8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb

Analysis

max time kernel
141s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe
Size

13.9MB
MD5

0db38e8c45411cebb9c33b17b8364432
SHA1

96632e92199e263ddcec9941c64132f21431e456
SHA256

8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb
SHA512

93730f01656e3bf0eac056dd20aaf789bcbf41d8d692f828eb69ca4dd7923b60d8e8c29ee16aaa5c6d23ff49e4cef8e7583d37617dd8e02832dc229e623e21f6
SSDEEP

393216:WGUWKE5RkZtrzXkXSmqZDKFV510w+kAEMN2PODKUxS:TUC5RkH3XeqWV5x+7E6DBxS

Score

9^/10

bootkit persistence

Malware Config

Signatures

Nirsoft 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1900-8-0x0000000000400000-0x0000000002785000-memory.dmp	Nirsoft
behavioral2/memory/1900-19-0x0000000000400000-0x0000000002785000-memory.dmp	Nirsoft
behavioral2/memory/1900-199-0x0000000000400000-0x0000000002785000-memory.dmp	Nirsoft
behavioral2/memory/1900-200-0x0000000000400000-0x0000000002785000-memory.dmp	Nirsoft

Executes dropped EXE 12 IoCs

Processes:

ujysystem.exeujysystem.exewimlib.EXEQiibiosinfo.exeQiibiosinfo.exeQiiPECMD.execxdir.execxdir.execxdir.execxdir.exewimlib.EXEwimlib.EXE

pid	process
3488	ujysystem.exe
4928	ujysystem.exe
4332	wimlib.EXE
1804	Qiibiosinfo.exe
3132	Qiibiosinfo.exe
1808	QiiPECMD.exe
2500	cxdir.exe
5080	cxdir.exe
2660	cxdir.exe
1920	cxdir.exe
4392	wimlib.EXE
4740	wimlib.EXE

Loads dropped DLL 3 IoCs

Processes:

wimlib.EXEwimlib.EXEwimlib.EXE

pid process

4332 wimlib.EXE
4392 wimlib.EXE
4740 wimlib.EXE

pid	process
4332	wimlib.EXE
4392	wimlib.EXE
4740	wimlib.EXE

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exeQiiPECMD.exe

description	ioc	process
File opened (read-only)	\??\Q:	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe
File opened (read-only)	\??\R:	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe
File opened (read-only)	\??\S:	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe
File opened (read-only)	\??\T:	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe
File opened (read-only)	\??\B:	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe
File opened (read-only)	\??\E:	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe
File opened (read-only)	\??\J:	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe
File opened (read-only)	\??\N:	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe
File opened (read-only)	\??\Y:	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe
File opened (read-only)	\??\F:	QiiPECMD.exe
File opened (read-only)	\??\A:	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe
File opened (read-only)	\??\K:	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe
File opened (read-only)	\??\L:	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe
File opened (read-only)	\??\Z:	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe
File opened (read-only)	\??\V:	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe
File opened (read-only)	\??\W:	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe
File opened (read-only)	\??\X:	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe
File opened (read-only)	\??\G:	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe
File opened (read-only)	\??\H:	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe
File opened (read-only)	\??\O:	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe
File opened (read-only)	\??\U:	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe
File opened (read-only)	\??\I:	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe
File opened (read-only)	\??\M:	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe
File opened (read-only)	\??\P:	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

cxdir.execxdir.execxdir.execxdir.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	cxdir.exe
File opened for modification	\??\PhysicalDrive0	cxdir.exe
File opened for modification	\??\PhysicalDrive0	cxdir.exe
File opened for modification	\??\PhysicalDrive0	cxdir.exe

Suspicious behavior: LoadsDriver 3 IoCs

Processes:

pid process

660
660
660

pid	process
660
660
660

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

wimlib.EXEQiibiosinfo.exeQiibiosinfo.exeQiiPECMD.exewimlib.EXEwimlib.EXE

description	pid	process
Token: SeBackupPrivilege	4332	wimlib.EXE
Token: SeSecurityPrivilege	4332	wimlib.EXE
Token: SeRestorePrivilege	4332	wimlib.EXE
Token: SeSecurityPrivilege	4332	wimlib.EXE
Token: SeTakeOwnershipPrivilege	4332	wimlib.EXE
Token: SeManageVolumePrivilege	4332	wimlib.EXE
Token: SeSystemEnvironmentPrivilege	1804	Qiibiosinfo.exe
Token: SeSystemEnvironmentPrivilege	3132	Qiibiosinfo.exe
Token: SeBackupPrivilege	1808	QiiPECMD.exe
Token: SeRestorePrivilege	1808	QiiPECMD.exe
Token: 33	1808	QiiPECMD.exe
Token: SeIncBasePriorityPrivilege	1808	QiiPECMD.exe
Token: SeBackupPrivilege	4392	wimlib.EXE
Token: SeSecurityPrivilege	4392	wimlib.EXE
Token: SeRestorePrivilege	4392	wimlib.EXE
Token: SeSecurityPrivilege	4392	wimlib.EXE
Token: SeTakeOwnershipPrivilege	4392	wimlib.EXE
Token: SeManageVolumePrivilege	4392	wimlib.EXE
Token: SeBackupPrivilege	4740	wimlib.EXE
Token: SeSecurityPrivilege	4740	wimlib.EXE
Token: SeRestorePrivilege	4740	wimlib.EXE
Token: SeSecurityPrivilege	4740	wimlib.EXE
Token: SeTakeOwnershipPrivilege	4740	wimlib.EXE
Token: SeManageVolumePrivilege	4740	wimlib.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exeujysystem.exeujysystem.exe

pid	process
1900	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe
1900	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe
3488	ujysystem.exe
3488	ujysystem.exe
4928	ujysystem.exe
4928	ujysystem.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1900 wrote to memory of 3472	1900	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe	cmd.exe
PID 1900 wrote to memory of 3472	1900	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe	cmd.exe
PID 3472 wrote to memory of 3488	3472	cmd.exe	ujysystem.exe
PID 3472 wrote to memory of 3488	3472	cmd.exe	ujysystem.exe
PID 3472 wrote to memory of 3488	3472	cmd.exe	ujysystem.exe
PID 1900 wrote to memory of 5084	1900	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe	cmd.exe
PID 1900 wrote to memory of 5084	1900	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe	cmd.exe
PID 5084 wrote to memory of 4928	5084	cmd.exe	ujysystem.exe
PID 5084 wrote to memory of 4928	5084	cmd.exe	ujysystem.exe
PID 5084 wrote to memory of 4928	5084	cmd.exe	ujysystem.exe
PID 1900 wrote to memory of 1180	1900	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe	cmd.exe
PID 1900 wrote to memory of 1180	1900	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe	cmd.exe
PID 1900 wrote to memory of 1180	1900	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe	cmd.exe
PID 1180 wrote to memory of 4332	1180	cmd.exe	wimlib.EXE
PID 1180 wrote to memory of 4332	1180	cmd.exe	wimlib.EXE
PID 1900 wrote to memory of 2216	1900	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe	cmd.exe
PID 1900 wrote to memory of 2216	1900	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe	cmd.exe
PID 1900 wrote to memory of 2216	1900	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe	cmd.exe
PID 2216 wrote to memory of 1804	2216	cmd.exe	Qiibiosinfo.exe
PID 2216 wrote to memory of 1804	2216	cmd.exe	Qiibiosinfo.exe
PID 2216 wrote to memory of 1804	2216	cmd.exe	Qiibiosinfo.exe
PID 1900 wrote to memory of 880	1900	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe	cmd.exe
PID 1900 wrote to memory of 880	1900	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe	cmd.exe
PID 1900 wrote to memory of 880	1900	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe	cmd.exe
PID 880 wrote to memory of 3132	880	cmd.exe	Qiibiosinfo.exe
PID 880 wrote to memory of 3132	880	cmd.exe	Qiibiosinfo.exe
PID 880 wrote to memory of 3132	880	cmd.exe	Qiibiosinfo.exe
PID 1900 wrote to memory of 3644	1900	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe	cmd.exe
PID 1900 wrote to memory of 3644	1900	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe	cmd.exe
PID 1900 wrote to memory of 3644	1900	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe	cmd.exe
PID 3644 wrote to memory of 1808	3644	cmd.exe	QiiPECMD.exe
PID 3644 wrote to memory of 1808	3644	cmd.exe	QiiPECMD.exe
PID 1900 wrote to memory of 3136	1900	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe	cmd.exe
PID 1900 wrote to memory of 3136	1900	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe	cmd.exe
PID 1900 wrote to memory of 3136	1900	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe	cmd.exe
PID 3136 wrote to memory of 2500	3136	cmd.exe	cxdir.exe
PID 3136 wrote to memory of 2500	3136	cmd.exe	cxdir.exe
PID 1900 wrote to memory of 3568	1900	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe	cmd.exe
PID 1900 wrote to memory of 3568	1900	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe	cmd.exe
PID 1900 wrote to memory of 3568	1900	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe	cmd.exe
PID 3568 wrote to memory of 5080	3568	cmd.exe	cxdir.exe
PID 3568 wrote to memory of 5080	3568	cmd.exe	cxdir.exe
PID 1900 wrote to memory of 3900	1900	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe	cmd.exe
PID 1900 wrote to memory of 3900	1900	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe	cmd.exe
PID 1900 wrote to memory of 3900	1900	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe	cmd.exe
PID 3900 wrote to memory of 2660	3900	cmd.exe	cxdir.exe
PID 3900 wrote to memory of 2660	3900	cmd.exe	cxdir.exe
PID 1900 wrote to memory of 4144	1900	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe	cmd.exe
PID 1900 wrote to memory of 4144	1900	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe	cmd.exe
PID 1900 wrote to memory of 4144	1900	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe	cmd.exe
PID 4144 wrote to memory of 1920	4144	cmd.exe	cxdir.exe
PID 4144 wrote to memory of 1920	4144	cmd.exe	cxdir.exe
PID 1900 wrote to memory of 4536	1900	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe	cmd.exe
PID 1900 wrote to memory of 4536	1900	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe	cmd.exe
PID 1900 wrote to memory of 4536	1900	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe	cmd.exe
PID 4536 wrote to memory of 4392	4536	cmd.exe	wimlib.EXE
PID 4536 wrote to memory of 4392	4536	cmd.exe	wimlib.EXE
PID 1900 wrote to memory of 4412	1900	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe	cmd.exe
PID 1900 wrote to memory of 4412	1900	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe	cmd.exe
PID 1900 wrote to memory of 4412	1900	8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe	cmd.exe
PID 4412 wrote to memory of 4740	4412	cmd.exe	wimlib.EXE
PID 4412 wrote to memory of 4740	4412	cmd.exe	wimlib.EXE

C:\Users\Admin\AppData\Local\Temp\8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe
"C:\Users\Admin\AppData\Local\Temp\8af06b63050a21782b094a8ce274147beb2e94b4a2b9d96a093836ec47cd50cb.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\ujysystem.exe /GetBan
2⤵
- Suspicious use of WriteProcessMemory
PID:3472

C:\Temp\UjyQii\ujysystem.exe
C:\Temp\UjyQii\\ujysystem.exe /GetBan
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3488

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\ujysystem.exe /GetBan
2⤵
- Suspicious use of WriteProcessMemory
PID:5084

C:\Temp\UjyQii\ujysystem.exe
C:\Temp\UjyQii\\ujysystem.exe /GetBan
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4928

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\wimlib.EXE apply "C:\Temp\UjyQii\\dism.wim" 1 C:\Temp\UjyQii\\dism
2⤵
- Suspicious use of WriteProcessMemory
PID:1180

C:\Temp\UjyQii\wimlib.EXE
C:\Temp\UjyQii\\wimlib.EXE apply "C:\Temp\UjyQii\\dism.wim" 1 C:\Temp\UjyQii\\dism
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\Qiibiosinfo.exe --sys
2⤵
- Suspicious use of WriteProcessMemory
PID:2216

C:\Temp\UjyQii\Qiibiosinfo.exe
C:\Temp\UjyQii\\Qiibiosinfo.exe --sys
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\Qiibiosinfo.exe --sys
2⤵
- Suspicious use of WriteProcessMemory
PID:880

C:\Temp\UjyQii\Qiibiosinfo.exe
C:\Temp\UjyQii\\Qiibiosinfo.exe --sys
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\QiiPECMD.exe SHOW F:-1
2⤵
- Suspicious use of WriteProcessMemory
PID:3644

C:\Temp\UjyQii\QiiPECMD.exe
C:\Temp\UjyQii\\QiiPECMD.exe SHOW F:-1
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Temp\UjyQii\\cxdir.exe" -mohong
2⤵
- Suspicious use of WriteProcessMemory
PID:3136

C:\Temp\UjyQii\cxdir.exe
C:\Temp\UjyQii\\cxdir.exe -mohong
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2500

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Temp\UjyQii\\cxdir.exe" -mohong
2⤵
- Suspicious use of WriteProcessMemory
PID:3568

C:\Temp\UjyQii\cxdir.exe
C:\Temp\UjyQii\\cxdir.exe -mohong
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:5080

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Temp\UjyQii\\cxdir.exe" -mohong
2⤵
- Suspicious use of WriteProcessMemory
PID:3900

C:\Temp\UjyQii\cxdir.exe
C:\Temp\UjyQii\\cxdir.exe -mohong
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2660

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Temp\UjyQii\\cxdir.exe" -mohong
2⤵
- Suspicious use of WriteProcessMemory
PID:4144

C:\Temp\UjyQii\cxdir.exe
C:\Temp\UjyQii\\cxdir.exe -mohong
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:1920

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\wimlib.EXE info "" --extract-xml C:\Temp\UjyQii\\WimlibKQD.xml
2⤵
- Suspicious use of WriteProcessMemory
PID:4536

C:\Temp\UjyQii\wimlib.EXE
C:\Temp\UjyQii\\wimlib.EXE info "" --extract-xml C:\Temp\UjyQii\\WimlibKQD.xml
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\wimlib.EXE info "C:\Recovery\WindowsRE\Winre.wim" --header
2⤵
- Suspicious use of WriteProcessMemory
PID:4412

C:\Temp\UjyQii\wimlib.EXE
C:\Temp\UjyQii\\wimlib.EXE info "C:\Recovery\WindowsRE\Winre.wim" --header
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4740

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\UjyQii\OSDownload.cfg
Filesize
327B

MD5
856aef3b3cf832cfff75e5c984b2ea30

SHA1
f7485078eefffc0909770d6b48dd8365a2c13bb3

SHA256
e0f515de08cf56dab29e8aca98932257f22f5e17a482595a39cb45fe89942ff5

SHA512
b9c50663b2d6969eaf689800043c52acbfc062c80dd75f83846b022176efc8c711c3d272fe86c78e08ba83a82b0838a1a66265827c48b61093122997fba0d0ad

Download Submit
C:\Temp\UjyQii\QiiImagex.EXE
Filesize
796KB

MD5
f7ed569ca894055142269eb21d6055fb

SHA1
0bf0b9cd8a85fa3c61564c001603320db5b55d0b

SHA256
f5c3c47b0d1683864a497248b97f5a99cef8829ca922c88004d4d7f0f616d636

SHA512
5c058f2775a9e1123e0f5cdb4894efef668fd42f45b57fcec55528f24e52aedcde196196dde898fd9cb7bfcfd2e44bab826040a4fe3a41c4e0855230837ca519

Download Submit
C:\Temp\UjyQii\QiiPECMD.exe
Filesize
1.2MB

MD5
9bf8a4771f079078ecf50136f46e1dd8

SHA1
96cabc623cc70ef930e3c3494db991cf062f3d54

SHA256
873658ce3138a9c8ae79e18256f18b2b9e6592c40521fe9532b83c60c44b7c32

SHA512
dbc582014bc335512204cbb5c31a6b13f691f3d2c41fa9e9279b7d2a995a213fd9a6cc5d81af5abe677830f442a8ee7929a8795273acc2cb5e9645f3baead2e4

Download Submit
C:\Temp\UjyQii\Qiibiosinfo.exe
Filesize
415KB

MD5
b0f69a1efa917a3e1add3636631a6ba6

SHA1
b2bed3c6ef332467954b4eced7157185958c8063

SHA256
11f61854e8dbf5b6d3006d1b6da5ae8a4d24a5f219e247108835974e9df0cfbd

SHA512
8948109e3329a453fc87d9b838c79bb6d11b0e14863b47243c64a1bb470512c7166d27aaa62df18085dbc13d0653b4de9ce68650abb03a0576d44a1ed2069c6a

Download Submit
C:\Temp\UjyQii\cxdir.exe
Filesize
42KB

MD5
2aa80509e9840822a3b6799a356efe90

SHA1
3dc558c97b209c91b7b45f90624f80c05c9094d0

SHA256
301ccb6e3f8a5118d7882963715e215140f0b7528039cab3fcd7ace02a48da0d

SHA512
9d4e5f95ef444424857e55c345d56ac679005a0bdfddf59fb96f078a5913e7be5ba07cd16993878815dc9d2364d909f20d8b7d65b09bd2ec687622f5812c6bc2

Download Submit
C:\Temp\UjyQii\dism.wim
Filesize
3.0MB

MD5
c8f006446a3547c834a74ee3cf2dcf09

SHA1
9840d65b62ead662a85a1c888095400d7bcee5b5

SHA256
c4436b65f0388985b5c1efd1db52d2ce4574e5bd3f8e4e633fed3ed565a57233

SHA512
4ca0e6afc34cfc3a9c757c9a8247b49269fac57e7bda954cc03b22a345439f6ad9fd3ce5afe89a36f0150ceac5181165f0c9a39c67c7258416caad42c05b7abe

Download Submit
C:\Temp\UjyQii\dism\X64\dism.exe
Filesize
277KB

MD5
d1d6b1f518a7d5012a96746db8bfc3cc

SHA1
1ad170a27a3e7311dac215ac0f1a240550b7e2a0

SHA256
70806ef320c231d1ae5660fdb03145c8e68d0c1e9558dd19863448c94c75b7be

SHA512
865201ba0c32585b36d9206f4662a5509f54d89bd65675cb25668b5d92db19ee33c5323e000cbe9366687b4d5f243a30c2469ddc371b248ead7f2d6f5b8a757b

Download Submit
C:\Temp\UjyQii\libwim-15.dll
Filesize
775KB

MD5
6be0d3c865f445afc1210a79e1db7ca3

SHA1
99def6bccb1a32cf022ee574d1ef11a67d34c452

SHA256
dd6e34893bdc4719f7d24a7dfb438d4f2caf048a0a2123a840249432d854626f

SHA512
a01bd43e8ba810973a884f534fcd931201423f2facfc2f5c48db9cefff0e680d8020be4bc771b22610937cf88fd2b33070d15e48ba2a07a319436dd78223869b

Download Submit
C:\Temp\UjyQii\ujysystem.exe
Filesize
833KB

MD5
3036cb4b587f98cb679ca65d4254b8a9

SHA1
dbd32893b687f8551951e2b0fe00220c6b540f6a

SHA256
e3d5c8efbc5e3a92e5e4d7f9d73c8a0c85cc9561d7ccc550ce74c2f5ba39e3f9

SHA512
731fc6ca8c764ebaf0d428a6a15187ce2b2deeffd6014e54ecd3059631498325a3e365078fcb46190903d6e0dc02bd0bc11e56c8dabb0202fdb6f769ef4f7383

Download Submit
C:\Temp\UjyQii\wimlib.EXE
Filesize
135KB

MD5
b31b05e78bc60474cc511974b8ebd63e

SHA1
48de3c65d7c5544b78322d32aaef8492c889a5f5

SHA256
102e24cb2e77b8354658924be1e9b2597cee215409539dfc2e19f14d3cd2b1a1

SHA512
0f25754551de7168494f78d1e3264a007177591d767662b1dfda80b4156cfedf2e9ea2f437e0b212197e9509b6cde06e2c80f550db42a321347eaf1a973bed32

Download Submit
memory/1900-11-0x000000000276A000-0x000000000276B000-memory.dmp

Filesize
4KB

Download
memory/1900-200-0x0000000000400000-0x0000000002785000-memory.dmp

Filesize
35.5MB

Download
memory/1900-199-0x0000000000400000-0x0000000002785000-memory.dmp

Filesize
35.5MB

Download
memory/1900-19-0x0000000000400000-0x0000000002785000-memory.dmp

Filesize
35.5MB

Download
memory/1900-1-0x000000000276A000-0x000000000276B000-memory.dmp

Filesize
4KB

Download
memory/1900-8-0x0000000000400000-0x0000000002785000-memory.dmp

Filesize
35.5MB

Download
memory/1900-0-0x0000000000400000-0x0000000002785000-memory.dmp

Filesize
35.5MB

Download
memory/1920-176-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2500-170-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2660-174-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3488-6-0x0000000000400000-0x0000000000631000-memory.dmp

Filesize
2.2MB

Download
memory/3488-14-0x0000000000400000-0x0000000000631000-memory.dmp

Filesize
2.2MB

Download
memory/3488-9-0x0000000000400000-0x0000000000631000-memory.dmp

Filesize
2.2MB

Download
memory/3488-7-0x0000000000400000-0x0000000000631000-memory.dmp

Filesize
2.2MB

Download
memory/4332-144-0x00007FF651210000-0x00007FF65123A000-memory.dmp

Filesize
168KB

Download
memory/4332-145-0x00007FFF045A0000-0x00007FFF0468A000-memory.dmp

Filesize
936KB

Download
memory/4392-179-0x00007FF651210000-0x00007FF65123A000-memory.dmp

Filesize
168KB

Download
memory/4392-180-0x00007FFF045A0000-0x00007FFF0468A000-memory.dmp

Filesize
936KB

Download
memory/4740-183-0x00007FF651210000-0x00007FF65123A000-memory.dmp

Filesize
168KB

Download
memory/4740-184-0x00007FFF045A0000-0x00007FFF0468A000-memory.dmp

Filesize
936KB

Download
memory/4928-23-0x0000000000400000-0x0000000000631000-memory.dmp

Filesize
2.2MB

Download
memory/4928-20-0x0000000000400000-0x0000000000631000-memory.dmp

Filesize
2.2MB

Download
memory/4928-18-0x0000000000400000-0x0000000000631000-memory.dmp

Filesize
2.2MB

Download
memory/5080-172-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download