38dcaf30cc9d82ee6b919db70bc954dbee92bc9b370f5ead158339932ba9b027

Analysis

max time kernel
149s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1773565cd9cfff6c1e570c1cd8996dca.exe
Size

459KB
MD5

1773565cd9cfff6c1e570c1cd8996dca
SHA1

45f2df63ac7b82d2b2ae87a4ce03324b32c39f81
SHA256

38dcaf30cc9d82ee6b919db70bc954dbee92bc9b370f5ead158339932ba9b027
SHA512

f3ba89bd6ecac710606df46317281a87010414cb7360b55d409d38cf655a068109163f78c992d964f188d4f5346f9e649bc84a5239703dfe07ab48b368646fa0
SSDEEP

6144:1G3FnRQ3CTZyokIeWIo2i1oUSvEGkJXc5ILB2+PWzFLKlXlBk1RPd/WhubkirBt2:016ucvECUBv+hZzcd7aEARLWF

Score

8^/10

adware bootkit persistence stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	miniup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qmaey = "rundll32 \"C:\\Windows\\Downlo~1\\qmaey.dll\",start"	miniup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ki8 = "rundll32 \"C:\\Windows\\Downlo~1\\ki8.dll\",Run"	miniup.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
33	3996	rundll32.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	f1971.exe

Executes dropped EXE 4 IoCs

pid	Process
4728	miniup.exe
5368	f1971.exe
5188	f1971.exe
712	f1971.exe

Loads dropped DLL 26 IoCs

pid	Process
4416	regsvr32.exe
712	f1971.exe
3996	rundll32.exe
712	f1971.exe
712	f1971.exe
712	f1971.exe
712	f1971.exe
712	f1971.exe
712	f1971.exe
712	f1971.exe
712	f1971.exe
712	f1971.exe
712	f1971.exe
712	f1971.exe
712	f1971.exe
712	f1971.exe
712	f1971.exe
712	f1971.exe
712	f1971.exe
712	f1971.exe
712	f1971.exe
712	f1971.exe
712	f1971.exe
712	f1971.exe
712	f1971.exe
712	f1971.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	1773565cd9cfff6c1e570c1cd8996dca.exe
File opened for modification	\??\PhysicalDrive0	f1971.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\f1971.exe	1773565cd9cfff6c1e570c1cd8996dca.exe
File opened for modification	C:\Windows\SysWOW64\f61.dll	1773565cd9cfff6c1e570c1cd8996dca.exe
File opened for modification	C:\Windows\SysWOW64\123	f1971.exe
File opened for modification	C:\Windows\SysWOW64\ccs	f1971.exe
File opened for modification	C:\Windows\SysWOW64\oop	f1971.exe
File created	C:\Windows\SysWOW64\-52-8-3663	rundll32.exe
File created	C:\Windows\SysWOW64\f1971.exe	1773565cd9cfff6c1e570c1cd8996dca.exe
File opened for modification	C:\Windows\SysWOW64\dsd	f1971.exe
File opened for modification	C:\Windows\SysWOW64\	1773565cd9cfff6c1e570c1cd8996dca.exe
File opened for modification	C:\Windows\SysWOW64\6f11.dll	1773565cd9cfff6c1e570c1cd8996dca.exe
File opened for modification	C:\Windows\SysWOW64\197c1.dll	1773565cd9cfff6c1e570c1cd8996dca.exe
File opened for modification	C:\Windows\SysWOW64\6f11.dlltmp	1773565cd9cfff6c1e570c1cd8996dca.exe
File created	C:\Windows\SysWOW64\f61.dll	1773565cd9cfff6c1e570c1cd8996dca.exe
File created	C:\Windows\SysWOW64\6f11.dll	1773565cd9cfff6c1e570c1cd8996dca.exe
File created	C:\Windows\SysWOW64\2bfe93	rundll32.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File created	C:\Windows\Downlo~1\ki8.dll	miniup.exe
File created	C:\Windows\9631.exe	1773565cd9cfff6c1e570c1cd8996dca.exe
File opened for modification	C:\Windows\9631.exe	1773565cd9cfff6c1e570c1cd8996dca.exe
File opened for modification	C:\Windows\Downlo~1\qmaey.dll	miniup.exe
File created	C:\Windows\191.bmp	1773565cd9cfff6c1e570c1cd8996dca.exe
File created	C:\Windows\63fd1.txt	1773565cd9cfff6c1e570c1cd8996dca.exe
File opened for modification	C:\Windows\63fd1.txt	1773565cd9cfff6c1e570c1cd8996dca.exe
File opened for modification	C:\Windows\191.bmp	1773565cd9cfff6c1e570c1cd8996dca.exe
File opened for modification	C:\Windows\3fd941.rm	1773565cd9cfff6c1e570c1cd8996dca.exe
File created	C:\Windows\Downlo~1\qmaey.dll	miniup.exe
File created	C:\Windows\a3f8dc3f	miniup.exe
File opened for modification	C:\Windows\Downlo~1\ki8.dll	miniup.exe
File created	C:\Windows\-93-8-3663	miniup.exe
File opened for modification	C:\Windows\	1773565cd9cfff6c1e570c1cd8996dca.exe

Modifies registry class 46 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\ProgID\ = "IEHpr.Invoke.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\6f11.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\TypeLib\ = "{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke\ = "Invoke Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke\CurVer\ = "IEHpr.Invoke.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\ = "Invoke Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\ = "IEHpr 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\InprocServer32\ = "C:\\Windows\\SysWow64\\6f11.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\VersionIndependentProgID\ = "IEHpr.Invoke"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke\CLSID\ = "{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\TypeLib\ = "{ABBF3E09-6453-43cc-BC46-879C5DC5CB07}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke.1\ = "Invoke Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke.1\CLSID\ = "{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\ = "IInvoke"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\ = "IInvoke"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\TypeLib\ = "{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	3880	1773565cd9cfff6c1e570c1cd8996dca.exe
Token: SeSystemtimePrivilege	3880	1773565cd9cfff6c1e570c1cd8996dca.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3880	1773565cd9cfff6c1e570c1cd8996dca.exe
4728	miniup.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3880 wrote to memory of 2732	3880	1773565cd9cfff6c1e570c1cd8996dca.exe	89
PID 3880 wrote to memory of 2732	3880	1773565cd9cfff6c1e570c1cd8996dca.exe	89
PID 3880 wrote to memory of 2732	3880	1773565cd9cfff6c1e570c1cd8996dca.exe	89
PID 3880 wrote to memory of 4728	3880	1773565cd9cfff6c1e570c1cd8996dca.exe	90
PID 3880 wrote to memory of 4728	3880	1773565cd9cfff6c1e570c1cd8996dca.exe	90
PID 3880 wrote to memory of 4728	3880	1773565cd9cfff6c1e570c1cd8996dca.exe	90
PID 4728 wrote to memory of 3964	4728	miniup.exe	91
PID 4728 wrote to memory of 3964	4728	miniup.exe	91
PID 4728 wrote to memory of 3964	4728	miniup.exe	91
PID 4728 wrote to memory of 5288	4728	miniup.exe	92
PID 4728 wrote to memory of 5288	4728	miniup.exe	92
PID 4728 wrote to memory of 5288	4728	miniup.exe	92
PID 3880 wrote to memory of 4416	3880	1773565cd9cfff6c1e570c1cd8996dca.exe	97
PID 3880 wrote to memory of 4416	3880	1773565cd9cfff6c1e570c1cd8996dca.exe	97
PID 3880 wrote to memory of 4416	3880	1773565cd9cfff6c1e570c1cd8996dca.exe	97
PID 3880 wrote to memory of 5368	3880	1773565cd9cfff6c1e570c1cd8996dca.exe	98
PID 3880 wrote to memory of 5368	3880	1773565cd9cfff6c1e570c1cd8996dca.exe	98
PID 3880 wrote to memory of 5368	3880	1773565cd9cfff6c1e570c1cd8996dca.exe	98
PID 3880 wrote to memory of 5188	3880	1773565cd9cfff6c1e570c1cd8996dca.exe	100
PID 3880 wrote to memory of 5188	3880	1773565cd9cfff6c1e570c1cd8996dca.exe	100
PID 3880 wrote to memory of 5188	3880	1773565cd9cfff6c1e570c1cd8996dca.exe	100
PID 3880 wrote to memory of 3996	3880	1773565cd9cfff6c1e570c1cd8996dca.exe	104
PID 3880 wrote to memory of 3996	3880	1773565cd9cfff6c1e570c1cd8996dca.exe	104
PID 3880 wrote to memory of 3996	3880	1773565cd9cfff6c1e570c1cd8996dca.exe	104

C:\Users\Admin\AppData\Local\Temp\1773565cd9cfff6c1e570c1cd8996dca.exe
"C:\Users\Admin\AppData\Local\Temp\1773565cd9cfff6c1e570c1cd8996dca.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3880
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\6f11.dll"
  2⤵
  PID:2732
- C:\Users\Admin\AppData\Local\Temp\hzcg\miniup.exe
  C:\Users\Admin\AppData\Local\Temp\hzcg\miniup.exe
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 "C:\Windows\Downlo~1\qmaey.dll",start
    3⤵
    PID:3964
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 "C:\Windows\Downlo~1\ki8.dll",Run
    3⤵
    PID:5288
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\6f11.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:4416
- C:\Windows\SysWOW64\f1971.exe
  C:\Windows\system32\f1971.exe -i
  2⤵
  - Executes dropped EXE
  PID:5368
- C:\Windows\SysWOW64\f1971.exe
  C:\Windows\system32\f1971.exe -s
  2⤵
  - Executes dropped EXE
  PID:5188
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32\f61.dll,Always
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  PID:3996

C:\Windows\SysWOW64\f1971.exe
C:\Windows\SysWOW64\f1971.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hzcg\bho.dll

Filesize
52KB

MD5
f8f15a3bf018061ed8175c38b7adcdbd

SHA1
1edcd70fbdc0fa214d9945fbb06ff8cb744227d0

SHA256
6fb6cbb52552c4ddfeb1ec388708439871e5ac17eda1dcf7b3b3dfc9db96c899

SHA512
21a57f06650e46af61ab76121f6834568e7e5968bd95813d81766456e79a9690885919644e750a193a921322d3ab31150c4d3253468a8a040a2e7eb3780f69fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\hzcg\miniup.exe

Filesize
65KB

MD5
8ee98af38e6c1af39891764ca81b2371

SHA1
f396faa9927915989978af4e7c3f3168d0c0cec2

SHA256
1cdd44dee8cabab8cdfa104eba66e3370ad3f869aaa7bfac5d1f2d9f6f3858dd

SHA512
8b401ff22e27d60e3a2b107d823de7190be5b66a5f1737ff5d0b11fa60fc09df19c9d4014f5970e101a58db44146ea3694d6c85d56f1c6907eabb087e66f7277

Download Submit
C:\Users\Admin\AppData\Local\Temp\hzcg\play.dll

Filesize
828KB

MD5
4fdf61c32981034098c0dd89fee696a9

SHA1
d50c5e1fdb0ac93830f8375d82c6616c94eb2874

SHA256
95cfb8c6a2f5e93ab66070a67ef5ee4719aa69e8a40b2facaae37aee05f017f0

SHA512
e700535511c506252c6100847d5c9bffe1c033422590d1c33f4357354bf8349a4d4aac313c2d21f620d1ce0a021c69197b194e871964fa3124f95e5eff173823

Download Submit
C:\Users\Admin\AppData\Local\Temp\hzcg\ser.exe

Filesize
120KB

MD5
bf21bc4774bdbce5c7cef9a05fbd9b53

SHA1
3804950dce3b6db85dd15b4bf3f15db4f362f963

SHA256
c46ebb3ae103911ccc6e2713ae31961ba09ac5d1e28655f5dbc1450b85bee2ac

SHA512
8748661e20fa4527b62637fce20dfa4379a4382a3a5785906f34d08d8c83dbcc8ede82cedce39471d64ed7c180c77864dc472fac4ff87b10364c58e15e56d70e

Download Submit
C:\Users\Admin\AppData\Local\Temp\v7p\miniDll.dll

Filesize
48KB

MD5
b183eb58336f1bf3c1bf55abc4743aae

SHA1
b3a4011b551ffdaed8c19a0d14ecac25e074934c

SHA256
2f3ef2445f92f679f6f8d16ebd8643d3d1fadb2d2be0e3d80ad3f8f214eceecd

SHA512
cd05c7d451b30357f19b0f81326ce226ffbe44efd2b1bc998e4afa2a17f58ea8394d950f0bc37573bd5b0be0fdedebba7c2868e98b306e4afdada53c20da0104

Download Submit
C:\Users\Admin\AppData\Local\Temp\v7p\up.dll

Filesize
64KB

MD5
31dbfa092525549c886f12f54d02a09d

SHA1
04fefce326814978d53694c875c1b7257a708398

SHA256
c9b4babcbe32a7daee70d1b827af603b2b44da90a6380521777c3a9fa36af705

SHA512
bf34f53a9311d68e33d9afdf50ca0714769c6c3ffc474b082c1655aa09431ece639c72b6930b0fe85d83db57f418a7037871f16f3856b194bc84c2752fe964c2

Download Submit
memory/3880-0-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3880-1-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/3880-118-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4728-45-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/4728-43-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4728-81-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads