp	upx
behavioral4/memory/2484-883-0x0000000000400000-0x000000000050A000-memory.dmp	upx

Runs net.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 3608 wrote to memory of 4852	3608	cmd.exe	91
PID 3608 wrote to memory of 4852	3608	cmd.exe	91
PID 3608 wrote to memory of 1588	3608	cmd.exe	92
PID 3608 wrote to memory of 1588	3608	cmd.exe	92
PID 3608 wrote to memory of 5072	3608	cmd.exe	93
PID 3608 wrote to memory of 5072	3608	cmd.exe	93
PID 3608 wrote to memory of 1436	3608	cmd.exe	94
PID 3608 wrote to memory of 1436	3608	cmd.exe	94
PID 3608 wrote to memory of 2468	3608	cmd.exe	95
PID 3608 wrote to memory of 2468	3608	cmd.exe	95
PID 3608 wrote to memory of 4748	3608	cmd.exe	96
PID 3608 wrote to memory of 4748	3608	cmd.exe	96
PID 3608 wrote to memory of 5088	3608	cmd.exe	97
PID 3608 wrote to memory of 5088	3608	cmd.exe	97
PID 3608 wrote to memory of 544	3608	cmd.exe	98
PID 3608 wrote to memory of 544	3608	cmd.exe	98
PID 3608 wrote to memory of 1980	3608	cmd.exe	99
PID 3608 wrote to memory of 1980	3608	cmd.exe	99
PID 3608 wrote to memory of 4320	3608	cmd.exe	100
PID 3608 wrote to memory of 4320	3608	cmd.exe	100
PID 3608 wrote to memory of 3572	3608	cmd.exe	102
PID 3608 wrote to memory of 3572	3608	cmd.exe	102
PID 3608 wrote to memory of 2016	3608	cmd.exe	103
PID 3608 wrote to memory of 2016	3608	cmd.exe	103
PID 3608 wrote to memory of 2092	3608	cmd.exe	104
PID 3608 wrote to memory of 2092	3608	cmd.exe	104
PID 3608 wrote to memory of 3108	3608	cmd.exe	105
PID 3608 wrote to memory of 3108	3608	cmd.exe	105
PID 3608 wrote to memory of 4156	3608	cmd.exe	106
PID 3608 wrote to memory of 4156	3608	cmd.exe	106
PID 3608 wrote to memory of 900	3608	cmd.exe	107
PID 3608 wrote to memory of 900	3608	cmd.exe	107
PID 3608 wrote to memory of 4124	3608	cmd.exe	108
PID 3608 wrote to memory of 4124	3608	cmd.exe	108
PID 3608 wrote to memory of 3248	3608	cmd.exe	109
PID 3608 wrote to memory of 3248	3608	cmd.exe	109
PID 3608 wrote to memory of 2736	3608	cmd.exe	110
PID 3608 wrote to memory of 2736	3608	cmd.exe	110
PID 3608 wrote to memory of 2736	3608	cmd.exe	110
PID 3608 wrote to memory of 1804	3608	cmd.exe	111
PID 3608 wrote to memory of 1804	3608	cmd.exe	111
PID 1804 wrote to memory of 3700	1804	net.exe	112
PID 1804 wrote to memory of 3700	1804	net.exe	112
PID 2484 wrote to memory of 4340	2484	nxwrapper.exe	114
PID 2484 wrote to memory of 4340	2484	nxwrapper.exe	114
PID 2484 wrote to memory of 4340	2484	nxwrapper.exe	114
PID 2484 wrote to memory of 4608	2484	nxwrapper.exe	116
PID 2484 wrote to memory of 4608	2484	nxwrapper.exe	116
PID 2484 wrote to memory of 4608	2484	nxwrapper.exe	116
PID 4608 wrote to memory of 4396	4608	cmd.exe	118
PID 4608 wrote to memory of 4396	4608	cmd.exe	118
PID 4396 wrote to memory of 1012	4396	java.exe	119
PID 4396 wrote to memory of 1012	4396	java.exe	119
PID 4396 wrote to memory of 2468	4396	java.exe	121
PID 4396 wrote to memory of 2468	4396	java.exe	121

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bin\instsvc.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3608
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall delete rule name=NxFilter_53_in
  2⤵
  - Modifies Windows Firewall
  PID:4852
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall delete rule name=NxFilter_80_in
  2⤵
  - Modifies Windows Firewall
  PID:1588
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall delete rule name=NxFilter_443_in
  2⤵
  - Modifies Windows Firewall
  PID:5072
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall delete rule name=NxFilter_19002_in
  2⤵
  - Modifies Windows Firewall
  PID:1436
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall delete rule name=NxFilter_19003_in
  2⤵
  - Modifies Windows Firewall
  PID:2468
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall delete rule name=NxFilter_19004_in
  2⤵
  - Modifies Windows Firewall
  PID:4748
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall delete rule name=NxFilter_19003_out
  2⤵
  - Modifies Windows Firewall
  PID:5088
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall delete rule name=NxFilter_19004_out
  2⤵
  - Modifies Windows Firewall
  PID:544
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall delete rule name=NxFilter_1813_in
  2⤵
  - Modifies Windows Firewall
  PID:1980
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall add rule name=NxFilter_53_in protocol=UDP dir=in localport=53 action=allow
  2⤵
  - Modifies Windows Firewall
  PID:4320
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall add rule name=NxFilter_80_in protocol=TCP dir=in localport=80 action=allow
  2⤵
  - Modifies Windows Firewall
  PID:3572
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall add rule name=NxFilter_443_in protocol=TCP dir=in localport=443 action=allow
  2⤵
  - Modifies Windows Firewall
  PID:2016
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall add rule name=NxFilter_19002_in protocol=TCP dir=in localport=19002 action=allow
  2⤵
  - Modifies Windows Firewall
  PID:2092
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall add rule name=NxFilter_19003_in protocol=TCP dir=in localport=19003 action=allow
  2⤵
  - Modifies Windows Firewall
  PID:3108
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall add rule name=NxFilter_19004_in protocol=TCP dir=in localport=19004 action=allow
  2⤵
  - Modifies Windows Firewall
  PID:4156
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall add rule name=NxFilter_19003_out protocol=TCP dir=out remoteport=19003 action=allow
  2⤵
  - Modifies Windows Firewall
  PID:900
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall add rule name=NxFilter_19004_out protocol=TCP dir=out remoteport=19004 action=allow
  2⤵
  - Modifies Windows Firewall
  PID:4124
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall add rule name=NxFilter_1813_in protocol=UDP dir=in localport=1813 action=allow
  2⤵
  - Modifies Windows Firewall
  PID:3248
- C:\Users\Admin\AppData\Local\Temp\nxwrapper.exe
  nxwrapper.exe --startup=auto install
  2⤵
  PID:2736
- C:\Windows\system32\net.exe
  net start NxFilter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start NxFilter
    3⤵
    PID:3700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1416,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=3104 /prefetch:8
1⤵
PID:3180

C:\Users\Admin\AppData\Local\Temp\nxwrapper.exe
"C:\Users\Admin\AppData\Local\Temp\nxwrapper.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo %PATH%
  2⤵
  PID:4340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:/Users/Admin/AppData/Local/Temp/bin/startup.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    java -Djava.net.preferIPv4Stack=true -Xmx768m -cp "C:\Users\Admin\AppData\Local\Temp"\nxd.jar;"C:\Users\Admin\AppData\Local\Temp"\lib\*; nxd.Main
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4396
  - - C:\Windows\system32\icacls.exe
      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      4⤵
      Modifies file permissions
      PID:1012
  - - C:\Windows\System32\hostname.exe
      hostname
      4⤵
      PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
5a0d42fa0745b7e94f6845a0a5d59c7e

SHA1
9a7401cde15e48659f35f015faec933a37293594

SHA256
e0cfe177c1603a7e986712e2244cad272e3f47443fc226bb4cd181cfc05d18dc

SHA512
b7f8ce8af583222fdeff51758cde058c1406d84762386cf10121484e9b8538df7403ba31a466fda76de13debc8030cce9ac1c27816dd0b959b47ced0f3e3f6a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\blacklist.lock.db

Filesize
103B

MD5
2f1dbd62acb90fc733d399db532d75fb

SHA1
4f631b1a75a9aada333feebec23321ff40cf9355

SHA256
3221e92f6a0e3f8f17ad7a39c3eca6a332ff146a1140b5f1b07638e6b5c6a7aa

SHA512
94b3bd42cb453b7ea948460dac6f881504e7193711b1aa64bdea0b6b3deb2174b64630a04e6bbfd19ccf007383038a577e6d91c0dd12fb31da76ba9acd32b449

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\blacklist.lock.db

Filesize
103B

MD5
a3e760dec0defb74e8c20df0c6ae3b38

SHA1
7deccd0f8903e1f8d8421c4a93a91828da8a3fc4

SHA256
0847af7861e297a1ca06f62685594b01db2c06d93b084b80a7a590703c32bd19

SHA512
a8e227c1deaa28adb7ebd26497566dcc9d9562bae8cff1eb471584d7828fe436fd8007ea692cd3a9fa8fcc56051a5e3ae5d7d5764b1457a4d221d8fa688d1d98

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\config.lock.db

Filesize
103B

MD5
62299684d34919a2882af6e3f4174fe7

SHA1
00ebba7170334a93f90ea14657113c716f55c6e4

SHA256
be2346d5f1fd2a92170559089b6878d1b3abee474da755118a190c1691266a8f

SHA512
fc652672e217a4ff529fef647c221d84bee9df24dbd28babcc54e6cb5b6248ab655d80a536a5b37e57abefe82cd384432423be22dc0f9717a4719b3b74fa1978

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\config.lock.db

Filesize
103B

MD5
9f9245db547499d36cd53038b6db3b95

SHA1
015439a40c5c018282f3decc1a23ca386bf22f9e

SHA256
531b5e59b828840383ffdcfed995034ba8409e700fb5fa0a7dc9d99d78fb1f31

SHA512
6571b6c5b25ef5f71aa2c76b6aa6963b965532948bb2e29a02dcb8ba213f9b5ee9ffdf94aa0c1aa43ad152c52f169953f0256f4659e327d1bc73a124fc34fae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\config.lock.db

Filesize
103B

MD5
200842bbda17d924711219a7904aa456

SHA1
e3e08c001d486106dfb4aaf99c736380eb4223c8

SHA256
4c8de59c10b29967dfaaaddd773b8c72232abac11511d4866f958320d4747d2c

SHA512
94ef47e47c91c11da6252755ec1a7a1e973619b16da14170da879f2df7ab7d615bf6c4c0c78227f4a86544b62e81d2d33331c2dad7c1d99a58e6060bdfa9821a

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\jahaslist.lock.db

Filesize
103B

MD5
419fe845f6597324babc0957882b13b2

SHA1
96dedc9c81c29ba3e69af29237a9c48ba5ffb5fc

SHA256
68b2d033da82b3e379c6defee28ff3169fb77a52b44efc0f979dd0bdeabb758b

SHA512
cedc04405a8c1dc0adc12fd0206de68c430fca7f73960d909713004ea6c624f8a7642ef98f5b01014dad5c5b2d6813dc03b26067ec51e6249a75735c27814f25

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\jahaslist.lock.db

Filesize
103B

MD5
27e3fe60712c25771a605712fd08c6a9

SHA1
9eb6ca3ce6493f94aa474af844c9ac9cec4e5bbb

SHA256
0387a271d7a8e04eea60a7efdf89827cf6b5b9b2056810db03c75e88775d6d7a

SHA512
4c0d146c078f26281136ce669a8c32248a6fb7f1198b46c27735cfe8b528985d96fc85233055c6ce127d1fbafde5b7b9078840a194a994d1d2dd4e7df2b77d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\jahaslist.lock.db

Filesize
103B

MD5
decaeb245cdc760461ffb885ccc1dd8d

SHA1
5c214c48290be36499157b15ace9969682f721c4

SHA256
c351062e315f4464b0b32000d61f880e2d1feabf5628a2557ada5e7797fe24db

SHA512
8438f72947594e8560928f4a57e06613aa41ad6c4610ec2df254e793e2fb1dadec10a1e1cd67920b4ee13d743a66e42e9066be18d107d11b29acff9785d40d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\komcache.lock.db

Filesize
103B

MD5
bc9c9ad7a715059215a1c91a3dfb5000

SHA1
0b9747cabb4c61ba83ae4bb5ea94fb8e061836c2

SHA256
c90ebbdf67e6ecb4ba1f25d6c32d130603574350a8fb6792365066f89df89b72

SHA512
2bfe9cbc846e8cd0a132cb23bdafcf92adb4a63d23c1ffa31017954a81cb2adada3b5887861f84fb3695ccd9ef065e0898457fe7b52687911d425f69f420df74

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\komcache.lock.db

Filesize
103B

MD5
0e026a80243a432653957302c7debb9a

SHA1
209fd5dcf9b492545588f298aaedd682b79fcd95

SHA256
e133ddac45b1f356b60ee59dd01cdc91e41709948ef13d72bbbae05fc141d62f

SHA512
7b2af1ff30e5105f4c23bf7c41daa36d4cc917c255beee1d15da509b81dae134a999a9f668b71cb226874a3d53d67df75397e9c07a056d43fcba5c491c2bcab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\komcache.lock.db

Filesize
103B

MD5
8a33f6acee5c79b1f9b245ec21f30f33

SHA1
76cc8a1f27d6f38605944caf38932ffee5da1e79

SHA256
a9b3e594456e56683b7a11c52a2180f5794d348f4a25b8cf69a1add3ec327f7b

SHA512
9d230f251613996c72bf8739831bba0269a4bf5cbb69439d656fbdc65f652b63a254c67bc9bbba693f6cdd12a8df2ac3705b4d8f172136c48a1f9af19962ee5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\local.lock.db

Filesize
103B

MD5
c2346ed37a2c68b22a8afd14252a65d4

SHA1
1c578bcc54b5867131507d9a6e2b1a70d32a3b80

SHA256
57e5f51df75ad7b170686ed0f9d8cf80da05785bd3069469580bc122035190e9

SHA512
82ec93c54f21330ad861d20b7fbddbf1be0fbd2f967768b2eb0db66500772c51ee0e2040ab326fb87593604e6bc35648985560062f01a55486a993ae456f1faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\local.lock.db

Filesize
103B

MD5
526899405df75dece87520243090fb33

SHA1
19af7842e3ed9fe5926e4497f7bc341b50ef3f9c

SHA256
b6be0b302f9b200d1a5ea370368f3fdb12fbe17cb89cba2a0137acbc5d1f6a2f

SHA512
c299c8abd0cc1b1c2cd116e0f8262d272182e933cdfa64170d8a5b284cc7bc892a80a4eaf3d7382d5ea78da9e9016079469f3319fd124c29149537fc5b0ef1c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\local.lock.db

Filesize
103B

MD5
479a84961ad218159bff91f3ab640d47

SHA1
f0399ffccbf907bf79936dbe34ca6264b8b3c2af

SHA256
bbfedc067c81a7c89cd3eaf1c6043e91c56d3ae119759b41064f5e95f56f2e9b

SHA512
0ef3500788e21bc120dbcf7a82e32fd71a4b295ee1c0f49ea43cc7ae463b74f4b73a8adf2c4f002855d55ad597db8690c0abd3680d01b57c9fd15543684dbf71

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\pstcache.lock.db

Filesize
103B

MD5
a2099e1595f49f43cdef145b12544f2a

SHA1
49183c15b81551daf560fd3205d362252a430e9d

SHA256
f79826aa40b054b2237193a504dd568f131c29e304d9393052979e500800e958

SHA512
b25641d0ed2be004abb0f9f9ed386d9c67a236963f05f58450d705fea0698c0d15471aec07dd239bcd8653ac1ace266d457f271eec81967f15204ed925b6c793

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\pstcache.lock.db

Filesize
103B

MD5
4819fa9561a66dc372d1807874bd4844

SHA1
4b745c6750d03f941b1e3aa6b74c87428fa0eada

SHA256
f8ef8c276f0dfbb5da0c1960e15cab62545462670924c0bf08f9f857768c9767

SHA512
4d7487299eb296249e9d9039edd5765bea1f6e451ec2580a22c6512b97f9d5b1a07f4f00a545d19e58f9a0d9fc84df7235420eaab2d397ad1fe71dde9866674a

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\pstcache.lock.db

Filesize
103B

MD5
61d8238f80ed454b3f32cc789660d0e9

SHA1
20ffd86b240998d6a33d03a1676a1dddac2eb428

SHA256
eebc25a58d4fa9a7aed53e07ce33a4a6454774e3823e23b7eaac089bf2619203

SHA512
9e44f723d191a1c843fd19507865d51d14386c45df2d542fd858c24296e6f74dbde3f10a41dd5358246737f4cb4aefc924dcad049afaeea5588e33a08331619e

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\traffic.lock.db

Filesize
103B

MD5
cb5b3aba1ab280bbded6ba9cc72794ac

SHA1
e979fe71e42b29cab532b2855541056ccd4a7473

SHA256
c07caff45ad47ce313d4a1d1012e6b6933bbb434787493174593d52510bcf3b2

SHA512
ad657e6a2b701ce9ef128e5c6f90afd77a24ff47bc41f28555ed4854eb098de66c3eca56f3bdbf05c863e79feb98083bf7598ffb87ea13ee78cd16bd54c67fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\traffic.lock.db

Filesize
103B

MD5
ccfd9c573fceb540b4b54929f4fe7655

SHA1
a7bf170e8c8c5bfcf5afba58da34c11724488994

SHA256
3640407cf763977b350f98624d293ebc1ef1f784ed7fca434d4e5d7247883f18

SHA512
e8eb7334717af2958e45287a02a5dbb4ea9b949c3b83146281c9a998e88a054f2fabac7c8064e155fa03c9ed1d49805d64fc08aee20fc750ad3d46d960ea12d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\db\traffic.lock.db

Filesize
103B

MD5
0711fc030beb2c1f0a60b53d3c11bc8d

SHA1
da94ae0549b9dc2e0d6197947f364ac213bcc08c

SHA256
a52bfee5884c2bb126ac65b99a196c75a97cdc3d86399482ace535921ed417b8

SHA512
b55a97876cf02276eeb3eb428e8f14c9674682d749f595ab5d54f2401a47e02d28a82457d4bef7bfa2b04a7ba169ce57b6482c453a36daade598d2473f5a329d

Download Submit
memory/2484-883-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download
memory/2484-57-0x000000001E8C0000-0x000000001E8DA000-memory.dmp

Filesize
104KB

Download
memory/2736-24-0x000000001E9B0000-0x000000001E9B7000-memory.dmp

Filesize
28KB

Download
memory/2736-37-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download
memory/2736-28-0x000000001E1E0000-0x000000001E1EE000-memory.dmp

Filesize
56KB

Download
memory/2736-31-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/2736-0-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download
memory/2736-2-0x000000001E000000-0x000000001E0F1000-memory.dmp

Filesize
964KB

Download
memory/2736-8-0x000000001E7A0000-0x000000001E7BE000-memory.dmp

Filesize
120KB

Download
memory/2736-12-0x000000001E7D0000-0x000000001E7D9000-memory.dmp

Filesize
36KB

Download
memory/2736-16-0x000000001ECB0000-0x000000001ECBD000-memory.dmp

Filesize
52KB

Download
memory/2736-20-0x000000001E8C0000-0x000000001E8DA000-memory.dmp

Filesize
104KB

Download
memory/2736-5-0x000000001E1B0000-0x000000001E1BF000-memory.dmp

Filesize
60KB

Download
memory/2736-34-0x000000001E1D0000-0x000000001E1DC000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads