metasploit | 038554b5f93582b62368e60ba492763db3300cd6ce8afd08c163ef0c1ae9214f

Analysis

max time kernel
4s
max time network
4s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-03-2024 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

038554b5f93582b62368e60ba492763db3300cd6ce8afd08c163ef0c1ae9214f.exe
Size

253KB
MD5

8384773576743ad27862147fcaf4abac
SHA1

816cc2a3591b07a5e7307889fc30c5b55a97fa33
SHA256

038554b5f93582b62368e60ba492763db3300cd6ce8afd08c163ef0c1ae9214f
SHA512

89aa3214d4e89baba86b11b3323165a7711b8f66733f8ffd8b00173b4afe180c008da7b18bd790bae8fcfc13870f16a3b449776a11dd8517a8e5fb7dfbfbfdeb
SSDEEP

6144:2K0VsPXoRDaNItnM5GEJFwvP6bQ7yMP+DE827c23EOca:QuoROIukSm6b7MP+Dd2FEOca

Score

10^/10

metasploit aspackv2 backdoor bootkit persistence trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

ASPack v2.12-2.42 8 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000c000000012240-34.dat	aspack_v212_v242
behavioral1/files/0x0005000000018698-275.dat	aspack_v212_v242
behavioral1/files/0x00050000000186a0-280.dat	aspack_v212_v242
behavioral1/files/0x00050000000186a0-286.dat	aspack_v212_v242
behavioral1/files/0x00050000000186a0-282.dat	aspack_v212_v242
behavioral1/files/0x0006000000018b37-346.dat	aspack_v212_v242
behavioral1/files/0x0006000000018b37-342.dat	aspack_v212_v242
behavioral1/files/0x0006000000018b37-340.dat	aspack_v212_v242

Executes dropped EXE 10 IoCs

pid	Process
2544	vqmixzr.exe
2832	critmjk.exe
1888	felehjr.exe
2228	jrfdald.exe
1088	wtltlxi.exe
1060	dagtxnr.exe
3056	lxiypyu.exe
932	qgqtfda.exe
1828	nhjgbpm.exe
972	kxnbxvx.exe

Loads dropped DLL 20 IoCs

pid	Process
1500	038554b5f93582b62368e60ba492763db3300cd6ce8afd08c163ef0c1ae9214f.exe
1500	038554b5f93582b62368e60ba492763db3300cd6ce8afd08c163ef0c1ae9214f.exe
2544	vqmixzr.exe
2544	vqmixzr.exe
2832	critmjk.exe
2832	critmjk.exe
1888	felehjr.exe
1888	felehjr.exe
2228	jrfdald.exe
2228	jrfdald.exe
1088	wtltlxi.exe
1088	wtltlxi.exe
1060	dagtxnr.exe
1060	dagtxnr.exe
3056	lxiypyu.exe
3056	lxiypyu.exe
932	qgqtfda.exe
932	qgqtfda.exe
1828	nhjgbpm.exe
1828	nhjgbpm.exe

Writes to the Master Boot Record (MBR) 1 TTPs 11 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	nhjgbpm.exe
File opened for modification	\??\PhysicalDrive0	038554b5f93582b62368e60ba492763db3300cd6ce8afd08c163ef0c1ae9214f.exe
File opened for modification	\??\PhysicalDrive0	felehjr.exe
File opened for modification	\??\PhysicalDrive0	jrfdald.exe
File opened for modification	\??\PhysicalDrive0	wtltlxi.exe
File opened for modification	\??\PhysicalDrive0	dagtxnr.exe
File opened for modification	\??\PhysicalDrive0	qgqtfda.exe
File opened for modification	\??\PhysicalDrive0	vqmixzr.exe
File opened for modification	\??\PhysicalDrive0	critmjk.exe
File opened for modification	\??\PhysicalDrive0	lxiypyu.exe
File opened for modification	\??\PhysicalDrive0	kxnbxvx.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\felehjr.exe	critmjk.exe
File created	C:\Windows\SysWOW64\dagtxnr.exe	wtltlxi.exe
File opened for modification	C:\Windows\SysWOW64\dagtxnr.exe	wtltlxi.exe
File opened for modification	C:\Windows\SysWOW64\critmjk.exe	vqmixzr.exe
File opened for modification	C:\Windows\SysWOW64\qgqtfda.exe	lxiypyu.exe
File created	C:\Windows\SysWOW64\kxnbxvx.exe	nhjgbpm.exe
File opened for modification	C:\Windows\SysWOW64\kxnbxvx.exe	nhjgbpm.exe
File opened for modification	C:\Windows\SysWOW64\jrfdald.exe	felehjr.exe
File opened for modification	C:\Windows\SysWOW64\wtltlxi.exe	jrfdald.exe
File created	C:\Windows\SysWOW64\qgqtfda.exe	lxiypyu.exe
File opened for modification	C:\Windows\SysWOW64\nhjgbpm.exe	qgqtfda.exe
File created	C:\Windows\SysWOW64\vqmixzr.exe	038554b5f93582b62368e60ba492763db3300cd6ce8afd08c163ef0c1ae9214f.exe
File created	C:\Windows\SysWOW64\critmjk.exe	vqmixzr.exe
File opened for modification	C:\Windows\SysWOW64\felehjr.exe	critmjk.exe
File created	C:\Windows\SysWOW64\jrfdald.exe	felehjr.exe
File created	C:\Windows\SysWOW64\nhjgbpm.exe	qgqtfda.exe
File opened for modification	C:\Windows\SysWOW64\vqmixzr.exe	038554b5f93582b62368e60ba492763db3300cd6ce8afd08c163ef0c1ae9214f.exe
File created	C:\Windows\SysWOW64\wtltlxi.exe	jrfdald.exe
File created	C:\Windows\SysWOW64\lxiypyu.exe	dagtxnr.exe
File opened for modification	C:\Windows\SysWOW64\lxiypyu.exe	dagtxnr.exe

Modifies registry class 32 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	kxnbxvx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	felehjr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	qgqtfda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	jrfdald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	wtltlxi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	qgqtfda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	vqmixzr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	jrfdald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	wtltlxi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	dagtxnr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	nhjgbpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	critmjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	jrfdald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	vqmixzr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	felehjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	038554b5f93582b62368e60ba492763db3300cd6ce8afd08c163ef0c1ae9214f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	vqmixzr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	nhjgbpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	038554b5f93582b62368e60ba492763db3300cd6ce8afd08c163ef0c1ae9214f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	critmjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	lxiypyu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	nhjgbpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	038554b5f93582b62368e60ba492763db3300cd6ce8afd08c163ef0c1ae9214f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	felehjr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	dagtxnr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	lxiypyu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	kxnbxvx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	wtltlxi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	dagtxnr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	qgqtfda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	critmjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	lxiypyu.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 2544	1500	038554b5f93582b62368e60ba492763db3300cd6ce8afd08c163ef0c1ae9214f.exe	28
PID 1500 wrote to memory of 2544	1500	038554b5f93582b62368e60ba492763db3300cd6ce8afd08c163ef0c1ae9214f.exe	28
PID 1500 wrote to memory of 2544	1500	038554b5f93582b62368e60ba492763db3300cd6ce8afd08c163ef0c1ae9214f.exe	28
PID 1500 wrote to memory of 2544	1500	038554b5f93582b62368e60ba492763db3300cd6ce8afd08c163ef0c1ae9214f.exe	28
PID 2544 wrote to memory of 2832	2544	vqmixzr.exe	29
PID 2544 wrote to memory of 2832	2544	vqmixzr.exe	29
PID 2544 wrote to memory of 2832	2544	vqmixzr.exe	29
PID 2544 wrote to memory of 2832	2544	vqmixzr.exe	29
PID 2832 wrote to memory of 1888	2832	critmjk.exe	30
PID 2832 wrote to memory of 1888	2832	critmjk.exe	30
PID 2832 wrote to memory of 1888	2832	critmjk.exe	30
PID 2832 wrote to memory of 1888	2832	critmjk.exe	30
PID 1888 wrote to memory of 2228	1888	felehjr.exe	31
PID 1888 wrote to memory of 2228	1888	felehjr.exe	31
PID 1888 wrote to memory of 2228	1888	felehjr.exe	31
PID 1888 wrote to memory of 2228	1888	felehjr.exe	31
PID 2228 wrote to memory of 1088	2228	jrfdald.exe	32
PID 2228 wrote to memory of 1088	2228	jrfdald.exe	32
PID 2228 wrote to memory of 1088	2228	jrfdald.exe	32
PID 2228 wrote to memory of 1088	2228	jrfdald.exe	32
PID 1088 wrote to memory of 1060	1088	wtltlxi.exe	33
PID 1088 wrote to memory of 1060	1088	wtltlxi.exe	33
PID 1088 wrote to memory of 1060	1088	wtltlxi.exe	33
PID 1088 wrote to memory of 1060	1088	wtltlxi.exe	33
PID 1060 wrote to memory of 3056	1060	dagtxnr.exe	34
PID 1060 wrote to memory of 3056	1060	dagtxnr.exe	34
PID 1060 wrote to memory of 3056	1060	dagtxnr.exe	34
PID 1060 wrote to memory of 3056	1060	dagtxnr.exe	34
PID 3056 wrote to memory of 932	3056	lxiypyu.exe	35
PID 3056 wrote to memory of 932	3056	lxiypyu.exe	35
PID 3056 wrote to memory of 932	3056	lxiypyu.exe	35
PID 3056 wrote to memory of 932	3056	lxiypyu.exe	35
PID 932 wrote to memory of 1828	932	qgqtfda.exe	36
PID 932 wrote to memory of 1828	932	qgqtfda.exe	36
PID 932 wrote to memory of 1828	932	qgqtfda.exe	36
PID 932 wrote to memory of 1828	932	qgqtfda.exe	36
PID 1828 wrote to memory of 972	1828	nhjgbpm.exe	37
PID 1828 wrote to memory of 972	1828	nhjgbpm.exe	37
PID 1828 wrote to memory of 972	1828	nhjgbpm.exe	37
PID 1828 wrote to memory of 972	1828	nhjgbpm.exe	37

C:\Users\Admin\AppData\Local\Temp\038554b5f93582b62368e60ba492763db3300cd6ce8afd08c163ef0c1ae9214f.exe
"C:\Users\Admin\AppData\Local\Temp\038554b5f93582b62368e60ba492763db3300cd6ce8afd08c163ef0c1ae9214f.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Windows\SysWOW64\vqmixzr.exe
  C:\Windows\system32\vqmixzr.exe 492 "C:\Users\Admin\AppData\Local\Temp\038554b5f93582b62368e60ba492763db3300cd6ce8afd08c163ef0c1ae9214f.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\SysWOW64\critmjk.exe
    C:\Windows\system32\critmjk.exe 452 "C:\Windows\SysWOW64\vqmixzr.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\SysWOW64\felehjr.exe
      C:\Windows\system32\felehjr.exe 456 "C:\Windows\SysWOW64\critmjk.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1888
    - - C:\Windows\SysWOW64\jrfdald.exe
        
        C:\Windows\system32\jrfdald.exe 540 "C:\Windows\SysWOW64\felehjr.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2228
      - C:\Windows\SysWOW64\wtltlxi.exe
        
        C:\Windows\system32\wtltlxi.exe 484 "C:\Windows\SysWOW64\jrfdald.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\dagtxnr.exe
        
        C:\Windows\system32\dagtxnr.exe 500 "C:\Windows\SysWOW64\wtltlxi.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\lxiypyu.exe
        
        C:\Windows\system32\lxiypyu.exe 552 "C:\Windows\SysWOW64\dagtxnr.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\qgqtfda.exe
        
        C:\Windows\system32\qgqtfda.exe 556 "C:\Windows\SysWOW64\lxiypyu.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\SysWOW64\nhjgbpm.exe
        
        C:\Windows\system32\nhjgbpm.exe 560 "C:\Windows\SysWOW64\qgqtfda.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\SysWOW64\kxnbxvx.exe
        
        C:\Windows\system32\kxnbxvx.exe 564 "C:\Windows\SysWOW64\nhjgbpm.exe"
        11⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\kbaumzc.exe
        
        C:\Windows\system32\kbaumzc.exe 568 "C:\Windows\SysWOW64\kxnbxvx.exe"
        12⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\orwpinn.exe
        
        C:\Windows\system32\orwpinn.exe 572 "C:\Windows\SysWOW64\kbaumzc.exe"
        13⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\jxnjkku.exe
        
        C:\Windows\system32\jxnjkku.exe 576 "C:\Windows\SysWOW64\orwpinn.exe"
        14⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\iqouexe.exe
        
        C:\Windows\system32\iqouexe.exe 580 "C:\Windows\SysWOW64\jxnjkku.exe"
        15⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\nrexvck.exe
        
        C:\Windows\system32\nrexvck.exe 584 "C:\Windows\SysWOW64\iqouexe.exe"
        16⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\nkfhppu.exe
        
        C:\Windows\system32\nkfhppu.exe 488 "C:\Windows\SysWOW64\nrexvck.exe"
        17⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\joahnfm.exe
        
        C:\Windows\system32\joahnfm.exe 592 "C:\Windows\SysWOW64\nkfhppu.exe"
        18⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\xjsxtal.exe
        
        C:\Windows\system32\xjsxtal.exe 596 "C:\Windows\SysWOW64\joahnfm.exe"
        19⤵
        
        PID:752
        
        C:\Windows\SysWOW64\yagmrfz.exe
        
        C:\Windows\system32\yagmrfz.exe 600 "C:\Windows\SysWOW64\xjsxtal.exe"
        20⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\geisjyb.exe
        
        C:\Windows\system32\geisjyb.exe 604 "C:\Windows\SysWOW64\yagmrfz.exe"
        21⤵
        
        PID:904
        
        C:\Windows\SysWOW64\dcpacxp.exe
        
        C:\Windows\system32\dcpacxp.exe 528 "C:\Windows\SysWOW64\geisjyb.exe"
        22⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\ihiavht.exe
        
        C:\Windows\system32\ihiavht.exe 520 "C:\Windows\SysWOW64\dcpacxp.exe"
        23⤵
        
        PID:616
        
        C:\Windows\SysWOW64\zvixzvc.exe
        
        C:\Windows\system32\zvixzvc.exe 536 "C:\Windows\SysWOW64\ihiavht.exe"
        24⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cjlauvr.exe
        
        C:\Windows\system32\cjlauvr.exe 588 "C:\Windows\SysWOW64\zvixzvc.exe"
        25⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\bbmsoib.exe
        
        C:\Windows\system32\bbmsoib.exe 624 "C:\Windows\SysWOW64\cjlauvr.exe"
        26⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\yvhfnlh.exe
        
        C:\Windows\system32\yvhfnlh.exe 628 "C:\Windows\SysWOW64\bbmsoib.exe"
        27⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\qgsiudx.exe
        
        C:\Windows\system32\qgsiudx.exe 632 "C:\Windows\SysWOW64\yvhfnlh.exe"
        28⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\pytaoqh.exe
        
        C:\Windows\system32\pytaoqh.exe 636 "C:\Windows\SysWOW64\qgsiudx.exe"
        29⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\ulmiham.exe
        
        C:\Windows\system32\ulmiham.exe 640 "C:\Windows\SysWOW64\pytaoqh.exe"
        30⤵
        
        PID:400
        
        C:\Windows\SysWOW64\ekzfsyt.exe
        
        C:\Windows\system32\ekzfsyt.exe 508 "C:\Windows\SysWOW64\ulmiham.exe"
        31⤵
        
        PID:436
        
        C:\Windows\SysWOW64\pgrqztu.exe
        
        C:\Windows\system32\pgrqztu.exe 648 "C:\Windows\SysWOW64\ekzfsyt.exe"
        32⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\zqpavwi.exe
        
        C:\Windows\system32\zqpavwi.exe 652 "C:\Windows\SysWOW64\pgrqztu.exe"
        33⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\gurnehl.exe
        
        C:\Windows\system32\gurnehl.exe 656 "C:\Windows\SysWOW64\zqpavwi.exe"
        34⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\ldwiavw.exe
        
        C:\Windows\system32\ldwiavw.exe 516 "C:\Windows\SysWOW64\gurnehl.exe"
        35⤵
        
        PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\kbaumzc.exe

Filesize
45KB

MD5
d767f78d78344bce5fa7c564b46f58ea

SHA1
3cbe8e34f43925e8d0008cc89ea3eddce9b8eb9f

SHA256
315f801bb198f2511cded6a9ec0589e3205c291f248b63b23db298cebfb4b907

SHA512
003c18a864e99a5ce4723f86e4097ace45b586aea0f622a0aa42fcc47dc331f08c2dc2ff08cdc8b2ebea4c60f85e8fc76134a44bc60cbf04a3d9ad2aad6caa3b

Download Submit
C:\Windows\SysWOW64\kxnbxvx.exe

Filesize
240KB

MD5
3817deda5a735ce690abbcb6d369ac93

SHA1
b8b1e102d91a370e85cfc2266d83811382f92366

SHA256
bf9546dc2903916e061e5ba7f9ed5f9f7f7c75ebbeb13bd5d040ea0e9af189d6

SHA512
95f9a8ef99b38d9f61068df180194c5594bbff859edaa255da93071139c00140621b7b305c9095ca28aaee59e4cb4eea0199a9d86b27274806ffb9d2417f7d02

Download Submit
C:\Windows\SysWOW64\nkfhppu.exe

Filesize
56KB

MD5
b959bc8c99e5921a56aac57d6a611796

SHA1
a805a73ffe491893d927bb34f52d81b5545ea36f

SHA256
d155284bd2a9eb4eef3ab19fdeed498ccd0a0ee116f1e6baa707c8d2daa33734

SHA512
3e2902586f810defd1f9fea956e2cff2a3a17faef3ba7f4808fba64eb9390e041088691283c99028a7e4eedb04040a205747ea2121742d5bdb62a02ad02a7120

Download Submit
\Windows\SysWOW64\kbaumzc.exe

Filesize
65KB

MD5
55a3fd498cd90b17414a1ad080f9c1b4

SHA1
fb2e55995a8bfd0998b06ce1f028f812b99b101b

SHA256
776567654facdd06bd63a2d1847e5042c56ae4849314729c519d7b38bd71cfa9

SHA512
62bb066299cd7bc287675d9b5cff0dabd9448194b0d3d1dbe8076a2a19bef6f8dd375b24c3dcde8229c06b359262a6fce0f2ab38077e9ed8268603abe52ec998

Download Submit
\Windows\SysWOW64\kbaumzc.exe

Filesize
72KB

MD5
3de840a66bbedd5db4dc9617a9bb931c

SHA1
c20de71c3fe88e0e673a4d13e1e6ba321340fb65

SHA256
6b39eb20863df88ae6f1e5368683a989264c3b2ac41b27830faaa3ba5ccd9326

SHA512
9b36d03c3961322c4b4e1997366d78199c2f49b8254d457ca96b4351f0e00d12c8abe3018ff8f0294b78c7049b07ba11959a97f17e1602860740bdbc72187e8b

Download Submit
\Windows\SysWOW64\nkfhppu.exe

Filesize
71KB

MD5
019067af7ad7cba18610a6dc374d5ef6

SHA1
7b76853d505d28ba0db6534f6169a94e9a059907

SHA256
897f058c095ef087f9cafa3027584a1ace17a4fd612e881fdd7b9bc7c7bb41b4

SHA512
16f2329caa482592d5ddf308070d04c4e675d645272dc7e8cbdc9b5ae52abd740a5a64192f469a90edafe4a1428d7a68f0223c167ed881a583901400fc0ba223

Download Submit
\Windows\SysWOW64\nkfhppu.exe

Filesize
23KB

MD5
7203ca94dbc92141eede4580eb801bdb

SHA1
833573624412a0911438a1f36b03b0a06d6794da

SHA256
74f2d67ebc42e75c8902257ed8471e318d783262b8d661d3c32d161bebb6f733

SHA512
f98a1e2769db65bb31e0d06e0b1dacb56b263dfc3c92bbc13bbc3f0e5c88a8243dd3b798ac1cd3ed3faa4d2ea950c9cc841eca04b8db1253e702fe3d4d32fee7

Download Submit
\Windows\SysWOW64\vqmixzr.exe

Filesize
253KB

MD5
8384773576743ad27862147fcaf4abac

SHA1
816cc2a3591b07a5e7307889fc30c5b55a97fa33

SHA256
038554b5f93582b62368e60ba492763db3300cd6ce8afd08c163ef0c1ae9214f

SHA512
89aa3214d4e89baba86b11b3323165a7711b8f66733f8ffd8b00173b4afe180c008da7b18bd790bae8fcfc13870f16a3b449776a11dd8517a8e5fb7dfbfbfdeb

Download Submit
memory/400-460-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/436-468-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/616-404-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/752-372-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/904-388-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/932-266-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/972-288-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/1060-242-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/1084-382-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/1196-436-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/1476-412-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/1484-396-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/1500-26-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

Filesize
4KB

Download
memory/1500-70-0x0000000002D10000-0x0000000002E2B000-memory.dmp

Filesize
1.1MB

Download
memory/1500-22-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/1500-24-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

Filesize
4KB

Download
memory/1500-29-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download
memory/1500-0-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/1500-23-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/1500-30-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/1500-32-0x0000000001F20000-0x0000000001F21000-memory.dmp

Filesize
4KB

Download
memory/1500-20-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/1500-33-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/1500-31-0x0000000001F30000-0x0000000001F31000-memory.dmp

Filesize
4KB

Download
memory/1500-35-0x0000000001F40000-0x0000000001F41000-memory.dmp

Filesize
4KB

Download
memory/1500-36-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/1500-38-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1500-40-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/1500-39-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1500-37-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/1500-42-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/1500-41-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/1500-44-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/1500-46-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/1500-45-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/1500-43-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/1500-47-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/1500-48-0x0000000002950000-0x0000000002951000-memory.dmp

Filesize
4KB

Download
memory/1500-49-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/1500-51-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/1500-50-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/1500-53-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/1500-54-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/1500-52-0x0000000002B40000-0x0000000002B41000-memory.dmp

Filesize
4KB

Download
memory/1500-56-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/1500-57-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/1500-55-0x0000000002B50000-0x0000000002B51000-memory.dmp

Filesize
4KB

Download
memory/1500-58-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

Filesize
4KB

Download
memory/1500-60-0x0000000002D00000-0x0000000002D01000-memory.dmp

Filesize
4KB

Download
memory/1500-61-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

Filesize
4KB

Download
memory/1500-63-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/1500-62-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/1500-59-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/1500-21-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/1500-72-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/1500-1-0x0000000000260000-0x0000000000290000-memory.dmp

Filesize
192KB

Download
memory/1500-3-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1500-74-0x0000000000260000-0x0000000000290000-memory.dmp

Filesize
192KB

Download
memory/1500-2-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/1500-4-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1500-19-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/1500-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1500-18-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/1500-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1500-17-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1500-15-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1500-16-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1500-14-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1500-13-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1500-7-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1500-8-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1500-9-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1500-10-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/1500-12-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1500-11-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1620-484-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/1716-326-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/1744-428-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/1828-276-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/1872-311-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/1888-168-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/1892-452-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/2292-364-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/2308-422-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/2328-482-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/2544-89-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/2544-73-0x0000000000250000-0x0000000000280000-memory.dmp

Filesize
192KB

Download
memory/2544-71-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/2592-350-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/2724-358-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/2792-445-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/2896-336-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/3036-300-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/3056-252-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads