3730e9cba4a93bc985ef7cd2368ccbf5eccd4724f514b38b20e320e5553dd08d

Resubmissions

25/03/2025, 13:12

250325-qfl42aznw9 10

25/03/2025, 13:09

25/03/2025, 13:05

25/03/2025, 13:01

25/03/2025, 12:55

25/03/2025, 12:51

05/02/2025, 11:16

16/07/2024, 08:54

Analysis

max time kernel
110s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2025, 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe
Size

1.3MB
MD5

af24c3030002d1487c6455fdb1a09eec
SHA1

72732ddefce71c13297df596267260a5d8e892f3
SHA256

37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c
SHA512

470a0cf695add143555eaa45f3fe5c462edb1cea2cd1589b19f55029b488fae58da2bd588bf79cdb16eeb4518bc7b7189eba764d611d008b1b27145ca0e8a2e3
SSDEEP

24576:Auh7HYGSWwFda6lBbXUqcTGKcr5YrcRBlBnNmkE9pneHiAvuQnL1mp/DVmu6KUi0:Dhkkw7LNNmTDqnRmJDx61i0

Score

8^/10

defense_evasion discovery persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3704	netsh.exe
4476	netsh.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	api.my-ip.io
21	api.my-ip.io

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Runs net.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3556 wrote to memory of 1872	3556	37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe	87
PID 3556 wrote to memory of 1872	3556	37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe	87
PID 3556 wrote to memory of 1872	3556	37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe	87
PID 1872 wrote to memory of 4156	1872	cmd.exe	89
PID 1872 wrote to memory of 4156	1872	cmd.exe	89
PID 1872 wrote to memory of 4156	1872	cmd.exe	89
PID 4156 wrote to memory of 8	4156	net.exe	90
PID 4156 wrote to memory of 8	4156	net.exe	90
PID 4156 wrote to memory of 8	4156	net.exe	90
PID 3556 wrote to memory of 1460	3556	37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe	91
PID 3556 wrote to memory of 1460	3556	37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe	91
PID 3556 wrote to memory of 1460	3556	37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe	91
PID 3556 wrote to memory of 2480	3556	37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe	93
PID 3556 wrote to memory of 2480	3556	37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe	93
PID 3556 wrote to memory of 2480	3556	37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe	93
PID 3556 wrote to memory of 4372	3556	37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe	95
PID 3556 wrote to memory of 4372	3556	37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe	95
PID 3556 wrote to memory of 4372	3556	37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe	95
PID 3556 wrote to memory of 208	3556	37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe	97
PID 3556 wrote to memory of 208	3556	37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe	97
PID 3556 wrote to memory of 208	3556	37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe	97
PID 208 wrote to memory of 3944	208	cmd.exe	99
PID 208 wrote to memory of 3944	208	cmd.exe	99
PID 208 wrote to memory of 3944	208	cmd.exe	99
PID 3944 wrote to memory of 4168	3944	net.exe	100
PID 3944 wrote to memory of 4168	3944	net.exe	100
PID 3944 wrote to memory of 4168	3944	net.exe	100
PID 3556 wrote to memory of 3508	3556	37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe	101
PID 3556 wrote to memory of 3508	3556	37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe	101
PID 3556 wrote to memory of 3508	3556	37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe	101
PID 3508 wrote to memory of 3872	3508	cmd.exe	103
PID 3508 wrote to memory of 3872	3508	cmd.exe	103
PID 3508 wrote to memory of 3872	3508	cmd.exe	103
PID 3872 wrote to memory of 3440	3872	net.exe	104
PID 3872 wrote to memory of 3440	3872	net.exe	104
PID 3872 wrote to memory of 3440	3872	net.exe	104
PID 3556 wrote to memory of 2608	3556	37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe	105
PID 3556 wrote to memory of 2608	3556	37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe	105
PID 3556 wrote to memory of 2608	3556	37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe	105
PID 2608 wrote to memory of 3984	2608	cmd.exe	108
PID 2608 wrote to memory of 3984	2608	cmd.exe	108
PID 2608 wrote to memory of 3984	2608	cmd.exe	108
PID 3984 wrote to memory of 2080	3984	net.exe	109
PID 3984 wrote to memory of 2080	3984	net.exe	109
PID 3984 wrote to memory of 2080	3984	net.exe	109
PID 3556 wrote to memory of 2240	3556	37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe	110
PID 3556 wrote to memory of 2240	3556	37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe	110
PID 3556 wrote to memory of 2240	3556	37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe	110
PID 2240 wrote to memory of 3704	2240	cmd.exe	113
PID 2240 wrote to memory of 3704	2240	cmd.exe	113
PID 2240 wrote to memory of 3704	2240	cmd.exe	113
PID 3556 wrote to memory of 748	3556	37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe	115
PID 3556 wrote to memory of 748	3556	37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe	115
PID 3556 wrote to memory of 748	3556	37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe	115
PID 748 wrote to memory of 4476	748	cmd.exe	117
PID 748 wrote to memory of 4476	748	cmd.exe	117
PID 748 wrote to memory of 4476	748	cmd.exe	117
PID 3556 wrote to memory of 1404	3556	37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe	120
PID 3556 wrote to memory of 1404	3556	37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe	120
PID 3556 wrote to memory of 1404	3556	37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe	120
PID 1404 wrote to memory of 3928	1404	cmd.exe	122
PID 1404 wrote to memory of 3928	1404	cmd.exe	122
PID 1404 wrote to memory of 3928	1404	cmd.exe	122
PID 3928 wrote to memory of 4952	3928	net.exe	123

C:\Users\Admin\AppData\Local\Temp\37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe
C:\Users\Admin\AppData\Local\Temp\37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe bcdedit /set shutdown /r /f /t 2
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSDTC
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Windows\SysWOW64\net.exe
    net stop MSDTC
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4156
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSDTC
      4⤵
      System Location Discovery: System Language Discovery
      PID:8
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Windows\SysWOW64\net.exe
    net stop SQLSERVERAGENT
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3944
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      System Location Discovery: System Language Discovery
      PID:4168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3872
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      System Location Discovery: System Language Discovery
      PID:3440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop vds
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\SysWOW64\net.exe
    net stop vds
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3984
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vds
      4⤵
      System Location Discovery: System Language Discovery
      PID:2080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4476
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLWriter
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3928
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      System Location Discovery: System Language Discovery
      PID:4952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop SQLBrowser
  2⤵
  PID:1932
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    PID:3212
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:3416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
  2⤵
  PID:3228
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLSERVER
    3⤵
    PID:668
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
  2⤵
  PID:4840
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$CONTOSO1
    3⤵
    PID:4648
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$CONTOSO1
      4⤵
      PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\0154351536fc379faee1\2010_x64.log.html

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\3ac54ddf2ad44faa6035cf\2010_x86.log.html.(MJ-DK9360817254)([email protected]).zxc

Filesize
81KB

MD5
1605535687a56d2b140248b895f53da9

SHA1
8809466a2a2cf7f7cc63f41a3186e769d14d17be

SHA256
50f1fc5afa9f6685ffc2d7b6b58067af06437287fa4935a817c16c040affa390

SHA512
5b4cf81957e00712adb9014aae06b1ba1a7fc0ffab3430a65bba97f239aa09c5287a14203966866fbf4b3340f730824e33eebbf7e7f733c9324c960a8174d667

Download Submit
C:\Program Files\7-Zip\Lang\gl.txt.(MJ-DK9360817254)([email protected]).zxc

Filesize
9KB

MD5
052d267f11a8aa61d6a23dcd5c13e2cf

SHA1
0e57001a62ba45899b31691056de141088ffafc1

SHA256
52574019e9af2f160f6ab8f2bb2d99b7ad588876c23ed290fc79d2bb6674c87d

SHA512
7add9f51b0d4ee35abee93d0048f522a03332d43468b478ef8e209a0054c6d821ca7fdec196d3fb867488e9cbb50fafcc528cfc5d68f2d155e6b52601ed20ca4

Download Submit
C:\Program Files\ApproveSwitch.TTS.(MJ-DK9360817254)([email protected]).zxc

Filesize
455KB

MD5
c4312b91e48e0eccd3fcdefad143ebb2

SHA1
dea0bec431be2ad42e3289b7effaec3f6ce016fb

SHA256
437c432e0e60dcca9a560105671695618322c20e571f49bb27f74d40363075c2

SHA512
84893b0535b800a4267a0ec86fc741d8dbf1693bd5206a9b650584b1fdbc29f81ffc65ce1acfb64564265f31eb149fb2c44d47c20c8314949d8e2f71322e3ed6

Download Submit
C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe.(MJ-DK9360817254)([email protected]).zxc

Filesize
1.1MB

MD5
e8bcc3fa3ee35e3e3ae0461f525f7c75

SHA1
cfbc16dd1d05ccc4a584330c2794ff898d559fd9

SHA256
5fd5f250d580758cf694b02ac46e8315b7774ad09f0fc40974ad858ec123c092

SHA512
16ada4d05ed47f2c328ca2298c9451e0d7f0d91c0ee9856b86b9b973be23e6c5fe93dd28339780c05081782d95a055adcfaa5854641ada5f0cd8e28955758070

Download Submit
C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office.xrm-ms.(MJ-DK9360817254)([email protected]).zxc

Filesize
640KB

MD5
8c14c27f118aa417bc3a6f87c0d303e6

SHA1
b76104afc50d793381877e591112ea58b5df207a

SHA256
00eb407907935bd24d2673feabe6b121889fbed7279cacd8069e57a284062814

SHA512
87aec378f30e0132728441a99ce292aa49b129c16bfb67c318f1b9ae496e1e4e1ae22d876cdb87d5dc0a129cb8b73c7baeaa00ca8f3a91e63ed796f5459c324c

Download Submit
C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\OFFICE.DLL.(MJ-DK9360817254)([email protected]).zxc

Filesize
446KB

MD5
2f95581e564224a30f9c93268d8874e8

SHA1
f9eb5b94744745b2a504152986b72d4baf6a7aec

SHA256
de3def96c55d3d3f704385e88985a9d445c9b9a06a91a55bfbb88680b675eb48

SHA512
48eb4f26caa9e3f0105c8deb76e9c23b68aa5864bb6d7bd5ccb535be7e70836d86d7d6a5463659e3bdb6d7af689864349a2147b44571f2bbb4b69c98a8491067

Download Submit
C:\Program Files\Microsoft Office\root\Office16\sdxbgt.dll.(MJ-DK9360817254)([email protected]).zxc

Filesize
14KB

MD5
9e0cecf8b6184e8af043b6db3e96fdcd

SHA1
af043cda4bf9db82f5425dcddd1d8942a90038a3

SHA256
459973fdb7e69af064aa687917ea8e9aa76ce2ab28f6385d40f17aa1df795d43

SHA512
0c71c02130e6644a15afd5a8d638cb1bd964d5132d8bc6dc4115903b2d97c0a50ba79eddf28ed067e35d72d207fb5a0346188a90db943c7d6bd17129c8387028

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ADALPREVIOUS.DLL.(MJ-DK9360817254)([email protected]).zxc

Filesize
133KB

MD5
5782084b29fe77d2d545055743481d9d

SHA1
e74c816830122431dfe888f3d451713abf9850a1

SHA256
5c602ca699d5a86bfde297bcba0db6c50be373333ed121220a02edce350a8a14

SHA512
284174f664d4c3979756cf947a38c58fece746b531bd9820ec03934f4cadef2d19a78d01e4d72f4d4ed8ba3b79ae9ff2b330a365fd9be39392022eff20b0cbda

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\accicons.exe.(MJ-DK9360817254)([email protected]).zxc

Filesize
64KB

MD5
38001d3eebfc0573d9d0126847e268ab

SHA1
0d59e4c9edc85f77e75315534307763a68a9c1a5

SHA256
966d1659922ef8a5e702c2eb88fe28f9532c32b95e4cb2bb2c96a85f886b1648

SHA512
4c2efdcca167e52a9ada0ac4ce24055572fafceb60bbaa4a593027da914ff79e22ae4ce239ce2cee7cc6fc621be738cdf6ce4a81087003c73e58ad14ca2aa171

Download Submit
C:\Program Files\UnblockOpen.docx.(MJ-DK9360817254)([email protected]).zxc

Filesize
634KB

MD5
c318d6f6a3e07a6143cf005183312f13

SHA1
5647e15139a27d74fbed1d595e62f7eef362a39e

SHA256
303d743bb86e46b3777489eb98091ad390792709f3abdb3d4aea5da0366d2fb3

SHA512
1c0a03ec548e45be03af521daea8660e6ca42fb1fdf474d418c04c3c1a80f9e82ec4467667e6cd7c231c70f958e42a945c6571675116f124ff4f83b26651c870

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.dll.(MJ-DK9360817254)([email protected]).zxc

Filesize
259KB

MD5
54ab8273f29e39e8e124a9e813698f4a

SHA1
cd5c02f11be5cdee68b3402ba9dbf12717e5b068

SHA256
8028e57423b5ba30c9d6af71ca4bbe2765cb276f4205c90a6ebb982733970629

SHA512
10a153c18f788de64db05592981b3dec5030d54a85bacc88ac09928149f06d5608a1d981c5d26db875fdaa43ba6d119d2476139104a6986acd3e241fe455e46b

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Queryable.dll.(MJ-DK9360817254)([email protected]).zxc

Filesize
223KB

MD5
27b38649baf93a7216075407a0efa2f0

SHA1
4bb2931e53e1cdc762d7278949f0ad82a6e579cf

SHA256
e36a1d133d17f9065f9055f0e504b4ef4914ed8884032325cdd016753a5f18d3

SHA512
95a860d641b459d4632f8e866bafb612bb7043e8b283cb7230c999b3c7bd60d985b68f0f4da3d4122b31f738ab30af2ff4ea261bb3411a85b40ef507d78f9ba9

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Uri.dll.(MJ-DK9360817254)([email protected]).zxc

Filesize
247KB

MD5
eee38c71361b5f27808a113d1fe36178

SHA1
aeb6cfe2b57981c088d9c8af78b3b4a6448dde61

SHA256
ab3b2161960d02018565a852dda287cc7cfbefecadf0ded3c9ec73cdc4a122ca

SHA512
ed14429812b4bb716d5a73e2b336954f5d3579ceb76f600e632b31e84b3b8e0b75af9de7b2b8109c05fe01ef3a0e56157c53900f4dd66353de011510008d3fae

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.TypeConverter.dll.(MJ-DK9360817254)([email protected]).zxc

Filesize
738KB

MD5
ceb35664e005cf299c1e4cd745b0bb01

SHA1
cc6149cd47e9e36c8b578d2c8b01a75b40caee7d

SHA256
b3201906b007427d32c3ba91e5a9251bff84afdda0d86ce665a282095693ba0b

SHA512
52593d5eed13ff9d236c2e3f07988ae8c0a42d4ae5a2c501ba652453279090764fe5ece1e537e0afb2875e3da1c0ca30ebd41436d93ec352d0a256ca09f786b8

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.dll.(MJ-DK9360817254)([email protected]).zxc

Filesize
494KB

MD5
174136752df9767026f344349e66ed46

SHA1
a9ef0c80d66cd7311dc9355233348cf00c9fabb0

SHA256
bb341b728d031e52ac89017029578be8b36dc9cdc1c8ab44abb37773ec139d24

SHA512
a6ab5d270427cb3887e2297425b0809a738dc452ec6bc9b0f6de413cf9956922ebe8ad3ad1c8d79a9958e01eebebd127536b66618b9c027df8165910ccf0446f

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.Common.dll.(MJ-DK9360817254)([email protected]).zxc

Filesize
1.4MB

MD5
19befc1644a1bc80dcbd454b2b179628

SHA1
7eba4eb9470cfaa5f0221ad4abd0e4fcf513372e

SHA256
dd34865ad10ebcea7e33cb9d6fa6bd019fccf31f80e8d22deb90559494512335

SHA512
c6068fbf90da3ca9119f70bce33347706c012d7daec37f14c472589d26786c3c3eb238810dee2764b2e7b38443fec22ed854a1e7ae8d6530278281343d9dcb27

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.HttpListener.dll.(MJ-DK9360817254)([email protected]).zxc

Filesize
538KB

MD5
b6fd0dca0ee4b5ae8c39e9b44e05f6f5

SHA1
6238a8678dfc680590da8ac1fad4bb0d6771cc79

SHA256
5b9ff0deb04921a35e38569d010a7f46cb7084f04bc017a7044e6931316fe494

SHA512
a7ca3857998dba3e0dab047f6099db5e461c5d83202979600e9c8c588595ea6cfe23b62873962d44285c256d4f58dbf7a349a9a1ed4e3058d11b2f060f789c43

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.CoreLib.dll.(MJ-DK9360817254)([email protected]).zxc

Filesize
901KB

MD5
7a7b6b76a0c20775a7c6b260e9002655

SHA1
8ae8227782984888f502d26e02c419ac95d24bff

SHA256
c003793d6862f7c033a5f84cbca0ea7bff88d728d0161c65888fe719ec1d845b

SHA512
907b1f7b2574486fa041ab07dff9b1d3eceae518017576291529f41557d2ec677966e61cc852b0f7161a2d38a4266156c95ba1eb05673bd046ecca9567e41a32

Download Submit
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationFramework.resources.dll.(MJ-DK9360817254)([email protected]).zxc

Filesize
193KB

MD5
46553f07a1ea12195baefe27365532b1

SHA1
0a770b4b193263abdb3d0ad4acc098c563a169e4

SHA256
deb4aa01997f568b207c5406531a1e46d6b0ba271f6cdc064807ff89847003c6

SHA512
e4775c774f5812e904a672b79b0e9a5c16ca7ca2b7a9156fdc3fdffdad1e57dfcc986435ea2c55b396466336104a30ec5ff07ebef87b43197188660a846988d6

Download Submit
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.resources.dll.(MJ-DK9360817254)([email protected]).zxc

Filesize
345KB

MD5
e441897c8c7fb25398eaa1f37dd39b12

SHA1
c8a9e4cdfc8488326569bb154fa47a2c21338ee5

SHA256
ea1b5bf338a188e2f5abf106859f4bde395ac6acdb405201f58f8c83b675fb78

SHA512
6bb12a14e6a9d409c4f26880f9cd87c4ba97c44fcea9afee6865e939f3cafdc28a970a5854cbc6ac826f7e615834cc275be0319a6bd0dae0f6339d02d2c49297

Download Submit
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.IO.Packaging.dll.(MJ-DK9360817254)([email protected]).zxc

Filesize
282KB

MD5
7d9c3995e82bbbb9b9da9761b9dc6571

SHA1
45b6a48cc15c0eaeea66e9e2a9223ad25951728a

SHA256
64f95459370d76f0c18e25a0ffd845a807811125d2dc00dd5b027be6ac0400c4

SHA512
6819c4b4b5585beb01137e41b8453246fd1b11b75256cfb50c4b84f3d218b1bb723763bc66aa4b78733e0b0fdf24eed21276cb6ea021b72f7520695b8d5813f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\08be2d44d1063d56_0.(MJ-DK9360817254)([email protected]).zxc

Filesize
517KB

MD5
8f532e29961b7efd94f330b72609c4c0

SHA1
769867491a2b581d304cc67d4cec7fc2bb01ea8e

SHA256
f80d1dbbc71823e0836c88a7ede1bb2a0e7deac8516befa9bd5240fc09c818c9

SHA512
cf59c28061dd633de07b39065c76a85edfd41c51c6ec3416e7c1e1549eac83704d58deebb15cb0eb20c3c82a4a4898d109edad24308e92ca9b99632798d993f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\bb9a4039-5fee-44f8-a618-d20a135c468d\311ba9559af907e8_1.(MJ-DK9360817254)([email protected]).zxc

Filesize
651KB

MD5
51191fda1094ed050e04030609a82d90

SHA1
bfe645a0bd4f14d905dc370de049b37a495fb959

SHA256
5a97fd75dde39b35f8e51990e260ab818c6d3b8f826fc162411e224e11d0cacf

SHA512
47e52db3a87d2f2be2ae3bb30363782c96493a721a980c06c187b0ed4a21412233d0571689aed8f62c8ad32f6fb840a317179f794f5cec866f76e81182c3a5ee

Download Submit
C:\Users\Admin\Music\WriteResolve.lnk.(MJ-DK9360817254)([email protected]).zxc

Filesize
192KB

MD5
06c4f8e0419017d0e38feda76fe4faf9

SHA1
51e6f9bf5b78cb1d8e18c1c97b857a9c2b69c75e

SHA256
e689c84e3e8c2350f11246cd8525e4858a36c4bc44be7135b44aef1dcfe65cd8

SHA512
b779d759b49db5ca0f121fefb71faac3ef116b5c58db9672cb5e5dbd02b4024fe53a8c278e5ea905646b09ed87b226c42ce0d0069eeb5aa4fe3fe3ff4d83e173

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads