c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
09-01-2025 06:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe
Size

9.2MB
MD5

d93ffee2720341299fd0e9ff4dcf7f08
SHA1

53991521737dd2ce35a90429ced04185198e0f80
SHA256

c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8
SHA512

02fa3ba5352821d54a7a2ac5b1bc4fa2f95eae28167204bdb33bdc672edaa5c1ca0bfc610c20f7ea90dd73c5f64e02a9daa9f0bd44ec46da7450550e067e23b7
SSDEEP

98304:0te1xEOX9OcczjREI9tQeek2rT0DIcsn9Vhek2rv0DIRpKWf2gcek2rQ/:VGOXsccpt9crYercrsyfLccrw

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	Server.dll

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	Server.dll

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COM Surrogate.cmd.lnk	COM Surrogate.cmd
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security Health.cmd.lnk	Windows Security Health.cmd

Executes dropped EXE 18 IoCs

pid	Process
2780	Windows ygjaxs.dll
2748	COM Surrogate.cmd
2900	Windows Security Health.cmd
2840	Server.dll
13588	Server.dll
13648	Serveri.dll
2068	Windows.Gaming.Input.exe
3116	Server.dll
4948	Serveri.dll
5040	Serveri.dll
5152	Windows.dll
5200	Phxph.exe
5288	Windows.dll
21084	Windows.dll
10840	Phxph.exe
23884	Phxph.exe
39492	Phxph.exe
25792	Phxph.exe

Loads dropped DLL 16 IoCs

pid	Process
2700	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe
2700	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe
2700	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe
2700	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe
2700	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe
2748	COM Surrogate.cmd
2748	COM Surrogate.cmd
2900	Windows Security Health.cmd
2700	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe
2700	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe
2748	COM Surrogate.cmd
2900	Windows Security Health.cmd
2900	Windows Security Health.cmd
2068	Windows.Gaming.Input.exe
2068	Windows.Gaming.Input.exe
2068	Windows.Gaming.Input.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows.Gaming.Input = "C:\\Windows\\SysWOW64\\Windows.Gaming.Input.exe"	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Windows.Gaming.Input.exe	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe
File created	C:\Windows\SysWOW64\Serveri.dll	Windows Security Health.cmd
File opened for modification	C:\Windows\SysWOW64\Serveri.dll	Windows Security Health.cmd
File opened for modification	C:\Windows\SysWOW64\Windows.Gaming.Input.exe	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe
File created	C:\Windows\SysWOW64\Phxph.exe	Server.dll
File opened for modification	C:\Windows\SysWOW64\Phxph.exe	Server.dll

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
2840	Server.dll
2840	Server.dll
2840	Server.dll
2840	Server.dll
2840	Server.dll
2840	Server.dll
2840	Server.dll
13588	Server.dll
13588	Server.dll
13588	Server.dll
13588	Server.dll
13588	Server.dll
13588	Server.dll
13588	Server.dll
2840	Server.dll
2840	Server.dll
2840	Server.dll
2840	Server.dll
2840	Server.dll
2840	Server.dll
13588	Server.dll
13588	Server.dll
13588	Server.dll
13588	Server.dll
13588	Server.dll
13588	Server.dll
2840	Server.dll
2840	Server.dll
2840	Server.dll
2840	Server.dll
2840	Server.dll
2840	Server.dll
3116	Server.dll
13648	Serveri.dll
3116	Server.dll
3116	Server.dll
3116	Server.dll
3116	Server.dll
3116	Server.dll
3116	Server.dll
13648	Serveri.dll
13648	Serveri.dll
13648	Serveri.dll
13648	Serveri.dll
13648	Serveri.dll
13648	Serveri.dll
2840	Server.dll
2840	Server.dll
2840	Server.dll
2840	Server.dll
2840	Server.dll
2840	Server.dll
13588	Server.dll
13588	Server.dll
13588	Server.dll
13588	Server.dll
13588	Server.dll
13588	Server.dll
5200	Phxph.exe
5152	Windows.dll
4948	Serveri.dll
5288	Windows.dll
5152	Windows.dll
5152	Windows.dll

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000120fc-2.dat	upx
behavioral1/memory/2780-7-0x0000000000400000-0x0000000000524000-memory.dmp	upx
behavioral1/memory/2780-8732-0x0000000000400000-0x0000000000524000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows.Gaming.Input.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phxph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows ygjaxs.dll
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Security Health.cmd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phxph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	COM Surrogate.cmd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.dll
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phxph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.dll
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phxph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phxph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
10884	cmd.exe
23572	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
23572	PING.EXE

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
13588	Server.dll

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2840	Server.dll
Token: SeLoadDriverPrivilege	13588	Server.dll
Token: 33	13588	Server.dll
Token: SeIncBasePriorityPrivilege	13588	Server.dll

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2700	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe
2700	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe
2780	Windows ygjaxs.dll
2780	Windows ygjaxs.dll
2780	Windows ygjaxs.dll
2748	COM Surrogate.cmd
2748	COM Surrogate.cmd
2900	Windows Security Health.cmd
2900	Windows Security Health.cmd
2068	Windows.Gaming.Input.exe
2068	Windows.Gaming.Input.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2780	2700	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	30
PID 2700 wrote to memory of 2780	2700	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	30
PID 2700 wrote to memory of 2780	2700	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	30
PID 2700 wrote to memory of 2780	2700	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	30
PID 2700 wrote to memory of 2748	2700	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	31
PID 2700 wrote to memory of 2748	2700	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	31
PID 2700 wrote to memory of 2748	2700	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	31
PID 2700 wrote to memory of 2748	2700	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	31
PID 2700 wrote to memory of 2900	2700	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	32
PID 2700 wrote to memory of 2900	2700	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	32
PID 2700 wrote to memory of 2900	2700	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	32
PID 2700 wrote to memory of 2900	2700	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	32
PID 2748 wrote to memory of 2840	2748	COM Surrogate.cmd	33
PID 2748 wrote to memory of 2840	2748	COM Surrogate.cmd	33
PID 2748 wrote to memory of 2840	2748	COM Surrogate.cmd	33
PID 2748 wrote to memory of 2840	2748	COM Surrogate.cmd	33
PID 2748 wrote to memory of 2840	2748	COM Surrogate.cmd	33
PID 2748 wrote to memory of 2840	2748	COM Surrogate.cmd	33
PID 2748 wrote to memory of 2840	2748	COM Surrogate.cmd	33
PID 2748 wrote to memory of 13588	2748	COM Surrogate.cmd	34
PID 2748 wrote to memory of 13588	2748	COM Surrogate.cmd	34
PID 2748 wrote to memory of 13588	2748	COM Surrogate.cmd	34
PID 2748 wrote to memory of 13588	2748	COM Surrogate.cmd	34
PID 2748 wrote to memory of 13588	2748	COM Surrogate.cmd	34
PID 2748 wrote to memory of 13588	2748	COM Surrogate.cmd	34
PID 2748 wrote to memory of 13588	2748	COM Surrogate.cmd	34
PID 2900 wrote to memory of 13648	2900	Windows Security Health.cmd	35
PID 2900 wrote to memory of 13648	2900	Windows Security Health.cmd	35
PID 2900 wrote to memory of 13648	2900	Windows Security Health.cmd	35
PID 2900 wrote to memory of 13648	2900	Windows Security Health.cmd	35
PID 2900 wrote to memory of 13648	2900	Windows Security Health.cmd	35
PID 2900 wrote to memory of 13648	2900	Windows Security Health.cmd	35
PID 2900 wrote to memory of 13648	2900	Windows Security Health.cmd	35
PID 2700 wrote to memory of 2068	2700	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	36
PID 2700 wrote to memory of 2068	2700	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	36
PID 2700 wrote to memory of 2068	2700	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	36
PID 2700 wrote to memory of 2068	2700	c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe	36
PID 2748 wrote to memory of 3116	2748	COM Surrogate.cmd	37
PID 2748 wrote to memory of 3116	2748	COM Surrogate.cmd	37
PID 2748 wrote to memory of 3116	2748	COM Surrogate.cmd	37
PID 2748 wrote to memory of 3116	2748	COM Surrogate.cmd	37
PID 2748 wrote to memory of 3116	2748	COM Surrogate.cmd	37
PID 2748 wrote to memory of 3116	2748	COM Surrogate.cmd	37
PID 2748 wrote to memory of 3116	2748	COM Surrogate.cmd	37
PID 2900 wrote to memory of 4948	2900	Windows Security Health.cmd	38
PID 2900 wrote to memory of 4948	2900	Windows Security Health.cmd	38
PID 2900 wrote to memory of 4948	2900	Windows Security Health.cmd	38
PID 2900 wrote to memory of 4948	2900	Windows Security Health.cmd	38
PID 2900 wrote to memory of 4948	2900	Windows Security Health.cmd	38
PID 2900 wrote to memory of 4948	2900	Windows Security Health.cmd	38
PID 2900 wrote to memory of 4948	2900	Windows Security Health.cmd	38
PID 2900 wrote to memory of 5040	2900	Windows Security Health.cmd	39
PID 2900 wrote to memory of 5040	2900	Windows Security Health.cmd	39
PID 2900 wrote to memory of 5040	2900	Windows Security Health.cmd	39
PID 2900 wrote to memory of 5040	2900	Windows Security Health.cmd	39
PID 2900 wrote to memory of 5040	2900	Windows Security Health.cmd	39
PID 2900 wrote to memory of 5040	2900	Windows Security Health.cmd	39
PID 2900 wrote to memory of 5040	2900	Windows Security Health.cmd	39
PID 2068 wrote to memory of 5152	2068	Windows.Gaming.Input.exe	40
PID 2068 wrote to memory of 5152	2068	Windows.Gaming.Input.exe	40
PID 2068 wrote to memory of 5152	2068	Windows.Gaming.Input.exe	40
PID 2068 wrote to memory of 5152	2068	Windows.Gaming.Input.exe	40
PID 2068 wrote to memory of 5152	2068	Windows.Gaming.Input.exe	40
PID 2068 wrote to memory of 5152	2068	Windows.Gaming.Input.exe	40

C:\Users\Admin\AppData\Local\Temp\c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe
"C:\Users\Admin\AppData\Local\Temp\c0b33353c9f851eff81e9b542cbff2ccffe05f5c0da84658aecbd26f3a165ee8.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\Windows ygjaxs.dll
  "C:\Users\Admin\AppData\Local\Temp\\Windows ygjaxs.dll"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2780
- C:\Users\Admin\AppData\Local\Temp\COM Surrogate.cmd
  "C:\Users\Admin\AppData\Local\Temp\\COM Surrogate.cmd"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Users\Admin\AppData\Local\Temp\Server.dll
    C:\Users\Admin\AppData\Local\Temp\\Server.dll
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\Server.dll > nul
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      PID:10884
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:23572
- - C:\Users\Admin\AppData\Local\Temp\Server.dll
    C:\Users\Admin\AppData\Local\Temp\\Server.dll
    3⤵
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:13588
- - C:\Users\Admin\AppData\Local\Temp\Server.dll
    C:\Users\Admin\AppData\Local\Temp\\Server.dll
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:3116
- C:\Users\Admin\AppData\Roaming\Windows Security Health.cmd
  "C:\Users\Admin\AppData\Roaming\\Windows Security Health.cmd"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\SysWOW64\Serveri.dll
    C:\Windows\system32\\Serveri.dll
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:13648
- - C:\Windows\SysWOW64\Serveri.dll
    C:\Windows\system32\\Serveri.dll
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:4948
- - C:\Windows\SysWOW64\Serveri.dll
    C:\Windows\system32\\Serveri.dll
    3⤵
    - Executes dropped EXE
    PID:5040
- C:\Windows\SysWOW64\Windows.Gaming.Input.exe
  C:\Windows\system32\\Windows.Gaming.Input.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Users\Admin\AppData\Roaming\Windows.dll
    C:\Users\Admin\AppData\Roaming\\Windows.dll
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:5152
- - C:\Users\Admin\AppData\Roaming\Windows.dll
    C:\Users\Admin\AppData\Roaming\\Windows.dll
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:5288
- - C:\Users\Admin\AppData\Roaming\Windows.dll
    C:\Users\Admin\AppData\Roaming\\Windows.dll
    3⤵
    - Executes dropped EXE
    PID:21084

C:\Windows\SysWOW64\Phxph.exe
C:\Windows\SysWOW64\Phxph.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:5200

C:\Windows\SysWOW64\Phxph.exe
C:\Windows\SysWOW64\Phxph.exe -auto
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:10840

C:\Windows\SysWOW64\Phxph.exe
C:\Windows\SysWOW64\Phxph.exe -auto
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:23884

C:\Windows\SysWOW64\Phxph.exe
C:\Windows\SysWOW64\Phxph.exe -auto
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:39492

C:\Windows\SysWOW64\Phxph.exe
C:\Windows\SysWOW64\Phxph.exe -auto
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:25792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Phxph.exe

Filesize
22.1MB

MD5
44d1ce29474bad8ada3d778af1dac0f3

SHA1
319f966cc44529a564f9d5d19e0fb99e0af2ea19

SHA256
d75217eccc9e4b9a2ccfb2819b1fdbf01a074042292bcf3162ec27a01b7ee1cf

SHA512
511ac3bfa10928190c7cb035a976c673fb758950ce4accde4a80b81b62ee0585d5d51930571ffa177fb1d63ecd4a770415bc09800cc5cd1ac6cb7efa16b7d025

Download Submit
C:\Windows\SysWOW64\Windows.Gaming.Input.exe

Filesize
2.0MB

MD5
7c42c0289a8ef2395efc1e7925b2d16e

SHA1
5b75f9495a791d982e269f3fb4dcac2b95f5138c

SHA256
24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7

SHA512
01e5a6f9a5145e01603c84f772e038b2ee40e45fb4d9b307269b199411fa68127e2443ede7ea30f0c630d2c84090de2c38b75ff8e139a7886e341e82b36750bc

Download Submit
\Users\Admin\AppData\Local\Temp\COM Surrogate.cmd

Filesize
2.9MB

MD5
e1d44431b799d360d924352fb87c0aae

SHA1
87210f7c8f8759a5b23e8567643b2dfef51fc1e7

SHA256
f41cea6229006c96d286c284cda8ae342d987edfcbec9e3da2a38dc4233ad9f7

SHA512
a1cf0fe054e92770d5b7bb22538cd90ce906e0e3119ce66761da3f3cc55642818f0d7cadafb23fb62215395ce1b475affc4c0389e69f5209b708c8dbfcdd646c

Download Submit
\Users\Admin\AppData\Local\Temp\Server.dll

Filesize
1.1MB

MD5
1144ea1e19cb2a42f7ad2fa04db8e476

SHA1
2ef6e0f9c5e57305bff6d30080cf68c1d3e101d9

SHA256
20569e9045f5c150eafa51752334b62c78b9dbc308d61dacfcb2098a76c5cf50

SHA512
3df308eafc0f014a07fbdeb706b32eb5de7e02a7496e70e5035d9b76db239435a2511964fc027380aad19763755c4e07e52f4e157b691c55c5a03d5b21593556

Download Submit
\Users\Admin\AppData\Local\Temp\Windows ygjaxs.dll

Filesize
459KB

MD5
f6bad3e56004d0ec916b9f93bbb971a1

SHA1
75e7d20bc42572a7dc1b9a12dc464576079b90b8

SHA256
d0b6965be9cc036a316acb456491562aea12d2bb52af12a475966ee7b41fc000

SHA512
07961000646b1e95504528afb0d2812a0ad0f3196999cc91401ebad0ecc520bd41075d85fdcce90d4d52b99d92ac21420b5e4140ccc3553a03969af6bab555a6

Download Submit
\Users\Admin\AppData\Roaming\Windows Security Health.cmd

Filesize
2.9MB

MD5
fe86e62f1f8cc2b9160c316c7e1ccffd

SHA1
540ed568fad46b2e4bccd6460e98e7e07a78068f

SHA256
bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af

SHA512
1cbe0eba13af47bfa1781d766dfaab6a0a185afa8f48694b5aab25c20a557101b69b63977a04c4cef0f9b5fde66deaea888e459f755fdee99c061e63f7eeb48a

Download Submit
memory/2068-17470-0x00000000024A0000-0x00000000025C3000-memory.dmp

Filesize
1.1MB

Download
memory/2700-5-0x0000000002E30000-0x0000000002F54000-memory.dmp

Filesize
1.1MB

Download
memory/2748-34-0x0000000002FC0000-0x00000000030E3000-memory.dmp

Filesize
1.1MB

Download
memory/2748-12011-0x0000000002FC0000-0x00000000030E3000-memory.dmp

Filesize
1.1MB

Download
memory/2748-17466-0x0000000002FC0000-0x00000000030E3000-memory.dmp

Filesize
1.1MB

Download
memory/2748-8729-0x0000000002FC0000-0x00000000030E3000-memory.dmp

Filesize
1.1MB

Download
memory/2780-8732-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2780-7-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2840-897-0x0000000002100000-0x0000000002211000-memory.dmp

Filesize
1.1MB

Download
memory/2840-881-0x0000000002100000-0x0000000002211000-memory.dmp

Filesize
1.1MB

Download
memory/2840-871-0x0000000002100000-0x0000000002211000-memory.dmp

Filesize
1.1MB

Download
memory/2840-873-0x0000000002100000-0x0000000002211000-memory.dmp

Filesize
1.1MB

Download
memory/2840-892-0x0000000002100000-0x0000000002211000-memory.dmp

Filesize
1.1MB

Download
memory/2840-907-0x0000000002100000-0x0000000002211000-memory.dmp

Filesize
1.1MB

Download
memory/2840-865-0x0000000002100000-0x0000000002211000-memory.dmp

Filesize
1.1MB

Download
memory/2840-851-0x0000000002100000-0x0000000002211000-memory.dmp

Filesize
1.1MB

Download
memory/2840-849-0x0000000002100000-0x0000000002211000-memory.dmp

Filesize
1.1MB

Download
memory/2840-847-0x0000000002100000-0x0000000002211000-memory.dmp

Filesize
1.1MB

Download
memory/2840-846-0x0000000002100000-0x0000000002211000-memory.dmp

Filesize
1.1MB

Download
memory/2840-859-0x0000000002100000-0x0000000002211000-memory.dmp

Filesize
1.1MB

Download
memory/2840-869-0x0000000002100000-0x0000000002211000-memory.dmp

Filesize
1.1MB

Download
memory/2840-863-0x0000000002100000-0x0000000002211000-memory.dmp

Filesize
1.1MB

Download
memory/2840-905-0x0000000002100000-0x0000000002211000-memory.dmp

Filesize
1.1MB

Download
memory/2840-903-0x0000000002100000-0x0000000002211000-memory.dmp

Filesize
1.1MB

Download
memory/2840-901-0x0000000002100000-0x0000000002211000-memory.dmp

Filesize
1.1MB

Download
memory/2840-899-0x0000000002100000-0x0000000002211000-memory.dmp

Filesize
1.1MB

Download
memory/2840-861-0x0000000002100000-0x0000000002211000-memory.dmp

Filesize
1.1MB

Download
memory/2840-895-0x0000000002100000-0x0000000002211000-memory.dmp

Filesize
1.1MB

Download
memory/2840-893-0x0000000002100000-0x0000000002211000-memory.dmp

Filesize
1.1MB

Download
memory/2840-889-0x0000000002100000-0x0000000002211000-memory.dmp

Filesize
1.1MB

Download
memory/2840-887-0x0000000002100000-0x0000000002211000-memory.dmp

Filesize
1.1MB

Download
memory/2840-885-0x0000000002100000-0x0000000002211000-memory.dmp

Filesize
1.1MB

Download
memory/2840-883-0x0000000002100000-0x0000000002211000-memory.dmp

Filesize
1.1MB

Download
memory/2840-867-0x0000000002100000-0x0000000002211000-memory.dmp

Filesize
1.1MB

Download
memory/2840-879-0x0000000002100000-0x0000000002211000-memory.dmp

Filesize
1.1MB

Download
memory/2840-877-0x0000000002100000-0x0000000002211000-memory.dmp

Filesize
1.1MB

Download
memory/2840-875-0x0000000002100000-0x0000000002211000-memory.dmp

Filesize
1.1MB

Download
memory/2840-857-0x0000000002100000-0x0000000002211000-memory.dmp

Filesize
1.1MB

Download
memory/2840-855-0x0000000002100000-0x0000000002211000-memory.dmp

Filesize
1.1MB

Download
memory/2840-35-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2840-36-0x00000000752D0000-0x0000000075317000-memory.dmp

Filesize
284KB

Download
memory/2840-853-0x0000000002100000-0x0000000002211000-memory.dmp

Filesize
1.1MB

Download
memory/2840-12013-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2900-17455-0x0000000003190000-0x00000000032B3000-memory.dmp

Filesize
1.1MB

Download
memory/2900-34859-0x0000000003190000-0x00000000032B3000-memory.dmp

Filesize
1.1MB

Download
memory/3116-104433-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/3116-12012-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/4948-34856-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/5152-78294-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/5200-78296-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/5288-85421-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/10840-86991-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/10840-95687-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/13588-17458-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/13648-17464-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/13648-113148-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/21084-86973-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/23884-104410-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/39492-113127-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads