12fcee89bbd445a5f4521c9d5f637b4726658a33aa2135aa4fa468f8d0ca6360

Analysis

max time kernel
2s
max time network
119s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
10/03/2024, 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be93cfd2de9fc49ecf6f64b9259c64fd.exe
Size

17KB
MD5

be93cfd2de9fc49ecf6f64b9259c64fd
SHA1

3951d2178bb35de0f3ae261ca71cd90123e0463e
SHA256

12fcee89bbd445a5f4521c9d5f637b4726658a33aa2135aa4fa468f8d0ca6360
SHA512

36537ef7cf9f41cfa2141811142d5659838a7f13a4b1a7856be1321a7117dfb5d8c541b17e313eb410485adf9b277b4f9ef7a0d3705fd9cd76b120300c7d045a
SSDEEP

384:IqV0cHn8tiDgu+rTXZde7ZAMX/gcCyq/cN/EOZPOr1qN3nVn1:jwtughTXZ07+MP9C9/cN8OQJqF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4524	azzxaime.exe
4648	azzxaime.exe
4756	azzxaime.exe
4860	azzxaime.exe

Loads dropped DLL 8 IoCs

pid	Process
2108	be93cfd2de9fc49ecf6f64b9259c64fd.exe
2108	be93cfd2de9fc49ecf6f64b9259c64fd.exe
4524	azzxaime.exe
4524	azzxaime.exe
4648	azzxaime.exe
4648	azzxaime.exe
4756	azzxaime.exe
4756	azzxaime.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\zyzxjime.dll	be93cfd2de9fc49ecf6f64b9259c64fd.exe
File opened for modification	C:\Windows\SysWOW64\zyzxjime.dll	azzxaime.exe
File opened for modification	C:\Windows\SysWOW64\zyzxjime.dll	azzxaime.exe
File created	C:\Windows\SysWOW64\zyzxjime.dll	azzxaime.exe
File opened for modification	C:\Windows\SysWOW64\fxzxbime.sys	be93cfd2de9fc49ecf6f64b9259c64fd.exe
File opened for modification	C:\Windows\SysWOW64\fxzxbime.sys	azzxaime.exe
File opened for modification	C:\Windows\SysWOW64\azzxaime.exe	azzxaime.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	azzxaime.exe
File opened for modification	C:\Windows\SysWOW64\fxzxbime.sys	azzxaime.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	azzxaime.exe
File opened for modification	C:\Windows\SysWOW64\fxzxbime.sys	azzxaime.exe
File opened for modification	C:\Windows\SysWOW64\zyzxjime.dll	azzxaime.exe
File created	C:\Windows\SysWOW64\zyzxjime.dll	be93cfd2de9fc49ecf6f64b9259c64fd.exe
File opened for modification	C:\Windows\SysWOW64\azzxaime.exe	be93cfd2de9fc49ecf6f64b9259c64fd.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	azzxaime.exe
File opened for modification	C:\Windows\SysWOW64\azzxaime.exe	azzxaime.exe
File opened for modification	C:\Windows\SysWOW64\fxzxbime.sys	azzxaime.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	be93cfd2de9fc49ecf6f64b9259c64fd.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	azzxaime.exe
File opened for modification	C:\Windows\SysWOW64\zyzxjime.dll	azzxaime.exe
File opened for modification	C:\Windows\SysWOW64\azzxaime.exe	azzxaime.exe
File created	C:\Windows\SysWOW64\azzxaime.exe	be93cfd2de9fc49ecf6f64b9259c64fd.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA59145F-315D-BC23-AC1F-145DF81A34AA}\InprocServer32\ThreadingModel = "Apartment"	be93cfd2de9fc49ecf6f64b9259c64fd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA59145F-315D-BC23-AC1F-145DF81A34AA}\InprocServer32	azzxaime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA59145F-315D-BC23-AC1F-145DF81A34AA}\InprocServer32\ThreadingModel = "Apartment"	azzxaime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA59145F-315D-BC23-AC1F-145DF81A34AA}\InprocServer32\ = "C:\\Windows\\SysWow64\\zyzxjime.dll"	azzxaime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA59145F-315D-BC23-AC1F-145DF81A34AA}	be93cfd2de9fc49ecf6f64b9259c64fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA59145F-315D-BC23-AC1F-145DF81A34AA}\InprocServer32\ = "C:\\Windows\\SysWow64\\zyzxjime.dll"	azzxaime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA59145F-315D-BC23-AC1F-145DF81A34AA}\InprocServer32	azzxaime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA59145F-315D-BC23-AC1F-145DF81A34AA}\InprocServer32\ = "C:\\Windows\\SysWow64\\zyzxjime.dll"	azzxaime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA59145F-315D-BC23-AC1F-145DF81A34AA}\InprocServer32	be93cfd2de9fc49ecf6f64b9259c64fd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	be93cfd2de9fc49ecf6f64b9259c64fd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	be93cfd2de9fc49ecf6f64b9259c64fd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA59145F-315D-BC23-AC1F-145DF81A34AA}\InprocServer32	azzxaime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA59145F-315D-BC23-AC1F-145DF81A34AA}\InprocServer32\ = "C:\\Windows\\SysWow64\\zyzxjime.dll"	be93cfd2de9fc49ecf6f64b9259c64fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA59145F-315D-BC23-AC1F-145DF81A34AA}\InprocServer32\ThreadingModel = "Apartment"	azzxaime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA59145F-315D-BC23-AC1F-145DF81A34AA}\InprocServer32\ThreadingModel = "Apartment"	azzxaime.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2108	be93cfd2de9fc49ecf6f64b9259c64fd.exe
2108	be93cfd2de9fc49ecf6f64b9259c64fd.exe
2108	be93cfd2de9fc49ecf6f64b9259c64fd.exe
2108	be93cfd2de9fc49ecf6f64b9259c64fd.exe
2108	be93cfd2de9fc49ecf6f64b9259c64fd.exe
4524	azzxaime.exe
4648	azzxaime.exe
4756	azzxaime.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	be93cfd2de9fc49ecf6f64b9259c64fd.exe
Token: SeDebugPrivilege	4524	azzxaime.exe
Token: SeDebugPrivilege	4648	azzxaime.exe
Token: SeDebugPrivilege	4756	azzxaime.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 1712	2108	be93cfd2de9fc49ecf6f64b9259c64fd.exe	28
PID 2108 wrote to memory of 1712	2108	be93cfd2de9fc49ecf6f64b9259c64fd.exe	28
PID 2108 wrote to memory of 1712	2108	be93cfd2de9fc49ecf6f64b9259c64fd.exe	28
PID 2108 wrote to memory of 1712	2108	be93cfd2de9fc49ecf6f64b9259c64fd.exe	28
PID 2108 wrote to memory of 4524	2108	be93cfd2de9fc49ecf6f64b9259c64fd.exe	30
PID 2108 wrote to memory of 4524	2108	be93cfd2de9fc49ecf6f64b9259c64fd.exe	30
PID 2108 wrote to memory of 4524	2108	be93cfd2de9fc49ecf6f64b9259c64fd.exe	30
PID 2108 wrote to memory of 4524	2108	be93cfd2de9fc49ecf6f64b9259c64fd.exe	30
PID 4524 wrote to memory of 4596	4524	azzxaime.exe	31
PID 4524 wrote to memory of 4596	4524	azzxaime.exe	31
PID 4524 wrote to memory of 4596	4524	azzxaime.exe	31
PID 4524 wrote to memory of 4596	4524	azzxaime.exe	31
PID 4524 wrote to memory of 4648	4524	azzxaime.exe	33
PID 4524 wrote to memory of 4648	4524	azzxaime.exe	33
PID 4524 wrote to memory of 4648	4524	azzxaime.exe	33
PID 4524 wrote to memory of 4648	4524	azzxaime.exe	33
PID 4648 wrote to memory of 4712	4648	azzxaime.exe	34
PID 4648 wrote to memory of 4712	4648	azzxaime.exe	34
PID 4648 wrote to memory of 4712	4648	azzxaime.exe	34
PID 4648 wrote to memory of 4712	4648	azzxaime.exe	34
PID 4648 wrote to memory of 4756	4648	azzxaime.exe	36
PID 4648 wrote to memory of 4756	4648	azzxaime.exe	36
PID 4648 wrote to memory of 4756	4648	azzxaime.exe	36
PID 4648 wrote to memory of 4756	4648	azzxaime.exe	36
PID 4756 wrote to memory of 4812	4756	azzxaime.exe	37
PID 4756 wrote to memory of 4812	4756	azzxaime.exe	37
PID 4756 wrote to memory of 4812	4756	azzxaime.exe	37
PID 4756 wrote to memory of 4812	4756	azzxaime.exe	37
PID 4756 wrote to memory of 4860	4756	azzxaime.exe	39
PID 4756 wrote to memory of 4860	4756	azzxaime.exe	39
PID 4756 wrote to memory of 4860	4756	azzxaime.exe	39
PID 4756 wrote to memory of 4860	4756	azzxaime.exe	39
PID 4860 wrote to memory of 4920	4860	azzxaime.exe	40
PID 4860 wrote to memory of 4920	4860	azzxaime.exe	40
PID 4860 wrote to memory of 4920	4860	azzxaime.exe	40
PID 4860 wrote to memory of 4920	4860	azzxaime.exe	40

C:\Users\Admin\AppData\Local\Temp\be93cfd2de9fc49ecf6f64b9259c64fd.exe
"C:\Users\Admin\AppData\Local\Temp\be93cfd2de9fc49ecf6f64b9259c64fd.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259396340.bat
  2⤵
  PID:1712
- C:\Windows\SysWOW64\azzxaime.exe
  C:\Windows\system32\azzxaime.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259396762.bat
    3⤵
    PID:4596
- - C:\Windows\SysWOW64\azzxaime.exe
    C:\Windows\system32\azzxaime.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4648
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259396840.bat
      4⤵
      PID:4712
  - - C:\Windows\SysWOW64\azzxaime.exe
      C:\Windows\system32\azzxaime.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4756
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259396886.bat
        5⤵
        
        PID:4812
    - - C:\Windows\SysWOW64\azzxaime.exe
        
        C:\Windows\system32\azzxaime.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4860
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259396949.bat
        6⤵
        
        PID:4920
      - C:\Windows\SysWOW64\azzxaime.exe
        
        C:\Windows\system32\azzxaime.exe
        6⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259401005.bat
        7⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\azzxaime.exe
        
        C:\Windows\system32\azzxaime.exe
        7⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259401223.bat
        8⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\azzxaime.exe
        
        C:\Windows\system32\azzxaime.exe
        8⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259401910.bat
        9⤵
        
        PID:812
        
        C:\Windows\SysWOW64\azzxaime.exe
        
        C:\Windows\system32\azzxaime.exe
        9⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259403142.bat
        10⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\azzxaime.exe
        
        C:\Windows\system32\azzxaime.exe
        10⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259404546.bat
        11⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\azzxaime.exe
        
        C:\Windows\system32\azzxaime.exe
        11⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259405888.bat
        12⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\azzxaime.exe
        
        C:\Windows\system32\azzxaime.exe
        12⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259408009.bat
        13⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\azzxaime.exe
        
        C:\Windows\system32\azzxaime.exe
        13⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259408649.bat
        14⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\azzxaime.exe
        
        C:\Windows\system32\azzxaime.exe
        14⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259411004.bat
        15⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\azzxaime.exe
        
        C:\Windows\system32\azzxaime.exe
        15⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259413017.bat
        16⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\azzxaime.exe
        
        C:\Windows\system32\azzxaime.exe
        16⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259414717.bat
        17⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\azzxaime.exe
        
        C:\Windows\system32\azzxaime.exe
        17⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259423875.bat
        18⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\azzxaime.exe
        
        C:\Windows\system32\azzxaime.exe
        18⤵
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259430551.bat
        19⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\azzxaime.exe
        
        C:\Windows\system32\azzxaime.exe
        19⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259431612.bat
        20⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\azzxaime.exe
        
        C:\Windows\system32\azzxaime.exe
        20⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259433952.bat
        21⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\azzxaime.exe
        
        C:\Windows\system32\azzxaime.exe
        21⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259434857.bat
        22⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\azzxaime.exe
        
        C:\Windows\system32\azzxaime.exe
        22⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259438476.bat
        23⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\azzxaime.exe
        
        C:\Windows\system32\azzxaime.exe
        23⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259450348.bat
        24⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\azzxaime.exe
        
        C:\Windows\system32\azzxaime.exe
        24⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259451066.bat
        25⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\azzxaime.exe
        
        C:\Windows\system32\azzxaime.exe
        25⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259451924.bat
        26⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\azzxaime.exe
        
        C:\Windows\system32\azzxaime.exe
        26⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259455309.bat
        27⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\azzxaime.exe
        
        C:\Windows\system32\azzxaime.exe
        27⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259457462.bat
        28⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\azzxaime.exe
        
        C:\Windows\system32\azzxaime.exe
        28⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259472609.bat
        29⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\azzxaime.exe
        
        C:\Windows\system32\azzxaime.exe
        29⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259480378.bat
        30⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\azzxaime.exe
        
        C:\Windows\system32\azzxaime.exe
        30⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259481969.bat
        31⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\azzxaime.exe
        
        C:\Windows\system32\azzxaime.exe
        31⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259483217.bat
        32⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\azzxaime.exe
        
        C:\Windows\system32\azzxaime.exe
        32⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259484465.bat
        33⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\azzxaime.exe
        
        C:\Windows\system32\azzxaime.exe
        33⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259485121.bat
        34⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\azzxaime.exe
        
        C:\Windows\system32\azzxaime.exe
        34⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259516524.bat
        33⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259514932.bat
        32⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259513060.bat
        31⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259512858.bat
        30⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259510845.bat
        29⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259502717.bat
        28⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259493373.bat
        27⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259486961.bat
        26⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259482437.bat
        25⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259481283.bat
        24⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259480846.bat
        23⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259468506.bat
        22⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259465246.bat
        21⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259464060.bat
        20⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259462142.bat
        19⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259460894.bat
        18⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259454576.bat
        17⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259444513.bat
        16⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259443265.bat
        15⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259440036.bat
        14⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259439038.bat
        13⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259438383.bat
        12⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259436355.bat
        11⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259435060.bat
        10⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259433172.bat
        9⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259432283.bat
        8⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259431706.bat
        7⤵
        
        PID:5864
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259431285.bat
        6⤵
        
        PID:3024
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259429849.bat
        5⤵
        
        PID:7248
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259427400.bat
      4⤵
      PID:7416
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259429475.bat
    3⤵
    PID:7336
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259428960.bat
  2⤵
  PID:7288

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~DFD259396340.bat

Filesize
121B

MD5
09517fc62284f33e877a276463580bd1

SHA1
0b14fe1db4493818f9de0bf2a56ee5370b8d479a

SHA256
6cc6bbb1f3f754b6894d84130f5f2d86569ac3a603e1632d3cefa028f22b6238

SHA512
1b924dd216d0f38199cc6df215e65ff260aa48fa37aa620dabcbc616f434643bd1f2e617d66b14bd52900214148741565128ba9589782ba582fd7308369f4a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFD259427400.bat

Filesize
121B

MD5
5c37f2c308f2a9c21f5869cd2e1f5fbb

SHA1
a5962e2d14a62638b589d03692c10d46f2ded9da

SHA256
03401227088bab33f8fcf2503aa6d888662c3df19b19f912151764a91ced2a69

SHA512
92fd5afb790507461bded85c1e4411a03cc44d8a5a4049e064634c1fca6a0a4ddef09a656bfb6df9bafdbed141dbfa622a4f4233e7b48e65266a324aea8d163f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFD259428960.bat

Filesize
197B

MD5
5602c94bda26a5958ff8c92ba0a4e77a

SHA1
eca7a3003f335443c7071db336d47a95a14a0fa4

SHA256
c3cf7023d9fe2100ba9b189bf87ae7f73eda82413c578df38eccdc6d8f65100e

SHA512
fa243d97f035c641d3506ffe3744a8e82da8e7e1f9a6eb23fd938682a3cd4b7d94e178c8f74e4ae86ab68ce8b71101f577ee530f6301e280ef369b5d8d16c64b

Download Submit
C:\Windows\SysWOW64\fxzxbime.sys

Filesize
1KB

MD5
713f4923802dfcd08331c9b9500655d8

SHA1
c13fa895bcc9f9ee40e760029b56bd11bac31f98

SHA256
d076bf34c6e9e6ff620c472b9a55a42e699d1218aa015a024d54c394fee42501

SHA512
845fd77d3581b91f0de44d0a3e3d8264c2f1b562fef69662df5dde1dcdf3686ffbccddf3ee99cb7104cf8b2563be384162d7f411702afa0d551c3c407897da23

Download Submit
C:\Windows\SysWOW64\fxzxbime.sys

Filesize
1KB

MD5
8627981aa1bb3d06c9346498a7d2bb16

SHA1
da666beec220f38c232d39efb046e3175c72665a

SHA256
34b07c46d7457a61407cad44c6c3b9282428402d53cce6572569111c7baddcaa

SHA512
690547aff300d21d498c097c6c91b3b37a1402ddc48717290d43bb00c283b720968e51cb0cc9c5237d8b42887a083292de9259c999538102714b3040d86a00b6

Download Submit
C:\Windows\SysWOW64\fxzxbime.sys

Filesize
2KB

MD5
856c9fe721d8e4631fdb7c02a0f35a3a

SHA1
ff3feb4e8528652b32d0da904c30046a5bd302fd

SHA256
e59053f6bae5ea29aa20a8f90906536a5aec1188225544066e0d464cedbdf117

SHA512
f098a0ad79cda3e9c8bd00f6eaf743006b8412878b452d298eddbda32fe98417d2fc4f3d8a58d83ba709ec8e37bb9d4823766f0685476cc1c70f98eeedc115e6

Download Submit
C:\Windows\SysWOW64\fxzxbime.sys

Filesize
2KB

MD5
4b9aeb43ad0906333c42104c32b54f06

SHA1
2ee2de6e6a1f43e7c2cd3c93c132ba0c7f039af6

SHA256
c59f62366aeb07cd40edce21007c58de26e450abfd60e375b90e58cdd49fe6fd

SHA512
5ab37803afc7878b4c9a7e096ba8329eb4266d07b3108a0037d6aab0669f26aa37c6187326ab53d37beaf61e49fb7a9966c9742fc01f9b206c76b3bdc0b27fcd

Download Submit
C:\Windows\SysWOW64\fxzxbime.sys

Filesize
3KB

MD5
85c3392534b8f0e9ed05396763d11a2a

SHA1
ecdb890f7f7d9adb07dfcda10de9030b71c45876

SHA256
e3f3b8081a415726d096ce5ee3b21a3972af0cec97bb8e8bac221786d22fac2f

SHA512
73a394d86a2f69579667b21bf214282f7768a2c96863751ef2a3aa2f5e7742b5135fd7df6615d78642dc9e96ae3f08270fb576fdafbecc254a4a0dc1270d461e

Download Submit
C:\Windows\SysWOW64\fxzxbime.sys

Filesize
3KB

MD5
f7d0ab25589b526a0510b6d138190a45

SHA1
fe7a13265caabcc74cf5472f0b860dd7d3ad36d2

SHA256
979b212a6aa820a8c046baf1f5045ca5e06b861ae0a4c1d0923a25b42f8a027a

SHA512
163f6f4d4a0a19f1b08675f02e2151ae7d94d31ea915380139b86075fe6cc7fcb7de2ba5989523db6bb5db3db99a2fbd66a233a479f1158498e132102c84a1f7

Download Submit
C:\Windows\SysWOW64\fxzxbime.sys

Filesize
4KB

MD5
9e81675129b2b714e19b0d14232d84ec

SHA1
56ed24001e0dfcc20a2274d129207f477fca628f

SHA256
88ee8eb05b396612d0fa6d84c22c4b35af9fc634c9871a8b028e5ff58a6cc617

SHA512
dfae194ba5bf232432beb7ffcb740dc5da9e7be47a1a47ed54b450fb11768f597bc3ec45f16200876740afc19e6b09f19f1bbdde5c014eeb285b0a43801d0465

Download Submit
C:\Windows\SysWOW64\fxzxbime.sys

Filesize
4KB

MD5
fe06b2fe92cd023ca39c5024f4f2d600

SHA1
7103ecde94873542c993251ebbdce34ba0a6cdf8

SHA256
b475cce0773acf6195ed57cf3967b30b88b70ef62773b4f1b8ba90e0b22773e2

SHA512
74b9e62ffd4be867b677b26c2cdd3b436a453064f1bf9bba51bd944c5013b74b3050b647596bc1201ce4975c18fa1144c7456d81095f17bbca890cd9ffda6eba

Download Submit
C:\Windows\SysWOW64\fxzxbime.sys

Filesize
5KB

MD5
a1bfcce7577e66938370ede255ffc432

SHA1
caa71aff6f707c7e5894bd127006ba5cb3833203

SHA256
21922e458863ed92547b88ec30a6a23c67262b59fd2fe574532003a1b85dedfd

SHA512
0e2f838b1f0381d09baf608df778e5fff72dadcfa6408bf06856df0afc98843168ff3e267c7e17f70c480408d506b1ca4edc25a5d502e7bfcd037ac58adeaae6

Download Submit
C:\Windows\SysWOW64\fxzxbime.sys

Filesize
5KB

MD5
8ea11459389f498c5a419d3e3aa71e6d

SHA1
c5af93d80fcae8e17f775de4d5c233fa8d9cedd1

SHA256
5fc6bb1a4ca0fb2b71fa68c936db6d4d60264686acc37ccc8bd926f11dc9cd18

SHA512
83fcdec5f53ebdf5a6c7fad239ecb99c5769b4f91ee807ba80eccb2eed975d8e8fcf35c766e431cc250c36c8d3e47bfde27760cc8195ac364ef89430b8ef78a4

Download Submit
C:\Windows\SysWOW64\fxzxbime.sys

Filesize
6KB

MD5
2363ca5a5042b75488254779a9dcdf6d

SHA1
71c47b1bb461169b17d8be85907db9b2d61cadc3

SHA256
dcc247cc60434b545660efb8f52852f28b7d52381f653f397d9e63ca00c14a0f

SHA512
2564369281be61a8720537134bb3d06de500cdee6d218277cccfa0793686e7a4f8a968286a449b6aceb8c53c70497c27bc1fdea6c18751f086dddc2b91fa0d7d

Download Submit
C:\Windows\SysWOW64\zyzxjime.dll

Filesize
525KB

MD5
430395fe68180e8d4d70d4e0f8194a4a

SHA1
bd6e36562f4a16a65a5edf53fa5286bd468afe98

SHA256
e629b6350580533ec0016421d8209210f2e9f1404ce084492da3dca1ebc13dae

SHA512
d510718fd3c8c94d6840ee3e90a3754489da0b12d828e85f8c8e09b61fb3bd6dd2f2bcab1aff62dc522527ef22d4ba7e7489e91cde2e23208e848ccf858d5639

Download Submit
C:\Windows\SysWOW64\zyzxjime.dll

Filesize
74KB

MD5
5ff4a9615de7b66351262f26fb581d60

SHA1
a8edb4df745730f5ccd9d3a5b75220b8a3203aed

SHA256
89bb3a1b3b66be5b12c7ffd140750a02e6eb4082e7ccf1fc8ec7b80091e2291d

SHA512
90cdc30e349a72e41934f7b482598fd8c31ab0eabfa7fa14d9c3360ba8c454dafa404e32eab5cdd314fe1daba02629d89e75687bbcfad7a4273fea4d00453e52

Download Submit
\Windows\SysWOW64\azzxaime.exe

Filesize
17KB

MD5
be93cfd2de9fc49ecf6f64b9259c64fd

SHA1
3951d2178bb35de0f3ae261ca71cd90123e0463e

SHA256
12fcee89bbd445a5f4521c9d5f637b4726658a33aa2135aa4fa468f8d0ca6360

SHA512
36537ef7cf9f41cfa2141811142d5659838a7f13a4b1a7856be1321a7117dfb5d8c541b17e313eb410485adf9b277b4f9ef7a0d3705fd9cd76b120300c7d045a

Download Submit
memory/324-10413-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1968-9944-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1968-10411-0x0000000000220000-0x000000000023E000-memory.dmp

Filesize
120KB

Download
memory/1968-10412-0x0000000000220000-0x000000000023E000-memory.dmp

Filesize
120KB

Download
memory/1980-7312-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1980-7313-0x0000000000260000-0x000000000027E000-memory.dmp

Filesize
120KB

Download
memory/1980-6292-0x0000000000260000-0x000000000027E000-memory.dmp

Filesize
120KB

Download
memory/1980-13507-0x0000000000260000-0x000000000027E000-memory.dmp

Filesize
120KB

Download
memory/2108-9970-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2108-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2108-1026-0x0000000000260000-0x000000000027E000-memory.dmp

Filesize
120KB

Download
memory/2108-1033-0x0000000000260000-0x000000000027E000-memory.dmp

Filesize
120KB

Download
memory/2108-2115-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2108-2143-0x0000000000260000-0x000000000027E000-memory.dmp

Filesize
120KB

Download
memory/2228-13508-0x0000000000220000-0x000000000023E000-memory.dmp

Filesize
120KB

Download
memory/2228-12485-0x0000000000220000-0x000000000023E000-memory.dmp

Filesize
120KB

Download
memory/2228-11442-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2416-14535-0x0000000000230000-0x000000000024E000-memory.dmp

Filesize
120KB

Download
memory/2416-13506-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2416-14536-0x0000000000230000-0x000000000024E000-memory.dmp

Filesize
120KB

Download
memory/2620-4223-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2620-14546-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3788-6291-0x0000000000270000-0x000000000028E000-memory.dmp

Filesize
120KB

Download
memory/3788-5270-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3856-7314-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4008-8336-0x0000000000360000-0x000000000037E000-memory.dmp

Filesize
120KB

Download
memory/4008-12486-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4008-3173-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4020-4227-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4020-11441-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4020-5268-0x0000000000260000-0x000000000027E000-memory.dmp

Filesize
120KB

Download
memory/4524-1048-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4524-1052-0x00000000005B0000-0x00000000005CE000-memory.dmp

Filesize
120KB

Download
memory/4524-9956-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4648-1085-0x0000000000420000-0x000000000043E000-memory.dmp

Filesize
120KB

Download
memory/4648-9945-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4648-1069-0x0000000000420000-0x000000000043E000-memory.dmp

Filesize
120KB

Download
memory/4648-1066-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4648-3180-0x0000000000420000-0x000000000043E000-memory.dmp

Filesize
120KB

Download
memory/4648-4204-0x0000000000420000-0x000000000043E000-memory.dmp

Filesize
120KB

Download
memory/4728-14537-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4756-1086-0x0000000000270000-0x000000000028E000-memory.dmp

Filesize
120KB

Download
memory/4756-4222-0x0000000000270000-0x000000000028E000-memory.dmp

Filesize
120KB

Download
memory/4756-1083-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4756-1089-0x0000000000270000-0x000000000028E000-memory.dmp

Filesize
120KB

Download
memory/4756-9969-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4756-4220-0x0000000000270000-0x000000000028E000-memory.dmp

Filesize
120KB

Download
memory/4860-10974-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4860-5249-0x0000000000260000-0x000000000027E000-memory.dmp

Filesize
120KB

Download
memory/4860-2077-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5080-14622-0x0000000000260000-0x000000000027E000-memory.dmp

Filesize
120KB

Download
memory/5080-14553-0x0000000000260000-0x000000000027E000-memory.dmp

Filesize
120KB

Download
memory/5080-9936-0x0000000000260000-0x000000000027E000-memory.dmp

Filesize
120KB

Download
memory/5080-9512-0x0000000000260000-0x000000000027E000-memory.dmp

Filesize
120KB

Download
memory/5080-8337-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5756-14538-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5756-3913-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5792-5253-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5792-12010-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5792-3172-0x00000000005B0000-0x00000000005CE000-memory.dmp

Filesize
120KB

Download
memory/5896-3157-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5896-12021-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/7996-8334-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/7996-8335-0x0000000000260000-0x000000000027E000-memory.dmp

Filesize
120KB

Download