30a7c17ac7dcfcee1c2f62987bbaaa0161599ebe58329fca444adca7cc1079ee

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 04:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e9944a68e769e60f718eed8fc9bbe8f.exe
Size

3.0MB
MD5

0e9944a68e769e60f718eed8fc9bbe8f
SHA1

fb143881d51567e30d775a6feb9e689e708bf79d
SHA256

30a7c17ac7dcfcee1c2f62987bbaaa0161599ebe58329fca444adca7cc1079ee
SHA512

6fadab0e61bd497d75f2e79a00be8dfe553b30e0c1ed791c8e4582bdabb6159619a4468e2b92ac1ea32c97cc4554f7d735ab8ba5ddf42fb573277e3ee6f95011
SSDEEP

49152:FFbRs47kQlDJqDvpHf2YDiF1yei0UYhNNEHCf/wrCjsru8/q106y0lhOdyj:z7kYD+p/1DEYiPEHC/OOqur0FjEj

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Drivers\npf.sys	gun4.25.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	gun4.25.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	gun4.25.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	0e9944a68e769e60f718eed8fc9bbe8f.exe

Executes dropped EXE 13 IoCs

pid	Process
2716	FoxitReader22_setup.exe
3244	gun4.25.exe
564	Foxit Reader Setup.exe
4116	svehost.exe
4368	svehost.exe
2400	svehost.exe
3380	svehost.exe
948	svehost.exe
1260	svehost.exe
1324	svehost.exe
8	svehost.exe
1136	svehost.exe
3920	svehost.exe

Loads dropped DLL 33 IoCs

pid	Process
3244	gun4.25.exe
3244	gun4.25.exe
3244	gun4.25.exe
4116	svehost.exe
4116	svehost.exe
4116	svehost.exe
4368	svehost.exe
4368	svehost.exe
4368	svehost.exe
2400	svehost.exe
2400	svehost.exe
2400	svehost.exe
3380	svehost.exe
3380	svehost.exe
3380	svehost.exe
948	svehost.exe
948	svehost.exe
948	svehost.exe
1260	svehost.exe
1260	svehost.exe
1260	svehost.exe
1324	svehost.exe
1324	svehost.exe
1324	svehost.exe
8	svehost.exe
8	svehost.exe
8	svehost.exe
1136	svehost.exe
1136	svehost.exe
1136	svehost.exe
3920	svehost.exe
3920	svehost.exe
3920	svehost.exe

Drops file in System32 directory 44 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	gun4.25.exe
File created	C:\Windows\SysWOW64\svehost.exe	gun4.25.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	gun4.25.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	gun4.25.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\ = "DevicesFlow"	gun4.25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\rRPuiugrag = "K\|O`MI}mU`lfCvOm]z{Ndg~"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\hiChYBicx = "xJBlIhfFwg"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\Qtwivuvnuz = "tZMyDyCj~{v\x7fT^{lmumHnCl"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\rRPuiugrag = "K\|O`MI}dU`lfCvNf]z{Ndg~"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\hiChYBicx = "xJBlKEWP\x7fJ"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\rRPuiugrag = "K\|O`MI}eU`lfCvND]z{Ndg~"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\xCmoNNgsnqhr = "pneb\\aFegdJd`WoVBQWa"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\hiChYBicx = "xJBlHKOawZ"	svehost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/pdf	Foxit Reader Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\hiChYBicx = "xJBlHR`@up"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\nUntY = "aHSbLzsFZIHXtMft"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\hiChYBicx = "xJBlHuaQmF"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\hyPrKnstnjpuo = "XYkQdbmScVzoiBeF{RCMD\|Hr"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\xCmoNNgsnqhr = "pneb\\aFegdJd`WoVBQWa"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\nUntY = "aHSbLzsFZIHXtMfs"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\hiChYBicx = "xJBlIxpFVl"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\nUntY = "aHSbLzsFZIHXtMfy"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\Qtwivuvnuz = "tZMyDyCj~{v\x7fT^{lmumHnEl"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\xCmoNNgsnqhr = "pneb\\aFegdJd`WoVBQWa"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\rRPuiugrag = "K\|O`MI}kU`lfCvOQ]z{Ndg~"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\hyPrKnstnjpuo = "XYkQdbmScVzoiBeF{RCMD\|Hr"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\hiChYBicx = "xJBlJI{uBS"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\xCmoNNgsnqhr = "pneb\\aFegdJd`WoVBQWa"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\Qtwivuvnuz = "tZMyDyCj~{v\x7fT^{lmumHnOl"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\hiChYBicx = "xJBlHi}z[\\"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\hiChYBicx = "xJBlHyqcBn"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\hiChYBicx = "xJBlJcYSJl"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\hiChYBicx = "xJBlHSSEJQ"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\hiChYBicx = "xJBlKuS{G`"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\nUntY = "aHSbLzsFZIHXtMfu"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\nUntY = "aHSbLzsFZIHXtMfw"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\hiChYBicx = "xJBlKioICi"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\hiChYBicx = "xJBlIua^[_"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\hiChYBicx = "xJBlJXPGek"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\LocalServer32\ = "%SystemRoot%\\SysWow64\\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {046AEAD9-5A27-4D3C-8A67-F82552E0A91B}"	gun4.25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\nUntY = "aHSbLzsFZIHXtMfr"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\nUntY = "aHSbLzsFZIHXtMft"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\Qtwivuvnuz = "tZMyDyCj~{v\x7fT^{lmumHn@\\"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\rRPuiugrag = "K\|O`MI}gU`lfCvNU]z{Ndg~"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\Qtwivuvnuz = "tZMyDyCj~{v\x7fT^{lmumHnML"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\hiChYBicx = "xJBlKQJlY@"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\Qtwivuvnuz = "tZMyDyCj~{v\x7fT^{lmumHnC\|"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\rRPuiugrag = "K\|O`MI}jU`lfCvO@]z{Ndg~"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\Qtwivuvnuz = "tZMyDyCj~{v\x7fT^{lmumHnO\\"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\Qtwivuvnuz = "tZMyDyCj~{v\x7fT^{lmumHnN\\"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\Qtwivuvnuz = "tZMyDyCj~{v\x7fT^{lmumHn@L"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\hyPrKnstnjpuo = "XYkQdbmScVzoiBeF{RCMD\|Hr"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\nUntY = "aHSbLzsFZIHXtMfz"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\nUntY = "aHSbLzsFZIHXtMfz"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\nUntY = "aHSbLzsFZIHXtMfw"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\Qtwivuvnuz = "tZMyDyCj~{v\x7fT^{lmumHnA\\"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\Qtwivuvnuz = "tZMyDyCj~{v\x7fT^{lmumHnNl"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\hyPrKnstnjpuo = "XYkQdbmScVzoiBeF{RCMD\|Hr"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\hiChYBicx = "xJBlKHzPVQ"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\rRPuiugrag = "K\|O`MI}nU`lfCvOm]z{Ndg~"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\rRPuiugrag = "K\|O`MI}hU`lfCvOs]z{Ndg~"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\hiChYBicx = "xJBlIa@zY}"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\Qtwivuvnuz = "tZMyDyCj~{v\x7fT^{lmumHnC\\"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\hiChYBicx = "xJBlHtFzSL"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\nUntY = "aHSbLzsFZIHXtMfu"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\xCmoNNgsnqhr = "pneb\\aFegdJd`WoVBQWa"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\rRPuiugrag = "K\|O`MI}fU`lfCvNU]z{Ndg~"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5B82E288-5B82-E288-5B82-E2885B82E288}\Qtwivuvnuz = "tZMyDyCj~{v\x7fT^{lmumHnM\\"	svehost.exe

NTFS ADS 11 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\TEMP:77D27163	svehost.exe
File opened for modification	C:\ProgramData\TEMP:77D27163	svehost.exe
File opened for modification	C:\ProgramData\TEMP:77D27163	svehost.exe
File opened for modification	C:\ProgramData\TEMP:77D27163	svehost.exe
File opened for modification	C:\ProgramData\TEMP:77D27163	svehost.exe
File opened for modification	C:\ProgramData\TEMP:77D27163	svehost.exe
File opened for modification	C:\ProgramData\TEMP:77D27163	svehost.exe
File created	C:\ProgramData\TEMP:77D27163	svehost.exe
File opened for modification	C:\ProgramData\TEMP:77D27163	svehost.exe
File opened for modification	C:\ProgramData\TEMP:77D27163	svehost.exe
File opened for modification	C:\ProgramData\TEMP:77D27163	svehost.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: 33	3244	gun4.25.exe
Token: SeIncBasePriorityPrivilege	3244	gun4.25.exe
Token: 33	4116	svehost.exe
Token: SeIncBasePriorityPrivilege	4116	svehost.exe
Token: 33	4368	svehost.exe
Token: SeIncBasePriorityPrivilege	4368	svehost.exe
Token: 33	2400	svehost.exe
Token: SeIncBasePriorityPrivilege	2400	svehost.exe
Token: 33	3380	svehost.exe
Token: SeIncBasePriorityPrivilege	3380	svehost.exe
Token: 33	948	svehost.exe
Token: SeIncBasePriorityPrivilege	948	svehost.exe
Token: 33	1260	svehost.exe
Token: SeIncBasePriorityPrivilege	1260	svehost.exe
Token: 33	1324	svehost.exe
Token: SeIncBasePriorityPrivilege	1324	svehost.exe
Token: 33	8	svehost.exe
Token: SeIncBasePriorityPrivilege	8	svehost.exe
Token: 33	1136	svehost.exe
Token: SeIncBasePriorityPrivilege	1136	svehost.exe
Token: 33	3920	svehost.exe
Token: SeIncBasePriorityPrivilege	3920	svehost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
564	Foxit Reader Setup.exe
564	Foxit Reader Setup.exe
564	Foxit Reader Setup.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2716	1984	0e9944a68e769e60f718eed8fc9bbe8f.exe	90
PID 1984 wrote to memory of 2716	1984	0e9944a68e769e60f718eed8fc9bbe8f.exe	90
PID 1984 wrote to memory of 2716	1984	0e9944a68e769e60f718eed8fc9bbe8f.exe	90
PID 1984 wrote to memory of 3244	1984	0e9944a68e769e60f718eed8fc9bbe8f.exe	92
PID 1984 wrote to memory of 3244	1984	0e9944a68e769e60f718eed8fc9bbe8f.exe	92
PID 1984 wrote to memory of 3244	1984	0e9944a68e769e60f718eed8fc9bbe8f.exe	92
PID 2716 wrote to memory of 564	2716	FoxitReader22_setup.exe	91
PID 2716 wrote to memory of 564	2716	FoxitReader22_setup.exe	91
PID 2716 wrote to memory of 564	2716	FoxitReader22_setup.exe	91
PID 3244 wrote to memory of 4116	3244	gun4.25.exe	93
PID 3244 wrote to memory of 4116	3244	gun4.25.exe	93
PID 3244 wrote to memory of 4116	3244	gun4.25.exe	93
PID 4116 wrote to memory of 4368	4116	svehost.exe	101
PID 4116 wrote to memory of 4368	4116	svehost.exe	101
PID 4116 wrote to memory of 4368	4116	svehost.exe	101
PID 4368 wrote to memory of 2400	4368	svehost.exe	103
PID 4368 wrote to memory of 2400	4368	svehost.exe	103
PID 4368 wrote to memory of 2400	4368	svehost.exe	103
PID 2400 wrote to memory of 3380	2400	svehost.exe	105
PID 2400 wrote to memory of 3380	2400	svehost.exe	105
PID 2400 wrote to memory of 3380	2400	svehost.exe	105
PID 3380 wrote to memory of 948	3380	svehost.exe	106
PID 3380 wrote to memory of 948	3380	svehost.exe	106
PID 3380 wrote to memory of 948	3380	svehost.exe	106
PID 948 wrote to memory of 1260	948	svehost.exe	108
PID 948 wrote to memory of 1260	948	svehost.exe	108
PID 948 wrote to memory of 1260	948	svehost.exe	108
PID 1260 wrote to memory of 1324	1260	svehost.exe	109
PID 1260 wrote to memory of 1324	1260	svehost.exe	109
PID 1260 wrote to memory of 1324	1260	svehost.exe	109
PID 1324 wrote to memory of 8	1324	svehost.exe	114
PID 1324 wrote to memory of 8	1324	svehost.exe	114
PID 1324 wrote to memory of 8	1324	svehost.exe	114
PID 8 wrote to memory of 1136	8	svehost.exe	115
PID 8 wrote to memory of 1136	8	svehost.exe	115
PID 8 wrote to memory of 1136	8	svehost.exe	115
PID 1136 wrote to memory of 3920	1136	svehost.exe	117
PID 1136 wrote to memory of 3920	1136	svehost.exe	117
PID 1136 wrote to memory of 3920	1136	svehost.exe	117

C:\Users\Admin\AppData\Local\Temp\0e9944a68e769e60f718eed8fc9bbe8f.exe
"C:\Users\Admin\AppData\Local\Temp\0e9944a68e769e60f718eed8fc9bbe8f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\FoxitReader22_setup.exe
  "C:\Users\Admin\AppData\Local\Temp\FoxitReader22_setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Users\Admin\AppData\Local\Temp\fox4F99.tmp\Foxit Reader Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\fox4F99.tmp\Foxit Reader Setup.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:564
- C:\Users\Admin\AppData\Local\Temp\gun4.25.exe
  "C:\Users\Admin\AppData\Local\Temp\gun4.25.exe"
  2⤵
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3244
- - C:\Windows\SysWOW64\svehost.exe
    C:\Windows\system32\svehost.exe 1416 "C:\Users\Admin\AppData\Local\Temp\gun4.25.exe"
    3⤵
    - Drops file in Drivers directory
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4116
  - - C:\Windows\SysWOW64\svehost.exe
      C:\Windows\system32\svehost.exe 1436 "C:\Windows\SysWOW64\svehost.exe"
      4⤵
      Drops file in Drivers directory
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      NTFS ADS
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4368
    - - C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 1456 "C:\Windows\SysWOW64\svehost.exe"
        5⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2400
      - C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 1468 "C:\Windows\SysWOW64\svehost.exe"
        6⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 1460 "C:\Windows\SysWOW64\svehost.exe"
        7⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 1472 "C:\Windows\SysWOW64\svehost.exe"
        8⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 1464 "C:\Windows\SysWOW64\svehost.exe"
        9⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 1480 "C:\Windows\SysWOW64\svehost.exe"
        10⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 1476 "C:\Windows\SysWOW64\svehost.exe"
        11⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 952 "C:\Windows\SysWOW64\svehost.exe"
        12⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:3920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TEMP:77D27163

Filesize
107B

MD5
918cd02cdd0e6b18e5ab0d180687df26

SHA1
62defadba6f597c9f7b6e9c5a34e8df7fac7eba6

SHA256
36c8f8b274b1ef25424a7f76b7237df331700811eb0ebd78756c4e63815da3e5

SHA512
e0dea647d2a26ae6c723ec051dd3cff553d7b85d210978c8cc3bbf4de201a06d0e201c70372839959ae4542517db28df4db3048132200fdbad841211fc704a91

Download Submit
C:\ProgramData\TEMP:77D27163

Filesize
107B

MD5
b133d7a997c100ea575f2870425bd5d6

SHA1
6d9dfe4bf3f704f897a441fb15d6d578d17bb960

SHA256
42c0fdaff590e68b41e8f508b63259905d56771f21e674eedcee9fa97e259a22

SHA512
cea77cea93398f2d28c2dfd7631fe95d3049592abff7d4ee80899f502ccf8cfecf5d373b8b66ce95f3ad6934c700815cbb03c09625c23123c0e4bf48e7c439f8

Download Submit
C:\ProgramData\TEMP:77D27163

Filesize
107B

MD5
781f1a86923a189ee8d4a958af78ba2a

SHA1
33eb9d9fa230dc371a2fd9bb2fbea940004d3e1f

SHA256
c787639d99358c785bf9bda7f96beda985d08d2e41c1922d024c3e46c89cbdb5

SHA512
9b36ea55ffbbf14f17f796c7eafc130aec1ca8d0038b91a780e2f4ea75e7013723bd845c653b782c59c69b79c1f24e826e189f7825511d0971513e77829eb6ef

Download Submit
C:\ProgramData\TEMP:77D27163

Filesize
107B

MD5
e1ce25a9830b55be5ee18016f97802a0

SHA1
a18d6e1e6bb46f7cc140154126b57c4631e34df3

SHA256
7274cdd6332c74f2f5b2b329185bdba80127f200d2f807439e59555ec997d173

SHA512
826670f42d5aa319cd2972d1066be1e25a6e3a1fcd426a7d02e0153ce174d93ae869cba83bb1f5ac36bfcb5fd279b158a400317c964fbe24be55cc8d00f2c9ce

Download Submit
C:\ProgramData\TEMP:77D27163

Filesize
107B

MD5
b58bc3eec6184287d49b4f9ae3382805

SHA1
e1cc5db92d7ef408050350f75bfe33484256a547

SHA256
da126ebbe7f4a15855e781854ecee27ffe4bd7d8039bdba17b2a244e975655c0

SHA512
5c52ee49265de5cfd0e27660b89d410adbf7c0df6c872bb2aa046f0e130f084a106baf8e286f0f04646198f7bb761ed9cadb8ef2ad0b81d5c7f241a03e1734e6

Download Submit
C:\ProgramData\TEMP:77D27163

Filesize
107B

MD5
299c99adbbf15a158d902766537bf675

SHA1
06c42a78d97b8c928b105943dfdff77712e29d35

SHA256
f191483912407d3cf15aed822d0cab25e222a6addce5359bd0ed45966d1009ad

SHA512
d10d4b8c28c5ca4b03d15a3c7cfbb38573879296b3e139c23fdc738a876bc005e9c7e267181d5748a64c2fec608dd09066efc94e6b5bf9784497267d5969543c

Download Submit
C:\ProgramData\TEMP:77D27163

Filesize
107B

MD5
f19c1f5e4bb550bc560029528fe66e5b

SHA1
ccf749c5a2a98c9ab8fb53e841ae37891751edd1

SHA256
50443ea296ea8f7c5496327ca976cff4f9855cd79e488fa8fa0e6d72b77573f9

SHA512
17849f7f977ec85f774cbc2c6fabdfc64f9e6fb7ad0bf2a55d6335442a5f163afbeb36b417cb5be717cdca29a507d6a02387c991d502d40054a5c86433b96a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxitReader22_setup.exe

Filesize
1.4MB

MD5
6aa5fe44c731afabc98d2c8afcd5d2d9

SHA1
02a690431a6d7feb5a51720e61c4928d6786f480

SHA256
3d69decef50b4ee05656ffab20eb5ad33fec0db7868c5713d2c4e3eadeaed057

SHA512
ffdfc41c3a38e072116cbbe2de14c5acd289c49f7313f645b807fa291dc3b1810fa5f1c1ba7d1a9205fddf321466d8b1e1d99c1ae2aebdd54a6ca910d3632d01

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxitReader22_setup.exe

Filesize
1024KB

MD5
ec25d613abca036398766b75c7456136

SHA1
ce814eac8c0e982df8fc111d1731c1783438eb33

SHA256
b02d8f049afbd407034593aedc047c25332c5075f726e5536f943477a86e0346

SHA512
33af98e59fb8d5c77c6f9f5957e77092af9e4888cb46ab270b77c7e143b3be2c59b4924af3dcbeb68ea150fe70cc3f7de32d2a279ff5f82b91ab8ed38f94a991

Download Submit
C:\Users\Admin\AppData\Local\Temp\gun4.25.exe

Filesize
896KB

MD5
fc2a36eab622edefed89535d99863e8b

SHA1
49a476e5898df62a14a539f9e1dbd00385eaae27

SHA256
8223209a5e4fa00d0706a95af2477065d1d8783e9147cf25316f71f1ae5fc517

SHA512
2bb663af9a5cb7d9cf63ee8dfd964516fc226c65ddedcb3f7014cca375b11ec71a84ece7f9f7d67ffef5fd9d9eef59ed349149652331b0232d0f4357ceacd51f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gun4.25.exe

Filesize
92KB

MD5
c600858aea4aa2288504923af67fd97b

SHA1
e2d3f8e2f2c246ec39fe12eb803fa246273876d7

SHA256
9d12951e6ce800cb7738d33539efd253d5d04ae18db7730e64efb7b1f17a4447

SHA512
f508965e6b7b77b5a7c5f07fa9bb3be2d976d45a44e8421d5060909f52dc0bbfdc751c4cd4df6120e134f15ddbb23b43e52d74884878a11c0fae5df363aea849

Download Submit
C:\Windows\SysWOW64\packet.dll

Filesize
86KB

MD5
3eb0beb8e318646104362537570fc6bc

SHA1
3cb48ea9073fcca5835adad307e14ebf0cfe7279

SHA256
ab3f8c80b85aae70f89c8e7919d7dd147c2bc3ec68769e0bdb05fcc4083e3643

SHA512
db5fd16749641de6282d36af7b1921f908850ece3429ffe5ad33d990431bf4990f0314d28af082394af1f4d66516d9d89806a38e2801c34b4dd1ccb69bfafe47

Download Submit
C:\Windows\SysWOW64\svehost.exe

Filesize
920KB

MD5
0cc4d625f7ede56f5f8832e421a61865

SHA1
e037c88deffe0ce61dc19d64bb60d78d9ab3b068

SHA256
576dcc08435e14a385ed84ad6618a7cd14c557903233fa8cadb3de7b2f00381a

SHA512
bac8009778cb0536c7e62ac459a69381b818022af8a50577becfbe51e2f9128a0516339d4eb6d27dd862e628a3366db0544182dfcd3a4c52d7b29af3edd165c9

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
234KB

MD5
cb0afba4f0fb6ca2b2ea0d2c3e86b588

SHA1
2459367892e012314b451e05de1f1162448a05fa

SHA256
1b0fe60175c88f7cd3f3765b2f0f3eb1530b2e5e5b51f89a83e0322de32bdcf7

SHA512
a4e2d66af68dee67be5883c4770c1339b6be4847a993619389404af6a7ec9763361d9a14c632ca6704f63d84b05483f4bea2ec035b466fdaf03ce68c5cbca128

Download Submit
memory/8-305-0x0000000002250000-0x00000000022E5000-memory.dmp

Filesize
596KB

Download
memory/8-356-0x0000000002250000-0x00000000022E5000-memory.dmp

Filesize
596KB

Download
memory/8-355-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/948-205-0x0000000000860000-0x00000000008F5000-memory.dmp

Filesize
596KB

Download
memory/948-256-0x0000000000860000-0x00000000008F5000-memory.dmp

Filesize
596KB

Download
memory/948-255-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1136-385-0x00000000020A0000-0x0000000002135000-memory.dmp

Filesize
596KB

Download
memory/1136-383-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1136-338-0x00000000020A0000-0x0000000002135000-memory.dmp

Filesize
596KB

Download
memory/1260-293-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1260-294-0x00000000022D0000-0x0000000002365000-memory.dmp

Filesize
596KB

Download
memory/1260-238-0x00000000022D0000-0x0000000002365000-memory.dmp

Filesize
596KB

Download
memory/1324-266-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1324-326-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1324-327-0x00000000021D0000-0x0000000002265000-memory.dmp

Filesize
596KB

Download
memory/1324-272-0x00000000021D0000-0x0000000002265000-memory.dmp

Filesize
596KB

Download
memory/1984-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1984-24-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2400-144-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2400-134-0x0000000002050000-0x00000000020E5000-memory.dmp

Filesize
596KB

Download
memory/2400-147-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2400-148-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2400-193-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2400-146-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2400-143-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2400-139-0x0000000002050000-0x00000000020E5000-memory.dmp

Filesize
596KB

Download
memory/2400-194-0x0000000002050000-0x00000000020E5000-memory.dmp

Filesize
596KB

Download
memory/3244-47-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3244-48-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3244-25-0x00000000008E0000-0x0000000000975000-memory.dmp

Filesize
596KB

Download
memory/3244-39-0x00000000008E0000-0x0000000000975000-memory.dmp

Filesize
596KB

Download
memory/3244-44-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3244-89-0x00000000008E0000-0x0000000000975000-memory.dmp

Filesize
596KB

Download
memory/3244-96-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3244-22-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3244-59-0x0000000002B50000-0x0000000002B65000-memory.dmp

Filesize
84KB

Download
memory/3244-43-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3244-49-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3244-50-0x00000000008E0000-0x0000000000975000-memory.dmp

Filesize
596KB

Download
memory/3244-46-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3380-223-0x0000000002090000-0x0000000002125000-memory.dmp

Filesize
596KB

Download
memory/3380-172-0x0000000002090000-0x0000000002125000-memory.dmp

Filesize
596KB

Download
memory/3380-222-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3920-368-0x00000000007C0000-0x0000000000855000-memory.dmp

Filesize
596KB

Download
memory/4116-86-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4116-101-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4116-77-0x0000000002160000-0x00000000021F5000-memory.dmp

Filesize
596KB

Download
memory/4116-83-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4116-87-0x0000000002160000-0x00000000021F5000-memory.dmp

Filesize
596KB

Download
memory/4116-95-0x0000000002B60000-0x0000000002B75000-memory.dmp

Filesize
84KB

Download
memory/4116-85-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4116-84-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4116-81-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4116-80-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4116-123-0x0000000002160000-0x00000000021F5000-memory.dmp

Filesize
596KB

Download
memory/4116-72-0x0000000002160000-0x00000000021F5000-memory.dmp

Filesize
596KB

Download
memory/4116-128-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4116-100-0x0000000002160000-0x00000000021F5000-memory.dmp

Filesize
596KB

Download
memory/4116-99-0x0000000002160000-0x00000000021F5000-memory.dmp

Filesize
596KB

Download
memory/4368-115-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4368-117-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4368-109-0x0000000002230000-0x00000000022C5000-memory.dmp

Filesize
596KB

Download
memory/4368-116-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4368-119-0x0000000002230000-0x00000000022C5000-memory.dmp

Filesize
596KB

Download
memory/4368-118-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4368-127-0x00000000032A0000-0x00000000032B5000-memory.dmp

Filesize
84KB

Download
memory/4368-112-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4368-160-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4368-113-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4368-104-0x0000000002230000-0x00000000022C5000-memory.dmp

Filesize
596KB

Download
memory/4368-130-0x0000000002230000-0x00000000022C5000-memory.dmp

Filesize
596KB

Download
memory/4368-129-0x0000000002230000-0x00000000022C5000-memory.dmp

Filesize
596KB

Download
memory/4368-131-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4368-161-0x0000000002230000-0x00000000022C5000-memory.dmp

Filesize
596KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads