48240adbc5dd09d4652442dc386bee9a3ea4c8486bcc3d2ab3c8a9b8a82a337a

Analysis

max time kernel
141s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48240adbc5dd09d4652442dc386bee9a3ea4c8486bcc3d2ab3c8a9b8a82a337a.exe
Size

13.0MB
MD5

2178feef72172ba435b913d3a5976f49
SHA1

bf68b94115198ae246e21bc5124c02fefe5d4530
SHA256

48240adbc5dd09d4652442dc386bee9a3ea4c8486bcc3d2ab3c8a9b8a82a337a
SHA512

6d757190f3242fc322c3c66c07ef0f92e6c87ad5b08bdfd207845cdd0b217e85b213d54555c668aeef5435d00b98f0a7e788f27043328880d274dacd2c90417b
SSDEEP

196608:mGjIlhqbkKXwgGO45S7Yqxr5cyXLObqIKEQtWStwKkrwyXIG:Q85AgGOJ7xmwObq4Qtbtir

Score

9^/10

bootkit evasion persistence upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ONJfiS.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000500000001a4d1-210.dat	acprotect

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ONJfiS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ONJfiS.exe

Executes dropped EXE 1 IoCs

pid	Process
1604	ONJfiS.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Wine	ONJfiS.exe

Loads dropped DLL 8 IoCs

pid	Process
2232	48240adbc5dd09d4652442dc386bee9a3ea4c8486bcc3d2ab3c8a9b8a82a337a.exe
1604	ONJfiS.exe
1604	ONJfiS.exe
1604	ONJfiS.exe
1604	ONJfiS.exe
1604	ONJfiS.exe
1604	ONJfiS.exe
1604	ONJfiS.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1604-212-0x0000000009310000-0x000000000983F000-memory.dmp	upx
behavioral1/files/0x000500000001a4d1-210.dat	upx
behavioral1/memory/1604-217-0x0000000009310000-0x000000000983F000-memory.dmp	upx
behavioral1/memory/1604-220-0x0000000009310000-0x000000000983F000-memory.dmp	upx
behavioral1/memory/1604-226-0x0000000009310000-0x000000000983F000-memory.dmp	upx
behavioral1/memory/1604-229-0x0000000009310000-0x000000000983F000-memory.dmp	upx
behavioral1/memory/1604-240-0x0000000009310000-0x000000000983F000-memory.dmp	upx
behavioral1/memory/1604-248-0x0000000009310000-0x000000000983F000-memory.dmp	upx
behavioral1/memory/1604-252-0x0000000009310000-0x000000000983F000-memory.dmp	upx
behavioral1/memory/1604-256-0x0000000009310000-0x000000000983F000-memory.dmp	upx
behavioral1/memory/1604-262-0x0000000009310000-0x000000000983F000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	ONJfiS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	ONJfiS.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID\ = "QMDispatch.QMLibrary"	ONJfiS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMPlugin.RegDll\ = "QMPlugin.RegDll"	ONJfiS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine	ONJfiS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID	ONJfiS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary	ONJfiS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33414471-126E-4FC8-B430-1C6143484AA9}\ProgID	ONJfiS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8BC9DF34-CEA3-49B1-1E2E-649C31584EA6}\1.0\HELPDIR	ONJfiS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE4DC416-DD10-AEE0-AE4E-2ACB605AD6D6}\TypeLib\Version = "1.0"	ONJfiS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\ = "QMDispatch.QMVBSRoutine"	ONJfiS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ = "QMDispatch.QMRoutine"	ONJfiS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\ = "QMDispatch.QMLibrary"	ONJfiS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID	ONJfiS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ThreadingModel = "Apartment"	ONJfiS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34531331-126E-4FC8-B430-1C6143484AA9}\ProgID\ = "QMPlugin.RegDll"	ONJfiS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kdw.jywh\CLSID\ = "{A8093226-55C8-69A9-6D27-EE3554C802E7}"	ONJfiS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE4DC416-DD10-AEE0-AE4E-2ACB605AD6D6}\TypeLib\Version = "1.0"	ONJfiS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE4DC416-DD10-AEE0-AE4E-2ACB605AD6D6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ONJfiS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	ONJfiS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\ = "QMDispatch.QMRoutine"	ONJfiS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	ONJfiS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8BC9DF34-CEA3-49B1-1E2E-649C31584EA6}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QM\\hdu.dll"	ONJfiS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32	ONJfiS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	ONJfiS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DACDED71-1201-4F76-9C30-BDA795A55678}\InprocHandler32	ONJfiS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DACDED71-1201-4F76-9C30-BDA795A55678}\LocalServer32	ONJfiS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8BC9DF34-CEA3-49B1-1E2E-649C31584EA6}\1.0\ = "kdw"	ONJfiS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID\ = "QMDispatch.QMVBSRoutine"	ONJfiS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMPlugin.Sys\CLSID\ = "{33414471-126E-4FC8-B430-1C6143484AA9}"	ONJfiS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A8093226-55C8-69A9-6D27-EE3554C802E7}\InprocServer32\ThreadingModel = "Both"	ONJfiS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InprocServer32	ONJfiS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyMacro.MyGUIMacroControlServer\ = "MyMacro.MyGUIMacroControlServer"	ONJfiS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A8093226-55C8-69A9-6D27-EE3554C802E7}	ONJfiS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ThreadingModel = "Apartment"	ONJfiS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMPlugin.Sys	ONJfiS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A8093226-55C8-69A9-6D27-EE3554C802E7}\InprocServer32	ONJfiS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID\ = "QMDispatch.QMRoutine"	ONJfiS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMPlugin.Sys\CLSID	ONJfiS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34531331-126E-4FC8-B430-1C6143484AA9}\InProcServer32	ONJfiS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE4DC416-DD10-AEE0-AE4E-2ACB605AD6D6}	ONJfiS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InprocServer32	ONJfiS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE4DC416-DD10-AEE0-AE4E-2ACB605AD6D6}	ONJfiS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InprocServer32	ONJfiS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DACDED71-1201-4F76-9C30-BDA795A55678}\ProgID\ = "MyMacro.MyGUIMacroControlServer"	ONJfiS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8BC9DF34-CEA3-49B1-1E2E-649C31584EA6}\1.0	ONJfiS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID\ = "{241D7F03-9232-4024-8373-149860BE27C0}"	ONJfiS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine	ONJfiS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}	ONJfiS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32	ONJfiS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A8093226-55C8-69A9-6D27-EE3554C802E7}\ProgID	ONJfiS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID	ONJfiS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID\ = "{C07DB6A3-34FC-4084-BE2E-76BB9203B049}"	ONJfiS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DACDED71-1201-4F76-9C30-BDA795A55678}	ONJfiS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33414471-126E-4FC8-B430-1C6143484AA9}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\plugin\\SYS.dll"	ONJfiS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34531331-126E-4FC8-B430-1C6143484AA9}\ = "QMPlugin.RegDll"	ONJfiS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMPlugin.Sys\ = "QMPlugin.Sys"	ONJfiS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMPlugin.RegDll	ONJfiS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMPlugin.RegDll\CLSID\ = "{34531331-126E-4FC8-B430-1C6143484AA9}"	ONJfiS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE4DC416-DD10-AEE0-AE4E-2ACB605AD6D6}\TypeLib\ = "{8BC9DF34-CEA3-49B1-1E2E-649C31584EA6}"	ONJfiS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32	ONJfiS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyMacro.MyGUIMacroControlServer\CLSID\ = "{DACDED71-1201-4F76-9C30-BDA795A55678}"	ONJfiS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8BC9DF34-CEA3-49B1-1E2E-649C31584EA6}\1.0\HELPDIR\	ONJfiS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID	ONJfiS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DACDED71-1201-4F76-9C30-BDA795A55678}\ProgID	ONJfiS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34531331-126E-4FC8-B430-1C6143484AA9}\InProcServer32\ThreadingModel = "Apartment"	ONJfiS.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1604	ONJfiS.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1604	ONJfiS.exe
1604	ONJfiS.exe
1604	ONJfiS.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1604	ONJfiS.exe
1604	ONJfiS.exe
1604	ONJfiS.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2232	48240adbc5dd09d4652442dc386bee9a3ea4c8486bcc3d2ab3c8a9b8a82a337a.exe
2232	48240adbc5dd09d4652442dc386bee9a3ea4c8486bcc3d2ab3c8a9b8a82a337a.exe
1604	ONJfiS.exe
1604	ONJfiS.exe
1604	ONJfiS.exe
1604	ONJfiS.exe
1604	ONJfiS.exe
1604	ONJfiS.exe
1604	ONJfiS.exe
1604	ONJfiS.exe
1604	ONJfiS.exe
1604	ONJfiS.exe
1604	ONJfiS.exe
1604	ONJfiS.exe
1604	ONJfiS.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 1604	2232	48240adbc5dd09d4652442dc386bee9a3ea4c8486bcc3d2ab3c8a9b8a82a337a.exe	28
PID 2232 wrote to memory of 1604	2232	48240adbc5dd09d4652442dc386bee9a3ea4c8486bcc3d2ab3c8a9b8a82a337a.exe	28
PID 2232 wrote to memory of 1604	2232	48240adbc5dd09d4652442dc386bee9a3ea4c8486bcc3d2ab3c8a9b8a82a337a.exe	28
PID 2232 wrote to memory of 1604	2232	48240adbc5dd09d4652442dc386bee9a3ea4c8486bcc3d2ab3c8a9b8a82a337a.exe	28
PID 1604 wrote to memory of 824	1604	ONJfiS.exe	29
PID 1604 wrote to memory of 824	1604	ONJfiS.exe	29
PID 1604 wrote to memory of 824	1604	ONJfiS.exe	29
PID 1604 wrote to memory of 824	1604	ONJfiS.exe	29
PID 1604 wrote to memory of 824	1604	ONJfiS.exe	29
PID 1604 wrote to memory of 824	1604	ONJfiS.exe	29
PID 1604 wrote to memory of 824	1604	ONJfiS.exe	29

C:\Users\Admin\AppData\Local\Temp\48240adbc5dd09d4652442dc386bee9a3ea4c8486bcc3d2ab3c8a9b8a82a337a.exe
"C:\Users\Admin\AppData\Local\Temp\48240adbc5dd09d4652442dc386bee9a3ea4c8486bcc3d2ab3c8a9b8a82a337a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\ONJfiS.exe
  C:\Users\Admin\AppData\Local\Temp\ONJfiS.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" atl.dll /s
    3⤵
    PID:824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\28A6.tmp

Filesize
418B

MD5
c895d04c98ede1fc2b2dee89eccfcee0

SHA1
344e6e22660036383a3ba10b5fc1fb142cc8b116

SHA256
e63192eaa4d383962f76518a30ca8bc966501384879bade9cbe2c95b5d1f07b4

SHA512
5091353f9e991ecaf238cc83b3a65297512163269d5645a4042a48a323a850379ffcc5e290e084210e24457d2030a45006019b21644ab81ff0dd2d3f5a20d397

Download Submit
C:\Users\Admin\AppData\Local\Temp\7942ADA.tmp

Filesize
5.8MB

MD5
37a6bb899d93428f98acb1862ef6a1a6

SHA1
3d25e0bf21e5c54d169db223880da3d03100de52

SHA256
59d0f70ae00a974c09d04d6aabf4700aedaa54b3b04e90ebe71e8143296830d1

SHA512
f9e2c655d8b33e2b43e820c0cc37884333f22257aa41450d8e23134564ef42eca92f09cf4b35d421f6e000677f62492f8eb8267277676811a5114f037e48edfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\plugin\SYS.ini

Filesize
1KB

MD5
09c6b26d1e0ff380321f586473d81098

SHA1
261ba0c9c3ddf3c9e8715ead3628212d2859bcba

SHA256
bc8eaa229e13a93be3bef498443182eb5d97551fbc5fcb1208d014b56161588f

SHA512
7700e2ab0c38f7b1a3190843f603b572f7952e4a3567855fbaf2f1085f7e5b4fcdaa97e9195a43299594a5c3b31d15232cb66d9c59a4231cc83487663ded832c

Download Submit
C:\Users\Admin\AppData\Local\Temp\plugin\hduR.dll

Filesize
24KB

MD5
e29d9a912204844df5306ca3935b1f1c

SHA1
19ba6440827ad2ac515aeb6c8700fbb4c896e61c

SHA256
3453bb9b4550dd5a51a64c3d2d25f1b49744b05ac740c57f2dd9f89084811318

SHA512
9229d5c845eeb36cd293e8d998aca63ed14f41b43d7d11da8682ede4d24853eff19bf0801b8ab055d50c849be7cbf94b890a672d90b55eec5019cebf98925a3a

Download Submit
\Users\Admin\AppData\Local\Temp\ONJfiS.exe

Filesize
12.2MB

MD5
d671f16230f918c857325a0f09bf8728

SHA1
2e32a5d7e4a82e1069f714cb15f092f155c14721

SHA256
61240072d6982fba71d86c0c4de7041e428ff615066270c326c1e1acdfc64651

SHA512
074202a2542b145a4eda4185514a6ebf62ea70b033d9e3f6a79d052928914773894195122ecd02983ab289fbf4345b7d1f928c57fc781362ee9aecbefde78525

Download Submit
\Users\Admin\AppData\Local\Temp\QM\hdu.dll

Filesize
4.5MB

MD5
2a1ce6e37987a25f2ddc08787f99dee4

SHA1
192dc2f3a2ecee7273ee2da80927ba847bd88914

SHA256
d407081b6e655f516f0cd42c0e9fb00cf5579dc0c17c14900488eec400e97f7a

SHA512
cf608c12addfd359a5bcf891286392ec52d6a72887e5417bfbceb8fc6ce35293a974e65aa1c136cf2a4a0e7fd9eac268c8937824eaa2603edfe5127c2e293290

Download Submit
\Users\Admin\AppData\Local\Temp\cfgdll.dll

Filesize
59KB

MD5
3f9711ab8cfa0cbbeaeceba7904c8700

SHA1
94085220d65eb8c572fb394ab0d19815dcf80680

SHA256
517df7f719bcc34ea934868e46c77932768ee77abccc3bccac62bf9bfeed0af5

SHA512
e595acdc6b857a6180f88ddb0bd8c50f66bd1768d129e996dcd8934e9462150d041dc79addd2251b933e1a63ccccf03070ecce8ed485ea35622af1c18c60fcc5

Download Submit
\Users\Admin\AppData\Local\Temp\plugin\SYS.DLL

Filesize
32KB

MD5
18c393dfa1c0f3d2da0f4acdec5d7639

SHA1
84f666216085f177bccb8fa94900ba625f7552bc

SHA256
3c3599cf74407476a92ce4ee66ed3ce00d0b3ea5326f796c191e6ed0a9a87b3a

SHA512
ba61370b69b239754ff8f4e07f456755422667340c9a27bf2ace272b0e90a0818da595b973e90cd9ca4fc502028caef078e16bc7c87b2a6a8fa465141f54b3b4

Download Submit
\Users\Admin\AppData\Roaming\mymacro\qdisp.dll

Filesize
43KB

MD5
7171bc500507f070355c8903e0ea6d3d

SHA1
073d479fdbd1f2af5d494e90b950098be63dee75

SHA256
3e02f67604dcc1f9e2f107e3dc04f9dcdc59431b2a9323838b61c427c63b997c

SHA512
a8162de29e73f7a198ab7b592c393c8b39e42d5f6649efeca300a90dd7c70178fca1cfcd1f721588dcff296d5245f9ebfa289c6525c7e8621c8eef3e77787622

Download Submit
memory/1604-225-0x0000000000400000-0x0000000000994000-memory.dmp

Filesize
5.6MB

Download
memory/1604-240-0x0000000009310000-0x000000000983F000-memory.dmp

Filesize
5.2MB

Download
memory/1604-212-0x0000000009310000-0x000000000983F000-memory.dmp

Filesize
5.2MB

Download
memory/1604-8-0x0000000000401000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/1604-7-0x0000000000400000-0x0000000000994000-memory.dmp

Filesize
5.6MB

Download
memory/1604-217-0x0000000009310000-0x000000000983F000-memory.dmp

Filesize
5.2MB

Download
memory/1604-219-0x0000000000400000-0x0000000000994000-memory.dmp

Filesize
5.6MB

Download
memory/1604-220-0x0000000009310000-0x000000000983F000-memory.dmp

Filesize
5.2MB

Download
memory/1604-222-0x0000000000400000-0x0000000000994000-memory.dmp

Filesize
5.6MB

Download
memory/1604-224-0x0000000009960000-0x000000000996A000-memory.dmp

Filesize
40KB

Download
memory/1604-223-0x0000000009960000-0x000000000996A000-memory.dmp

Filesize
40KB

Download
memory/1604-261-0x0000000000400000-0x0000000000994000-memory.dmp

Filesize
5.6MB

Download
memory/1604-227-0x0000000000401000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/1604-226-0x0000000009310000-0x000000000983F000-memory.dmp

Filesize
5.2MB

Download
memory/1604-228-0x0000000000400000-0x0000000000994000-memory.dmp

Filesize
5.6MB

Download
memory/1604-229-0x0000000009310000-0x000000000983F000-memory.dmp

Filesize
5.2MB

Download
memory/1604-239-0x0000000000400000-0x0000000000994000-memory.dmp

Filesize
5.6MB

Download
memory/1604-45-0x00000000041B0000-0x00000000041BF000-memory.dmp

Filesize
60KB

Download
memory/1604-242-0x0000000009960000-0x000000000996A000-memory.dmp

Filesize
40KB

Download
memory/1604-241-0x0000000009960000-0x000000000996A000-memory.dmp

Filesize
40KB

Download
memory/1604-243-0x0000000000400000-0x0000000000994000-memory.dmp

Filesize
5.6MB

Download
memory/1604-245-0x0000000000400000-0x0000000000994000-memory.dmp

Filesize
5.6MB

Download
memory/1604-247-0x0000000000400000-0x0000000000994000-memory.dmp

Filesize
5.6MB

Download
memory/1604-248-0x0000000009310000-0x000000000983F000-memory.dmp

Filesize
5.2MB

Download
memory/1604-249-0x0000000000400000-0x0000000000994000-memory.dmp

Filesize
5.6MB

Download
memory/1604-251-0x0000000000400000-0x0000000000994000-memory.dmp

Filesize
5.6MB

Download
memory/1604-252-0x0000000009310000-0x000000000983F000-memory.dmp

Filesize
5.2MB

Download
memory/1604-253-0x0000000000400000-0x0000000000994000-memory.dmp

Filesize
5.6MB

Download
memory/1604-255-0x0000000000400000-0x0000000000994000-memory.dmp

Filesize
5.6MB

Download
memory/1604-256-0x0000000009310000-0x000000000983F000-memory.dmp

Filesize
5.2MB

Download
memory/1604-257-0x0000000000400000-0x0000000000994000-memory.dmp

Filesize
5.6MB

Download
memory/1604-259-0x0000000000400000-0x0000000000994000-memory.dmp

Filesize
5.6MB

Download
memory/1604-262-0x0000000009310000-0x000000000983F000-memory.dmp

Filesize
5.2MB

Download
memory/2232-6-0x0000000002C30000-0x00000000031C4000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads