Malware Analysis Report

2024-10-10 11:58

Sample ID 240614-jjn98s1ajb
Target a891e5644c3cf33cba704bc3b482833f_JaffaCakes118
SHA256 01b6b1fef127398f9aae43f9dabc1cf8ddf5a4e50981347a6f26b4c9d6291b54
Tags
evasion upx discovery
score
8/10

Analysis Overview

score
8/10

SHA256

01b6b1fef127398f9aae43f9dabc1cf8ddf5a4e50981347a6f26b4c9d6291b54

Threat Level: Likely malicious

The file a891e5644c3cf33cba704bc3b482833f_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

evasion upx discovery

Modifies Windows Firewall

Checks computer location settings

UPX packed file

Modifies file permissions

Unsigned PE

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Runs net.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 07:42

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-14 07:42

Reported

2024-06-14 07:44

Platform

win7-20240221-en

Max time kernel

120s

Max time network

122s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\bin\instsvc.bat"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Runs net.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nxwrapper.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2520 wrote to memory of 2060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 2920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 1056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 1056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 1056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 1740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 1740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 1740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 1988 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\nxwrapper.exe
PID 2520 wrote to memory of 1988 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\nxwrapper.exe
PID 2520 wrote to memory of 1988 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\nxwrapper.exe
PID 2520 wrote to memory of 1988 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\nxwrapper.exe
PID 2520 wrote to memory of 1312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2520 wrote to memory of 1312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2520 wrote to memory of 1312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1312 wrote to memory of 860 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1312 wrote to memory of 860 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1312 wrote to memory of 860 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\bin\instsvc.bat"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall delete rule name=NxFilter_53_in

C:\Windows\system32\netsh.exe

netsh advfirewall firewall delete rule name=NxFilter_80_in

C:\Windows\system32\netsh.exe

netsh advfirewall firewall delete rule name=NxFilter_443_in

C:\Windows\system32\netsh.exe

netsh advfirewall firewall delete rule name=NxFilter_19002_in

C:\Windows\system32\netsh.exe

netsh advfirewall firewall delete rule name=NxFilter_19003_in

C:\Windows\system32\netsh.exe

netsh advfirewall firewall delete rule name=NxFilter_19004_in

C:\Windows\system32\netsh.exe

netsh advfirewall firewall delete rule name=NxFilter_19003_out

C:\Windows\system32\netsh.exe

netsh advfirewall firewall delete rule name=NxFilter_19004_out

C:\Windows\system32\netsh.exe

netsh advfirewall firewall delete rule name=NxFilter_1813_in

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name=NxFilter_53_in protocol=UDP dir=in localport=53 action=allow

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name=NxFilter_80_in protocol=TCP dir=in localport=80 action=allow

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name=NxFilter_443_in protocol=TCP dir=in localport=443 action=allow

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name=NxFilter_19002_in protocol=TCP dir=in localport=19002 action=allow

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name=NxFilter_19003_in protocol=TCP dir=in localport=19003 action=allow

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name=NxFilter_19004_in protocol=TCP dir=in localport=19004 action=allow

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name=NxFilter_19003_out protocol=TCP dir=out remoteport=19003 action=allow

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name=NxFilter_19004_out protocol=TCP dir=out remoteport=19004 action=allow

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name=NxFilter_1813_in protocol=UDP dir=in localport=1813 action=allow

C:\Users\Admin\AppData\Local\Temp\nxwrapper.exe

nxwrapper.exe --startup=auto install

C:\Windows\system32\net.exe

net start NxFilter

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start NxFilter

C:\Users\Admin\AppData\Local\Temp\nxwrapper.exe

"C:\Users\Admin\AppData\Local\Temp\nxwrapper.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo %PATH%

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:/Users/Admin/AppData/Local/Temp/bin/startup.bat"

Network

N/A

Files

memory/1988-0-0x000000001E000000-0x000000001E0F1000-memory.dmp

memory/1988-4-0x000000001E1B0000-0x000000001E1BF000-memory.dmp

memory/1988-16-0x000000001ECB0000-0x000000001ECBD000-memory.dmp

memory/1988-28-0x000000001E1E0000-0x000000001E1EE000-memory.dmp

memory/1988-24-0x000000001E9B0000-0x000000001E9B7000-memory.dmp

memory/1988-20-0x000000001E8C0000-0x000000001E8DA000-memory.dmp

memory/1988-13-0x0000000000400000-0x000000000050A000-memory.dmp

memory/1988-11-0x000000001E7D0000-0x000000001E7D9000-memory.dmp

memory/1988-7-0x000000001E7A0000-0x000000001E7BE000-memory.dmp

memory/1988-32-0x0000000010000000-0x0000000010016000-memory.dmp

memory/1988-34-0x000000001E1D0000-0x000000001E1DC000-memory.dmp

memory/1988-38-0x0000000000400000-0x000000000050A000-memory.dmp

memory/1268-39-0x0000000000400000-0x000000000050A000-memory.dmp

memory/1268-59-0x000000001E8C0000-0x000000001E8DA000-memory.dmp

memory/1268-77-0x0000000000400000-0x000000000050A000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-14 07:42

Reported

2024-06-14 07:45

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

0s

Max time network

129s

Command Line

[/tmp/bin/reset-acl.sh]

Signatures

N/A

Processes

/tmp/bin/reset-acl.sh

[/tmp/bin/reset-acl.sh]

/usr/bin/dirname

[dirname /tmp/bin/reset-acl.sh]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.1.91:443 tcp
US 151.101.1.91:443 tcp
GB 195.181.164.15:443 tcp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
GB 89.187.167.8:443 1527653184.rsc.cdn77.org tcp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-14 07:42

Reported

2024-06-14 07:45

Platform

win7-20240221-en

Max time kernel

150s

Max time network

119s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\bin\startup.bat"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1684 wrote to memory of 1820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\java.exe
PID 1684 wrote to memory of 1820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\java.exe
PID 1684 wrote to memory of 1820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\java.exe
PID 1820 wrote to memory of 2576 N/A C:\Windows\system32\java.exe C:\Windows\system32\hostname.exe
PID 1820 wrote to memory of 2576 N/A C:\Windows\system32\java.exe C:\Windows\system32\hostname.exe
PID 1820 wrote to memory of 2576 N/A C:\Windows\system32\java.exe C:\Windows\system32\hostname.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\bin\startup.bat"

C:\Windows\system32\java.exe

java -Djava.net.preferIPv4Stack=true -Xmx768m -cp "C:\Users\Admin\AppData\Local\Temp"\nxd.jar;"C:\Users\Admin\AppData\Local\Temp"\lib\*; nxd.Main

C:\Windows\system32\hostname.exe

hostname

Network

Country Destination Domain Proto
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:443 tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 classifier1.jahastech.com udp
US 8.8.8.8:53 pool.ntp.org udp
N/A 10.127.1.36:19003 tcp
US 8.8.8.8:53 www.nxfilter.org udp
US 8.8.4.4:53 strict.bing.com udp
US 8.8.4.4:53 restrictmoderate.youtube.com udp
US 8.8.8.8:53 restrict.youtube.com udp
US 8.8.4.4:53 restrictmoderate.youtube.com udp
US 8.8.4.4:53 strict.bing.com udp
US 8.8.8.8:53 forcesafesearch.google.com udp
US 8.8.8.8:53 restrict.youtube.com udp
US 8.8.8.8:53 forcesafesearch.google.com udp
US 70.32.23.79:80 www.nxfilter.org tcp
US 8.8.8.8:53 cloudflare-dns.com udp
N/A 127.0.0.1:49815 tcp
N/A 127.0.0.1:49816 tcp
N/A 127.0.0.1:49817 tcp
N/A 127.0.0.1:49818 tcp
N/A 127.0.0.1:49819 tcp
N/A 127.0.0.1:49827 tcp
N/A 127.0.0.1:49820 tcp
N/A 127.0.0.1:49821 tcp
N/A 127.0.0.1:49847 tcp
US 8.8.8.8:53 licman.nxfilter.org udp
US 69.48.142.88:80 licman.nxfilter.org tcp

Files

memory/1820-2-0x0000000002550000-0x00000000027C0000-memory.dmp

memory/1820-15-0x0000000000140000-0x0000000000141000-memory.dmp

memory/1820-24-0x0000000000140000-0x0000000000141000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\db\config.lock.db

MD5 ed373d2037be9dfd5d714505d2b08205
SHA1 c11d99adad418dd671e4f70bea2a028ec4b22cef
SHA256 0882510121564f08d875db4c5607ea82ed36b6e1132e8fbdb8cf499967ef2dc6
SHA512 e1a9f1febbb0aa2f6953c2e79c0a3454b26bd87d5d01893428ab7e1f65a7a6820f597ee2887e8a46961b41d03a5aa9676bf364f9ecb47f5bebe1916fbfaad710

memory/1820-38-0x0000000000140000-0x0000000000141000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\db\config.lock.db

MD5 9925a81820e36bdeea1a8f1f9ae43e86
SHA1 c1d4ab4dd770c3fdf7dbc4a4faa35c5f7e6970a6
SHA256 0d0e7c397ba1550c83e7a3dacc71ed239cfbe20e82241800689861983d83c912
SHA512 53bd5a80068d873954b0ba6f8b41a9ad6850c15ff024e7c4fa71ced1155d8412cbc48593d17ab027b3ffd1ba451f52135c7b528bb2f9ab5d413ca0a0be441bd0

memory/1820-54-0x0000000000140000-0x0000000000141000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\db\traffic.lock.db

MD5 02efa80175609be82c6a15da39449698
SHA1 ee2bf7da5ecbe49b630579bfb4339476daa4d8b2
SHA256 602ae3fe9bbf701f3431a5fa7120b8d4975d3570c018de27fa5c92156dc628d4
SHA512 b652f889ce946a245e0ff89f89c7658b67af2969912f179a11ac79c9b5c7d99abe90f1385c6135779556314f91c992b3af215456f123a600c804b0efe151381d

C:\Users\Admin\AppData\Local\Temp\db\local.lock.db

MD5 c9151792b39e0c91da547822594f2a56
SHA1 69695575f3f0422e8283868d2394860f5744ebc0
SHA256 3de05c8ef7b3a1ba27cf55ce3a9629732e13e9fb9456f23c5e2fcbe7d0499f74
SHA512 9722edf5609126850d70dbd1ce1d47a146df340d7f3dad1528cfa3a3e110e5f539570654049bd1807788ca320b8ccde1ee1a3b8aab5d27195ebc8f3bc251ddd4

C:\Users\Admin\AppData\Local\Temp\db\pstcache.lock.db

MD5 288b1fc593d110af1381d6b2cf95eb4c
SHA1 247ae320433db52ba9a3d4b4370024249f095051
SHA256 d729bd87f061da5752f62eeed6a03fb822bd7629d4b13970f7121cafee32088c
SHA512 38ddff83944615ed82c1cf8bd895375fb985c3ddc410a163eb681ee16ecf381b5e47544e1eff01276c6b256b564614121852ece1663791ea92c1dab1800e2304

C:\Users\Admin\AppData\Local\Temp\db\komcache.lock.db

MD5 f3052b8a6957775a298c972ec998d397
SHA1 ba67f1ee8ed6c200172239903dcdf631aaa22138
SHA256 f60991e66b8a3709dbf7b516b0eb803dc430c65f288aa07c7910c8c2423a913a
SHA512 1430f30c0253417c7a393531d305d3a3c2d9ab4ee4dccca2ce8171d28df744b89dcf3b01d9df3df6fb24b354a6bf7b9134da7462dcb8d3f7e0d10a05ee697083

C:\Users\Admin\AppData\Local\Temp\db\jahaslist.lock.db

MD5 8bc0e857f702c6be4f360c62f4b5f02c
SHA1 36f7459770a1f67f3ef2f8e88bea5eddee01c16c
SHA256 69b487ec365e97590f730abef4df3bcdb62a5ab79172d311b6a02dd59d88a719
SHA512 756b63d046a1790d72d01b3c9667bb2ef89e5f9497018ccb4e45ec33d1108e271b76246fdc0eda478dca440dc8655eff1e5bad8fb95ba2e0b980a76edc125745

C:\Users\Admin\AppData\Local\Temp\db\config.lock.db

MD5 71d5184788a38b484f90d4271efacc57
SHA1 fdef39b72cf62229dca54ced20718f4fc26ee706
SHA256 5674a658fb7d474b05c32e413b8c372c99aaa0f5ddd39f581fd8aab98205f747
SHA512 4c4f2cc509062f0b30d433c7fe8582cb354ca6a2293d4acd168fd2e757245a4bb7c0d005866f942c111c0a3596e289d6beaa6b03901e9f418411a379a82543dc

memory/1820-116-0x0000000000140000-0x0000000000141000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\db\jahaslist.lock.db

MD5 7bcc5d2f18151ae22150394a706665f7
SHA1 34b56968a2c7c304a9165c4d723775dcddf72e51
SHA256 5718aab96f4fdeca339cda8d9b4a4e9ecfd03f70cd483ac7ab959bb48792914d
SHA512 cb5767be95c157ec53a552c9edd9752980d78b7e70382b5977cede40066af22fc43761dfb582d1b38aa6e8ba6b6a58f2d77e96af756dc8b0b46a3d88d16130b7

memory/1820-130-0x0000000000140000-0x0000000000141000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\db\jahaslist.lock.db

MD5 49e3c4c221a9d594f49b2250e6f67bfa
SHA1 bb71a730731577a4f8c5eed1794ce947b6194f88
SHA256 085ac9c7ba31d9b23d5c9d8335a28a5b9c930e715db3887a1c0636a66ecfc80a
SHA512 a4ba4c41c96c305ce8c20272441c49ba44ca9ea8de9c66d22240aff7125235dba17971974b8dcfb3940f2d1184d9fb21c20a5946e0159aecfed0e581da18135b

memory/1820-198-0x0000000000140000-0x0000000000141000-memory.dmp

memory/1820-201-0x0000000000140000-0x0000000000141000-memory.dmp

memory/1820-205-0x0000000000140000-0x0000000000141000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\db\traffic.lock.db

MD5 e12e3e4e537a14a676878ae5a7e67028
SHA1 3e1f66e61a91f85f2f75690afe9743cdec10436b
SHA256 b8439dc5159c2ac319ab827f65af6077d9b1c6084f6a880544504999922cf371
SHA512 8559b2fa0d730c3640a008098d1830b0a4838de3ae7bffbcc53e42d30e751b24f4955f0ee79397042b528c41f8808d5bd4fff693090d157ba1b27e964ab8c1de

memory/1820-215-0x0000000000140000-0x0000000000141000-memory.dmp

memory/1820-223-0x0000000000140000-0x0000000000141000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\db\blacklist.lock.db

MD5 c2f9995c022caa007e934f9b89781789
SHA1 0a9edde8f9d9d62a8e6ec77993ee89c5efa53d2e
SHA256 48a7aee180272064ec127779947353228f7583426f2528490ad9c841c0af1fd3
SHA512 2d113e20bb45d6c283fbbdba8ccbfa615cfb8a001e59ec85ad7c07073711f72dac5b84f4f7de6a8a086714ab6a0e25d17e4847a297d726bb7e90792d5d36cc89

memory/1820-225-0x0000000000140000-0x0000000000141000-memory.dmp

memory/1820-240-0x0000000000140000-0x0000000000141000-memory.dmp

memory/1820-241-0x0000000000140000-0x0000000000141000-memory.dmp

memory/1820-244-0x0000000000140000-0x0000000000141000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\db\local.lock.db

MD5 797a146c30ce644f5085af8de32cb00b
SHA1 e374c8321bf9cfadbbe3ec5fef429f25a2dca3ac
SHA256 93f4bd53ed2744961a92304e379b6674de19894984bc2cb85c2e71b1d706f120
SHA512 9c6f551a10d9993b0f4fd1b9c7d0980b8f5f74a838e43eb691fa93c7d22af1152bd7c535e9c2c0bb9360b356414df35060578b6aca516333a20c1a50fb2477d7

C:\Users\Admin\AppData\Local\Temp\db\traffic.lock.db

MD5 0a496e6748856f8b4ecc566660128988
SHA1 62be86b44c2a8eb97f1ab8a584ed2f8eba470414
SHA256 745b512d0c8c3a89c37d749a2ff79e457c880bcc4b608bad0b7075e292d213e6
SHA512 6823bbaf4844e82e4e4ccbc899882a2cd91b7828a4df9e30290c401f054db01381e2d66c0b0e1aa55bab3c2341a5a9f96c0a19f46c296700f7399c0fc777bcb2

C:\Users\Admin\AppData\Local\Temp\db\blacklist.lock.db

MD5 4d5c8ba72671c3a3a8908f7afebeb82b
SHA1 77ed066d2b0a7957e7fa68c7e040682c696eaed4
SHA256 d04ae8a952a3f85db1f7eb41f19b3af0a7a836b8098bfaa984bc4e709d1efdfd
SHA512 cacd175449cd8270a32fd6ffce74dfefe48f05d2599b7c23561c4c919501e6ab152d561b1616a8e1a5f93efe63c742c5b0ed8b47a4ab5bdc16f9959a443d29bb

C:\Users\Admin\AppData\Local\Temp\db\local.lock.db

MD5 718f21e328623594e091bd07dfc41bfd
SHA1 b02920fd61daa7665615b722013fe2bf160e03d3
SHA256 607305a4df39c84cab146429afce73043ac6f24f851e62f4a5f767dcaecbeecb
SHA512 1b82748a9f802403a05224ec513938350bed51264a8540c151632725be9cf3ca767c0bd4c7d122737cd6380e0c3e3797674cd6c6bcb2b1f2428ae86060d1d9e4

C:\Users\Admin\AppData\Local\Temp\db\komcache.lock.db

MD5 f0a64c2e0766bf7331c7c7fa698bf924
SHA1 4606f032e013854ffe51b9ae42b50ec46e982416
SHA256 b9aae02b58ec589ec4808291831f8af4879394cc15baf377f0d6271adbb71769
SHA512 58a385a52e1ad5d46c9642fff1fa41ade5b9920c03e3e22f9b27487f3f9a61382ce8bf7dcd669367b985d48ae6f73a8cc4b8986fa848c4787cf66a242f9b207d

memory/1820-384-0x00000000027C0000-0x00000000027D0000-memory.dmp

memory/1820-387-0x0000000002550000-0x00000000027C0000-memory.dmp

memory/1820-388-0x00000000027D0000-0x00000000027E0000-memory.dmp

memory/1820-570-0x00000000027E0000-0x00000000027F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\db\pstcache.lock.db

MD5 6046814d4c114f4f4e6cefb1be99ed4c
SHA1 76bb2ed570b25a22e4f411af18c29acf490e41f0
SHA256 c45d2f35030741b83408530ab53f255a68da280c48ef509a507af26b0684fbbb
SHA512 11afd3761686864a0cffc470a690c3869707ca8ebe62d1bde863cdbe070f2b19ca0a2504a5ae30792645ff0f69fbea7011fab28e3480b2a3cdd1174d7fe0e666

memory/1820-745-0x00000000027C0000-0x00000000027D0000-memory.dmp

memory/1820-758-0x00000000027D0000-0x00000000027E0000-memory.dmp

memory/1820-771-0x00000000027E0000-0x00000000027F0000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-14 07:42

Reported

2024-06-14 07:45

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

0s

Max time network

133s

Command Line

[/tmp/bin/startup.sh]

Signatures

N/A

Processes

/tmp/bin/startup.sh

[/tmp/bin/startup.sh]

/usr/bin/dirname

[dirname /tmp/bin/startup.sh]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 185.125.188.61:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.193.91:443 tcp
US 151.101.193.91:443 tcp
GB 89.187.167.8:443 tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-14 07:42

Reported

2024-06-14 07:45

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

128s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bin\instsvc.bat"

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Runs net.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3608 wrote to memory of 4852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 4852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 1588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 1588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 5072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 5072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 1436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 1436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 2468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 2468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 4748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 4748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 5088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 5088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 1980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 1980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 4320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 4320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 3572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 3572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 2016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 2016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 2092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 2092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 3108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 3108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 4156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 4156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 4124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 4124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 3248 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 3248 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 2736 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\nxwrapper.exe
PID 3608 wrote to memory of 2736 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\nxwrapper.exe
PID 3608 wrote to memory of 2736 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\nxwrapper.exe
PID 3608 wrote to memory of 1804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3608 wrote to memory of 1804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1804 wrote to memory of 3700 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1804 wrote to memory of 3700 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2484 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\nxwrapper.exe C:\Windows\SysWOW64\cmd.exe
PID 2484 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\nxwrapper.exe C:\Windows\SysWOW64\cmd.exe
PID 2484 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\nxwrapper.exe C:\Windows\SysWOW64\cmd.exe
PID 2484 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\nxwrapper.exe C:\Windows\SysWOW64\cmd.exe
PID 2484 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\nxwrapper.exe C:\Windows\SysWOW64\cmd.exe
PID 2484 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\nxwrapper.exe C:\Windows\SysWOW64\cmd.exe
PID 4608 wrote to memory of 4396 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
PID 4608 wrote to memory of 4396 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
PID 4396 wrote to memory of 1012 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 4396 wrote to memory of 1012 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 4396 wrote to memory of 2468 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\System32\hostname.exe
PID 4396 wrote to memory of 2468 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\System32\hostname.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bin\instsvc.bat"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall delete rule name=NxFilter_53_in

C:\Windows\system32\netsh.exe

netsh advfirewall firewall delete rule name=NxFilter_80_in

C:\Windows\system32\netsh.exe

netsh advfirewall firewall delete rule name=NxFilter_443_in

C:\Windows\system32\netsh.exe

netsh advfirewall firewall delete rule name=NxFilter_19002_in

C:\Windows\system32\netsh.exe

netsh advfirewall firewall delete rule name=NxFilter_19003_in

C:\Windows\system32\netsh.exe

netsh advfirewall firewall delete rule name=NxFilter_19004_in

C:\Windows\system32\netsh.exe

netsh advfirewall firewall delete rule name=NxFilter_19003_out

C:\Windows\system32\netsh.exe

netsh advfirewall firewall delete rule name=NxFilter_19004_out

C:\Windows\system32\netsh.exe

netsh advfirewall firewall delete rule name=NxFilter_1813_in

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name=NxFilter_53_in protocol=UDP dir=in localport=53 action=allow

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1416,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=3104 /prefetch:8

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name=NxFilter_80_in protocol=TCP dir=in localport=80 action=allow

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name=NxFilter_443_in protocol=TCP dir=in localport=443 action=allow

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name=NxFilter_19002_in protocol=TCP dir=in localport=19002 action=allow

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name=NxFilter_19003_in protocol=TCP dir=in localport=19003 action=allow

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name=NxFilter_19004_in protocol=TCP dir=in localport=19004 action=allow

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name=NxFilter_19003_out protocol=TCP dir=out remoteport=19003 action=allow

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name=NxFilter_19004_out protocol=TCP dir=out remoteport=19004 action=allow

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name=NxFilter_1813_in protocol=UDP dir=in localport=1813 action=allow

C:\Users\Admin\AppData\Local\Temp\nxwrapper.exe

nxwrapper.exe --startup=auto install

C:\Windows\system32\net.exe

net start NxFilter

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start NxFilter

C:\Users\Admin\AppData\Local\Temp\nxwrapper.exe

"C:\Users\Admin\AppData\Local\Temp\nxwrapper.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo %PATH%

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:/Users/Admin/AppData/Local/Temp/bin/startup.bat"

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -Djava.net.preferIPv4Stack=true -Xmx768m -cp "C:\Users\Admin\AppData\Local\Temp"\nxd.jar;"C:\Users\Admin\AppData\Local\Temp"\lib\*; nxd.Main

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

C:\Windows\System32\hostname.exe

hostname

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:443 tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 classifier1.jahastech.com udp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 pool.ntp.org udp
N/A 10.127.1.237:19003 tcp
US 8.8.8.8:53 2.34.150.193.in-addr.arpa udp
US 8.8.8.8:53 forcesafesearch.google.com udp
US 8.8.4.4:53 restrictmoderate.youtube.com udp
US 8.8.4.4:53 strict.bing.com udp
US 8.8.4.4:53 restrictmoderate.youtube.com udp
US 8.8.8.8:53 forcesafesearch.google.com udp
US 8.8.4.4:53 strict.bing.com udp
US 8.8.8.8:53 restrict.youtube.com udp
US 8.8.8.8:53 restrict.youtube.com udp
US 8.8.8.8:53 www.nxfilter.org udp
US 70.32.23.79:80 www.nxfilter.org tcp
US 8.8.8.8:53 cloudflare-dns.com udp
N/A 127.0.0.1:50630 tcp
N/A 127.0.0.1:50637 tcp
N/A 127.0.0.1:50631 tcp
N/A 127.0.0.1:50640 tcp
N/A 127.0.0.1:50632 tcp
N/A 127.0.0.1:50633 tcp
N/A 127.0.0.1:50634 tcp
N/A 127.0.0.1:50635 tcp
N/A 127.0.0.1:50682 tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 79.23.32.70.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 licman.nxfilter.org udp
US 69.48.142.88:80 licman.nxfilter.org tcp
US 8.8.8.8:53 88.142.48.69.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp

Files

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

C:\Users\Admin\AppData\Local\Temp\db\config.lock.db

C:\Users\Admin\AppData\Local\Temp\db\config.lock.db

C:\Users\Admin\AppData\Local\Temp\db\traffic.lock.db

C:\Users\Admin\AppData\Local\Temp\db\local.lock.db

C:\Users\Admin\AppData\Local\Temp\db\pstcache.lock.db

C:\Users\Admin\AppData\Local\Temp\db\komcache.lock.db

C:\Users\Admin\AppData\Local\Temp\db\jahaslist.lock.db

C:\Users\Admin\AppData\Local\Temp\db\config.lock.db

C:\Users\Admin\AppData\Local\Temp\db\jahaslist.lock.db

C:\Users\Admin\AppData\Local\Temp\db\jahaslist.lock.db

C:\Users\Admin\AppData\Local\Temp\db\traffic.lock.db

C:\Users\Admin\AppData\Local\Temp\db\blacklist.lock.db

C:\Users\Admin\AppData\Local\Temp\db\local.lock.db

C:\Users\Admin\AppData\Local\Temp\db\traffic.lock.db

C:\Users\Admin\AppData\Local\Temp\db\blacklist.lock.db

C:\Users\Admin\AppData\Local\Temp\db\local.lock.db

C:\Users\Admin\AppData\Local\Temp\db\komcache.lock.db

C:\Users\Admin\AppData\Local\Temp\db\komcache.lock.db

C:\Users\Admin\AppData\Local\Temp\db\pstcache.lock.db

C:\Users\Admin\AppData\Local\Temp\db\pstcache.lock.db

memory/2484-883-0x0000000000400000-0x000000000050A000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-14 07:42

Reported

2024-06-14 07:42

Platform

debian9-mipsel-20240611-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-14 07:42

Reported

2024-06-14 07:44

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

0s

Max time network

129s

Command Line

[/tmp/bin/reset-pw.sh]

Signatures

N/A

Processes

/tmp/bin/reset-pw.sh

[/tmp/bin/reset-pw.sh]

/usr/bin/dirname

[dirname /tmp/bin/reset-pw.sh]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 185.125.188.61:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.129.91:443 tcp
GB 195.181.164.14:443 tcp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-14 07:42

Reported

2024-06-14 07:44

Platform

win7-20231129-en

Max time kernel

121s

Max time network

124s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\bin\shutdown.bat"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2996 wrote to memory of 3068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\java.exe
PID 2996 wrote to memory of 3068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\java.exe
PID 2996 wrote to memory of 3068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\java.exe
PID 3068 wrote to memory of 2672 N/A C:\Windows\system32\java.exe C:\Windows\system32\hostname.exe
PID 3068 wrote to memory of 2672 N/A C:\Windows\system32\java.exe C:\Windows\system32\hostname.exe
PID 3068 wrote to memory of 2672 N/A C:\Windows\system32\java.exe C:\Windows\system32\hostname.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\bin\shutdown.bat"

C:\Windows\system32\java.exe

java -cp "C:\Users\Admin\AppData\Local\Temp"\nxd.jar;"C:\Users\Admin\AppData\Local\Temp"\lib\*; nxd.NxAdmin shutdown

C:\Windows\system32\hostname.exe

hostname

Network

Country Destination Domain Proto
N/A 127.0.0.1:19001 tcp

Files

memory/3068-2-0x0000000002690000-0x0000000002900000-memory.dmp

memory/3068-15-0x0000000000140000-0x0000000000141000-memory.dmp

memory/3068-16-0x0000000002690000-0x0000000002900000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-14 07:42

Reported

2024-06-14 07:42

Platform

debian9-mipsbe-20240611-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 07:42

Reported

2024-06-14 07:45

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

152s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bin\admin.bat"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e07ced7d2ebeda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31112750" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2063813432" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000092879b20bf700e4c81ff82d1ae3b8366000000000200000000001066000000010000200000001ffff43752dfefd1e7ac54da7e1c696b5fb665f6db626be60d6ede009ad8114c000000000e8000000002000020000000675c2e6c01c1e41ff6396e780137985ad0c41026047b41665a5790beae753f16200000002a2e74af8c9b46bd534a5820bbcdf8b20877ac8517f5f5f7ba93614ebc710bce400000006f35aed8669a6b6f9744332449ae72b216096baae232253f1a552007201bee863671f7e393a6ce291b1b6c6f441e45ce5d6c3f57db9655efe7ce2b64b9a6c364 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0a8f47d2ebeda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425115923" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A69C22E2-2A21-11EF-9D11-76D7D0441B5E} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2067095411" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000092879b20bf700e4c81ff82d1ae3b8366000000000200000000001066000000010000200000001649f7a00c2232bdd15b7619c27b3c1cc8375edad2a62a344be24dad72a9b3aa000000000e8000000002000020000000dba126ca3a73f00789429e0c2cab659dee3f4e18500cfa0756a6659c83f7693220000000d2b7ec0572c8655b27e7dcae7ef1b146187efce15fe053cb3635c6f04f1001a6400000004a74af220f3a7beab080cd152d34fd81c8db01999ed6741f3acc8db81cbe32aab40f79f4b8e8cae1927cd5788aa9661600c738a47e988288e976ad7a1e57fc9d C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2063813432" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31112750" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31112750" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bin\admin.bat"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://localhost/admin

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1020 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8Z1Z4637\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-14 07:42

Reported

2024-06-14 07:45

Platform

win7-20240221-en

Max time kernel

117s

Max time network

119s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\bin\reset-pw.bat"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1736 wrote to memory of 1548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\java.exe
PID 1736 wrote to memory of 1548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\java.exe
PID 1736 wrote to memory of 1548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\java.exe
PID 1548 wrote to memory of 2628 N/A C:\Windows\system32\java.exe C:\Windows\system32\hostname.exe
PID 1548 wrote to memory of 2628 N/A C:\Windows\system32\java.exe C:\Windows\system32\hostname.exe
PID 1548 wrote to memory of 2628 N/A C:\Windows\system32\java.exe C:\Windows\system32\hostname.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\bin\reset-pw.bat"

C:\Windows\system32\java.exe

java -cp "C:\Users\Admin\AppData\Local\Temp"\nxd.jar;"C:\Users\Admin\AppData\Local\Temp"\lib\*; nxd.NxAdmin reset_pw

C:\Windows\system32\hostname.exe

hostname

Network

Country Destination Domain Proto
N/A 127.0.0.1:19001 tcp

Files

memory/1548-2-0x0000000002720000-0x0000000002990000-memory.dmp

memory/1548-15-0x0000000000140000-0x0000000000141000-memory.dmp

memory/1548-16-0x0000000002720000-0x0000000002990000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-14 07:42

Reported

2024-06-14 07:42

Platform

debian9-mipsbe-20240611-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-14 07:42

Reported

2024-06-14 07:45

Platform

win7-20240611-en

Max time kernel

121s

Max time network

127s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\bin\ping.bat"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1916 wrote to memory of 3016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\java.exe
PID 1916 wrote to memory of 3016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\java.exe
PID 1916 wrote to memory of 3016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\java.exe
PID 3016 wrote to memory of 2668 N/A C:\Windows\system32\java.exe C:\Windows\system32\hostname.exe
PID 3016 wrote to memory of 2668 N/A C:\Windows\system32\java.exe C:\Windows\system32\hostname.exe
PID 3016 wrote to memory of 2668 N/A C:\Windows\system32\java.exe C:\Windows\system32\hostname.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\bin\ping.bat"

C:\Windows\system32\java.exe

java -cp "C:\Users\Admin\AppData\Local\Temp"\nxd.jar;"C:\Users\Admin\AppData\Local\Temp"\lib\*; nxd.NxAdmin ping

C:\Windows\system32\hostname.exe

hostname

Network

Country Destination Domain Proto
N/A 127.0.0.1:19001 tcp

Files

memory/3016-2-0x0000000002070000-0x00000000022E0000-memory.dmp

memory/3016-15-0x0000000000230000-0x0000000000231000-memory.dmp

memory/3016-16-0x0000000002070000-0x00000000022E0000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-14 07:42

Reported

2024-06-14 07:42

Platform

debian9-mipsbe-20240418-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-14 07:42

Reported

2024-06-14 07:45

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

149s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bin\reset-acl.bat"

Signatures

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bin\reset-acl.bat"

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -cp "C:\Users\Admin\AppData\Local\Temp"\nxd.jar;"C:\Users\Admin\AppData\Local\Temp"\lib\*; nxd.NxAdmin reset_acl

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4440,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=3440 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
N/A 127.0.0.1:19001 tcp

Files

memory/4108-2-0x0000016C1D9F0000-0x0000016C1DC60000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 93730bd60047d57f4576402d97e456cf
SHA1 086addd1c2c8fb84affd5cda4031c2b81fcec719
SHA256 e207f1a7147f2e41f1efcf6b5b41d858272ce6adab0a43665a9844c74a7a2b17
SHA512 d1be6d7107543029120f41712697f966e28aa519d4ad2e6e345ab0516fe3bac2f8bfc13fcdcca53e9eeb1a38df7f405565593af784978a859838387d62109b8e

memory/4108-16-0x0000016C1D9D0000-0x0000016C1D9D1000-memory.dmp

memory/4108-18-0x0000016C1D9D0000-0x0000016C1D9D1000-memory.dmp

memory/4108-19-0x0000016C1D9F0000-0x0000016C1DC60000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-14 07:42

Reported

2024-06-14 07:45

Platform

debian9-armhf-20240611-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-14 07:42

Reported

2024-06-14 07:45

Platform

debian9-armhf-20240418-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-14 07:42

Reported

2024-06-14 07:45

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

159s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bin\startup.bat"

Signatures

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bin\startup.bat"

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -Djava.net.preferIPv4Stack=true -Xmx768m -cp "C:\Users\Admin\AppData\Local\Temp"\nxd.jar;"C:\Users\Admin\AppData\Local\Temp"\lib\*; nxd.Main

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

C:\Windows\SYSTEM32\hostname.exe

hostname

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5136 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
N/A 127.0.0.1:443 tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
GB 142.250.187.202:443 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 classifier1.jahastech.com udp
US 8.8.8.8:53 pool.ntp.org udp
US 8.8.8.8:53 61.8.111.131.in-addr.arpa udp
N/A 10.127.0.68:19003 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.nxfilter.org udp
US 70.32.23.79:80 www.nxfilter.org tcp
US 8.8.8.8:53 79.23.32.70.in-addr.arpa udp
N/A 127.0.0.1:50929 tcp
N/A 127.0.0.1:50931 tcp
N/A 127.0.0.1:50926 tcp
N/A 127.0.0.1:50930 tcp
N/A 127.0.0.1:50932 tcp
N/A 127.0.0.1:50928 tcp
N/A 127.0.0.1:50927 tcp
N/A 127.0.0.1:50925 tcp
US 8.8.4.4:53 forcesafesearch.google.com udp
US 8.8.4.4:53 forcesafesearch.google.com udp
US 8.8.8.8:53 strict.bing.com udp
US 8.8.4.4:53 strict.bing.com udp
US 8.8.8.8:53 restrictmoderate.youtube.com udp
US 8.8.4.4:53 restrict.youtube.com udp
US 8.8.8.8:53 restrict.youtube.com udp
US 8.8.8.8:53 restrictmoderate.youtube.com udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 cloudflare-dns.com udp
N/A 127.0.0.1:50949 tcp
US 8.8.8.8:53 licman.nxfilter.org udp
US 69.48.142.88:80 licman.nxfilter.org tcp
US 8.8.8.8:53 88.142.48.69.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

memory/4596-2-0x00000122A1DC0000-0x00000122A2030000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 061f1de2dca0616b00613c5b12bd4853
SHA1 2f20718a370be04b7c04cce2a61181fad2c732a1
SHA256 54e6137ecba43a8862ef680dc81b1c25ec20b7503531f59baa81340babed8184
SHA512 4da7f215a9b3089257aae4aca247e48e54e32513fcfebf1068752095e7c5a04a7f54abc8b3110160215a8f358a9d39d9b5b24562358e067d6da35433c597383a

C:\Users\Admin\AppData\Local\Temp\db\config.lock.db

MD5 53d900445b3bb12c2a2164b6c0cc624e
SHA1 23fb8b3c44a3d476991c915493bf398514478698
SHA256 4c3c72322895764d614e5302540897dd9ede36969c5ad89352dda4e5ce597c6c
SHA512 fa071c218e0ba5acb79f7b4a40985cfc624794ec2f2beb15299129537750be790c4c0b37646b82b249a177bd3d5f198a950280005ea0e6e80d0bc87cda23f119

C:\Users\Admin\AppData\Local\Temp\db\config.lock.db

MD5 df12081e6f534fa8b61d68c789088f42
SHA1 d7c7cd94be75d7300142a997657797cce76d2f7e
SHA256 b0e82f71ae06935218ae422099b2e88a2f9f2df44baa6c950bba7a7a1607a689
SHA512 2fb7d4f8d800f7953e89e3e79481c0c97eab09d05e20050883c37bb04b59cc17d1dbe9609adba289d0fa43b1ae711a56cdaa9de960b3ffba58a60d5c1edde674

C:\Users\Admin\AppData\Local\Temp\db\config.lock.db

MD5 7c503d65a921104b33f22a2cc0d22f2d
SHA1 99be6c2c6a038d2a534ef459dbe462b297752cd6
SHA256 d2c55269fd8d5b28e2082276b7f430c8df2a49734f3f8a2fa34082ca7c646996
SHA512 f47ac6aa7fb1b504ce673177c01ded7bf636bb4cdf5de3c857e9cdfa5df48bd860a3bbd9caedee851ea7e8fbba356843933cde5d993ab04e6ac5ba985b38ac47

C:\Users\Admin\AppData\Local\Temp\db\traffic.lock.db

MD5 48bc2a968412a73e5b2b97e28a71336d
SHA1 732f0c97d113212fe664e5b987c1ddee6bace299
SHA256 664583f61a6a014f27a5bbd8ff8b7cadc5369da2f1c1e667ae500a027fe5402c
SHA512 13bd54becf7c43bc95ceceec78e7219825f62a9c46eed836cc55f8632a0dc766b3d4ac2d6a46e26f833ee48d4ffb46e3aa79d00b59e86b36cadf91889c55a923

C:\Users\Admin\AppData\Local\Temp\db\local.lock.db

MD5 d56ee470c1d5753377eda9665e70508c
SHA1 1a610e5f563b2e8a5c315b80b1a12a2ba0a54127
SHA256 da25c0b503ca058dcf097cf0e325a1e925df808f5f1658754b13d1ccf74f1692
SHA512 08b501ac375dd3e0777a4c341c14708ca8020ea692f7025f16b025c1ba543e013603c1ef56607bf149815a6805a6b30a51cd0ef36a63b778fa90744dc480a193

C:\Users\Admin\AppData\Local\Temp\db\pstcache.lock.db

MD5 0ed72cd9d9514d11a201168f5062aade
SHA1 8ff850983efa0c41572943f4fe25357ee9e6f926
SHA256 d0f26e6c25355c6783c93318a62327596424e2e559657768a204db83937d345b
SHA512 9e74b1f9c93992c0e396f0172300c66ed48d5e01692edd5056eb173cd461f47df4bec492cbb4b748ffa6572d288f6d4289b935c598932397ef4030c6a4dbbb04

C:\Users\Admin\AppData\Local\Temp\db\komcache.lock.db

MD5 27fd60b8faee3f420111fe0b95da53e1
SHA1 08ed26a9ac6b986b52e487e8235e215955394dd4
SHA256 c58eb74c96334b06489e2445d09a8e7fa3acdbb8cd1825772fe30874cab63cd6
SHA512 e738e93a905c987f6a0b07828e8f48adffe91972d0d4464baac2e3ef7784ff0129d55f84ccd709f5aa88b072f7375774f21e4c3f3af827e893ae97ef5520a702

C:\Users\Admin\AppData\Local\Temp\db\jahaslist.lock.db

MD5 f5b55826a5a48eababdeee40ff472875
SHA1 c5d2ed7fc2b7bb0ec728ab125fbd52f8aff9eed9
SHA256 23779b55e7859aff507089c29fabf529598ceb767ec1372523ad7cd7ef1f1614
SHA512 2f25c2806930aa733aa5b48cd80e7feafbfe75954dae1ca013961f9a4840b81f9a42c71e5bee92d52493de4944348c2d0731aafa051fdfee5375f20f64d6c787

C:\Users\Admin\AppData\Local\Temp\db\jahaslist.lock.db

MD5 6fa1c6e34d2502a514ed1bba81995329
SHA1 5a6e9cee3cf75abaa239d45072d08ddb0450e035
SHA256 00f3befb6dac2a555c70309da6643ae87cc9eb1954ada817764b666b3fe45c90
SHA512 a5e7c03a8be31aac6ed2d3e1ce47b947acefaf319c2bb1c2c1201d2db6537185ce1133212397224a54dadacd88715e9c71b28b846c50f70384219702ed86ebc4

C:\Users\Admin\AppData\Local\Temp\db\jahaslist.lock.db

MD5 337f1c7d4c65a75520fb456d6c3881fb
SHA1 babac0cc2f8d54fab4d066c642de9f8157f6c1d5
SHA256 be9607592c078386c56bb31c9e2591bb3af010267133204b5790f7cda90d2dc4
SHA512 b0bcb546c0863b6d5a66c357aeac891f06e94a4fcb1b6698909bdbf4c081eee1ad9ac11fd4392e5a091ab81c224e3a7907c021089cade45baad46956dfe95289

C:\Users\Admin\AppData\Local\Temp\db\traffic.lock.db

MD5 ce3393574fb7ccbd6caf61347df2bd12
SHA1 f348a29f691f5d65e25e7b49687e8049941df601
SHA256 8bb4c3cd73aea7e03324f81e48d237efa39151a8ee7297e5ce1e8ec0c0b7d00a
SHA512 c2c9ca1ef65bfe4ba28316e13688a176821b3787419143d6cecf63d5f96d1adb33ab4843d2780c2a5bfe9ebe4fa80aad1d78563baf6a0786fee36df3352103be

C:\Users\Admin\AppData\Local\Temp\db\blacklist.lock.db

MD5 d90dc499f92457bc6e0c5337a5810d6a
SHA1 a8bb104f2af04fbd68e917147b4d28cf9dbb2a5e
SHA256 9b80a8a3c4b12decbe8d8c6b0130924b06e7e414e9063bce8a749e9ae2e17a2b
SHA512 cf8b4d2dbc1df47bf5ac8c380a257e4ca0b715fa812ea611222441541e0d2a2f6f333b4957688802926866f950efd89f3cd6a60ec502a6f86ea4b5bdc04b88e8

C:\Users\Admin\AppData\Local\Temp\db\local.lock.db

MD5 c16ff589071c67c17b2bd5075584f820
SHA1 25b4a705c9178a810ebf99003b54c723f2284646
SHA256 06b90e70fb4f3d2b4d9d19cab77fc30c326f1f15e67cd35bf004b30fd0066b70
SHA512 fdd7292b6d908a4b8d28a2071660631edc350033bf18132f86e4fbe95286815e59f19a6c45fb77f2b0990adfa88b300de174aeb2d61a1700a00c301a28f9fe60

C:\Users\Admin\AppData\Local\Temp\db\traffic.lock.db

MD5 83d4218c9e938b648c8019c9be88a099
SHA1 958545c48f9fa2a4e35630c5aa0e39e6c607cfde
SHA256 c8fbd30af42822f7abfa76ccc8b5e0e9d95989715f8d7f97fc343e81d0e8188e
SHA512 f73e75214078af36bc306897fc015b85930e558bdb7c55ad0508272d6544b0781553515e02ea904155fdc0cc573fc590547f769d8f5b7efa552e3349b36e27cc

C:\Users\Admin\AppData\Local\Temp\db\blacklist.lock.db

MD5 c108842b31658bdc3e56997b37ef20b7
SHA1 94b54a094ae632a6052339f4917ae45d2b3a0688
SHA256 b107afffacc120c7cbd63cb5d9afab8380fe12a3583b164b92e2e78571166096
SHA512 c16b031f18b60dd2ecba6b7d98f8d608fbf66970c95dcdcd62d49f0bf9247a4cfa833f2582b01474bd7bf50746bc9616b0f5005b38f3ed64f9bf013338b622d3

C:\Users\Admin\AppData\Local\Temp\db\local.lock.db

MD5 568cbe3b62507754d666f5c29f1c524b
SHA1 1a21c20db75d201bc417020a53b09dee6252e927
SHA256 1eea20fc40f457eb159e9bd898f36e4cf7477cb76895680aac191c82e724e7be
SHA512 cbc2b1883f0826cdff747401c16aad3a31edd4ed2a0c2f0140b57b72d5dcca37684319bdbeda65b0fcc7325cb3f7bbebc2278bfae074b5130b5412a71faa38cb

C:\Users\Admin\AppData\Local\Temp\db\komcache.lock.db

MD5 a1224bef177038d23494d5e5a7472dfe
SHA1 060277bd9f9478603a686dfaad548c0703e7f51b
SHA256 eaee96b1808395dab382c26757d1d9020f79fcf4deec8b5e4cddab8dc4cfd468
SHA512 c584dbdb29aa3eadf2de07f3e4180fe136e2dde8f3815ef5178993284f619b0e162a43700a9a3ca73e1d15eb951cc9083d72e6d52871ecea0456a1eccab448a4

C:\Users\Admin\AppData\Local\Temp\db\pstcache.lock.db

MD5 7904a06fb901c86e2aed1f0c1ba57b63
SHA1 b06587e8b4ff84f2806d334440d5c4dc454fad31
SHA256 b4439cf5f4a1a6dc0c17c059b7c2692f54628f035430e397614e95519d9ab2e6
SHA512 efd7667707f4365c57a2a123fac1e69df8d00e325691d9fd7c123ebb4c6be7463d6ee44e2b515dd008dbdff9aeb74bd61c3181993161df8a474d1f8b65b14d0e

C:\Users\Admin\AppData\Local\Temp\db\pstcache.lock.db

MD5 9a0382b7bf87979fe01c9f0aa001c5c5
SHA1 0f387542c10055538f180c64b56024e093acb4ea
SHA256 54d4dda912f7227b1fa40135d88c04621543461885bf4369e4a3cf2f82cf3bee
SHA512 50910a0dc72377a2aafd726294c210f4a4e684f5ec423a851c0f3d2dc9f371190d53a4ed2e9cedc56f9561fc69bebada8e7b0c9f8029974c97f9cd6dc62217dc

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-14 07:42

Reported

2024-06-14 07:44

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

52s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bin\shutdown.bat"

Signatures

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bin\shutdown.bat"

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -cp "C:\Users\Admin\AppData\Local\Temp"\nxd.jar;"C:\Users\Admin\AppData\Local\Temp"\lib\*; nxd.NxAdmin shutdown

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

C:\Windows\SYSTEM32\hostname.exe

hostname

Network

Country Destination Domain Proto
N/A 127.0.0.1:19001 tcp

Files

memory/2640-2-0x0000018B80000000-0x0000018B80270000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 fb896ef8a8ba978c234f609562f4eb9f
SHA1 43f58a8678d3ca23b53f06f3f3aa9456107f6296
SHA256 43bc5af56c4da8d886e43ebe3f78c8acbf923799a3e5273802ffd0e82ddcae92
SHA512 747f837827395aad0d26f9eceec37b11acaae4af86cb7ca354f24262db75ad23107d4429f091353097582161a013244c81db4da030104a602772e1faa459715e

memory/2640-16-0x0000018BFAFE0000-0x0000018BFAFE1000-memory.dmp

memory/2640-18-0x0000018BFAFE0000-0x0000018BFAFE1000-memory.dmp

memory/2640-19-0x0000018B80000000-0x0000018B80270000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-14 07:42

Reported

2024-06-14 07:44

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

0s

Max time network

147s

Command Line

[/tmp/bin/ping.sh]

Signatures

N/A

Processes

/tmp/bin/ping.sh

[/tmp/bin/ping.sh]

/usr/bin/dirname

[dirname /tmp/bin/ping.sh]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 151.101.129.91:443 tcp
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.129.91:443 tcp
GB 89.187.167.6:443 tcp
US 151.101.65.91:443 tcp
US 151.101.193.91:443 tcp
US 151.101.1.91:443 tcp
US 1.1.1.1:53 odrs.gnome.org udp
US 1.1.1.1:53 odrs.gnome.org udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-14 07:42

Reported

2024-06-14 07:42

Platform

debian9-mipsel-20240418-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-14 07:42

Reported

2024-06-14 07:45

Platform

win7-20240508-en

Max time kernel

119s

Max time network

124s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\bin\reset-acl.bat"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1232 wrote to memory of 2096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\java.exe
PID 1232 wrote to memory of 2096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\java.exe
PID 1232 wrote to memory of 2096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\java.exe
PID 2096 wrote to memory of 2652 N/A C:\Windows\system32\java.exe C:\Windows\system32\hostname.exe
PID 2096 wrote to memory of 2652 N/A C:\Windows\system32\java.exe C:\Windows\system32\hostname.exe
PID 2096 wrote to memory of 2652 N/A C:\Windows\system32\java.exe C:\Windows\system32\hostname.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\bin\reset-acl.bat"

C:\Windows\system32\java.exe

java -cp "C:\Users\Admin\AppData\Local\Temp"\nxd.jar;"C:\Users\Admin\AppData\Local\Temp"\lib\*; nxd.NxAdmin reset_acl

C:\Windows\system32\hostname.exe

hostname

Network

Country Destination Domain Proto
N/A 127.0.0.1:19001 tcp

Files

memory/2096-2-0x0000000002650000-0x00000000028C0000-memory.dmp

memory/2096-15-0x0000000000150000-0x0000000000151000-memory.dmp

memory/2096-16-0x0000000002650000-0x00000000028C0000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-14 07:42

Reported

2024-06-14 07:43

Platform

debian9-mipsbe-20240611-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-14 07:42

Reported

2024-06-14 07:42

Platform

debian9-mipsel-20240418-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-14 07:42

Reported

2024-06-14 07:43

Platform

debian9-mipsel-20240226-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 07:42

Reported

2024-06-14 07:44

Platform

win7-20240221-en

Max time kernel

118s

Max time network

120s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\bin\admin.bat"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\bin\admin.bat"

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-14 07:42

Reported

2024-06-14 07:44

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

152s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bin\reset-pw.bat"

Signatures

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bin\reset-pw.bat"

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -cp "C:\Users\Admin\AppData\Local\Temp"\nxd.jar;"C:\Users\Admin\AppData\Local\Temp"\lib\*; nxd.NxAdmin reset_pw

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

C:\Windows\SYSTEM32\hostname.exe

hostname

Network

Country Destination Domain Proto
N/A 127.0.0.1:19001 tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.173.189.20.in-addr.arpa udp

Files

memory/2172-2-0x0000027EB6870000-0x0000027EB6AE0000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 17dd46a97de27ed5f80691fee69c3ddb
SHA1 a1fb9c55598747bceb9bf98b5414726c5cec4f45
SHA256 4b371c3e6c44b06c051ede6bade3944c5263c5ac9d8901457a1ea97d7ebee0c7
SHA512 64774f4a257c70566db0d06114acacda5aa8e7d09384aabfff327752d8e878fd6b495761a151dca2fd26e81daf39ff18e7f52ea5f8cc4a7cccbe4c945a01f924

memory/2172-16-0x0000027EB4FC0000-0x0000027EB4FC1000-memory.dmp

memory/2172-18-0x0000027EB4FC0000-0x0000027EB4FC1000-memory.dmp

memory/2172-19-0x0000027EB6870000-0x0000027EB6AE0000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-14 07:42

Reported

2024-06-14 07:45

Platform

debian9-armhf-20240611-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-14 07:42

Reported

2024-06-14 07:45

Platform

win10v2004-20240611-en

Max time kernel

90s

Max time network

140s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bin\ping.bat"

Signatures

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bin\ping.bat"

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -cp "C:\Users\Admin\AppData\Local\Temp"\nxd.jar;"C:\Users\Admin\AppData\Local\Temp"\lib\*; nxd.NxAdmin ping

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

C:\Windows\SYSTEM32\hostname.exe

hostname

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
N/A 127.0.0.1:19001 tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/4436-2-0x0000028401410000-0x0000028401680000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 20482aaf8d3fc039a430c017ad91be85
SHA1 31c2e35f0c10430db06c2312a7cb39be87e6f18f
SHA256 936569157a97ad2f7ebbfcb53fbb9cfbb4da7054a71d44d5e5c04bceb4dffbcf
SHA512 6a547d4334470772dcf678dd93ba696a94e22471aa70b41d27233f3a7e7d54af2c35bae9ae18c381c5d51da4e72b87d8d2293b1ea36c20a1d2b6dc27e708c598

memory/4436-16-0x000002847EF90000-0x000002847EF91000-memory.dmp

memory/4436-18-0x000002847EF90000-0x000002847EF91000-memory.dmp

memory/4436-19-0x0000028401410000-0x0000028401680000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-14 07:42

Reported

2024-06-14 07:45

Platform

debian9-armhf-20240611-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-14 07:42

Reported

2024-06-14 07:45

Platform

debian9-armhf-20240611-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-14 07:42

Reported

2024-06-14 07:44

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

0s

Max time network

129s

Command Line

[/tmp/bin/shutdown.sh]

Signatures

N/A

Processes

/tmp/bin/shutdown.sh

[/tmp/bin/shutdown.sh]

/usr/bin/dirname

[dirname /tmp/bin/shutdown.sh]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 185.125.188.61:443 tcp
GB 185.125.188.61:443 tcp
US 151.101.129.91:443 tcp
GB 89.187.167.3:443 tcp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp

Files

N/A